feat: add sign in with two factor to resource owner flow (#58)

* feat: add sign in with two factor to resource owner flow

* chore: add ports, commands and tests

* chore: run format

* fix: tests and preloads

* Update apps/authenticator/test/authenticator/sign_in/commands/resource_owner_test.exs

Co-authored-by: Yashin Santos <31665100+yashin5@users.noreply.github.com>

* Update apps/authenticator/test/authenticator/sign_in/commands/resource_owner_test.exs

Co-authored-by: Yashin Santos <31665100+yashin5@users.noreply.github.com>

* Update apps/authenticator/test/authenticator/sign_in/commands/resource_owner_test.exs

Co-authored-by: Yashin Santos <31665100+yashin5@users.noreply.github.com>

* chore: minor refactors on function heads

Co-authored-by: Yashin Santos <31665100+yashin5@users.noreply.github.com>

Author: lcpojr

apps/authenticator/lib/ports/resource_manager.ex

@@ -9,10 +9,17 @@ defmodule Authenticator.Ports.ResourceManager do
   @doc "Delegates to ResourceManager.get_identity/1"
   @callback get_identity(input :: map()) :: possible_responses()
 
-  @doc "Authenticates the subject using Resource Owner Flow"
+  @doc "Delegates to ResourceManager.valid_totp?/2"
+  @callback valid_totp?(totp :: struct(), code :: String.t()) :: possible_responses()
+
+  @doc "Gets the subject identity by its username or client_id"
   @spec get_identity(input :: map()) :: possible_responses()
   def get_identity(input), do: implementation().get_identity(input)
 
+  @doc "Verifies if the given totp code matches the generated for the user"
+  @spec valid_totp?(totp :: struct(), code :: String.t()) :: boolean()
+  def valid_totp?(totp, code), do: implementation().valid_totp?(totp, code)
+
   defp implementation do
     :authenticator
     |> Application.get_env(__MODULE__)

apps/authenticator/lib/sign_in/commands/inputs/resource_owner.ex

@@ -19,10 +19,11 @@ defmodule Authenticator.SignIn.Inputs.ResourceOwner do
   @acceptable_assertion_types ~w(urn:ietf:params:oauth:client-assertion-type:jwt-bearer)
 
   @required [:username, :password, :client_id, :ip_address, :scope, :grant_type]
-  @optional [:client_secret, :client_assertion, :client_assertion_type]
+  @optional [:otp, :client_secret, :client_assertion, :client_assertion_type]
   embedded_schema do
     field :username, :string
     field :password, :string
+    field :otp, :string
     field :grant_type, :string
     field :scope, :string
     field :client_id, :string
@@ -40,6 +41,7 @@ defmodule Authenticator.SignIn.Inputs.ResourceOwner do
     |> cast(params, @required ++ @optional)
     |> validate_length(:username, min: 1)
     |> validate_length(:password, min: 1)
+    |> validate_format(:otp, ~r(\d{4,6}))
     |> validate_inclusion(:grant_type, @possible_grant_type)
     |> validate_length(:scope, min: 1)
     |> validate_length(:client_id, min: 1)

apps/authenticator/lib/sign_in/commands/resource_owner.ex

@@ -110,8 +110,8 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
     end
   end
 
-  defp run_public_authentication(user, app, input) do
-    if VerifyHash.execute(user, input.password) do
+  defp run_public_authentication(user, app, %{password: password, otp: otp} = input) do
+    if VerifyHash.execute(user, password) and valid_totp?(user, otp) do
       user
       |> generate_tokens(app, input)
       |> parse_response()
@@ -122,6 +122,10 @@ defmodule Authenticator.SignIn.Commands.ResourceOwner do
     end
   end
 
