pondersource / nextcloud-mfa-awareness

Make Nextcloud aware of whether the current user is logged in with Multi-Factor Authentication
MIT License

Trigger local MFA when coming through GSS #91

Closed michielbdejong closed 10 months ago

michielbdejong commented 11 months ago

I want to test https://github.com/pondersource/nextcloud-mfa-awareness/issues/72 myself with our new setup from https://github.com/pondersource/dev-stock/issues/50#issuecomment-1789180642

michielbdejong commented 11 months ago

Testing this now, trying to set up a local MFA method for usr2 on sunet-nc2.

michielbdejong commented 11 months ago

I set up TOTP for usr2 and then logged in in a private browsing tab, but TOTP was not triggered after landing from GSS. Investigating.

michielbdejong commented 11 months ago

will add some logging statements into https://github.com/pondersource/mfazones/blob/8a2edc40201e4f6759bc66c518f591ff56f34f4a/lib/AppInfo/Application.php#L59

michielbdejong commented 11 months ago

I can see error_log statements getting logged:

docker logs -f sunet-nc2 | grep php:notice

michielbdejong commented 11 months ago

I'm getting an error on https://github.com/pondersource/mfazones/blob/21ed0179b4ba05e65096ffa251f130311fee8a3a/lib/AppInfo/Application.php#L51 - no instance of the class TwoFactorManager is found in the server container apparently.
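An added example of resolving the two-factor manager from Nextcloud's server container in an app bootstrap. It is written here for illustration and is not code from mfazones or nextcloud-mfa-awareness. It assumes Nextcloud's container resolves services by fully-qualified class name, that the app id is `mfazones`, and that the manager class is `OC\Authentication\TwoFactorAuth\Manager` (the same import the diff further down this page uses); a lookup by a bare name such as `TwoFactorManager` is assumed not to resolve because no service is registered under that key.

```php
<?php
declare(strict_types=1);

namespace OCA\MfaZones\AppInfo;

// Hypothetical bootstrap for a Nextcloud app, added as an illustration; it is
// not code from mfazones or nextcloud-mfa-awareness. Assumptions: the app id is
// 'mfazones' and the server container resolves services by their
// fully-qualified class name (there is no service called "TwoFactorManager").
use OC\Authentication\TwoFactorAuth\Manager as TwoFactorManager; // private OC\ class, not public OCP\ API
use OCP\AppFramework\App;
use OCP\AppFramework\Bootstrap\IBootContext;
use OCP\AppFramework\Bootstrap\IBootstrap;
use OCP\AppFramework\Bootstrap\IRegistrationContext;
use OCP\IUserSession;
use Psr\Log\LoggerInterface;

class Application extends App implements IBootstrap {
    public const APP_ID = 'mfazones';

    public function __construct() {
        parent::__construct(self::APP_ID);
    }

    public function register(IRegistrationContext $context): void {
        // Nothing to register here: the two-factor manager and the user session
        // are services the server container already provides.
    }

    public function boot(IBootContext $context): void {
        $server = $context->getServerContainer();

        // Resolve by class name. Asking the container for a short name such as
        // "TwoFactorManager" fails with "could not resolve" because no service
        // is registered under that key (assumption stated in the lead-in).
        /** @var TwoFactorManager $twoFactorManager */
        $twoFactorManager = $server->get(TwoFactorManager::class);
        /** @var IUserSession $userSession */
        $userSession = $server->get(IUserSession::class);
        /** @var LoggerInterface $logger */
        $logger = $server->get(LoggerInterface::class);

        $user = $userSession->getUser();
        if ($user === null) {
            return; // unauthenticated request (login page, public share, cron)
        }

        // Two distinct questions: does the user have an enabled second factor,
        // and does this particular session still owe the second-factor step?
        // A session where the first is true but the second is false has skipped
        // the challenge, which is the symptom this issue describes after a GSS
        // landing.
        $hasSecondFactor = $twoFactorManager->isTwoFactorAuthenticated($user);
        $challengePending = $twoFactorManager->needsSecondFactor($user);

        $logger->debug('mfazones: 2FA state for {uid}: provider={provider}, pending={pending}', [
            'uid' => $user->getUID(),
            'provider' => $hasSecondFactor ? 'yes' : 'no',
            'pending' => $challengePending ? 'yes' : 'no',
        ]);
    }
}
```

With the app enabled, the debug line shows up in the server log for every authenticated request; a user who has TOTP enrolled but lands from GSS with `pending=no` is the case this issue is chasing.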

michielbdejong commented 11 months ago

58 mentioned this snippet:

--- lib/Controller/SlaveController.php.bak      2023-05-15 12:09:59.781413663 +0200
+++ lib/Controller/SlaveController.php  2023-05-15 12:21:22.377966117 +0200
@@ -26,6 +26,7 @@
 use Firebase\JWT\ExpiredException;
 use Firebase\JWT\JWT;
 use OC\Authentication\Token\IToken;
+use OC\Authentication\TwoFactorAuth\Manager;
 use OCA\GlobalSiteSelector\GlobalSiteSelector;
 use OCA\GlobalSiteSelector\TokenHandler;
 use OCA\GlobalSiteSelector\UserBackend;
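Review bot: `use OC\Authentication\TwoFactorAuth\Manager;` pulls in a class from the private `OC\` namespace rather than the public `OCP\` API, so this controller can break on any Nextcloud release that refactors the internal two-factor manager; if no public interface exposes the method the patch needs, add a comment saying so at the import and document the server version range the change was tested against.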
@@ -33,6 +34,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\OCSController;
+use OCP\IConfig;
 use OCP\ILogger;
 use OCP\IRequest;
 use OCP\ISession;
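Review bot: `use OCP\IConfig;` is added alongside the new `Manager` import, but nothing in the visible hunks reads `$this->config`; if the config dependency is not used by this change, drop the import, the property and the constructor parameter together rather than landing dead injection.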
@@ -63,12 +65,16 @@
        /** @var IURLGenerator */
        private $urlGenerator;

+       private IConfig $config;
+
        /** @var ICrypto */
        private $crypto;

        /** @var TokenHandler */
        private $tokenHandler;

+       private Manager $twoFactorManager;
+
        /** @var IUserManager */
        private $userManager;

@@ -100,7 +106,9 @@
                                                                IUserSession $userSession,
                                                                ISession $session,
                                                                IURLGenerator $urlGenerator,
+                                                               IConfig $config,
                                                                ICrypto $crypto,
+                                                               Manager $twoFactorManager,
                                                                TokenHandler $tokenHandler,
                                                                IUserManager $userManager,
                                                                UserBackend $userBackend
@@ -110,7 +118,9 @@
                $this->logger = $logger;
                $this->userSession = $userSession;
                $this->urlGenerator = $urlGenerator;
+               $this->config = $config;
                $this->crypto = $crypto;
+               $this->twoFactorManager = $twoFactorManager;
                $this->tokenHandler = $tokenHandler;
                $this->userManager = $userManager;
                $this->userBackend = $userBackend;
@@ -173,6 +183,10 @@
                }

                $this->userSession->createSessionToken($this->request, $uid, $uid, null, IToken::REMEMBER);
+
+               $user = $this->userManager->get($uid);
+               $this->twoFactorManager->prepareTwoFactorLogin($user, false);
+
                $home = $this->urlGenerator->getAbsoluteURL($target);
                return new RedirectResponse($home);
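Review bot: `$this->userManager->get($uid)` returns null when no user with that uid exists, and the next line passes the result straight to `prepareTwoFactorLogin($user, false)` without a check; guard it (`if ($user === null) { ... }`) before preparing the second-factor login, or move the lookup above `createSessionToken` so that no session token is minted for an unknown uid. Also, the session token is created with `IToken::REMEMBER` while `prepareTwoFactorLogin` is called with `false`; if that second argument is the remember-me flag, the two should agree. Finally, the redirect still goes to `$target` unconditionally, so the patch relies on the server's two-factor middleware intercepting the landing request; a comment stating that would help the next reader.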

michielbdejong commented 11 months ago

We should fix https://github.com/pondersource/nextcloud-mfa-awareness/blob/sunet-custom-with-gss/servers/sunet-nextcloud/init-nc2-gss-follower.sh#L9 before we can investigate this further

michielbdejong commented 10 months ago

Duplicate of #72