Package eu.webtoolkit.jwt.auth.mfa

Class AbstractMfaProcess

  • Direct Known Subclasses:
    TotpProcess
    public abstract class AbstractMfaProcess
extends WObject
    The interface for a second factor authentication process.

    This class defines the interface to be used when implementing a second factor in the authentication flow. Currently, it is strongly advised (by among others OWASP) that a second factor is added to any authentication module.

    When a developer wishes to enable MFA they will need to set the AuthService#setMfaProvider(), and optionally AuthService#setMfaRequired(). This will enable JWt to display the MFA step to users logging into the system. This will be shown after a user:

    • logs in (with username/password)
    • is authenticated with a login cookie

    The MFA step can be either the setup view, which holds the initial state for the MFA method. For JWt's default, this means a QR code with the TOTP secret encoded. This then adds an Identity to the user, by which they can be authenticated against a certain provider. The secret key is also displayed, so that it can be copied into a password manager or authenticator app.

    For this to work, a developer needs to implement createSetupView(). The method creates the widget that displays the view. This view tells the user how to set up the MFA step. The default TotpProcess will bind the content to a template. But developers are free to use their own way (like showing a pop-up) This will require the developer to override the AuthWidget.createMfaView().

    After this setup, the process can be repeated but a simpler view is often desired here, one that no longer hold any configuration state, but simply asks for a token of authentication. This is where createInputView() comes into play. This functions the exact same way as the above setup view counterpart, but shows less information. Again, for JWt's default implementation, using TOTP, this means a 6 (depending on configuration, see: AuthService#setMfaCodeLength()) digit code, that is generated from their secret key will be asked of the user. The initial (QR) code that serves as the way to generate the TOTP keys, will no longer be displayed.

    A successful match of the second factor will then result in an actual login (Login#login()) (see the note).

    To use your own widget in the normal authentication flow, one also needs to override AuthWidget.createMfaProcess(), so that it will create the correct widget. By default this will create the TotpProcess.

    Note: The Login.changed() signal will be fired both when the user logs in with username/password, and when the MFA step is completed successfully. If your application listens to this signal to determine some state or logic, you should check whether the login has taken place fully (based on the LoginState (Login.getState())). For convenience it's a good idea to make your custom widget fire a signal when it tries to authenticate

    See Also:
    AuthenticationResult

    • Field Detail

      • throttlingDelay_

        protected int throttlingDelay_

    • Method Detail

      • processEnvironment

        public void processEnvironment()
        Processes the (initial) environment.

        This can be called to tell the widget to look through the environment for the relevant cookies. It will handle the side-effect of finding such a cookie, and it still being valid. The user will be logged in, in a weak state (LoginState.Weak), and the authenticated() signal will be fired, with an AuthenticationStatus.Success.

      • createSetupView

        public abstract WWidget createSetupView()
        Creates the view that displays the MFA configuration step.

        This is the view that is shown to a user if they do not have MFA enabled yet. This will often show more information to them, telling them how the feature is to be used and activated.

        The state of whether a user has MFA enabled or not can be decided in two ways:

      • createInputView

        public abstract WWidget createInputView()
        Creates the view that displays the MFA input step.

        The user already has an identity attached to their record. This step now needs valid input from them to continue.

        See Also:
        createSetupView()

      • setMfaThrottle

        public void setMfaThrottle​(AuthThrottle authThrottle)
        Sets the instance that manages throttling.

        Throtteling is an additional safety measure. It ensures that the MFA process cannot be brute-forced.

        Setting the throttler, will allow for it to be configured (configureThrottling()), and updated (updateThrottling()) if applicable.

      • getUserIdentity

        protected WString getUserIdentity()
        Retrieves the current User's identity for the provider.

        This is simply a method that retrieves the current User's identity, given the provider the process specified (see getProvider()). This can be accessed by calling User#getIdentity() as well.

        The method will return the identity, if it exists, or an empty string if it does not. It will also log (to "warn") in the latter case.

        See Also:
        createUserIdentity(CharSequence identityValue)

      • createUserIdentity

        protected boolean createUserIdentity​(java.lang.CharSequence identityValue)
        Adds an Identity to the current User with the given value.

        The identity will be created with the specified getProvider() on the process. And the actual identity will be identityValue.

        This is again a method that offers very basic functionality, calling: User#getIdentity() and User#addIdentity(), with some logging added to it.

        Note: This will store the value in plaintext in the database. Should your chosen method of MFA want this to be stored in a more secure manner, the developer will have to do this manually (or the database itself should be encrypted).

        See Also:
        getUserIdentity()

      • getProcessMfaToken

        protected User getProcessMfaToken()
        Processes an MFA authentication token.

        If a token is present in the browser, going by the name found in AuthService.getMfaTokenCookieName(), and that is still valid (see AuthService.getMfaTokenValidity()), the User can be retrieved from that token. This identifies the user uniquely, ensuring their MFA verification step can be skipped for a certain period.

      • setRememberMeCookie

        protected void setRememberMeCookie​(User user)
        Creates an MFA authentication token.

        A token (with the correct prefix for MFA) is created and persisted in the database. A cookie is created in the user's browser. This token can later be used by getProcessMfaToken() to identify the User, allowing them to skip the MFA step.

      • configureThrottling

        protected void configureThrottling​(WInteractWidget button)
        Configures client-side throttling on the process.

        If attempt throttling is enabled, then this may also be indicated client-side using JavaScript by disabling the login button and showing a count-down indicator. This method initializes this JavaScript utility function for a login button.

        If throttling is enabled, it may be necessary for a custom implementation to manage this state itself. This is to allow developers the freedom to define their own MFA processes.

        Look at TotpProcess#verifyCode() for an example.

        See Also:
        updateThrottling(WInteractWidget button)

      • updateThrottling

        protected void updateThrottling​(WInteractWidget button)
        Updates client-side login throttling on the process.

        This should be called after a MFA authentication event takes place, if you want to reflect throttling using a client-side count-down indicator on the button.

        You need to call configureThrottling() before you can do this.

        If throttling is enabled, it may be necessary for a custom implementation to manage this state itself. This is to allow developers the freedom to define their own MFA processes.

        Look at TotpProcess#verifyCode() for an example.

      • getLogin

        protected Login getLogin()