+  defp valid_totp?(%{totp: nil}, nil), do: true
+  defp valid_totp?(%{totp: nil}, code) when is_binary(code), do: false
+  defp valid_totp?(%{totp: totp}, code) when is_binary(code), do: Port.valid_totp?(totp, code)
+
   defp run_confidential_authentication(user, app, input) do
     with {:secret_matches?, true} <- {:secret_matches?, secret_matches?(app, input)},
          {:pass_matches?, true} <- {:pass_matches?, VerifyHash.execute(user, input.password)} do

apps/authenticator/test/authenticator/sign_in/commands/resource_owner_test.exs

@@ -38,7 +38,74 @@ defmodule Authenticator.SignIn.Commands.ResourceOwnerTest do
 
       expect(ResourceManagerMock, :get_identity, fn %{username: input_username} ->
         assert username == input_username
-        {:ok, %{user | password: password, scopes: scopes}}
+        {:ok, %{user | password: password, totp: nil, scopes: scopes}}
+      end)
+
+      assert {:ok,
+              %{
+                access_token: access_token,
+                refresh_token: nil,
+                expires_in: 7200,
+                token_type: typ
+              }} = Command.execute(input)
+
+      assert {:ok,
+              %{
+                "aud" => ^client_id,
+                "azp" => ^client_name,
+                "exp" => _,
+                "iat" => _,
+                "iss" => "WatcherEx",
+                "jti" => jti,
+                "nbf" => _,
+                "scope" => ^scope,
+                "identity" => "user",
+                "sub" => ^subject_id,
+                "typ" => ^typ
+              }} = AccessToken.verify_and_validate(access_token)
+
+      assert %UserAttempt{username: ^username} = Repo.one(UserAttempt)
+      assert %Session{jti: ^jti} = Repo.one(Session)
+    end
+
+    test "succeeds and generates an access_token validating totp" do
+      scopes = RF.insert_list!(:scope, 3)
+      user = RF.insert!(:user)
+      totp = RF.insert!(:totp, user: user)
+      app = RF.insert!(:client_application)
+      hash = RF.gen_hashed_password("MyPassw@rd234")
+      password = RF.insert!(:password, user: user, password_hash: hash)
+
+      username = user.username
+      subject_id = user.id
+      client_id = app.client_id
+      client_name = app.name
+      scope = scopes |> Enum.map(& &1.name) |> Enum.join(" ")
+
+      input = %{
+        username: username,
+        password: "MyPassw@rd234",
+        otp: "1234",
+        grant_type: "password",
+        ip_address: "45.232.192.12",
+        scope: scope,
+        client_id: client_id,
+        client_secret: app.secret
+      }
+
+      expect(ResourceManagerMock, :get_identity, fn %{client_id: client_id} ->
+        assert app.client_id == client_id
+        {:ok, %{app | public_key: nil, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :get_identity, fn %{username: input_username} ->
+        assert username == input_username
+        {:ok, %{user | password: password, totp: totp, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :valid_totp?, fn %{id: totp_id}, "1234" ->
+        assert totp.id == totp_id
+        true
       end)
 
       assert {:ok,
@@ -96,7 +163,72 @@ defmodule Authenticator.SignIn.Commands.ResourceOwnerTest do
 
       expect(ResourceManagerMock, :get_identity, fn %{username: input_username} ->
         assert username == input_username
-        {:ok, %{user | password: password, scopes: scopes}}
+        {:ok, %{user | password: password, totp: nil, scopes: scopes}}
+      end)
+
+      assert {:ok,
+              %{
+                access_token: access_token,
+                refresh_token: refresh_token,
+                expires_in: 7200,
+                token_type: typ
+              }} = Command.execute(input)
+
+      assert {:ok, %{"jti" => jti}} = RefreshToken.verify_and_validate(access_token)
+
+      assert {:ok,
+              %{
+                "aud" => ^client_id,
+                "ati" => ^jti,
+                "exp" => _,
+                "iat" => _,
+                "iss" => "WatcherEx",
+                "jti" => _,
+                "nbf" => _,
+                "typ" => ^typ
+              }} = RefreshToken.verify_and_validate(refresh_token)
+
+      assert %UserAttempt{username: ^username} = Repo.one(UserAttempt)
+      assert %Session{jti: ^jti} = Repo.one(Session)
+    end
+
+    test "succeeds and generates a refresh_token validating totp" do
+      scopes = RF.insert_list!(:scope, 3)
+      %{username: username} = user = RF.insert!(:user)
+      totp = RF.insert!(:totp, user: user)
+
+      %{client_id: client_id} =
+        app = RF.insert!(:client_application, grant_flows: ["resource_owner", "refresh_token"])
+
+      hash = RF.gen_hashed_password("MyPassw@rd234")
+      password = RF.insert!(:password, user: user, password_hash: hash)
+
+      scope = scopes |> Enum.map(& &1.name) |> Enum.join(" ")
+
+      input = %{
+        "username" => username,
+        "password" => "MyPassw@rd234",
+        "otp" => "1234",
+        "grant_type" => "password",
+        "ip_address" => "45.232.192.12",
+        "scope" => scope,
+        "client_id" => client_id,
+        "client_secret" => app.secret
+      }
+
+      expect(ResourceManagerMock, :get_identity, fn %{client_id: client_id} ->
+        assert app.client_id == client_id
+        {:ok, %{app | public_key: nil, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :get_identity, fn %{username: input_username} ->
+        assert username == input_username
+        {:ok, %{user | password: password, totp: totp, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :valid_totp?, fn %{id: totp_id}, "1234" ->
+        assert totp.id == totp_id
+        true
       end)
 
