Various improvements

- Show notice when onboarding missing - Ensure admin has 2FA enabled on conflicting change - Report Notakey availability states for user
notakey · Jun 3, 2022 · 1b4b8cc · 1b4b8cc
1 parent 7f7edcc
commit 1b4b8cc
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 7 deletions.
diff --git a/class-two-factor-notakey.php b/class-two-factor-notakey.php
@@ -33,9 +33,50 @@ protected function __construct()
         add_action('two_factor_user_options_' . __CLASS__, array($this, 'user_options'));
         add_action('personal_options_update', array($this, 'user_options_update'));
         add_action('edit_user_profile_update', array($this, 'user_options_update'));
+        add_action('admin_notices', array($this, 'admin_notices'));
         return parent::__construct();
     }
 
+    /**
+     * Displays an admin notice when backup user not onboarded.
+     *
+     * @since 0.1-dev
+     */
+    public function admin_notices()
+    {
+        $user = wp_get_current_user();
+
+        // Return if the provider is not enabled.
+        if (!in_array(__CLASS__, Two_Factor_Core::get_enabled_providers_for_user($user->ID), true)) {
+            return;
+        }
+
+        // Return if if user is already provisioned
+        if ($this->is_available_for_user($user)) {
+            return;
+        }
+
+?>
+        <div class="error">
+            <p>
+                <span>
+                    <?php
+                    echo wp_kses(
+                        sprintf(
+                            /* translators: %s: URL for code regeneration */
+                            __('Two-Factor: Notakey Authenticator mobile device has not been registered. Register device <a href="%s">here</a>!', Ntk_Two_Factor_Core::td()),
+                            esc_url(get_edit_user_link($user->ID) . '')
+                        ),
+                        array('a' => array('href' => true))
+                    );
+                    ?>
+                    <span>
+            </p>
+        </div>
+    <?php
+    }
+
+
     /**
      * Ensures only one instance of this class exists in memory at any one time.
      *
@@ -179,7 +220,7 @@ public function authentication_page($user)
         wp_enqueue_script('ntk-script', plugins_url('ntk.js', __FILE__), ['wp-util', 'jquery']);
 
         require_once ABSPATH . '/wp-admin/includes/template.php';
-?>
+    ?>
         <p><strong><?php esc_html_e('Notakey Authentication', Ntk_Two_Factor_Core::td()); ?></strong></p>
         <input type="hidden" name="wp-auth-ntk-uuid" id="wp-auth-ntk-uuid" value="<?php echo esc_attr($uuid); ?>">
         <div id="ntk_auth_wait">
@@ -296,6 +337,13 @@ public function validate_authentication($user)
      */
     public function is_available_for_user($user)
     {
+        $ob_status = $this->get_umeta($user->ID, self::KEY_ONBOARDING_STATUS, self::ONBOARDING_STATUS_NONE);
+
+        if ($ob_status != self::ONBOARDING_STATUS_NONE) {
+            return true;
+        }
+
+        // In case we don't have local state for this user
         return $this->ntkas()->user_exists($this->get_ntk_username($user));
     }
 
@@ -487,7 +535,8 @@ private function onboarding_status(WP_User $user)
 
         if ($this->ntkas()->user_exists($this->get_ntk_username($user))) {
             if ($this->ntkas()->can_be_onboarded($this->get_ntk_username($user))) {
-                $ob_status = get_user_meta($user->ID, self::KEY_ONBOARDING_STATUS, true);
+                // User has free device seats available
+                $ob_status = $this->get_umeta($user->ID, self::KEY_ONBOARDING_STATUS, self::ONBOARDING_STATUS_STARTED);
             } else {
                 $ob_status = self::ONBOARDING_STATUS_DONE;
             }
@@ -514,7 +563,7 @@ private function get_umeta($user_id, $key, $default)
     {
         $v = get_user_meta($user_id, $key, true);
 
-        if ($v == false) {
+        if ($v === false) {
             $v = $default;
         }
 

diff --git a/nas-api.php b/nas-api.php
@@ -180,7 +180,7 @@ public function service()
 
     public function user_exists($username)
     {
-        return $this->get_user($username);
+        return $this->get_user($username) !== false;
     }
 
     public function get_user($username)
@@ -211,7 +211,7 @@ public function create_user($userdata)
 
     public function delete_user($username)
     {
-        $u = $this->user_exists($username);
+        $u = $this->get_user($username);
         if ($u) {
             return $this->delete_user_by_keyname($u->keyname);
         }
@@ -232,7 +232,7 @@ public function update_user_by_keyname($user_keyname, $userdata)
 
     public function sync_user($username, $userdata)
     {
-        $u = $this->user_exists($username);
+        $u = $this->get_user($username);
         if ($u) {
             return $this->update_user_by_keyname($u->keyname, $userdata);
         } else {

diff --git a/two-factor-notakey.php b/two-factor-notakey.php
@@ -86,7 +86,8 @@ public static function two_factor_enabled_providers_for_user_filter($enabled_pro
 
         if (self::get_config('reject_login_without_mfa', false)) {
             if (count($enabled_providers) == 0) {
-                throw new Exception("Login without 2FA not allowed.");
+                wp_die(esc_html__("Login without 2FA is not allowed. Contact your site administrator.", self::td()), 403);
+                throw new Exception("Login without 2FA is not allowed.");
             }
         }