✨ Add Support for OTP in KeyCloak API

.env.test

@@ -1,10 +1,12 @@
 DATABASE_DRIVER=pdo_sqlite
 DATABASE_URL=sqlite:///%kernel.project_dir%/var/db_test.sqlite
+APP_DOMAIN=example.org
 APP_ENV=test
 APP_SECRET=165e25e3846534bb4665d7078a851c0b
 APP_NAME="Userli"
 APP_URL="https://users.example.org"
 PROJECT_NAME="example.org"
+PROJECT_LOGO_URL="https://www.example.org/logo.png"
 PROJECT_URL="https://www.example.org"
 SENDER_ADDRESS="admin@example.org"
 NOTIFICATION_ADDRESS="monitoring@example.org"

src/Controller/KeycloakController.php

@@ -7,6 +7,7 @@
 use App\Entity\User;
 use App\Handler\UserAuthenticationHandler;
 use Doctrine\ORM\EntityManagerInterface;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticator;
 use Symfony\Bridge\Doctrine\Attribute\MapEntity;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Response;
@@ -16,15 +17,21 @@
 
 class KeycloakController extends AbstractController
 {
-    public function __construct(private readonly EntityManagerInterface $manager, private readonly UserAuthenticationHandler $handler)
-    {}
+    const MESSAGE_SUCCESS = 'success';
+    const MESSAGE_AUTHENTICATION_FAILED = 'authentication failed';
+    const MESSAGE_USER_NOT_FOUND = 'user not found';
+    const MESSAGE_NOT_SUPPORTED = 'not supported';
+
+    public function __construct(private readonly EntityManagerInterface $manager, private readonly UserAuthenticationHandler $handler, private readonly TotpAuthenticator $totpAuthenticator)
+    {
+    }
 
     #[Route(path: '/api/keycloak/{domainUrl}', name: 'api_keycloak_index', methods: ['GET'], stateless: true)]
     public function getUsersSearch(
         #[MapEntity(mapping: ['domainUrl' => 'name'])] Domain $domain,
-        #[MapQueryParameter] string $search = '',
-        #[MapQueryParameter] int $max = 10,
-        #[MapQueryParameter] int $first = 0,
+        #[MapQueryParameter] string                           $search = '',
+        #[MapQueryParameter] int                              $max = 10,
+        #[MapQueryParameter] int                              $first = 0,
     ): Response
     {
         $users = $this->manager->getRepository(User::class)->findUsersByString($domain, $search, $max, $first)->map(function (User $user) {
@@ -45,7 +52,7 @@ public function getUsersCount(#[MapEntity(mapping: ['domainUrl' => 'name'])] Dom
     #[Route(path: '/api/keycloak/{domainUrl}/user/{email}', name: 'api_keycloak_user', methods: ['GET'], stateless: true)]
     public function getOneUser(
         #[MapEntity(mapping: ['domainUrl' => 'name'])] Domain $domain,
-        string $email,
+        string                                                $email,
     ): Response
     {
         if (!str_contains($email, '@')) {
@@ -67,24 +74,75 @@ public function getOneUser(
     #[Route(path: '/api/keycloak/{domainUrl}/validate/{email}', name: 'api_keycloak_user_validate', methods: ['POST'], stateless: true)]
     public function postUserValidate(
         #[MapEntity(mapping: ['domainUrl' => 'name'])] Domain $domain,
-        #[MapRequestPayload] KeycloakUserValidateDto $requestData,
-        string $email,
+        #[MapRequestPayload] KeycloakUserValidateDto          $requestData,
+        string                                                $email,
     ): Response
     {
         if (null === $user = $this->manager->getRepository(User::class)->findByDomainAndEmail($domain, $email)) {
             return $this->json([
-                'message' => 'authentication failed',
+                'message' => self::MESSAGE_AUTHENTICATION_FAILED,
             ], Response::HTTP_FORBIDDEN);
         }
 
