Feature/login post plugin

Api/ConfigInterface.php

@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Elgentos\Frontend2FA\Api;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+interface ConfigInterface
+{
+    public function isEnabled(): bool;
+    public function getForced2faCustomerGroups(): array;
+}

Api/TfaCheckInterface.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Elgentos\Frontend2FA\Api;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+interface TfaCheckInterface
+{
+
+    const FRONTEND_2_FA_ACCOUNT_SETUP_ROUTE = 'customer_account_setup';
+    const FRONTEND_2_FA_ACCOUNT_AUTHENTICATE_ROUTE = 'customer_account_authenticate';
+    const CUSTOMER_ACCOUNT_LOGOUT_ROUTE = 'customer_account_logout';
+    const FRONTEND_2_FA_ACCOUNT_SETUP_PATH = 'customer/account/setup';
+    const FRONTEND_2_FA_ACCOUNT_AUTHENTICATE_PATH = 'customer/account/authenticate';
+
+    public function isCustomerInForced2faGroup(\Magento\Customer\Model\Customer $customer): bool;
+
+    public function is2faConfiguredForCustomer(\Magento\Customer\Model\Customer $customer): bool;
+
+    public function getAllowedRoutes(\Magento\Customer\Model\Customer $customer): array;
+
+}

Block/Authenticator.php

@@ -8,8 +8,9 @@
 
 namespace Elgentos\Frontend2FA\Block;
 
+use Elgentos\Frontend2FA\Api\ConfigInterface;
+use Elgentos\Frontend2FA\Api\TfaCheckInterface;
 use Elgentos\Frontend2FA\Model\GoogleAuthenticatorService;
-use Elgentos\Frontend2FA\Observer\TfaFrontendCheck;
 use Magento\Catalog\Model\Session as CatalogSession;
 use Magento\Customer\Model\Session;
 use Magento\Framework\View\Element\Template\Context;
@@ -18,10 +19,6 @@
 
 class Authenticator extends \Neyamtux\Authenticator\Block\Authenticator
 {
-    /**
-     * @var TfaFrontendCheck
-     */
-    public $observer;
     /**
      * @var Session
      */
@@ -42,7 +39,7 @@ class Authenticator extends \Neyamtux\Authenticator\Block\Authenticator
      * @param Context               $context
      * @param GoogleAuthenticator   $googleAuthenticator
      * @param CatalogSession        $session
-     * @param TfaFrontendCheck      $observer
+     * @param TfaCheckInterface     $tfaCheck
      * @param Session               $customerSession
      * @param StoreManagerInterface $storeManager
      * @param array                 $data
@@ -52,14 +49,14 @@ public function __construct(
         GoogleAuthenticator $googleAuthenticator,
         GoogleAuthenticatorService $googleAuthenticatorService,
         CatalogSession $session,
-        TfaFrontendCheck $observer,
+        private readonly TfaCheckInterface $tfaCheck,
         Session $customerSession,
         StoreManagerInterface $storeManager,
+        private readonly ConfigInterface $config,
         array $data = []
     ) {
         parent::__construct($context, $googleAuthenticator, $session, $data);
         $this->googleAuthenticatorService = $googleAuthenticatorService;
-        $this->observer = $observer;
         $this->customerSession = $customerSession;
         $this->storeManager = $storeManager;
     }
@@ -72,7 +69,11 @@ public function __construct(
     public function getQrCodeBase64Image()
     {
         // Replace non-alphanumeric characters with dashes; Google Authenticator does not like spaces in the title
-        $title = preg_replace('/[^a-z0-9]+/i', '-', $this->storeManager->getWebsite()->getName().' 2FA Login');
+        $title = sprintf("%s %s: %s",
+            $this->storeManager->getWebsite()->getName(),
+            '2FA',
+            $this->customerSession->getCustomer()->getEmail()
+        );
         $imageData = base64_encode($this->googleAuthenticatorService->getQrCodeEndroid($title, $this->_googleSecret));
 
         return 'data:image/png;base64,'.$imageData;
@@ -85,7 +86,7 @@ public function getQrCodeBase64Image()
      */
     public function getSetupFormAction()
     {
-        return $this->getUrl('frontend2fa/account/setup', ['_secure' => true]);
+        return $this->getUrl(TfaCheckInterface::FRONTEND_2_FA_ACCOUNT_SETUP_PATH, ['_secure' => true]);
     }
 
     /**
@@ -95,7 +96,7 @@ public function getSetupFormAction()
      */
     public function getAuthenticateFormAction()
     {
-        return $this->getUrl('frontend2fa/account/authenticate', ['_secure' => true]);
+        return $this->getUrl(TfaCheckInterface::FRONTEND_2_FA_ACCOUNT_AUTHENTICATE_PATH, ['_secure' => true]);
     }
 
     /**
@@ -109,6 +110,24 @@ public function is2faConfiguredForCustomer($customer = null)
             $customer = $this->customerSession->getCustomer();
         }
 
-        return $this->observer->is2faConfiguredForCustomer($customer);
+        return $this->tfaCheck->is2faConfiguredForCustomer($customer);
+    }
+
+    public function getCancelSetupUrl()
+    {
+        return '/customer/account/';
+    }
+
+    public function getCancel2faUrl()
+    {
+        return '/customer/account/logout/';
+    }
+
+    public function isInForcedGroup(): bool {
+        $customer = $this->customerSession->getCustomer();
+        return in_array(
+            $customer->getGroupId(),
+            $this->config->getForced2faCustomerGroups()
+        );
     }
 }