       assert {:ok,
@@ -418,5 +550,46 @@ defmodule Authenticator.SignIn.Commands.ResourceOwnerTest do
 
       assert {:error, :unauthenticated} == Command.execute(input)
     end
+
+    test "fails if user totp do not match credential" do
+      scopes = RF.insert_list!(:scope, 3)
+      user = RF.insert!(:user)
+      totp = RF.insert!(:totp, user: user)
+      app = RF.insert!(:client_application)
+      hash = RF.gen_hashed_password("MyPassw@rd234")
+      password = RF.insert!(:password, user: user, password_hash: hash)
+
+      username = user.username
+      client_id = app.client_id
+      scope = scopes |> Enum.map(& &1.name) |> Enum.join(" ")
+
+      input = %{
+        username: username,
+        password: "MyPassw@rd234",
+        otp: "4321",
+        grant_type: "password",
+        ip_address: "45.232.192.12",
+        scope: scope,
+        client_id: client_id,
+        client_secret: app.secret
+      }
+
+      expect(ResourceManagerMock, :get_identity, fn %{client_id: client_id} ->
+        assert app.client_id == client_id
+        {:ok, %{app | public_key: nil, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :get_identity, fn %{username: input_username} ->
+        assert username == input_username
+        {:ok, %{user | password: password, totp: totp, scopes: scopes}}
+      end)
+
+      expect(ResourceManagerMock, :valid_totp?, fn %{id: totp_id}, "4321" ->
+        assert totp.id == totp_id
+        false
+      end)
+
+      assert {:error, :unauthenticated} == Command.execute(input)
+    end
   end
 end

apps/resource_manager/lib/identities/commands/get_identity.ex

@@ -27,7 +27,7 @@ defmodule ResourceManager.Identities.Commands.GetIdentity do
     input
     |> GetUser.cast_to_list()
     |> Users.get_by()
-    |> Repo.preload([:password, :scopes])
+    |> Repo.preload([:password, :totp, :scopes])
     |> case do
       %User{} = user ->
         Logger.info("User identity #{user.id} got with success")

apps/resource_manager/lib/identities/schemas/user.ex

@@ -10,7 +10,7 @@ defmodule ResourceManager.Identities.Schemas.User do
 
   import Ecto.Changeset
 
-  alias ResourceManager.Credentials.Schemas.Password
+  alias ResourceManager.Credentials.Schemas.{Password, TOTP}
   alias ResourceManager.Permissions.Schemas.Scope
 
   @typedoc "User schema fields"
@@ -37,6 +37,7 @@ defmodule ResourceManager.Identities.Schemas.User do
     field :blocked_until, :naive_datetime
 
     has_one :password, Password
+    has_one :totp, TOTP
     many_to_many :scopes, Scope, join_through: "users_scopes"
 
     timestamps()

apps/resource_manager/lib/resource_manager.ex

@@ -4,6 +4,7 @@ defmodule ResourceManager do
   """
 
   alias ResourceManager.Credentials.Commands.PasswordIsAllowed
+  alias ResourceManager.Credentials.TOTPs
   alias ResourceManager.Identities.Commands.{CreateClientApplication, CreateUser, GetIdentity}
   alias ResourceManager.Permissions.Commands.{ConsentScope, RemoveScope}
 