+        return match ($requestData->getCredentialType()) {
+            'password' => $this->handlePasswordValidate($user, $requestData),
+            'otp' => $this->handleTotpValidate($user, $requestData),
+            default => $this->json([
+                'message' => self::MESSAGE_NOT_SUPPORTED,
+            ], Response::HTTP_BAD_REQUEST),
+        };
+    }
+
+    #[Route(path: '/api/keycloak/{domainUrl}/configured/{credentialType}/{email}', name: 'api_keycloak_user_configured', methods: ['GET'], stateless: true)]
+    public function getIsConfiguredFor(#[MapEntity(mapping: ['domainUrl' => 'name'])] Domain $domain, string $credentialType, string $email): Response
+    {
+        if (null === $user = $this->manager->getRepository(User::class)->findByDomainAndEmail($domain, $email)) {
+            return $this->json([
+                'message' => self::MESSAGE_USER_NOT_FOUND,
+            ], Response::HTTP_NOT_FOUND);
+        }
+
+        return match ($credentialType) {
+            'password' => $this->json(['message' => self::MESSAGE_SUCCESS]),
+            'otp' => $this->handleTotpConfigured($user),
+            default => $this->json(['message' => self::MESSAGE_NOT_SUPPORTED], Response::HTTP_NOT_FOUND),
+        };
+    }
+
+    private function handlePasswordValidate(User $user, KeycloakUserValidateDto $requestData): Response
+    {
         if ($this->handler->authenticate($user, $requestData->getPassword()) === null) {
             return $this->json([
-                'message' => 'authentication failed',
+                'message' => self::MESSAGE_AUTHENTICATION_FAILED,
+            ], Response::HTTP_FORBIDDEN);
+        }
+
+        return $this->json([
+            'message' => self::MESSAGE_SUCCESS,
+        ]);
+    }
+
+    private function handleTotpValidate(User $user, KeycloakUserValidateDto $requestData): Response
+    {
+        if (!$user->isTotpAuthenticationEnabled()) {
+            return $this->json([
+                'message' => self::MESSAGE_NOT_SUPPORTED,
+            ], Response::HTTP_FORBIDDEN);
+        }
+
+        if (!$this->totpAuthenticator->checkCode($user, $requestData->getPassword())) {
+            return $this->json([
+                'message' => self::MESSAGE_AUTHENTICATION_FAILED,
             ], Response::HTTP_FORBIDDEN);
         }
 
         return $this->json([
-            'message' => 'success',
+            'message' => self::MESSAGE_SUCCESS,
         ]);
     }
+
+    private function handleTotpConfigured(User $user): Response
+    {
+        return $user->isTotpAuthenticationEnabled() ? $this->json(['message' => self::MESSAGE_SUCCESS]) : $this->json(['message' => self::MESSAGE_USER_NOT_FOUND], Response::HTTP_NOT_FOUND);
+    }
 }

src/DataFixtures/AbstractUserData.php

@@ -6,14 +6,15 @@
 use App\Entity\User;
 use App\Helper\PasswordUpdater;
 use Doctrine\Bundle\FixturesBundle\Fixture;
+use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Totp\TotpAuthenticator;
 
 abstract class AbstractUserData extends Fixture
 {
     private const PASSWORD = 'password';
 
     protected string $passwordHash;
 
-    public function __construct(readonly PasswordUpdater $passwordUpdater)
+    public function __construct(readonly PasswordUpdater $passwordUpdater, readonly TotpAuthenticator $totpAuthenticator)
     {
         $user = new User();
         $passwordUpdater->updatePassword($user, self::PASSWORD);

src/DataFixtures/LoadUserData.php

@@ -12,12 +12,13 @@
 class LoadUserData extends AbstractUserData implements DependentFixtureInterface, FixtureGroupInterface
 {
     private array $users = [
-        ['email' => 'admin@example.org', 'roles' => [Roles::ADMIN]],
-        ['email' => 'user@example.org', 'roles' => [Roles::USER]],
-        ['email' => 'spam@example.org', 'roles' => [Roles::SPAM]],
-        ['email' => 'support@example.org', 'roles' => [Roles::MULTIPLIER]],
-        ['email' => 'suspicious@example.org', 'roles' => [Roles::SUSPICIOUS]],
-        ['email' => 'domain@example.com', 'roles' => [Roles::DOMAIN_ADMIN]],
+        ['email' => 'admin@example.org', 'roles' => [Roles::ADMIN], 'totp' => false],
+        ['email' => 'user@example.org', 'roles' => [Roles::USER], 'totp' => false],
+        ['email' => 'totp@example.org', 'roles' => [Roles::USER], 'totp' => true],
+        ['email' => 'spam@example.org', 'roles' => [Roles::SPAM], 'totp' => false],
+        ['email' => 'support@example.org', 'roles' => [Roles::MULTIPLIER], 'totp' => false],
+        ['email' => 'suspicious@example.org', 'roles' => [Roles::SUSPICIOUS], 'totp' => false],
+        ['email' => 'domain@example.com', 'roles' => [Roles::DOMAIN_ADMIN], 'totp' => false],
     ];
 
     /**
@@ -33,7 +34,12 @@ public function load(ObjectManager $manager): void
             $roles = $user['roles'];
             $domain = $manager->getRepository(Domain::class)->findOneBy(['name' => $splitted[1]]);
 
+            $totpEnabled = $user['totp'];
             $user = $this->buildUser($domain, $email, $roles);
+            if ($totpEnabled) {
+                $user->setTotpSecret($this->totpAuthenticator->generateSecret());
+                $user->setTotpConfirmed(true);
+            }
 
             $manager->persist($user);
         }

src/Dto/KeycloakUserValidateDto.php

@@ -8,11 +8,24 @@ class KeycloakUserValidateDto {
     #[Assert\NotBlank]
     private string $password = '';
 
