FEATURE: Add ability to cancel login attempt

Classes/Controller/LoginController.php

@@ -227,6 +227,29 @@ public function createSecondFactorAction(string $secret, string $secondFactorFro
         $this->redirect('index', 'Backend\Backend', 'Neos.Neos');
     }
 
+    /**
+     * @throws StopActionException
+     */
+    public function cancelLoginAction(): void
+    {
+        $this->secondFactorSessionStorageService->cancelLoginAttempt();
+
+        $this->redirect('index', 'Backend\Backend', 'Neos.Neos');
+    }
+
+    /**
+     * @return array
+     * @throws InvalidConfigurationTypeException
+     */
+    protected function getNeosSettings(): array
+    {
+        $configurationManager = $this->objectManager->get(ConfigurationManager::class);
+        return $configurationManager->getConfiguration(
+            ConfigurationManager::CONFIGURATION_TYPE_SETTINGS,
+            'Neos.Neos'
+        );
+    }
+
     /**
      * Check if the given token matches any registered second factor
      *
@@ -247,17 +270,4 @@ private function enteredTokenMatchesAnySecondFactor(string $enteredSecondFactor,
 
         return false;
     }
-
-    /**
-     * @return array
-     * @throws InvalidConfigurationTypeException
-     */
-    protected function getNeosSettings(): array
-    {
-        $configurationManager = $this->objectManager->get(ConfigurationManager::class);
-        return $configurationManager->getConfiguration(
-            ConfigurationManager::CONFIGURATION_TYPE_SETTINGS,
-            'Neos.Neos'
-        );
-    }
 }

Classes/Domain/AuthenticationStatus.php

@@ -2,9 +2,8 @@
 
 namespace Sandstorm\NeosTwoFactorAuthentication\Domain;
 
-// FIXME: Refactor to enum once we only support PHP >= 8.1
-class AuthenticationStatus
+enum AuthenticationStatus: string
 {
-    const AUTHENTICATION_NEEDED = 'AUTHENTICATION_NEEDED';
-    const AUTHENTICATED = 'AUTHENTICATED';
+    case AUTHENTICATION_NEEDED = 'AUTHENTICATION_NEEDED';
+    case AUTHENTICATED = 'AUTHENTICATED';
 }

Classes/Domain/Model/Dto/SecondFactorDto.php

@@ -17,17 +17,11 @@ public function __construct(SecondFactor $secondFactor, User $user = null)
         $this->secondFactor = $secondFactor;
     }
 
-    /**
-     * @return SecondFactor|string
-     */
     public function getSecondFactor(): SecondFactor
     {
         return $this->secondFactor;
     }
 
-    /**
-     * @return User
-     */
     public function getUser(): User
     {
         return $this->user;

Classes/Domain/Model/SecondFactor.php

@@ -3,10 +3,10 @@
 namespace Sandstorm\NeosTwoFactorAuthentication\Domain\Model;
 
 use DateTime;
-use Neos\Flow\Http\InvalidArgumentException;
-use Neos\Flow\Security\Account;
 use Doctrine\ORM\Mapping as ORM;
 use Neos\Flow\Annotations as Flow;
+use Neos\Flow\Http\InvalidArgumentException;
+use Neos\Flow\Security\Account;
 
 /**
  * Store the secrets needed for two factor authentication
@@ -48,57 +48,48 @@ class SecondFactor
      */
     protected DateTime|null $creationDate;
 
-    /**
-     * @return Account
-     */
+    public static function typeToString(int $type): string
+    {
+        switch ($type) {
+            case self::TYPE_TOTP:
+                return 'OTP';
+            case self::TYPE_PUBLIC_KEY:
+                return 'Public Key';
+            default:
+                throw new InvalidArgumentException('Unsupported second factor type with index ' . $type);
+        }
+    }
+
     public function getAccount(): Account
     {
         return $this->account;
     }
 
-    /**
-     * @param Account $account
-     */
     public function setAccount(Account $account): void
     {
         $this->account = $account;
     }
 
