feat(totp): support account name setting from schema

Author: aeneasr

driver/config/config.go

@@ -6,8 +6,8 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io"
 	"github.com/duo-labs/webauthn/protocol"
+	"io"
 	"net"
 	"net/http"
 	"net/url"
@@ -1010,7 +1010,7 @@ func (p *Config) WebAuthnConfig() *webauthn.Config {
 		RPOrigin:      p.p.String(ViperKeyWebAuthnRPOrigin),
 		RPIcon:        p.p.String(ViperKeyWebAuthnRPIcon),
 		AuthenticatorSelection: protocol.AuthenticatorSelection{
-			UserVerification:        protocol.VerificationDiscouraged,
+			UserVerification: protocol.VerificationDiscouraged,
 		},
 	}
 }

schema/extension.go

@@ -20,6 +20,9 @@ type (
 			Password struct {
 				Identifier bool `json:"identifier"`
 			} `json:"password"`
+			TOTP struct {
+				AccountName bool `json:"account_name"`
+			} `json:"totp"`
 		} `json:"credentials"`
 		Verification struct {
 			Via string `json:"via"`

schema/extension_test.go

@@ -13,13 +13,17 @@ import (
 )
 
 type extensionStub struct {
-	identifiers []string
+	identifiers  []string
+	accountNames []string
 }
 
 func (r *extensionStub) Run(ctx jsonschema.ValidationContext, config ExtensionConfig, value interface{}) error {
 	if config.Credentials.Password.Identifier {
 		r.identifiers = append(r.identifiers, fmt.Sprintf("%s", value))
 	}
+	if config.Credentials.TOTP.AccountName {
+		r.accountNames = append(r.accountNames, fmt.Sprintf("%s", value))
+	}
 	return nil
 }
 
@@ -60,6 +64,7 @@ func TestExtensionRunner(t *testing.T) {
 				}
 
 				assert.EqualValues(t, tc.expect, r.identifiers)
+				assert.EqualValues(t, tc.expect, r.accountNames)
 			})
 		}
 	})

schema/stub/extension/schema.json

@@ -8,6 +8,9 @@
         "credentials": {
           "password": {
             "identifier": true
+          },
+          "totp": {
+            "account_name": true
           }
         }
       }

schema/stub/extension/schema.nested.json

@@ -10,6 +10,9 @@
           "credentials": {
             "password": {
               "identifier": true
+            },
+            "totp": {
+              "account_name": true
             }
           }
         }

selfservice/strategy/totp/schema_extension.go

@@ -0,0 +1,31 @@
+package totp
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/ory/jsonschema/v3"
+	"github.com/ory/kratos/schema"
+)
+
+type SchemaExtension struct {
+	AccountName string
+	l           sync.Mutex
+}
+
+func NewSchemaExtension(fallback string) *SchemaExtension {
+	return &SchemaExtension{AccountName: fallback}
+}
+
+func (r *SchemaExtension) Run(_ jsonschema.ValidationContext, s schema.ExtensionConfig, value interface{}) error {
+	r.l.Lock()
+	defer r.l.Unlock()
+	if s.Credentials.TOTP.AccountName {
+		r.AccountName = fmt.Sprintf("%s", value)
+	}
+	return nil
+}
+
+func (r *SchemaExtension) Finish() error {
+	return nil
+}

selfservice/strategy/totp/settings.go

@@ -249,8 +249,11 @@ func (s *Strategy) PopulateSettingsMethod(r *http.Request, id *identity.Identity
 	if hasTOTP {
 		f.UI.Nodes.Upsert(NewUnlinkTOTPNode())
 	} else {
+		e := NewSchemaExtension(id.ID.String())
+		_ = s.d.IdentityValidator().ValidateWithRunner(r.Context(), id, e)
+
 		// No TOTP set up yet, add nodes allowing us to add it.
-		key, err := NewKey(r.Context(), id.ID.String(), s.d)
+		key, err := NewKey(r.Context(), e.AccountName, s.d)
 		if err != nil {
 			return err
 		}

selfservice/strategy/totp/settings_test.go

@@ -59,7 +59,7 @@ func TestCompleteSettings(t *testing.T) {
 
 	conf.MustSet(config.ViperKeySelfServiceSettingsPrivilegedAuthenticationAfter, "1m")
 
-	conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://./stub/login.schema.json")
+	conf.MustSet(config.ViperKeyDefaultIdentitySchemaURL, "file://./stub/settings.schema.json")
 	conf.MustSet(config.ViperKeySecretsDefault, []string{"not-a-secure-session-key"})
 
 	t.Run("case=device unlinking is available when identity has totp", func(t *testing.T) {
@@ -297,13 +297,14 @@ func TestCompleteSettings(t *testing.T) {
 
 	t.Run("type=set up TOTP device", func(t *testing.T) {
 		checkIdentity := func(t *testing.T, id *identity.Identity, key string) {
-			_, cred, err := reg.PrivilegedIdentityPool().FindByCredentialsIdentifier(context.Background(), identity.CredentialsTypeTOTP, id.ID.String())
+			i, cred, err := reg.PrivilegedIdentityPool().FindByCredentialsIdentifier(context.Background(), identity.CredentialsTypeTOTP, id.ID.String())
 			require.NoError(t, err)
 			var c totp.CredentialsConfig
 			require.NoError(t, json.Unmarshal(cred.Config, &c))
 			actual, err := otp.NewKeyFromURL(c.TOTPURL)
 			require.NoError(t, err)
 			assert.Equal(t, key, actual.Secret())
+			assert.Contains(t, c.TOTPURL, gjson.GetBytes(i.Traits, "subject").String())
 		}
 
 		run := func(t *testing.T, isAPI, isSPA bool, id *identity.Identity, hc *http.Client, f *kratos.SelfServiceSettingsFlow) {

selfservice/strategy/totp/stub/settings.schema.json

@@ -0,0 +1,23 @@
+{
+  "$id": "https://example.com/person.schema.json",
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "subject": {
+          "type": "string",
+          "ory.sh/kratos": {
+            "credentials": {
+              "totp": {
+                "account_name": true
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}