+    #[Assert\NotBlank]
+    private string $credentialType = 'password';
+
     public function getPassword(): string {
         return $this->password;
     }
 
     public function setPassword(string $password): void {
         $this->password = $password;
     }
+
+    public function getCredentialType(): string
+    {
+        return $this->credentialType;
+    }
+
+    public function setCredentialType(string $credentialType): void
+    {
+        $this->credentialType = $credentialType;
+    }
 }

tests/Controller/KeycloakControllerTest.php

@@ -2,6 +2,7 @@
 
 namespace App\Tests\Controller;
 
+use App\Entity\User;
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
 
 class KeycloakControllerTest extends WebTestCase
@@ -26,8 +27,8 @@ public function testGetUsersSearch(): void
         self::assertResponseIsSuccessful();
 
         $expected = [
-            [ 'id' => 'admin', 'email' => 'admin@example.org' ],
-            [ 'id' => 'user', 'email' => 'user@example.org']
+            ['id' => 'admin', 'email' => 'admin@example.org'],
+            ['id' => 'user', 'email' => 'user@example.org']
         ];
         $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
         self::assertEquals($expected, $data);
@@ -52,9 +53,8 @@ public function testGetUsersCount(): void
 
         self::assertResponseIsSuccessful();
 
-        $expected = 5;
         $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
-        self::assertEquals($expected, $data);
+        self::assertEquals(6, $data);
     }
 
     public function testGetOneUser(): void
@@ -66,7 +66,7 @@ public function testGetOneUser(): void
 
         self::assertResponseIsSuccessful();
 
-        $expected = [ 'id' => 'user', 'email' => 'user@example.org' ];
+        $expected = ['id' => 'user', 'email' => 'user@example.org'];
         $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
         self::assertEquals($expected, $data);
     }
@@ -81,31 +81,68 @@ public function testGetOneNonexistentUser(): void
         self::assertResponseStatusCodeSame(404);
     }
 
-    public function testPostUserValidatae(): void
+    public function testPostUserValidate(): void
     {
         $client = static::createClient([], [
             'HTTP_Authorization' => 'Bearer insecure',
         ]);
-        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['password' => 'password']);
+        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['credentialType' => 'password', 'password' => 'password']);
 
         self::assertResponseIsSuccessful();
+        $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
+        self::assertEquals(['message' => 'success'], $data);
+
+        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['password' => 'wrong']);
 
-        $expected = ['message' => 'success'];
+        self::assertResponseStatusCodeSame(403);
         $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
-        self::assertEquals($expected, $data);
+        self::assertEquals(['message' => 'authentication failed'], $data);
+
+        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['credentialType' => 'wrong', 'password' => 'password']);
+
+        self::assertResponseStatusCodeSame(400);
+        $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
+        self::assertEquals(['message' => 'not supported'], $data);
+
+        $client->request('POST', '/api/keycloak/example.org/validate/404@example.org', ['credentialType' => 'password', 'password' => 'password']);
+
+        self::assertResponseStatusCodeSame(403);
+        $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
+        self::assertEquals(['message' => 'authentication failed'], $data);
     }
 
-    public function testPostUserValidateWrongPassword(): void
+    public function testPostUserValidateOTP(): void
     {
         $client = static::createClient([], [
             'HTTP_Authorization' => 'Bearer insecure',
         ]);
-        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['password' => 'wrong']);
+        $client->request('POST', '/api/keycloak/example.org/validate/support@example.org', ['credentialType' => 'otp', 'password' => '123456']);
+        self::assertResponseStatusCodeSame(403);
 
+        $client->request('POST', '/api/keycloak/example.org/validate/totp@example.org', ['credentialType' => 'otp', 'password' => '123456']);
         self::assertResponseStatusCodeSame(403);
 
-        $expected = ['message' => 'authentication failed'];
-        $data = json_decode($client->getResponse()->getContent(), true, 512, JSON_THROW_ON_ERROR);
-        self::assertEquals($expected, $data);
+        $user = $client->getContainer()->get('doctrine.orm.entity_manager')->getRepository(User::class)->findOneBy(['email' => 'totp@example.org']);
+        $totp = $client->getContainer()->get('scheb_two_factor.security.totp_factory')->createTotpForUser($user);
+
+        $client->request('POST', '/api/keycloak/example.org/validate/totp@example.org', ['credentialType' => 'otp', 'password' => $totp->now()]);
+        self::assertResponseIsSuccessful();
+    }
+    public function testGetIsConfiguredFor(): void
+    {
+        $client = static::createClient([], [
+            'HTTP_Authorization' => 'Bearer insecure',
+        ]);
+        $client->request('GET', '/api/keycloak/example.org/configured/otp/support@example.org');
+        self::assertResponseStatusCodeSame(404);
+
+        $client->request('GET', '/api/keycloak/example.org/configured/otp/totp@example.org');
+        self::assertResponseIsSuccessful();
+
+        $client->request('GET', '/api/keycloak/example.org/configured/password/support@example.org');
+        self::assertResponseIsSuccessful();
+
+        $client->request('GET', '/api/keycloak/example.org/configured/password/404@example.org');
+        self::assertResponseStatusCodeSame(404);
     }
 }