Merge branch 'main' of https://github.com/devforth/adminforth-two-factors-auth

Author: SerVitasik

README.md

@@ -1,7 +1,31 @@
 # AdminForth TwoFactorsAuth Plugin
 
-<img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT" /> <img src="https://woodpecker.devforth.io/api/badges/3848/status.svg" alt="Build Status" /> <a href="https://www.npmjs.com/package/@adminforth/two-factors-auth"> <img src="https://img.shields.io/npm/dt/@adminforth/two-factors-auth" alt="npm downloads" /></a> <a href="https://www.npmjs.com/package/@adminforth/two-factors-auth"><img src="https://img.shields.io/npm/v/@adminforth/two-factors-auth" alt="npm version" /></a> <a href="https://www.npmjs.com/package/@adminforth/two-factors-auth">
+<img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT" /> <img src="https://woodpecker.devforth.io/api/badges/3848/status.svg" alt="Build Status" /> <a href="https://www.npmjs.com/package/@adminforth/two-factors-auth"><img src="https://img.shields.io/npm/dm/@adminforth/two-factors-auth" alt="npm downloads" /></a> <a href="https://www.npmjs.com/package/@adminforth/two-factors-auth"><img src="https://img.shields.io/npm/v/@adminforth/two-factors-auth" alt="npm version" /></a>
+
+[![Ask AI](https://tluma.ai/badge)](https://tluma.ai/ask-ai/devforth/adminforth)
 
 Allows to enable Two-Factor Authentication to an adminforth application.
 
-## For usage, see [AdminForth TwoFactorsAuth Documentation](https://adminforth.dev/docs/tutorial/Plugins/TwoFactorsAuth/)
+## Features
+
+- Add two-factor authentication to AdminForth login.
+- Improve account security for admin users.
+- Introduce a stronger verification step at sign-in.
+- Integrate 2FA into existing authentication workflows.
+
+## Documentation
+
+Full setup and configuration guide:
+
+[AdminForth TwoFactorsAuth Documentation](https://adminforth.dev/docs/tutorial/Plugins/two-factors-auth/)
+
+## About AdminForth
+
+AdminForth is an open-source, agent-first admin framework for building robust admin panels and back-office applications faster.
+
+## Related links
+
+- [AdminForth website](https://adminforth.dev)
+- [npm package](https://www.npmjs.com/package/@adminforth/two-factors-auth)
+- [More AdminForth plugins](https://adminforth.dev/docs/tutorial/ListOfPlugins/)
+- [Built by DevForth](https://devforth.io)

custom/TwoFAModal.vue

@@ -37,11 +37,11 @@
             @on-complete="handleOnComplete"
           />
         </div>
-
-        <p class="af-2fa-totp-footer text-center text-xs text-gray-500 dark:text-gray-400">
+        <p v-if="doesUserHavePasskeys" class="af-2fa-totp-footer text-center text-xs text-gray-500 dark:text-gray-400">
           {{$t('Having trouble?')}}
-          <button v-if="doesUserHavePasskeys" type="button" class="af-2fa-switch-to-passkey text-lightPrimary dark:text-white hover:underline cursor-pointer" @click="modalMode = 'passkey'">{{$t('Use passkey instead')}}</button>
+          <button type="button" class="af-2fa-switch-to-passkey text-lightPrimary dark:text-white hover:underline cursor-pointer" @click="modalMode = 'passkey'">{{$t('Use passkey instead')}}</button>
         </p>
+        <p class="af-2fa-multiple-actions text-center text-red-500 text-xs" v-if="sessionsIdsToResolve.length > 1"> You are confirming {{ sessionsIdsToResolve.length }} actions</p>
       </div>
 
       <div v-else-if="modalMode === 'passkey'" class="af-two-factor-modal-passkeys flex flex-col gap-4 relative bg-white dark:bg-gray-700 rounded-lg shadow p-6 w-full max-w-md">
@@ -89,6 +89,7 @@
           {{$t('Having trouble?')}}
           <button type="button" class="af-2fa-switch-to-totp text-lightPrimary dark:text-white hover:underline cursor-pointer" @click="modalMode = 'totp'">{{$t('Use TOTP instead')}}</button>
         </p>
+        <p class="af-2fa-multiple-actions text-center text-red-500 text-xs" v-if="sessionsIdsToResolve.length > 1"> You are confirming {{ sessionsIdsToResolve.length }} actions</p>
       </div>
     </div>
   </template>
@@ -103,8 +104,9 @@
   import { Link, Button } from '@/afcl';
   import { IconShieldOutline } from '@iconify-prerendered/vue-flowbite';
   import { getPasskey } from './utils.js' 
-  import adminforth from '@/adminforth';
-
+  import { useAdminforth } from '@/adminforth';
+  import websocket from '@/websocket';
+  import type { AdminUser } from '@/types/Common';
 
   type TwoFaConfirmationResult = { mode: 'totp'; result: string } | { mode: 'passkey'; result: Record<string, any> };
 