Controller/Account/Authenticate.php

@@ -75,9 +75,13 @@ public function execute()
         } else {
             $secret = $this->secretFactory->create()->load($this->_customerSession->getCustomerId(), 'customer_id')->getSecret();
             if ($this->_authenticateQRCode($secret, $post['code'])) {
-                $this->messageManager->addSuccessMessage(__('Two Factor Authentication successful'));
+                $redirectUrl = $this->_customerSession->getBefore2faUrl() ?? 'customer/account';
+                if (!str_contains($redirectUrl, 'checkout')) {
+                    $this->messageManager->addSuccessMessage(__('Two Factor Authentication successful'));
+                }
+
                 $this->_customerSession->set2faSuccessful(true);
-                $this->_redirect('customer/account');
+                $this->_redirect($redirectUrl);
             } else {
                 $this->messageManager->addErrorMessage(__('Two Factor Authentication code incorrect'));
                 $this->_customerSession->set2faSuccessful(false);

Model/Config.php

@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * Copyright Youwe. All rights reserved.
+ * https://www.youweagency.com
+ */
+
+declare(strict_types=1);
+
+namespace Elgentos\Frontend2FA\Model;
+
+use Elgentos\Frontend2FA\Api\ConfigInterface;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+class Config implements ConfigInterface
+{
+    const ELGENTOS_AUTHENTICATOR_GENERAL_ENABLE = 'elgentos_authenticator/general/enable';
+    const ELGENTOS_AUTHENTICATOR_GENERAL_FORCED_GROUPS = 'elgentos_authenticator/general/forced_groups';
+
+    public function __construct(
+        private readonly ScopeConfigInterface $config
+    ){
+
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->config->isSetFlag(
+            self::ELGENTOS_AUTHENTICATOR_GENERAL_ENABLE,
+            \Magento\Store\Model\ScopeInterface::SCOPE_STORE);
+    }
+
+    public function getForced2faCustomerGroups(): array
+    {
+        $forced2faCustomerGroups = $this->config->getValue(self::ELGENTOS_AUTHENTICATOR_GENERAL_FORCED_GROUPS, \Magento\Store\Model\ScopeInterface::SCOPE_STORE) ?? '';
+
+        return array_filter(array_map('trim', explode(',', $forced2faCustomerGroups)));
+    }
+}

Model/GoogleAuthenticatorService.php

@@ -3,6 +3,8 @@
 namespace Elgentos\Frontend2FA\Model;
 
 use Endroid\QrCode\QrCode;
+use Endroid\QrCode\Writer\PngWriter;
+use Endroid\QrCode\Encoding\Encoding;
 
 class GoogleAuthenticatorService extends \Neyamtux\Authenticator\Lib\PHPGangsta\GoogleAuthenticator
 {
@@ -27,12 +29,11 @@ public function getQrCodeEndroid($name, $secret, $title = null, $params = [])
         }
         $qrCode = new QrCode($text);
         $qrCode->setSize($size);
-        $qrCode->setWriterByName('png');
         $qrCode->setMargin(0);
-        $qrCode->setEncoding('UTF-8');
+        $qrCode->setEncoding(new Encoding('UTF-8'));
         $qrCode->setSize($size);
-        $qrCode->setText($text);
 
-        return $qrCode->writeString();
+        $writer = new PngWriter();
+        return $writer->write($qrCode)->getString();
     }
 }

Model/TfaCheck.php

@@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Copyright Youwe. All rights reserved.
+ * https://www.youweagency.com
+ */
+
+declare(strict_types=1);
+
+namespace Elgentos\Frontend2FA\Model;
+
+use Elgentos\Frontend2FA\Api\ConfigInterface;
+use Elgentos\Frontend2FA\Api\TfaCheckInterface;
+use Elgentos\Frontend2FA\Model\SecretFactory;
+
+class TfaCheck implements TfaCheckInterface
+{
+    public function __construct(
+        private readonly SecretFactory $secretFactory,
+        private readonly ConfigInterface $config
+    )
+    {
+
+    }
+
+    public function isCustomerInForced2faGroup(\Magento\Customer\Model\Customer $customer):bool
+    {
+        return in_array($customer->getGroupId(), $this->config->getForced2faCustomerGroups());
+    }
+
+
+    public function is2faConfiguredForCustomer(\Magento\Customer\Model\Customer $customer): bool
+    {
+        $secret = $this->secretFactory->create()->load($customer->getId(), 'customer_id');
+        if ($secret->getId() && $secret->getSecret()) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function getAllowedRoutes(\Magento\Customer\Model\Customer $customer): array
+    {
+        // When 2FA is configured, the customer needs to authenticate
+        if ($this->is2faConfiguredForCustomer($customer)) {
+            $routes = [self::FRONTEND_2_FA_ACCOUNT_AUTHENTICATE_ROUTE];
+        } else {
+            $routes = [self::FRONTEND_2_FA_ACCOUNT_SETUP_ROUTE];
+        }
+
+        // Customer should always be able to log out
+        $routes[] = self::CUSTOMER_ACCOUNT_LOGOUT_ROUTE;
+
+        return $routes;
+    }
+
+}

Observer/CustomerLogoutObserver.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Elgentos\Frontend2FA\Observer;
+
+use Magento\Customer\Model\Session;
+use Magento\Framework\Event\ObserverInterface;
+
+class CustomerLogoutObserver implements ObserverInterface
+{
+    public function __construct(
+        private readonly Session $customerSession
+    ) {
+    }
+    public function execute(\Magento\Framework\Event\Observer $observer)
+    {
+        $this->customerSession->set2faSuccessful(false);
+    }
+}