Implement Multi-Factor Authentication (MFA) feature

Author: tsviz

pom.xml

@@ -136,7 +136,24 @@
 			<artifactId>spring-data-commons</artifactId>
 		</dependency>
 
-</dependencies>
+		<!-- TOTP MFA Dependencies -->
+		<dependency>
+			<groupId>dev.samstevens.totp</groupId>
+			<artifactId>totp</artifactId>
+			<version>1.7.1</version>
+		</dependency>
+		<dependency>
+			<groupId>com.google.zxing</groupId>
+			<artifactId>core</artifactId>
+			<version>3.5.1</version>
+		</dependency>
+		<dependency>
+			<groupId>com.google.zxing</groupId>
+			<artifactId>javase</artifactId>
+			<version>3.5.1</version>
+		</dependency>
+
+	</dependencies>
 
 	<build>
 		<plugins>

src/main/java/net/codejava/AppController.java

@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.domain.Pageable;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -28,7 +29,6 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.data.domain.PageRequest; // Add this import statement
 import org.springframework.data.domain.Page; // Add this import statement
@@ -65,6 +65,9 @@ public class AppController {
 	@Autowired
 	private AuthenticationManager authenticationManager;
 
+	@Autowired
+    private UserRepository userRepository;
+	
 	// private static final Logger logger = Logger.getLogger(AppController.class.getName());
 
 	@Value("${enableSearchFeature}")
@@ -74,6 +77,18 @@ public boolean getEnableSearchFeature() {
 		return this.enableSearchFeature;
 	}
 
+	// Add MFA status to all pages that need it
+	private void addUserInfoToModel(Model model, Principal principal) {
+		if (principal != null) {
+			String username = principal.getName();
+			User user = userRepository.findByUsername(username);
+			if (user != null) {
+				model.addAttribute("mfaEnabled", user.isMfaEnabled());
+				model.addAttribute("username", username);
+			}
+		}
+	}
+	
 	private String handleSale(Sale sale, HttpSession session, RedirectAttributes redirectAttributes, Runnable action) {
 		sale.setEditing(true); // set isEditing to true
 		action.run();
@@ -89,7 +104,7 @@ private String handleSale(Sale sale, HttpSession session, RedirectAttributes red
 	}
 
 	@RequestMapping("/")
-	public String viewHomePage(Model model , Principal principal, @RequestParam(defaultValue = "0") int page, HttpSession session) {
+	public String viewHomePage(Model model, Principal principal, @RequestParam(defaultValue = "0") int page, HttpSession session) {
 		String lastSearchQuery = (String) session.getAttribute("lastSearchQuery");
 		if (lastSearchQuery != null && !lastSearchQuery.isEmpty()) {
 			session.setAttribute("lastSearchQuery", null); // set lastSearchQuery to null
@@ -103,37 +118,67 @@ public String viewHomePage(Model model , Principal principal, @RequestParam(defa
 		model.addAttribute("listSale", salePage.getContent());
 		model.addAttribute("currentPage", page);
 		model.addAttribute("totalPages", salePage.getTotalPages());
+		
+		// Add user info including MFA status
+		addUserInfoToModel(model, principal);
+		
 		return "index";
 	}
 
 	@RequestMapping("/new")
-	public ModelAndView showNewForm() {
+	public ModelAndView showNewForm(Principal principal) {
 		ModelAndView mav = new ModelAndView("new_form");
 		Sale sale = new Sale();
 		mav.addObject("sale", sale);
 		mav.addObject("currentDate", LocalDate.now());
 		mav.addObject("enableSearchFeature", enableSearchFeature);
+		
+		// Add user info including MFA status
+		if (principal != null) {
+			String username = principal.getName();
+			User user = userRepository.findByUsername(username);
+			if (user != null) {
+				mav.addObject("mfaEnabled", user.isMfaEnabled());
+				mav.addObject("username", username);
+			}
+		}
+		
 		return mav;
 	}
 
 	@RequestMapping("/edit/{serialNumber}")
-	public ModelAndView showEditForm(@PathVariable(name = "serialNumber") String serialNumber) {
+	public ModelAndView showEditForm(@PathVariable(name = "serialNumber") String serialNumber, Principal principal) {
 		ModelAndView mav = new ModelAndView("edit_form");
 		Sale sale = dao.get(serialNumber);
 		sale.setEditing(true);
 		mav.addObject("sale", sale);
 		mav.addObject("enableSearchFeature", enableSearchFeature);
+		
+		// Add user info including MFA status
+		if (principal != null) {
+			String username = principal.getName();
+			User user = userRepository.findByUsername(username);
+			if (user != null) {
+				mav.addObject("mfaEnabled", user.isMfaEnabled());
+				mav.addObject("username", username);
+			}
+		}
+		
 		return mav;
 	}
 