-    /**
-     * @return int
-     */
     public function getType(): int
     {
         return $this->type;
     }
 
-    /**
-     * @return string
-     */
-    public function getTypeAsName(): string
+    public function setType(int $type): void
     {
-        return self::typeToString($this->getType());
+        $this->type = $type;
     }
 
-    /**
-     * @param int $type
-     */
-    public function setType(int $type): void
+    public function getTypeAsName(): string
     {
-        $this->type = $type;
+        return self::typeToString($this->getType());
     }
 
-    /**
-     * @return string
-     */
     public function getSecret(): string
     {
         return $this->secret;
     }
 
-    /**
-     * @param string $secret
-     */
     public function setSecret(string $secret): void
     {
         $this->secret = $secret;
@@ -118,16 +109,4 @@ public function __toString(): string
     {
         return $this->account->getAccountIdentifier() . " with " . self::typeToString($this->type);
     }
-
-    public static function typeToString(int $type): string
-    {
-        switch ($type) {
-            case self::TYPE_TOTP:
-                return 'OTP';
-            case self::TYPE_PUBLIC_KEY:
-                return 'Public Key';
-            default:
-                throw new InvalidArgumentException('Unsupported second factor type with index ' . $type);
-        }
-    }
 }

Classes/Http/Middleware/SecondFactorMiddleware.php

@@ -20,7 +20,9 @@
 
 class SecondFactorMiddleware implements MiddlewareInterface
 {
+    // TODO: duplication of information - actually there is quite some duplicated information here (like Controller Action names, Route config etc)
     const LOGGING_PREFIX = 'Sandstorm/NeosTwoFactorAuthentication: ';
+    const SECOND_FACTOR_PACKAGE_KEY = 'Sandstorm.NeosTwoFactorAuthentication';
     const SECOND_FACTOR_LOGIN_URI = '/neos/second-factor-login';
     const SECOND_FACTOR_SETUP_URI = '/neos/second-factor-setup';
 
@@ -146,6 +148,15 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             return $handler->handle($request);
         }
 
+        $routingMatchResults = $request->getAttribute(ServerRequestAttributes::ROUTING_RESULTS) ?? [];
+        $requestAction = $routingMatchResults['@action'] ?? '';
+        $requestPackage = $routingMatchResults['@package'] ?? '';
+
+        // If login cancellation is requested - do it
+        if ($requestPackage === $this::SECOND_FACTOR_PACKAGE_KEY && $requestAction === 'cancelLogin') {
+            return $handler->handle($request);
+        }
+
         $account = $this->securityContext->getAccount();
 
         $isEnabledForAccount = $this->secondFactorService->isSecondFactorEnabledForAccount($account);

Classes/Service/SecondFactorSessionStorageService.php

@@ -21,24 +21,24 @@ class SecondFactorSessionStorageService
     /**
      * @throws SessionNotStartedException
      */
-    public function setAuthenticationStatus(string $authenticationStatus): void
+    public function setAuthenticationStatus(AuthenticationStatus $authenticationStatus): void
     {
         $this->sessionManager->getCurrentSession()->putData(
             self::SESSION_OBJECT_ID,
             [
-                self::SESSION_OBJECT_AUTH_STATUS => $authenticationStatus,
+                self::SESSION_OBJECT_AUTH_STATUS => $authenticationStatus->value,
             ]
         );
     }
 
     /**
      * @throws SessionNotStartedException
      */
-    public function getAuthenticationStatus(): string
+    public function getAuthenticationStatus(): AuthenticationStatus
     {
         $storageObject = $this->sessionManager->getCurrentSession()->getData(self::SESSION_OBJECT_ID);
 
-        return $storageObject[self::SESSION_OBJECT_AUTH_STATUS];
+        return AuthenticationStatus::from($storageObject[self::SESSION_OBJECT_AUTH_STATUS]);
     }
 
