Refactor GoogleAuthenticatorChallenge to allow for setting code along with challenge. #1244
Conversation
|
This enables creating a challenge including the code at the same time for GoogleAuthenticator: NOTE: I will add the above to the javadocs before deploying. Just wanted to get it built on CI first. |
| setProperty(CODE, code); | ||
| return this; | ||
| } | ||
| } |
There was a problem hiding this comment.
Why did we remove the setCode() method and made the property public instead?
There was a problem hiding this comment.
Before this PR, that method was only used in one place in the validate method, and in two places in tests which should not have had access to that protected method anyway. So there was no need for it.
The property, on the other hand, is used both in the validate method and now also when creating a Google Authenticator challenge and providing the code at the same time (which is not allowed in the SMS case).
| @Override | ||
| public void setCode(String code) { | ||
| setProperty(CODE, code); | ||
| } |
There was a problem hiding this comment.
This method could have stayed in the Abstract Class, no? SmsChallenge also needs to be able to set the code.
Looking at the following snippet in IAM for SmsChallenge
JsonPath challengeResponse = postRestCall(challenge.href + "?expand=factor", [code: code])
There was a problem hiding this comment.
See above. There is no reason for a code to be set on an SMS challenge outside of the validate method.
There was a problem hiding this comment.
But doesn't the snippet above post to the sms challenge with a code in the body? That means it is supported on the API.
There was a problem hiding this comment.
@mrafiei - Previously, the interface didn't support calling setCode for either SMS or GA as it was not public. Based on the way that GA works, it makes sense to set the code at the same time you create the challenge. It doesn't make the same sense for SMS, which is why we moved it into the more specific GA side of things.
What I am saying is that with GA, you can algorithmically know the code, which is how the TOTP app gives it to you, so it makes sense to be able to create the challenge and submit the code all in one shot.
With SMS, you can't know the code (from an end-user perspective) until you've received the text. I will dig into the spec in Jira/Confluence some more, but am I missing something here?
There was a problem hiding this comment.
@mrafiei POSTing to a challenge href with a code is indeed supported by the REST API, and that is what is mirrored by the validate method on AbstractChallenge.
There was a problem hiding this comment.
@dogeared Its correct what you stated above, my only thing is since it is supported on the REST API we should also support it for Sms challenges on SDK side to be consistent.
| @@ -0,0 +1,5 @@ | |||
| package com.stormpath.sdk.challenge.google; | |||
|
|
||
| import com.stormpath.sdk.challenge.CreateChallengeRequest; | ||
|
|
||
| public interface GoogleAuthenticatorCreateChallengeRequest extends CreateChallengeRequest {} |
There was a problem hiding this comment.
Missing Javadoc. In particular both a short description and the version are important since it is an interface in the api module
| @@ -0,0 +1,8 @@ | |||
| package com.stormpath.sdk.challenge.google; | |||
|
|
||
| import com.stormpath.sdk.challenge.CreateChallengeRequestBuilder; | ||
|
|
||
| public interface GoogleAuthenticatorCreateChallengeRequestBuilder extends CreateChallengeRequestBuilder<GoogleAuthenticatorChallenge> { |
There was a problem hiding this comment.
Missing Javadoc in the class and in the method. Both a short description and the version are important since it is an interface in the api module
| @@ -0,0 +1,13 @@ | |||
| package com.stormpath.sdk.impl.challenge.google; | |||
| @@ -0,0 +1,24 @@ | |||
| package com.stormpath.sdk.impl.challenge.google; | |||
|
@dogeared now that I see that a developer would do: I does not look good to me. You are creating a challenge and then creating another one passing that challenge. I think the proper sentence should be like this: See that the operation |
|
@mrioan - I agree. However, this pattern is all throughout MFA code and will require some more refactoring to have the change be more systemic. I will endeavor to update the code you pointed out as the model for other changes and I'll put in issues for those other changes in upcoming releases. |
| * | ||
| * @since 1.4.0 | ||
| */ | ||
| public interface GoogleAuthenticatorCreateChallengeRequestBuilder extends CreateChallengeRequestBuilder<GoogleAuthenticatorChallenge> { |
There was a problem hiding this comment.
is this class still needed?
There was a problem hiding this comment.
@mrioan - I think so. There are two supported ways to validate a challenge on the backend - by hitting the .../factors... collection endpoint and by hitting a specific challenge endpoint, so I think we need to support that in the SDK as well.
There was a problem hiding this comment.
but, maybe not - looking
| * challenge and validate it all in one call. | ||
| * @return the {@link GoogleAuthenticatorChallenge} | ||
| */ | ||
| GoogleAuthenticatorChallenge createChallenge(String code); |
Resolves #1243