Version 2.0

Making the complex simple

After reviewing and feedback we released 2.0 of the module. Please upgrade to this version!
When your mark this module as your favorite marketplace content you will receive notifications about new releases.

Breaking change:
- We removed the capability to use MFA from login.html (too complex)

Improvements:
- Max login attempts and Max MFA attempts can be configured with constants (default is 3)
- After these attempts the user will be blocked according to the Mendix platform default and is released after 5 minutes (but read https://docs.mendix.com/refguide/login-behavior)
- Improved logging message when user is blocked (so it's in line with unblocks by the Core runtime)

Changed components:
- SUB_MFA_Validate
- MultiFactorAuthLoginAction.java
- New contstants MaxLoginAttempts and MaxAttemptsMFA

Author: pimvdnoll

2fa.mpr

@@ -25,6 +25,8 @@ The MFA code is validated first and only then the module creates a user session
 
 [https://swimlanes.io/u/4o7jaAOjY](https://swimlanes.io/u/4o7jaAOjY)
 
+We depricated the login.html compatibility in commbination of MFA. This will make the code more simple and safer. 
+
 ## How did we prove that this module is secure?
 At the point in time after login in the first step:
 
@@ -39,7 +41,6 @@ Scenarios to cover:
 - Default login via login.html for accounts with MFA disabled.
 - Default login via widgets for accounts with MFA disabled.
 - Default login for webservice and REST accounts.
-- Login by a customized login.html with MFA enabled (login-with-mfa.html + login-mfa.js + Authenticator app code only. Not compatible code sent by SMS or E-mail).
 - Login by default widgets but extended with ability to enter MFA code with MFA enabled.
 - Native mobile login 
 
@@ -79,9 +80,7 @@ After startup configuration:
 
 4. Add snippet `SN_MFA_LoginPage` / `SN_Login_Native` to your login page
 
-5. If applicable move the `login-with-mfa.html` and `js/login-mfa.js` from the resources directory to your theme directory to support login actions with MFA from these pages.
-
-6. Set the constant `EnabledMFA` to true to get started!
+5. Set the constant `EnabledMFA` to true to get started!
 
 **Keep in mind when upgrading the module from the Appstore in the future:**
 
@@ -99,20 +98,6 @@ For native mobile we needed to change the sign in nanoflow activity to save the
 
 When extending the LoginAction class and trying to set parameters from this class in our extended class, we found out this was not possible in combination with the super.execute() method. We decided to use createSession. We have already validated the username and password in the first step and the MFA object can't be modified/created by the anonymous user (and is also checked twice).
 
-We also wanted the module to be compatible via a login.html variant and the custom login-with-mfa.html. Therefore, it is necessary to send the MFA code together with your username and password. We need to pass this MFA code through the header because the payload is stripped by the Core LoginAction functionality.
-
-Login-with-mfa.html:
-
-![alt text](https://github.com/appronto/multifactor-authentication/blob/main/Output/Signin.png?raw=true)
-
-Login-mfa.js:
-
-![alt text](https://github.com/appronto/multifactor-authentication/blob/main/Output/Signin2.png?raw=true)
-
-MultiFactorAuthLoginAction.java:
-
-![alt text](https://github.com/appronto/multifactor-authentication/blob/main/Output/Signin3.png?raw=true)
-
 ## Please report issues
 
 Have you found an issue or a vulnerability in this module, please reach out to [pim@appronto.nl](mailto:pim@appronto.nl). I will reward you with a nice goodie bag and will publish the new version to the Marketplace.

