Add TotpTokenValidator

jrauh01 · jrauh01 · commit 5636a67174e0 · 2025-12-02T07:49:41.000+01:00
It validates two things:
1. The token must only contain numbers
2. The token must have a specific length (this is configurable via
   the constructor, the default is 6)
diff --git a/application/forms/Account/TwoFactorConfigForm.php b/application/forms/Account/TwoFactorConfigForm.php
@@ -7,10 +7,10 @@
 use Icinga\Authentication\TwoFactorTotp;
 use Icinga\Common\Database;
 use Icinga\User;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
 use Icinga\Web\Notification;
 use ipl\Html\Attributes;
 use ipl\Html\HtmlElement;
-use ipl\Validator\CallbackValidator;
 use ipl\Web\Common\FormUid;
 use ipl\Web\Compat\CompatForm;
 use ipl\Web\Url;
@@ -124,27 +124,15 @@ protected function assemble(): void
                 );
 
                 $this->addElement(
-                    'number',
+                    'text',
                     '2fa_verification_token',
                     [
+                        'required'    => true,
                         'label'       => $this->translate('Verification Token'),
                         'description' => $this->translate(
                             'Please enter the token from your authenticator app to verify your setup.'
                         ),
-                        'min'         => 0,
-                        'max'         => 999999,
-                        'step'        => 1,
-                        'validators'  => [
-                            new CallbackValidator(function (string $value, CallbackValidator $validator) {
-                                if (strlen($value) !== 6) {
-                                    $validator->addMessage($this->translate('The token must be exactly 6 digits long.'));
-
-                                    return false;
-                                }
-
-                                return true;
-                            })
-                        ]
+                        'validators'  => [new TotpTokenValidator()]
                     ]
                 );
 
diff --git a/application/forms/Authentication/Challenge2FAForm.php b/application/forms/Authentication/Challenge2FAForm.php
@@ -11,6 +11,7 @@
 use Icinga\Authentication\Auth;
 use Icinga\Authentication\TwoFactorTotp;
 use Icinga\Common\Database;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
 use Icinga\Web\Response;
 use Icinga\Web\Session;
 use Icinga\Web\Url;
@@ -62,7 +63,8 @@ protected function assemble(): void
                 'decorators'     => [
                     'RenderElement' => new RenderElementDecorator(),
                     'Errors'        => ['name' => 'Errors', 'options' => ['class' => 'errors']]
-                ]
+                ],
+                'validators'     => [new TotpTokenValidator()]
             ]
         );
 
diff --git a/library/Icinga/Web/Form/Validator/TotpTokenValidator.php b/library/Icinga/Web/Form/Validator/TotpTokenValidator.php
@@ -0,0 +1,39 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Web\Form\Validator;
+
+use ipl\I18n\Translation;
+use ipl\Validator\BaseValidator;
+
+class TotpTokenValidator extends BaseValidator
+{
+    use Translation;
+
+    public function __construct(
+        /** @var int Token length */
+        protected int $digits = 6
+    ) {
+    }
+
+    public function isValid($value): bool
+    {
+        // Multiple isValid() calls must not stack validation messages
+        $this->clearMessages();
+
+        if (! is_numeric($value)) {
+            $this->addMessage($this->translate('The token must only contain numbers'));
+
+            return false;
+        }
+
+        if (strlen($value) !== $this->digits) {
+            $this->addMessage($this->translate('The token must be exactly 6 digits long.'));
+
+            return false;
+        }
+
+        return true;
+    }
+}
