Package eu.webtoolkit.jwt.auth.mfa

Class TotpProcess

java.lang.Object
eu.webtoolkit.jwt.WObject
eu.webtoolkit.jwt.auth.mfa.AbstractMfaProcess
eu.webtoolkit.jwt.auth.mfa.TotpProcess
public class TotpProcess extends AbstractMfaProcess
A process managing the TOTP setup and validation.

This process allows the User that is trying to log in an extra step to validate their identity. They will have to provide the TOTP code as an extra step to validate their log-in additionally.

This process' functionality is twofold. If a User does not have TOTP set-up yet, they will be shown the QR code and the secret key. They can then add this to an authenticator app or extension of their choice (createSetupView()).

If they have it enabled already, they will simply be asked to provide a TOTP code to verify their identity as a second factor (createInputView()).

This process will also look in the environment for cookies, so that the MFA step can also be remembered (processEnvironment()). If the user logs in using a device they use often, they can opt to remember the login, which creates a cookie (see AuthService#setMfaTokenCookieName(), and AuthService#setMfaTokenValidity()). If this cookie remains in the user's browser, and in the local database (in the "auth_token" table, by default), the user's TOTP step can be skipped for a certain time (see AbstractMfaProcess.getProcessMfaToken()).

If a developer wants to force all users to use this functionality, they can do so by enabling AuthService#setMfaRequired().

Whether or not this process is executed when logging in, is managed by AuthModel#hasMfaStep().

See Also:

  • Constructor Details

    • TotpProcess

      public TotpProcess(AuthService authService, AbstractUserDatabase users, Login login)
      Constructs the TotpProcess holding the TOTP "login".

      For the provided authentication service authService this will either request a TOTP code from the user as a second factor, or initiate the process to add the TOTP secret to their record, allowing for future TOTP code requests.

      Optionally, if authentication tokens are enabled (see AuthService#setAuthTokensEnabled()), this step can be temporarily bypassed, for as long as the token is valid (see AuthService.getMfaTokenValidity()).

  • Method Details

    • processEnvironment

      public void processEnvironment()
      Processes the (initial) environment.

      This can be called to tell the widget to look through the environment for the relevent cookies. It will handle the side-effect of finding such a cookie, and it still being valid. The user will be logged in, in a weak state (LoginState.Weak), and the authenticated() signal will be fired, with an AuthenticationStatus.Success.

      Overrides:
      processEnvironment in class AbstractMfaProcess

    • createSetupView

      public WWidget createSetupView()
      Creates the view to manage the TOTP code.

      This either adds a new code to the user, or expects a code to be entered based on their existing TOTP secret key.

      Specified by:
      createSetupView in class AbstractMfaProcess

    • createInputView

      public WWidget createInputView()
      Creates the view to input the TOTP code.
      Specified by:
      createInputView in class AbstractMfaProcess
      See Also:

    • authenticated

      public Signal1<AuthenticationResult> authenticated()
      Signal emitted upon an authentication event.

      This event can be a success, failure, or error.

      The additional string can provide more information on the attempt, indicating the type of error, or the reason for the failure. The status and message are both stored in an instance of the AuthenticationResult.

      This can be used to reliably check whether the user has logged in with MFA. Previously the Login.changed() signal had been fired, when the user logged in, but it could still be that the state was not LoginState.Weak or LoginState.Strong, but LoginState.RequiresMfa. This signal can be listened to, to ensure that, on success, the user will actually be logged in.

      Side-effects to the login can then be attached to this signal.