Output/MFAmodule_Mx8188_v2_0.mpk

@@ -26,23 +26,16 @@ public class MultiFactorAuthLoginAction extends LoginAction{
 	private String currentSessionId;
 	public final static String USER_NAME_PARAM = "userName";
 	public final static String PASSWORD_PARAM = "password";
-	public final static String MFACODE_PARAM = "mfaCode";
 	private Map<String, ? extends Object> params;
 
-	
-	private mfamodule.proxies.MFA newMfaObject;
-
-	private String mfaCode;
 
 	public MultiFactorAuthLoginAction(Map<String, ? extends Object> params) {
 		super(Core.createSystemContext(), params);
 		this.params = params;
 		this.userName = (String) params.get(USER_NAME_PARAM);
 		this.password = (String) params.get(PASSWORD_PARAM);
 		this.currentSessionId = (String)params.get("currentSessionId");
-	    this.request = (IMxRuntimeRequest)params.get("request");
-	    this.mfaCode =  request.getHeader(MFACODE_PARAM);
-	    
+	    this.request = (IMxRuntimeRequest)params.get("request");   
 	}
 
 	@Override
@@ -61,26 +54,11 @@ public ISession execute() throws Exception {
 				//check if there is mfa for the user from the first call
 				userMfaObj = mfamodule.proxies.microflows.Microflows.dS_MFA_GET(oldSession.createContext());
 
-				if(userMfaObj != null && userMfaObj.getMendixObject().getMember(oldSession.createContext(),"Username").hasReadAccess(oldSession.createContext()) &&userMfaObj.getUsername() !=null) {
+				if(userMfaObj != null && userMfaObj.getMendixObject().getMember(oldSession.createContext(),"Username").hasReadAccess(oldSession.createContext()) && userMfaObj.getUsername() != null ) {
 					if ( mfamodule.proxies.microflows.Microflows.sUB_MFA_Validate(oldSession.createContext(), userMfaObj, userMfaObj.getUsername()) ) {
 						IUser user = Core.getUser(sysContext, userMfaObj.getUsername());
 						return Core.initializeSession(user, this.currentSessionId);
 					} 
-					else if (userMfaObj.getUsername() != null && userMfaObj.getUsername() != "") {
-						IUser user = Core.getUser(sysContext, userMfaObj.getUsername());
-						if(user != null) {
-							Object obj = (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins")+1;
-							user.getMendixObject().setValue(sysContext,"FailedLogins",obj);
-							if ( (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins") >= 3) {
-								user.getMendixObject().setValue(sysContext,"Blocked",true);
-								Core.commit(sysContext, user.getMendixObject());
-								_logNode.debug( "Custom MFA to much attempts FAILED: user '" + userMfaObj.getUsername() + "' blocked" );
-								throw new UserBlockedException("Custom MFA check: User '"+ userMfaObj.getUsername() + "' blocked");
-							}
-							Core.commit(sysContext, user.getMendixObject());
-						}
-						return oldSession;
-					}
 					else {
 						return oldSession;
 					}
@@ -117,54 +95,31 @@ else if (user.getUserRoleNames().isEmpty()) {
 		else if( !Core.authenticate(sysContext, user, this.password)) {	
 			Object obj = (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins")+1;
 			user.getMendixObject().setValue(sysContext,"FailedLogins",obj);
-			if ( (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins") >= 3) {
+			if ( (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins") >= mfamodule.proxies.constants.Constants.getMaxLoginAttempts()) {
 				user.getMendixObject().setValue(sysContext,"Blocked",true);
 				Core.commit(sysContext, user.getMendixObject());
 				_logNode.debug( "Custom Login FAILED:  user '" + this.userName + "' blocked" );
+				Core.getLogger("Core").info( "User blocked: '" + this.userName + "'" );
+				if (oldSession != null) { Core.logout(oldSession); }
 				throw new UserBlockedException("Custom login: User '"+ this.userName + "' blocked");
 			}
 			Core.commit(sysContext, user.getMendixObject());
 			_logNode.debug( "Custom Login FAILED: invalid password for user '" + this.userName + "'." );
 			throw new AuthenticationRuntimeException(" Custom Login FAILED for user '" + this.userName + "'.");
 		}
-		
+
 		// from this point user+pass is validated:
-		if( mfamodule.proxies.constants.Constants.getEnabledMFA() && mfaCode != null && mfaCode != "" ) {
-			_logNode.debug("MFA enabled and code provided for  "+ this.userName);
-			IMendixObject newObj = Core.instantiate(sysContext, MFA.entityName);
-			newMfaObject = MFA.initialize(sysContext, newObj );
-			newMfaObject.setCode(mfaCode); 
-			newMfaObject.setUsername(this.userName); 
-			Core.commit(sysContext, newMfaObject.getMendixObject());
+		if ( oldSession != null && mfamodule.proxies.constants.Constants.getEnabledMFA() 
+				&& mfamodule.proxies.microflows.Microflows.sUB_MFA_Validate(oldSession.createContext(), userMfaObj, this.userName) ) {
 
