Refactor authorization configuration to enhance access control and add cancel link in TOTP forms (#8182)

#### What type of PR is this?

/kind improvement
/area core
/milestone 2.22.x

#### What this PR does / why we need it:

This PR refactors authorization configuration to enhance access control and add cancel link in TOTP forms.

So that we can cancel TOTP authentication by being able to redirect to logout page.

#### Which issue(s) this PR fixes:

Fixes #8172

#### Special notes for your reviewer:

1. Try to configure TOTP for your own account
2. Try to logout and login
3. Click the cancel link and you will be redirected to logout page
4. Try to click the logout button

#### Does this PR introduce a user-facing change?

```release-note
优化二步验证登录体验
```

Author: JohnNiang

application/src/main/java/run/halo/app/security/authorization/AuthorizationExchangeConfigurers.java

@@ -19,6 +19,7 @@
 import reactor.core.publisher.Mono;
 import run.halo.app.core.user.service.RoleService;
 import run.halo.app.security.authentication.SecurityConfigurer;
+import run.halo.app.security.authentication.twofactor.TwoFactorAuthentication;
 
 /**
  * Authorization exchange configurers.
@@ -61,13 +62,25 @@ SecurityConfigurer preAuthenticationAuthorizationConfigurer() {
             .hasRole(AuthorityUtils.SUPER_ROLE_NAME)
             .pathMatchers("/logout/impersonate")
             .hasAuthority(SwitchUserWebFilter.ROLE_PREVIOUS_ADMINISTRATOR)
+            .pathMatchers("/challenges/**")
+            .access((authentication, context) ->
+                authentication.map(TwoFactorAuthentication.class::isInstance)
+                    .map(AuthorizationDecision::new)
+                    .switchIfEmpty(Mono.fromSupplier(() -> new AuthorizationDecision(false)))
+            )
             .pathMatchers(
                 "/login/**",
-                "/challenges/**",
                 "/password-reset/**",
                 "/signup"
             )
-            .permitAll());
+            .permitAll()
+            .pathMatchers("/logout")
+            .access((authentication, context) ->
+                authentication.map(a -> !authenticationTrustResolver.isAnonymous(a))
+                    .map(AuthorizationDecision::new)
+                    .switchIfEmpty(Mono.fromSupplier(() -> new AuthorizationDecision(false)))
+            )
+        );
     }
 
     @Bean
@@ -76,10 +89,10 @@ SecurityConfigurer authenticatedAuthorizationConfigurer() {
         // Anonymous user is not allowed
         return http -> http.authorizeExchange(
             spec -> spec.pathMatchers(
-                "/console/**",
-                "/uc/**",
-                "/logout"
-            ).authenticated()
+                    "/console/**",
+                    "/uc/**"
+                )
+                .authenticated()
         );
     }
 

application/src/main/resources/templates/challenges/two-factor/totp.html

@@ -1,15 +1,26 @@
 <!doctype html>
 <html
     xmlns:th="https://www.thymeleaf.org"
-    th:replace="~{gateway_fragments/layout :: layout(title = |#{title} - ${site.title}|, head = null, body = ~{::body})}"
+    th:replace="~{gateway_fragments/layout :: layout(title = |#{title} - ${site.title}|, head = ~{::head}, body = ~{::body})}"
 >
     <th:block th:fragment="body">
-        <div class="gateway-wrapper">
+        <div class="gateway-wrapper totp-page-wrapper">
             <div th:replace="~{gateway_fragments/common::haloLogo}"></div>
             <div class="halo-form-wrapper">
                 <h1 class="form-title" th:text="#{title}"></h1>
                 <form th:replace="~{gateway_fragments/totp::form}"></form>
             </div>
         </div>
     </th:block>
+
+    <th:block th:fragment="head">
+        <style>
+            .totp-page-wrapper .cancel-link {
+                color: var(--color-link);
+                font-size: var(--text-sm);
+                text-decoration: none;
+                text-align: center;
+            }
+        </style>
+    </th:block>
 </html>

application/src/main/resources/templates/gateway_fragments/totp.html

@@ -27,4 +27,7 @@
     <div class="form-item">
         <button type="submit" th:text="#{form.submit}"></button>
     </div>
+    <div class="form-item">
+        <a th:href="@{/logout}" class="cancel-link" th:text="#{form.cancel}"></a>
+    </div>
 </form>

application/src/main/resources/templates/gateway_fragments/totp.properties

@@ -1,3 +1,4 @@
 form.messages.invalidError=错误的验证码
 form.code.label=验证码
-form.submit=验证
+form.submit=验证
+form.cancel=取消

application/src/main/resources/templates/gateway_fragments/totp_en.properties

@@ -1,3 +1,4 @@
 form.messages.invalidError=Invalid TOTP code
 form.code.label=TOTP Code
-form.submit=Verify
+form.submit=Verify
+form.cancel=Cancel

application/src/main/resources/templates/gateway_fragments/totp_es.properties

@@ -1,3 +1,4 @@
 form.messages.invalidError=Código de verificación incorrecto
 form.code.label=Código de Verificación
-form.submit=Verificar
+form.submit=Verificar
+form.cancel=Cancelar

application/src/main/resources/templates/gateway_fragments/totp_zh_TW.properties

@@ -1,3 +1,4 @@
 form.messages.invalidError=錯誤的驗證碼
 form.code.label=驗證碼
-form.submit=驗證
+form.submit=驗證
+form.cancel=取消