Merge pull request mesutpiskin#103 from ktiass/main

Fix CVE vulnerabilities, enforce OTP verification during setup, and add max attempts protection

Author: mesutpiskin

Dockerfile

@@ -9,7 +9,7 @@ COPY src ./src
 RUN mvn clean package -DskipTests
 
 # Stage 2: Create the Keycloak image
-FROM quay.io/keycloak/keycloak:26.0.0
+FROM quay.io/keycloak/keycloak:26.5.3
 
 # Copy the provider JAR from the builder stage
 COPY --from=builder /app/target/keycloak-2fa-email-authenticator-*.jar /opt/keycloak/providers/

pom.xml

@@ -5,7 +5,7 @@
 
     <artifactId>keycloak-2fa-email-authenticator</artifactId>
     <groupId>com.mesutpiskin.keycloak</groupId>
-    <version>26.1.1</version>
+    <version>26.2.0</version>
     <modelVersion>4.0.0</modelVersion>
     <packaging>jar</packaging>
 
@@ -14,10 +14,27 @@
         <java.version>21</java.version>
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <maven.compiler.target>${java.version}</maven.compiler.target>
-        <keycloak.version>26.0.0</keycloak.version>
+        <keycloak.version>26.5.3</keycloak.version>
+        <sendgrid.version>4.10.3</sendgrid.version>
+        <aws-sdk.version>2.30.31</aws-sdk.version>
+        <junit-jupiter.version>5.11.4</junit-jupiter.version>
+        <mockito.version>5.15.2</mockito.version>
+        <maven-surefire.plugin.version>3.5.2</maven-surefire.plugin.version>
         <maven-jar.plugin.version>3.4.2</maven-jar.plugin.version>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>bom</artifactId>
+                <version>${aws-sdk.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.keycloak</groupId>
@@ -43,39 +60,43 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
-            <version>5.10.0</version>
+            <version>${junit-jupiter.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>5.5.0</version>
+            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
-            <version>5.5.0</version>
+            <version>${mockito.version}</version>
             <scope>test</scope>
         </dependency>
 
         <!-- SendGrid Email Service Provider -->
         <dependency>
             <groupId>com.sendgrid</groupId>
             <artifactId>sendgrid-java</artifactId>
-            <version>4.10.2</version>
+            <version>${sendgrid.version}</version>
         </dependency>
 
         <!-- AWS SES Email Service Provider -->
         <dependency>
             <groupId>software.amazon.awssdk</groupId>
             <artifactId>ses</artifactId>
-            <version>2.20.26</version>
         </dependency>
     </dependencies>
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire.plugin.version}</version>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>

src/main/java/com/mesutpiskin/keycloak/auth/email/EmailAuthenticatorForm.java

@@ -55,6 +55,7 @@ public class EmailAuthenticatorForm extends AbstractUsernameFormAuthenticator
         implements CredentialValidator<EmailAuthenticatorCredentialProvider> {
 
     protected static final Logger logger = Logger.getLogger(EmailAuthenticatorForm.class);
+    private static final String CODE_ATTEMPTS = "emailCodeAttempts";
 
     /**
      * Initiates the authentication process by presenting the email OTP challenge to
@@ -277,14 +278,29 @@ private boolean isValidCodeContext(AuthenticationFlowContext context, UserModel
         if (codeContext.submittedCode().equals(codeContext.storedCode()))
             return true;
 
-        // AuthenticationExecutionModel execution = context.getExecution();
-        // if (execution.isRequired()) {
         context.getEvent().user(user).error(Errors.INVALID_USER_CREDENTIALS);
-        Response challengeResponse = challenge(context, Messages.INVALID_ACCESS_CODE, EmailConstants.CODE);
-        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
-        // } else if (execution.isConditional() || execution.isAlternative()) {
-        // context.attempted();
-        // }
+
+        AuthenticationSessionModel session = context.getAuthenticationSession();
+        int attempts = incrementAttempts(session);
+
+        AuthenticatorConfigModel config = context.getAuthenticatorConfig();
+        Map<String, String> configValues = config != null && config.getConfig() != null
+                ? config.getConfig()
+                : Map.of();
+        int maxAttempts = resolvePositiveInt(configValues, EmailConstants.MAX_ATTEMPTS,
+                EmailConstants.DEFAULT_MAX_ATTEMPTS);
+
+        if (attempts >= maxAttempts) {
+            resetEmailCode(context);
+            LoginFormsProvider form = prepareForm(context, null);
+            form.setAttribute("maxAttemptsReached", true);
+            applyFormMessage(form, "email-authenticator-too-many-attempts", EmailConstants.CODE);
+            Response challengeResponse = form.createForm("email-code-form.ftl");
+            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
+        } else {
+            Response challengeResponse = challenge(context, Messages.INVALID_ACCESS_CODE, EmailConstants.CODE);
+            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challengeResponse);
+        }
         return false;
     }
 
@@ -327,7 +343,6 @@ private void applyFormMessage(LoginFormsProvider form, String messageKey, String
         }
     }
 
-    @Override
     protected String disabledByBruteForceError() {
         return Messages.INVALID_ACCESS_CODE;
     }
@@ -337,6 +352,21 @@ private void resetEmailCode(AuthenticationFlowContext context) {
         session.removeAuthNote(EmailConstants.CODE);
         session.removeAuthNote(EmailConstants.CODE_TTL);
         session.removeAuthNote(EmailConstants.CODE_RESEND_AVAILABLE_AFTER);
+        session.removeAuthNote(CODE_ATTEMPTS);
+    }
+
+    private int incrementAttempts(AuthenticationSessionModel session) {
+        String raw = session.getAuthNote(CODE_ATTEMPTS);
+        int attempts = 1;
+        if (raw != null) {
+            try {
+                attempts = Integer.parseInt(raw) + 1;
+            } catch (NumberFormatException ignored) {
+                // corrupt value, start over
+            }
+        }
+        session.setAuthNote(CODE_ATTEMPTS, Integer.toString(attempts));
+        return attempts;
     }
 
     @Override

src/main/java/com/mesutpiskin/keycloak/auth/email/EmailAuthenticatorFormFactory.java

@@ -103,7 +103,10 @@ public List<ProviderConfigProperty> getConfigProperties() {
                         ProviderConfigProperty.BOOLEAN_TYPE, String.valueOf(EmailConstants.DEFAULT_SIMULATION_MODE)),
                 new ProviderConfigProperty(EmailConstants.RESEND_COOLDOWN, "Resend Cooldown (seconds)",
                         "The minimum number of seconds a user must wait before requesting a new code.",
-                        ProviderConfigProperty.STRING_TYPE, String.valueOf(EmailConstants.DEFAULT_RESEND_COOLDOWN)));
+                        ProviderConfigProperty.STRING_TYPE, String.valueOf(EmailConstants.DEFAULT_RESEND_COOLDOWN)),
+                new ProviderConfigProperty(EmailConstants.MAX_ATTEMPTS, "Max Code Attempts",
+                        "The maximum number of invalid code attempts before the code is invalidated and a new one must be requested.",
+                        ProviderConfigProperty.STRING_TYPE, String.valueOf(EmailConstants.DEFAULT_MAX_ATTEMPTS)));
     }
 
     @Override