feat(security): add TFA exemption header for bypassing two-factor authentication

mjabascal10 · mjabascal10 · commit 009932c8e68a · 2025-12-09T09:46:35.000-06:00
diff --git a/backend/src/main/java/com/park/utmstack/config/Constants.java b/backend/src/main/java/com/park/utmstack/config/Constants.java
@@ -146,6 +146,8 @@ public final class Constants {
     public static final String API_KEY_HEADER = "Utm-Api-Key";
     public static final List<String> API_ENDPOINT_IGNORE = Collections.emptyList();
 
+    public static final String TFA_EXEMPTION_HEADER = "X-Bypass-TFA";
+
 
     private Constants() {
     }
diff --git a/backend/src/main/java/com/park/utmstack/security/jwt/TokenProvider.java b/backend/src/main/java/com/park/utmstack/security/jwt/TokenProvider.java
@@ -1,6 +1,7 @@
 package com.park.utmstack.security.jwt;
 
 
+import com.park.utmstack.config.Constants;
 import com.park.utmstack.security.AuthoritiesConstants;
 import com.park.utmstack.util.CipherUtil;
 import io.jsonwebtoken.*;
@@ -16,10 +17,12 @@
 import org.springframework.stereotype.Component;
 import tech.jhipster.config.JHipsterProperties;
 
+import javax.servlet.http.HttpServletRequest;
 import java.security.Key;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 @Component
@@ -116,4 +119,16 @@ public boolean validateToken(String authToken) {
         }
         return false;
     }
+
+    public boolean canBypassTwoFactorAuth(HttpServletRequest request) {
+        boolean tfaExemptionRequested = Boolean.parseBoolean(request.getHeader(Constants.TFA_EXEMPTION_HEADER));
+
+        boolean forceTfaAuth = Boolean.parseBoolean(
+                Optional.ofNullable(System.getenv(Constants.PROP_TFA_ENABLE)).orElse("true")
+        );
+
+        return tfaExemptionRequested || !forceTfaAuth;
+    }
+
+
 }
diff --git a/backend/src/main/java/com/park/utmstack/web/rest/UserJWTController.java b/backend/src/main/java/com/park/utmstack/web/rest/UserJWTController.java
@@ -77,7 +77,8 @@ public ResponseEntity<JWTToken> authorize(@Valid @RequestBody LoginVM loginVM, H
                 throw new TooMuchLoginAttemptsException(String.format("Authentication blocked: IP %s exceeded login attempt threshold", ip));
             }
 
-            boolean authenticated = !Boolean.parseBoolean(Constants.CFG.get(Constants.PROP_TFA_ENABLE));
+            boolean isTfaExempted = this.tokenProvider.canBypassTwoFactorAuth(request);
+            boolean authenticated = !Boolean.parseBoolean(Constants.CFG.get(Constants.PROP_TFA_ENABLE)) || isTfaExempted;
 
             UsernamePasswordAuthenticationToken authenticationToken =
                     new UsernamePasswordAuthenticationToken(loginVM.getUsername(), loginVM.getPassword());

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,8 @@ public final class Constants {`
`146`	`146`	`public static final String API_KEY_HEADER = "Utm-Api-Key";`
`147`	`147`	`public static final List<String> API_ENDPOINT_IGNORE = Collections.emptyList();`
`148`	`148`
	`149`	`+ public static final String TFA_EXEMPTION_HEADER = "X-Bypass-TFA";`
	`150`	`+`
`149`	`151`
`150`	`152`	`private Constants() {`
`151`	`153`	`}`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,8 @@ public ResponseEntity<JWTToken> authorize(@Valid @RequestBody LoginVM loginVM, H`
`77`	`77`	`throw new TooMuchLoginAttemptsException(String.format("Authentication blocked: IP %s exceeded login attempt threshold", ip));`
`78`	`78`	`}`
`79`	`79`
`80`		`- boolean authenticated = !Boolean.parseBoolean(Constants.CFG.get(Constants.PROP_TFA_ENABLE));`
	`80`	`+ boolean isTfaExempted = this.tokenProvider.canBypassTwoFactorAuth(request);`
	`81`	`+ boolean authenticated = !Boolean.parseBoolean(Constants.CFG.get(Constants.PROP_TFA_ENABLE)) \|\| isTfaExempted;`
`81`	`82`
`82`	`83`	`UsernamePasswordAuthenticationToken authenticationToken =`
`83`	`84`	`new UsernamePasswordAuthenticationToken(loginVM.getUsername(), loginVM.getPassword());`