     /**
@@ -50,4 +50,15 @@ public function initializeTwoFactorSessionObject(): void
             self::setAuthenticationStatus(AuthenticationStatus::AUTHENTICATION_NEEDED);
         }
     }
+
+    /**
+     * When the user requests to cancel the login attempt, we destroy the current session to get out
+     * of the state between "logged in with username/password" and "fully authenticated with second factor".
+     */
+    public function cancelLoginAttempt(): void
+    {
+        if ($this->sessionManager->getCurrentSession()->hasKey(self::SESSION_OBJECT_ID)) {
+            $this->sessionManager->getCurrentSession()->destroy('Termination requested by user.');
+        }
+    }
 }

Configuration/Routes.yaml

@@ -36,3 +36,12 @@
       '@action': 'createSecondFactor'
       '@format': 'html'
   httpMethods: ['POST']
+
+- name: 'Sandstorm Two Factor Authentication - Cancel Login'
+  uriPattern: 'neos/second-factor-cancel-login'
+  defaults:
+      '@package': 'Sandstorm.NeosTwoFactorAuthentication'
+      '@controller': 'Login'
+      '@action': 'cancelLogin'
+      '@format': 'html'
+  httpMethods: ['POST']

Resources/Private/Fusion/Presentation/Components/LoginSecondFactorStep.fusion

@@ -9,7 +9,11 @@ prototype(Sandstorm.NeosTwoFactorAuthentication:Component.LoginSecondFactorStep)
     }
 
     renderer = afx`
-        <Neos.Fusion.Form:Form form.target.action="checkSecondFactor" form.target.controller="Login">
+        <Neos.Fusion.Form:Form
+            attributes.class="neos-two-factor__authentication-form"
+            form.target.action="checkSecondFactor"
+            form.target.controller="Login"
+        >
             <fieldset>
                 <div class="neos-controls">
                     <Neos.Fusion.Form:Input
@@ -25,12 +29,32 @@ prototype(Sandstorm.NeosTwoFactorAuthentication:Component.LoginSecondFactorStep)
                 </div>
 
                 <div class="neos-actions">
-                    <Neos.Fusion.Form:Button attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn">
+                    <Neos.Fusion.Form:Button
+                        attributes.id="submitLogin"
+                        attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn"
+                    >
                         {I18n.id('login').value('Login').package('Neos.Neos').source('Main').translate()}
                     </Neos.Fusion.Form:Button>
-                    <Neos.Fusion.Form:Button attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn neos-disabled neos-hidden">
+                    <Neos.Fusion.Form:Button
+                        attributes.id="submitLoginIndicator"
+                        attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn neos-disabled neos-hidden"
+                    >
                         {I18n.id('authenticating').value('Authenticating').package('Neos.Neos').source('Main').translate()} <span class="neos-ellipsis"></span>
                     </Neos.Fusion.Form:Button>
+                    <Neos.Fusion.Form:Button
+                        attributes.id="cancelLogin"
+                        attributes.formaction="/neos/second-factor-cancel-login"
+                        attributes.formnovalidate="true"
+                        attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn neos-button-warning"
+                    >
+                        {I18n.id('cancel').value('Cancel').package('Neos.Neos').source('Main').translate()}
+                    </Neos.Fusion.Form:Button>
+                    <Neos.Fusion.Form:Button
+                        attributes.id="cancelLoginIndicator"
+                        attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn neos-disabled neos-hidden neos-button-warning"
+                    >
+                        {I18n.id('cancel').value('Cancel').package('Neos.Neos').source('Main').translate()} <span class="neos-ellipsis"></span>
+                    </Neos.Fusion.Form:Button>
                 </div>
 
                 <Neos.Fusion:Loop items={props.flashMessages} itemName="flashMessage">

Resources/Private/Fusion/Presentation/Pages/LoginSecondFactorPage.fusion

@@ -90,9 +90,22 @@ prototype(Sandstorm.NeosTwoFactorAuthentication:Page.LoginSecondFactorPage) < pr
                 </div>
 