 	@RequestMapping("/search")
-	public String search(@ModelAttribute("q") String query, Model model, HttpSession session) {
+	public String search(@ModelAttribute("q") String query, Model model, HttpSession session, Principal principal) {
 		List<Sale> listSale = dao.search(query);
 		model.addAttribute("listSale", listSale);
 
 		boolean enableSearchFeature = true;
 		model.addAttribute("enableSearchFeature", enableSearchFeature);
 		session.setAttribute("lastSearchQuery", query); // save the last search query in the session
+		
+		// Add user info including MFA status
+		addUserInfoToModel(model, principal);
+		
 		return "search";
 	}
 

src/main/java/net/codejava/MfaAuthentication.java

@@ -0,0 +1,42 @@
+package net.codejava;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+
+public class MfaAuthentication extends UsernamePasswordAuthenticationToken {
+    
+    private boolean mfaAuthenticated;
+    private User user;
+
+    public MfaAuthentication(User user, Object credentials, 
+                            Collection<? extends GrantedAuthority> authorities,
+                            boolean mfaAuthenticated) {
+        super(user.getUsername(), credentials, authorities);
+        this.user = user;
+        this.mfaAuthenticated = mfaAuthenticated;
+    }
+
+    public boolean isMfaAuthenticated() {
+        return mfaAuthenticated;
+    }
+
+    public void setMfaAuthenticated(boolean mfaAuthenticated) {
+        this.mfaAuthenticated = mfaAuthenticated;
+    }
+    
+    public User getUser() {
+        return user;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        // Only consider the authentication fully complete if MFA has been verified
+        // for users who have MFA enabled
+        if (user.isMfaEnabled()) {
+            return super.isAuthenticated() && mfaAuthenticated;
+        }
+        return super.isAuthenticated();
+    }
+}

src/main/java/net/codejava/MfaAuthenticationFilter.java

@@ -0,0 +1,56 @@
+package net.codejava;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+@Component
+public class MfaAuthenticationFilter extends OncePerRequestFilter {
+
+    private static final String MFA_VERIFICATION_URL = "/mfa/verify";
+    private static final String MFA_SETUP_URL = "/mfa/setup";
+    private static final String LOGIN_URL = "/login";
+    
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+            
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        HttpSession session = request.getSession();
+        
+        // Skip the filter for login and MFA-related URLs
+        String requestURI = request.getRequestURI();
+        if (requestURI.equals(LOGIN_URL) || requestURI.startsWith(MFA_VERIFICATION_URL) || 
+            requestURI.startsWith(MFA_SETUP_URL) || requestURI.startsWith("/css/") || 
+            requestURI.startsWith("/js/")) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+        
+        // Check if the user is authenticated with MFA
+        if (authentication instanceof MfaAuthentication) {
+            MfaAuthentication mfaAuthentication = (MfaAuthentication) authentication;
+            
+            // If MFA is needed but not yet verified
+            if (mfaAuthentication.getUser().isMfaEnabled() && !mfaAuthentication.isMfaAuthenticated()) {
+                // Store the requested URL in the session
+                session.setAttribute("REQUESTED_URL", requestURI);
+                
+                // Redirect to MFA verification page
+                response.sendRedirect(MFA_VERIFICATION_URL);
+                return;
+            }
+        }
+        
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/net/codejava/MfaAuthenticationProvider.java

@@ -0,0 +1,68 @@
+package net.codejava;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class MfaAuthenticationProvider implements AuthenticationProvider {
+
+    @Autowired
+    private UserRepository userRepository;
+    
+    @Autowired
+    private UserDetailsService userDetailsService;
+    
+    @Autowired
+    private PasswordEncoder passwordEncoder;
+    
+    @Autowired
+    private MfaService mfaService;
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        // First stage: verify username and password (primary authentication)
+        String username = authentication.getName();
+        String password = authentication.getCredentials().toString();
+        
+        UserDetails userDetails = userDetailsService.loadUserByUsername(username);
+        
+        if (!passwordEncoder.matches(password, userDetails.getPassword())) {
+            throw new BadCredentialsException("Invalid username or password");
+        }
+        
+        // Find the user entity to check MFA settings
+        User user = userRepository.findByUsername(username);
+        
+        // Check if MFA is enabled for the user
+        if (user != null && user.isMfaEnabled()) {
+            // For MFA-enabled users, we return a partially authenticated token
+            // The MfaAuthentication object will be used in the filter chain
+            return new MfaAuthentication(
+                user, 
+                authentication.getCredentials(),
+                userDetails.getAuthorities(),
+                true  // authenticated with password, but pending MFA verification
+            );
+        }
+        
+        // For users without MFA, return a fully authenticated token
+        return new UsernamePasswordAuthenticationToken(
+            userDetails,
+            null, // clear credentials
+            userDetails.getAuthorities()
+        );
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authentication.equals(UsernamePasswordAuthenticationToken.class);
+    }
+}