@@ -120,7 +122,76 @@
   }
   const props = defineProps<{
     autoFinishLogin?: boolean
+    adminUser?: AdminUser
   }>();
+
+  const { alert } = useAdminforth();
+
+  const isAwaiting2FAResult = ref(false);
+  let allowAddNewSessions = true;
+  const ALLOW_NEW_SESSIONS_PERIOD = 1000;
+  const sessionsIdsToResolve = ref<string[]>([]);
+
+  watch(isAwaiting2FAResult, (awaiting) => {
+    if (awaiting) {
+      allowAddNewSessions = true;
+      setTimeout(() => {
+        if (isAwaiting2FAResult.value) {
+          allowAddNewSessions = false;
+        }
+      }, ALLOW_NEW_SESSIONS_PERIOD);
+    }
+  });
+  
+  watch( props, () => {
+    if (props.adminUser) {
+      websocket.unsubscribeByPrefix(`/user2fa/`);
+      websocket.subscribe(`/user2fa/${props.adminUser.pk}`, async (data: {sessionId: string}) => {
+        if (!allowAddNewSessions) {
+          alert({message: 'Some process or user tries to add new actions to confirm. Action was blocked', variant: 'warning'});
+          return;
+        }
+        sessionsIdsToResolve.value.push(data.sessionId);
+        let confirmationResult;
+        if (isAwaiting2FAResult.value) {
+          return;
+        }
+        try {
+          isAwaiting2FAResult.value = true;
+          confirmationResult = await window.adminforthTwoFaModal.get2FaConfirmationResult();
+        } catch (error) {
+          console.error('Error during 2FA confirmation:', error);
+        }
+        isAwaiting2FAResult.value = false;
+        try {
+          const response = await callAdminForthApi({
+            method: "POST",
+            path: "/plugin/passkeys/resolveVerifyAuto",
+            body: { confirmationResult, sessionsIds: sessionsIdsToResolve.value }
+          });
+          if (!response.ok && response.error === 'No session ID or confirmation result'){
+            alert({message: 'Verification session finished or cancelled.', variant: 'warning'});
+          } else if (!response.ok) {
+            alert({message: 'Verification failed', variant: 'danger'});
+          } else if (response.ok) {
+            alert({message: 'Verification successful', variant: 'success'});
+          }
+          sessionsIdsToResolve.value = [];
+        } catch (error) {
+          console.error('Error resolving automatic 2FA verification:', error);
+        }
+        allowAddNewSessions = true;
+      });
+      websocket.subscribe(`/user2fa/${props.adminUser.pk}-resolve`, async (data: {sessionId: string}) => {
+        if (sessionsIdsToResolve.value.includes(data.sessionId) && rejectFn && modelShow.value) {
+          onCancel();
+          sessionsIdsToResolve.value = sessionsIdsToResolve.value.filter(id => id !== data.sessionId);
+        }
+      });
+    }
+  })
+
+
   const emit = defineEmits<{
     (e: 'resolved', payload: any): void
     (e: 'rejected', err?: any): void

custom/package.json

@@ -6,7 +6,7 @@
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
-  "author": "",
+  "author": "DevForth (https://devforth.io)",
   "license": "ISC",
   "description": "",
   "dependencies": {

index.ts

@@ -141,15 +141,40 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
     return false;
   }
 
