AC-10982::[2FA] Integrate with Duo Web SDK to support Universal Prompt-duo model related changes

Author: glo05363

TwoFactorAuth/Block/Adminhtml/System/Config/Providers.php

@@ -1,8 +1,9 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
+
 declare(strict_types=1);
 namespace Magento\TwoFactorAuth\Block\Adminhtml\System\Config;
 

TwoFactorAuth/Helper/Data.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+
+namespace Magento\TwoFactorAuth\Helper;
+
+use Magento\Framework\Data\Form\FormKey;
+
+class Data
+{
+    /**
+     * @var FormKey
+     */
+    private $formKey;
+
+    /**
+     * @param FormKey $formKey
+     */
+    public function __construct(FormKey $formKey)
+    {
+        $this->formKey = $formKey;
+    }
+
+    /**
+     * Get form key
+     *
+     * @return string
+     */
+    public function getFormKey(): string
+    {
+        return $this->formKey->getFormKey();
+    }
+}

TwoFactorAuth/Model/Provider/Engine/DuoSecurity.php

@@ -10,9 +10,9 @@
 
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Framework\DataObject;
-use Magento\Framework\Data\Form\FormKey;
 use Magento\Framework\Encryption\EncryptorInterface;
 use Magento\Framework\UrlInterface;
+use Magento\TwoFactorAuth\Helper\Data as TwoFactorAuthHelper;
 use Magento\User\Api\Data\UserInterface;
 use Magento\TwoFactorAuth\Api\EngineInterface;
 use Duo\DuoUniversal\Client;
@@ -104,15 +104,15 @@ class DuoSecurity implements EngineInterface
     private $urlBuilder;
 
     /**
-     * @var FormKey
+     * @var TwoFactorAuthHelper
      */
-    private $formKey;
+    private $helper;
 
     /**
      * @param ScopeConfigInterface $scopeConfig
      * @param EncryptorInterface $encryptor
      * @param UrlInterface $urlBuilder
-     * @param FormKey $formKey
+     * @param TwoFactorAuthHelper $helper
      * @param Client|null $client
      * @param DuoAuth|null $duoAuth
      * @throws \Duo\DuoUniversal\DuoException
@@ -121,24 +121,26 @@ public function __construct(
         ScopeConfigInterface $scopeConfig,
         EncryptorInterface $encryptor,
         UrlInterface $urlBuilder,
+        TwoFactorAuthHelper $helper,
         Client $client = null,
         DuoAuth $duoAuth = null
     ) {
         $this->scopeConfig = $scopeConfig;
         $this->encryptor = $encryptor;
         $this->urlBuilder = $urlBuilder;
+        $this->helper = $helper;
         if ($this->isDuoForcedProvider()) {
             $this->client = $client ?? new Client(
-                    $this->getClientId(),
-                    $this->getClientSecret(),
-                    $this->getApiHostname(),
-                    $this->getCallbackUrl()
-                );
+                $this->getClientId(),
+                $this->getClientSecret(),
+                $this->getApiHostname(),
+                $this->getCallbackUrl()
+            );
             $this->duoAuth = $duoAuth ?? new DuoAuth(
-                    $this->getIkey(),
-                    $this->getSkey(),
-                    $this->getApiHostname()
-                );
+                $this->getIkey(),
+                $this->getSkey(),
+                $this->getApiHostname()
+            );
         }
     }
 
@@ -227,16 +229,23 @@ public function verify(UserInterface $user, DataObject $request): bool
             return false;
         }
 
+        if ($this->helper->getFormKey() . self::AUTH_SUFFIX != $savedState) {
+            return false;
+        }
+
         try {
-            // Not saving token as this is just for verificaiton purpose
-            $decoded_token = $this->client->exchangeAuthorizationCodeFor2FAResult($duoCode, $username);
+            // Not saving token as this is for verification purpose
+            $this->client->exchangeAuthorizationCodeFor2FAResult($duoCode, $username);
         } catch (LocalizedException $e) {
             return false;
         }
         # Exchange happened successfully so render success page
         return true;
     }
 
+    /**
+     * Check if Duo is selected as forced provider
+     */
     private function isDuoForcedProvider(): bool
     {
         $providers = $this->scopeConfig->getValue('twofactorauth/general/force_providers') ?? '';

TwoFactorAuth/Test/Integration/Controller/Adminhtml/Duo/AuthTest.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
  */
 
 declare(strict_types=1);