                 <script>{"
-                                    document.querySelector('form').addEventListener('submit', function() {
-                                        document.querySelector('.neos-login-btn').classList.toggle('neos-hidden');
-                                        document.querySelector('.neos-login-btn.neos-disabled').classList.toggle('neos-hidden');
+                                    document.querySelector('form').addEventListener('submit', function(event) {
+                                        if (event.submitter && event.submitter.id === 'cancelLogin') {
+                                            event.target.querySelector('#submitLogin').disabled = 'disabled';
+                                            event.target.querySelector('#cancelLogin').disabled = 'disabled';
+
+                                            event.target.querySelector('#submitLogin').classList.add('neos-disabled');
+                                            event.target.querySelector('#cancelLogin').classList.add('neos-hidden');
+                                            event.target.querySelector('#cancelLoginIndicator').classList.remove('neos-hidden');
+                                        } else {
+                                            event.target.querySelector('#submitLogin').disabled = 'disabled';
+                                            event.target.querySelector('#cancelLogin').disabled = 'disabled';
+
+                                            event.target.querySelector('#submitLogin').classList.add('neos-hidden');
+                                            event.target.querySelector('#cancelLogin').classList.add('neos-disabled');
+                                            event.target.querySelector('#submitLoginIndicator').classList.remove('neos-hidden');
+                                        }
                                     });
                                     try {
                                         document.querySelector('form[name=\"login\"] input[name=\"lastVisitedNode\"]').value = sessionStorage.getItem('Neos.Neos.lastVisitedNode');

Resources/Private/Fusion/Presentation/Pages/SetupSecondFactorPage.fusion

@@ -77,7 +77,10 @@ prototype(Sandstorm.NeosTwoFactorAuthentication:Page.SetupSecondFactorPage) < pr
 
                                 <div class="neos-login-body neos">
                                     <Sandstorm.NeosTwoFactorAuthentication:Component.LoginFlashMessages flashMessages={props.flashMessages} />
-                                    <Neos.Fusion.Form:Form form.target.action="setupSecondFactor">
+                                    <Neos.Fusion.Form:Form
+                                        attributes.class="neos-two-factor__authentication-form"
+                                        form.target.action="setupSecondFactor"
+                                    >
                                         <div class="neos-control-group">
                                             <img src={qrCode} style="width: 100%; max-width: 400px"/>
                                         </div>
@@ -162,6 +165,13 @@ prototype(Sandstorm.NeosTwoFactorAuthentication:Page.SetupSecondFactorPage) < pr
                                             <Neos.Fusion.Form:Button attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn">
                                                 {I18n.id('module.new.submit-otp').package('Sandstorm.NeosTwoFactorAuthentication').source('Backend').translate()}
                                             </Neos.Fusion.Form:Button>
+                                            <Neos.Fusion.Form:Button
+                                                attributes.formaction="/neos/second-factor-cancel-login"
+                                                attributes.formnovalidate="true"
+                                                attributes.class="neos-span5 neos-pull-right neos-button neos-login-btn neos-button-warning"
+                                            >
+                                                {I18n.id('cancel').value('Cancel').package('Neos.Neos').source('Main').translate()}
+                                            </Neos.Fusion.Form:Button>
                                         </div>
                                     </Neos.Fusion.Form:Form>
                                 </div>

Resources/Public/Styles/Login.css

@@ -159,3 +159,18 @@
 .neos-two-factor__secret-wrapper ::-webkit-scrollbar-track {
   background-color: initial;
 }
+
+.neos-two-factor__authentication-form .neos-actions {
+    display: flex;
+    flex-direction: column;
+    gap: 8px;
+}
+
+.neos-two-factor__authentication-form .neos-actions button {
+    margin-left: 0;
+}
+
+.neos-two-factor__authentication-form .neos-actions button.neos-login-btn.neos-button-warning {
+    background-color: #F89406;
+    color: #fff;
+}