+  private pending = new Map<string, (value: any) => void>();
+
+  private waitForResponse(id: string): Promise<any> {
+    return new Promise((resolve) => {
+      this.pending.set(id, resolve);
+    });
+  }
+
+  private resolveResponse(id: string, data: any) {
+    const resolve = this.pending.get(id);
+    if (resolve) {
+      resolve(data);
+      this.pending.delete(id);
+    }
+  }
+
+  public async verifyAuto(adminUser: AdminUser) {
+    const sessionId = crypto.randomUUID();
+    const jwt = this.adminforth.auth.issueJWT({sessionId, adminUserPk: adminUser.pk}, 'auto2FA', '5m');
+    this.adminforth.websocket.publish(`/user2fa/${adminUser.pk}`, { sessionId: jwt });
+    const result = await this.waitForResponse(jwt);
+    this.adminforth.websocket.publish(`/user2fa/${adminUser.pk}-resolve`, { sessionId: jwt });
+    return result;
+  }
+
   public async verify(
     confirmationResult: Record<string, any>,
     opts?: { adminUser?: AdminUser; userPk?: string; cookies?: any, response?: IAdminForthHttpResponse, extra?: HttpExtra }
   ): Promise<{ ok: true } | { error: string }> {
     if (!confirmationResult) return { error: "Confirmation result is required" };
     if (!opts.adminUser) return { error: "Admin user is required" };
     if (!opts.userPk) return    { error: "User PK is required" };
-    const cookies = opts.extra.cookies || opts.cookies;
-    const response = opts.extra.response || opts.response;
+    const cookies = opts.extra?.cookies || opts.cookies;
+    const response = opts.extra?.response || opts.response;
     if (this.options.usersFilterToApply) {
       const res = this.options.usersFilterToApply(opts.adminUser);
       if ( res === false ) {
@@ -753,7 +778,7 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
       method: 'POST',
       path: `/plugin/passkeys/registerPasskeyRequest`,
       noAuth: false,
-      handler: async ({ body, adminUser, response, cookies, extra }) => {
+      handler: async ({ body, adminUser, response, cookies, headers }) => {
         const mode = body?.mode;
 
         const confirmationResult = body?.confirmationResult;
@@ -762,7 +787,9 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
           userPk: adminUser.pk, 
           cookies: cookies,
           response: response,
-          extra: { ...extra }
+          extra: {
+            headers,
+          } as HttpExtra
         });
         if (!verificationResult || !('ok' in verificationResult)) {
           return { ok: false, error: 'error' in verificationResult ? verificationResult.error : 'Verification failed' };
@@ -1049,5 +1076,55 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
         }
       }
     });
+    server.endpoint({
+      method: 'POST',
+      path: `/plugin/passkeys/resolveVerifyAuto`,
+      noAuth: false,
+      handler: async ({ body, adminUser, response, cookies, headers }) => {
+        const sessionsIds = body?.sessionsIds;
+        const confirmationResult = body?.confirmationResult;
+        const idsToResolve = sessionsIds;
+
+        const resolveAllIdsAsFailed = (message) => {
+          for (const id of idsToResolve) {
+            this.resolveResponse(id, { ok: false, error: message });
+          }
+          return { ok: false, error: message };
+        }
+
+        if (!(sessionsIds) || !confirmationResult) {
+          return(resolveAllIdsAsFailed('Confirmation window was closed or did not return required data'));
+        }
+
+        for (const id of idsToResolve) {
+          const validationResult = await this.adminforth.auth.verify(id, 'auto2FA', false);
+          if (!validationResult) {
+            return(resolveAllIdsAsFailed('Invalid session ID or confirmation result'));
+          }
+          if (validationResult.adminUserPk !== adminUser.pk) {
+            return(resolveAllIdsAsFailed('Session does not belong to the authenticated user'));
+          }
+        }
+
+        const verificationResult = await this.verify(confirmationResult, {
+          adminUser: adminUser,
+          userPk: adminUser.pk, 
+          cookies: cookies,
+          response: response,
+          extra: {
+            headers: headers,            
+          } as HttpExtra
+        });
+        if ( !verificationResult || !('ok' in verificationResult) ) {
+          return(resolveAllIdsAsFailed('Verification failed'));
+        }
+        if ('ok' in verificationResult && verificationResult.ok){
+          for (const id of idsToResolve) {
+            this.resolveResponse(id, { ok: true, passkeyConfirmed: verificationResult });
+          }
+          return { ok: true };
+        }
+      }
+    });
   }
 }

package.json

@@ -7,7 +7,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "homepage": "https://adminforth.dev/docs/tutorial/Plugins/TwoFactorsAuth/",
+  "homepage": "https://adminforth.dev/docs/tutorial/Plugins/two-factors-auth/",
   "repository": {
     "type": "git",
     "url": "https://github.com/devforth/adminforth-two-factors-auth.git"
@@ -21,14 +21,14 @@
     "two-factors-auth",
     "2fa"
   ],
-  "author": "devforth",
-  "license": "ISC",
+  "author": "DevForth (https://devforth.io)",
+  "license": "MIT",
   "dependencies": {
     "@simplewebauthn/server": "^13.2.1",
     "node-2fa": "^2.0.3"
   },
   "peerDependencies": {
-    "adminforth": "^2.24.0"
+    "adminforth": "^2.42.0"
   },
   "devDependencies": {
     "@types/node": "^22.10.7",