Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: email-based authentication codes for MFA/2FA #19008

Merged
merged 88 commits into from
Dec 9, 2024
Merged

feat: email-based authentication codes for MFA/2FA #19008

merged 88 commits into from
Dec 9, 2024

Conversation

netroms
Copy link
Contributor

@netroms netroms commented Nov 1, 2024
edited
Loading

Summary

This adds 2FA login with a code sent via email as a new feature.

NOTE: This PR removes the enforced 2FA enrollment with TOTP functionality and does not address this for email 2FA either. The requirements for enforced enrollment needs to be addressed in a separate JIRA ticket. Enforced enrollment for TOTP was never used, so it's safe to remove.

TODO:

  • Add rate limiting to email 2FA sending
  • Do sending of 2FA email async so we don't block UI
  • Enforced enrollment

Automatic tests

  • TwoFactorControllerTest
  • UserServiceTest
  • AuthenticationControllerTest
  • LoginTest (E2E)

Manual tests

  • Enable 2FA email in system settings: POST api/42/systemSettings/email2FAEnabled?value=true
  • Set up a working email SMTP server in settings
  • Verify your email: POST api/account/sendEmailVerification (email with code will be sent to your verified email)
  • Enroll in email 2FA: POST api/2fa/enrollEmail2FA
  • Enable email 2FA with code sent to your email: POST api/2fa/enable with {code:CODE_SENT_TO_EMAIL}
  • Try to login, code should be sent to email
  • Now login should show 2FA code input, enter the code and submit
  • Observe you are logged in

Jira:

DHIS2-13334

@netroms
feat: email-based authentication codes for MFA/2FA
117d117 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
488b24c 
# Conflicts:
#	dhis-2/dhis-api/src/main/java/org/hisp/dhis/setting/SystemSettings.java
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
7a1304d
@netroms
feat: email-based authentication codes for MFA/2FA
e3e923a 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
12f2bb8 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
d1331ef 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
cdc4234 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
e12819d
netroms added 10 commits November 4, 2024 18:11
@netroms
feat: email-based authentication codes for MFA/2FA
8512ce0 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
7ba0daf 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
48b510b 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
65c3541
@netroms
feat: email-based authentication codes for MFA/2FA
661bcab 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
2c482f6
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
86b3d33
@netroms
feat: email-based authentication codes for MFA/2FA
0f6e7e5 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
924ca40
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
809abd2 
# Conflicts:
#	dhis-2/dhis-api/src/main/java/org/hisp/dhis/setting/SystemSettings.java
#	dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/SystemUser.java
#	dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserDetails.java
#	dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserDetailsImpl.java
#	dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/oidc/DhisOidcUser.java
#	dhis-2/dhis-services/dhis-service-setting/src/test/java/org/hisp/dhis/setting/SystemSettingsTest.java
netroms added 10 commits November 18, 2024 16:49
@netroms
feat: email-based authentication codes for MFA/2FA
72e26bb 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
f2b1acd
@netroms
feat: email-based authentication codes for MFA/2FA
9ba3e45 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
7452165
@netroms
feat: email-based authentication codes for MFA/2FA
547a270 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
2b55d4b 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
Merge branch 'master' of github.com:dhis2/dhis2-core into DHIS2-13334_2
772cef3
@netroms
feat: email-based authentication codes for MFA/2FA
0ec1698 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
f0cef75 
Signed-off-by: Morrten Svanaes <[email protected]>
@netroms
feat: email-based authentication codes for MFA/2FA
3e9267e 
Signed-off-by: Morrten Svanaes <[email protected]>
david-mackessy
david-mackessy approved these changes Dec 5, 2024
View reviewed changes
Copy link
Contributor

@david-mackessy david-mackessy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some small comments left, good job 👍

jbee
jbee requested changes Dec 5, 2024
View reviewed changes
Copy link
Contributor

@jbee jbee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw you moved more (internal) APIs from using a user's UID to the username which I think is a good thing. As we discussed it seems to me that the username is our identifier when it comes to questions of authentication. 👍

The are a handful or so details to correct and some suggestions about the REST API endpoints.

dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/CodeGenerator.java Outdated Show resolved Hide resolved
dhis-2/dhis-api/src/main/java/org/hisp/dhis/common/CodeGenerator.java Show resolved Hide resolved
dhis-2/dhis-api/src/main/java/org/hisp/dhis/security/twofa/TwoFactorType.java Outdated Show resolved Hide resolved
...vices/dhis-service-core/src/main/java/org/hisp/dhis/security/twofa/TwoFactorAuthService.java Show resolved Hide resolved
...vices/dhis-service-core/src/main/java/org/hisp/dhis/security/twofa/TwoFactorAuthService.java Outdated Show resolved Hide resolved
...2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/security/SessionController.java Outdated Show resolved Hide resolved
...2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/security/SessionController.java Show resolved Hide resolved
...dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/security/TwoFactorController.java Show resolved Hide resolved
dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java Outdated Show resolved Hide resolved
dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/servlet/DhisWebApiWebAppInitializer.java Show resolved Hide resolved
jbee
jbee reviewed Dec 9, 2024
View reviewed changes
Copy link
Contributor

@jbee jbee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There a some comments left

  • on visibility and TX-annotations in services
  • on which HTTP method and response code to use for the new endpoints (session controller)

...vices/dhis-service-core/src/main/java/org/hisp/dhis/security/twofa/TwoFactorAuthService.java Outdated Show resolved Hide resolved
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Dec 9, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
8 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@netroms netroms merged commit 80e3d05 into master Dec 9, 2024
16 checks passed
@netroms netroms deleted the DHIS2-13334_2 branch December 9, 2024 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@david-mackessy david-mackessy david-mackessy approved these changes

@larshelge larshelge larshelge left review comments

@vietnguyen vietnguyen vietnguyen approved these changes

@jbee jbee jbee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@netroms @jbee @vietnguyen @larshelge @david-mackessy