@@ -24,4 +25,7 @@ defmodule ResourceManager do
 
   @doc "Delegates to #{PasswordIsAllowed}.execute/1"
   defdelegate password_allowed?(password), to: PasswordIsAllowed, as: :execute
+
+  @doc "Delegates to #{TOTP}.valid_code?/2"
+  defdelegate valid_totp?(totp, code), to: TOTPs, as: :valid_code?
 end

apps/resource_manager/test/resource_manager/identity/commands/get_identity_test.exs

@@ -19,7 +19,7 @@ defmodule ResourceManager.Identities.Commands.GetIdentityTest do
       }
 
       assert {:ok, %User{} = user} = GetIdentity.execute(input)
-      assert user == User |> Repo.one() |> Repo.preload([:password, :scopes])
+      assert user == User |> Repo.one() |> Repo.preload([:password, :scopes, :totp])
     end
 
     test "succeeds in getting client application identity if params are valid", ctx do

apps/rest_api/test/controllers/public/auth_test.exs

@@ -31,6 +31,28 @@ defmodule RestAPI.Controllers.Public.AuthTest do
                |> json_response(200)
     end
 
+    test "suceeds in Resource Owner Flow with totp if params are valid", %{conn: conn} do
+      params = %{
+        "username" => "my-username",
+        "password" => "my-password",
+        "otp" => "1234",
+        "grant_type" => "password",
+        "scope" => "admin:read admin:write",
+        "client_id" => "2e455bb1-0604-4812-9756-36f7ab23b8d9",
+        "client_secret" => "w3MehAvgztbMYpnhneVLQhkoZbxAXBGUCFe"
+      }
+
+      expect(AuthenticatorMock, :sign_in_resource_owner, fn _input ->
+        {:ok, success_payload()}
+      end)
+
+      assert %{"access_token" => _, "refresh_token" => _, "token_type" => _, "expires_in" => _} =
+               conn
+               |> put_req_header("content-type", @content_type)
+               |> post(@token_endpoint, params)
+               |> json_response(200)
+    end
+
     test "suceeds in Refresh Token Flow if params are valid", %{conn: conn} do
       params = %{
         "refresh_token" => "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
@@ -73,18 +95,22 @@ defmodule RestAPI.Controllers.Public.AuthTest do
       end)
 
       assert %{
+               "detail" => "The given params failed in validation",
+               "error" => "bad_request",
+               "status" => 400,
                "response" => %{
                  "scope" => ["can't be blank"],
                  "client_id" => ["can't be blank"],
                  "client_assertion" => ["can't be blank"],
                  "client_assertion_type" => ["can't be blank"],
                  "password" => ["can't be blank"],
-                 "username" => ["can't be blank"]
+                 "username" => ["can't be blank"],
+                 "otp" => ["is invalid"]
                }
-             } =
+             } ==
                conn
                |> put_req_header("content-type", @content_type)
-               |> post(@token_endpoint, %{"grant_type" => "password"})
+               |> post(@token_endpoint, %{"grant_type" => "password", "otp" => 123})
                |> json_response(400)
     end
 
@@ -93,7 +119,12 @@ defmodule RestAPI.Controllers.Public.AuthTest do
         RefreshToken.cast_and_apply(input)
       end)
 
-      assert %{"response" => %{"refresh_token" => ["can't be blank"]}} =
+      assert %{
+               "detail" => "The given params failed in validation",
+               "error" => "bad_request",
+               "status" => 400,
+               "response" => %{"refresh_token" => ["can't be blank"]}
+             } ==
                conn
                |> put_req_header("content-type", @content_type)
                |> post(@token_endpoint, %{"grant_type" => "refresh_token"})
@@ -106,13 +137,16 @@ defmodule RestAPI.Controllers.Public.AuthTest do
       end)
 
       assert %{
+               "detail" => "The given params failed in validation",
+               "error" => "bad_request",
+               "status" => 400,
                "response" => %{
                  "scope" => ["can't be blank"],
                  "client_id" => ["can't be blank"],
                  "client_assertion" => ["can't be blank"],
                  "client_assertion_type" => ["can't be blank"]
                }
-             } =
+             } ==
                conn
                |> put_req_header("content-type", @content_type)
                |> post(@token_endpoint, %{"grant_type" => "client_credentials"})