-			if ( mfamodule.proxies.microflows.Microflows.sUB_MFA_Validate(sysContext, newMfaObject,  this.userName) ) {
-				_logNode.debug("Validated code for "+ this.userName);
-				return super.execute();
-			}
-			else {
-				_logNode.debug( "Custom MFA code validation FAILED: mfa check for user '" + this.userName + "' with code '"+mfaCode+"'." );
-				Object obj = (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins")+1;
-				user.getMendixObject().setValue(sysContext,"FailedLogins",obj);
-				if ( (Integer)user.getMendixObject().getValue(sysContext,"FailedLogins") >= 3) {
-					user.getMendixObject().setValue(sysContext,"Blocked",true);
-					Core.commit(sysContext, user.getMendixObject());
-					_logNode.debug( "Custom MFA to much attempts FAILED: user '" + this.userName + "' blocked" );
-					throw new UserBlockedException("Custom MFA check: User '"+ this.userName + "' blocked");
+				if( !mfamodule.proxies.microflows.Microflows.sUB_MFA_UserDisabledCheck(sysContext, this.userName) ) {
+					_logNode.debug("MFA enabled and Mendix session available ready for "+ this.userName);
+					return oldSession;
+				}
+				else {
+					_logNode.debug("MFA enabled and Mendix session available redirect for "+ this.userName);
+					return super.execute();
 				}
-				Core.commit(sysContext, user.getMendixObject());
-				throw new AuthenticationRuntimeException(" Custom Login FAILED for user '" + this.userName + "'.");
-			}
-		}
-		else if (oldSession != null && mfamodule.proxies.constants.Constants.getEnabledMFA() 
-				&& mfamodule.proxies.microflows.Microflows.sUB_MFA_Validate(oldSession.createContext(), userMfaObj, this.userName)) {
-			if( !mfamodule.proxies.microflows.Microflows.sUB_MFA_UserDisabledCheck(sysContext, this.userName) ) {
-				_logNode.debug("MFA enabled and Mendix session available ready voor MFA for "+ this.userName);
-				return oldSession;
-			}
-			else {
-				_logNode.debug("MFA enabled and Mendix session available redirect for "+ this.userName);
-				return super.execute();
-			}
 		}
 		else if( mfamodule.proxies.constants.Constants.getEnabledMFA() 
 				&& !mfamodule.proxies.microflows.Microflows.sUB_MFA_UserDisabledCheck(sysContext, this.userName) ) {

README.md

@@ -19,4 +19,14 @@ public static java.lang.String getLognode()
 	{
 		return (java.lang.String)Core.getConfiguration().getConstantValue("MFAmodule.Lognode");
 	}
+
+	public static java.lang.Long getMaxAttemptsMFA()
+	{
+		return (java.lang.Long)Core.getConfiguration().getConstantValue("MFAmodule.MaxAttemptsMFA");
+	}
+
+	public static java.lang.Long getMaxLoginAttempts()
+	{
+		return (java.lang.Long)Core.getConfiguration().getConstantValue("MFAmodule.MaxLoginAttempts");
+	}
 }