Added isVerificationRequired method to SessionService (#22816)

- this gives us a defacto way to find out if we're in "required" mode
for 2FA
- this is better than checking the setting directly everywhere we need
to as we may change the implemnetation later

Author: ErisDS

ghost/core/core/server/services/auth/session/session-service.js

@@ -46,14 +46,15 @@ totp.options = {
  * @prop {(req: Req, res: Res) => Promise<void>} sendAuthCodeToUser
  * @prop {(req: Req, res: Res) => Promise<boolean>} verifyAuthCodeForUser
  * @prop {(req: Req, res: Res) => Promise<boolean>} isVerifiedSession
+ * @prop {() => boolean} isVerificationRequired
  */
 
 /**
  * @param {object} deps
  * @param {(req: Req, res: Res) => Promise<Session>} deps.getSession
  * @param {(data: {id: string}) => Promise<User>} deps.findUserById
  * @param {(req: Req) => string} deps.getOriginOfRequest
- * @param {(key: string) => string} deps.getSettingsCache
+ * @param {(key: 'require_email_mfa' | 'admin_session_secret' | 'title') => boolean | string} deps.getSettingsCache
  * @param {() => string} deps.getBlogLogo
  * @param {import('../../core/core/server/services/mail').GhostMailer} deps.mailer
  * @param {import('../../core/core/shared/labs')} deps.labs
@@ -96,6 +97,15 @@ module.exports = function createSessionService({
         }
     }
 
+    /**
+     * isVerificationRequired
+     * Determines if 2FA verification is required based on site settings
+     * @returns {boolean}
+     */
+    function isVerificationRequired() {
+        return getSettingsCache('require_email_mfa') === true;
+    }
+
     /**
      * createSessionForUser
      *
@@ -261,7 +271,7 @@ module.exports = function createSessionService({
             siteLogo: siteLogo,
             token: token,
             deviceDetails: await getDeviceDetails(session.user_agent, session.ip),
-            is2FARequired: getSettingsCache('require_email_mfa')
+            is2FARequired: this.isVerificationRequired()
         });
 
         try {
@@ -310,8 +320,7 @@ module.exports = function createSessionService({
     async function removeUserForSession(req, res) {
         const session = await getSession(req, res);
 
-        const requireMfa = getSettingsCache('require_email_mfa');
-        if (requireMfa) {
+        if (this.isVerificationRequired()) {
             session.verified = undefined;
         }
 
@@ -359,6 +368,7 @@ module.exports = function createSessionService({
         isVerifiedSession,
         sendAuthCodeToUser,
         verifyAuthCodeForUser,
-        generateAuthCodeForUser
+        generateAuthCodeForUser,
+        isVerificationRequired
     };
 };

ghost/core/test/unit/server/services/auth/session/SessionService.test.js

@@ -641,4 +641,43 @@ describe('SessionService', function () {
         should.equal(req.session.user_id, 'egg');
         should.equal(req.session.verified, undefined);
     });
+
+    describe('isVerificationRequired', function () {
+        let getSettingsCache;
+        beforeEach(function () {
+            getSettingsCache = sinon.stub();
+        });
+        it('returns true when require_email_mfa is true', async function () {
+            getSettingsCache.withArgs('require_email_mfa').returns(true);
+
+            const sessionService = SessionService({
+                getSettingsCache
+            });
+
+            const result = sessionService.isVerificationRequired();
+            should.equal(result, true);
+        });
+
+        it('returns false when require_email_mfa is false', async function () {
+            getSettingsCache.withArgs('require_email_mfa').returns(false);
+
+            const sessionService = SessionService({
+                getSettingsCache
+            });
+
+            const result = sessionService.isVerificationRequired();
+            should.equal(result, false);
+        });
+
+        it('returns false when require_email_mfa is not set', async function () {
+            getSettingsCache.withArgs('require_email_mfa').returns(undefined);
+
+            const sessionService = SessionService({
+                getSettingsCache
+            });
+
+            const result = sessionService.isVerificationRequired();
+            should.equal(result, false);
+        });
+    });
 });