OTP FLOW Tweaks

.env.example

@@ -107,4 +107,6 @@ AUTH_ALLOWS_NATIVE_AUTH=1
 AUTH_ALLOWS_OTP=1
 AUTH_ALLOWS_NATIVE_AUTH_CONFIG=1
 MAIL_SEND_WELCOME_EMAIL=1
-DEFAULT_PROFILE_IMAGE=
+DEFAULT_PROFILE_IMAGE=
+
+AUTH_PASSWORD_RESET_LIFETIME=1800

app/Http/Controllers/Auth/ResetPasswordController.php

@@ -15,10 +15,7 @@
 use App\libs\Auth\Repositories\IUserPasswordResetRequestRepository;
 use App\Services\Auth\IUserService;
 use Auth\Exceptions\UserPasswordResetRequestVoidException;
-use Auth\Repositories\IUserRepository;
 use Illuminate\Support\Facades\Log;
-use Illuminate\Support\Facades\Redirect;
-use Illuminate\Support\Facades\URL;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Http\Request as LaravelRequest;
 use models\exceptions\EntityNotFoundException;

app/Http/Controllers/UserController.php

@@ -255,7 +255,8 @@ public function getAccount()
             return $this->ok(
                 [
                     'pic' => $user->getPic(),
-                    'full_name' => $user->getFullName()
+                    'full_name' => $user->getFullName(),
+                    'has_password_set' => $user->hasPasswordSet()
                 ]
             );
         } catch (ValidationException $ex) {

app/Jobs/GenerateOTPRegistrationReminder.php

@@ -0,0 +1,55 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use App\Services\Auth\IUserService as IAuthUserService;
+use Auth\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Class GenerateOTPRegistrationReminder
+ * @package App\Jobs
+ */
+final class GenerateOTPRegistrationReminder implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    private $user_id;
+
+    public function __construct(User $user)
+    {
+        $this->user_id = $user->getId();
+        Log::debug(sprintf("GenerateOTPRegistrationReminder::GenerateOTPRegistrationReminder user %s", $user->getEmail()));
+    }
+
+    /**
+     * @param IAuthUserService $service
+     * @return void
+     * @throws \Exception
+     */
+    public function handle(IAuthUserService $service)
+    {
+        Log::debug(sprintf("GenerateOTPRegistrationReminder::handle user %s", $this->user_id));
+        $service->sendOTPRegistrationReminder($this->user_id);
+    }
+
+    public function failed(\Throwable $exception)
+    {
+        Log::error($exception);
+    }
+}

app/Mail/OTPRegistrationReminderEmail.php

@@ -0,0 +1,44 @@
+<?php namespace App\Mail;
+/**
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Log;
+
+/**
+ * Class OTPRegistrationReminderEmail
+ * @package App\Mail
+ */
+final class OTPRegistrationReminderEmail extends WelcomeNewUserEmail
+{
+    /**
+     * Build the message.
+     *
+     * @return $this
+     */
+    public function build()
+    {
+        $this->subject = sprintf('[%1$s] Remember to set your password', Config::get('app.app_name'));
+        $view = 'emails.oauth2_passwordless_otp_reg_reminder';
+
+        if (Config::get("app.tenant_name") == 'FNTECH') {
+            $view = 'emails.oauth2_passwordless_otp_reg_reminder_fn';
+        }
+
+        Log::debug(sprintf("OTPRegistrationReminderEmail::build to %s", $this->user_email));
+        return $this->from(Config::get("mail.from"))
+            ->to($this->user_email)
+            ->subject($this->subject)
+            ->view($view);
+    }
+}

app/Mail/WelcomeNewUserEmail.php

@@ -15,7 +15,6 @@
 use Illuminate\Bus\Queueable;
 use Illuminate\Mail\Mailable;
 use Illuminate\Queue\SerializesModels;
-use Illuminate\Contracts\Queue\ShouldQueue;
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\URL;
@@ -24,7 +23,7 @@
  * Class WelcomeNewUserEmail
  * @package App\Mail
  */
-final class WelcomeNewUserEmail extends Mailable
+class WelcomeNewUserEmail extends Mailable
 {
     use Queueable, SerializesModels;
 
@@ -101,8 +100,10 @@ public function __construct
         if($user->createdByOTP()){
             $this->user_created_by_otp = true;
             $otp = $user->getCreatedByOtp();
-            $otp_redirect_url = $otp->getRedirectUrl();
-            $this->site_base_url = !empty($otp_redirect_url) ? parse_url($otp_redirect_url)['host'] : null;
+            if(!is_null($otp)) {
+                $otp_redirect_url = $otp->getRedirectUrl();
+                $this->site_base_url = !empty($otp_redirect_url) ? parse_url($otp_redirect_url)['host'] : null;
+            }
         }
 
         $this->reset_password_link = $reset_password_link;

app/Providers/EventServiceProvider.php

@@ -75,15 +75,15 @@ public function boot()
         Event::listen(UserEmailVerified::class, function($event)
         {
             $service   = App::make(IUserService::class);
-            if(is_null($service) || !$service instanceof IUserService) return;
+            if(!$service instanceof IUserService) return;
             $service->sendSuccessfulVerificationEmail($event->getUserId());
         });
 
         Event::listen(UserCreated::class, function($event)
         {
             // new user created
             $service = App::make(IUserService::class);
-            if(is_null($service) || !$service instanceof IUserService) return;
+            if(!$service instanceof IUserService) return;
             $service->initializeUser($event->getUserId());
         });
 

app/Services/Auth/IUserService.php

@@ -129,4 +129,11 @@ public function initializeUser(int $user_id):?User;
      * @throws \Exception
      */
     public function updateRegistrationRequest(int $id, array $payload):UserRegistrationRequest;
+
+    /**
+     * @param int $user_id
+     * @return void
+     * @throws \Exception
+     */
+    public function sendOTPRegistrationReminder(int $user_id);
 }

app/Services/Auth/UserService.php

@@ -23,6 +23,7 @@
 use App\libs\Auth\Repositories\ISpamEstimatorFeedRepository;
 use App\libs\Auth\Repositories\IUserPasswordResetRequestRepository;
 use App\libs\Auth\Repositories\IUserRegistrationRequestRepository;
+use App\Mail\OTPRegistrationReminderEmail;
 use App\Mail\UserEmailVerificationRequest;
 use App\Mail\UserEmailVerificationSuccess;
 use App\Mail\UserPasswordResetRequestMail;
@@ -499,7 +500,7 @@ public function sendSuccessfulVerificationEmail(int $user_id): ?User
         return $this->tx_service->transaction(function() use($user_id){
 
             $user = $this->user_repository->getById($user_id);
-            if(is_null($user) || !$user instanceof User) return null;
+            if(!$user instanceof User) return null;
 
             $reset_password_link = null;
 
@@ -527,7 +528,7 @@ public function initializeUser(int $user_id): ?User
         return $this->tx_service->transaction(function() use($user_id) {
             Log::debug(sprintf("UserService::initializeUser %s", $user_id));
             $user = $this->user_repository->getById($user_id);
-            if(is_null($user) || !$user instanceof User) return null;
+            if(!$user instanceof User) return null;
 
             if(!$user->isEmailVerified()) {
                 Log::debug(sprintf("UserService::initializeUser %s email not verified", $user_id));
@@ -560,4 +561,24 @@ public function initializeUser(int $user_id): ?User
             return $user;
         });
     }
+
+    /**
+     * @param int $user_id
+     * @return void
+     * @throws \Exception
+     */
+    public function sendOTPRegistrationReminder(int $user_id){
+        $this->tx_service->transaction(function() use($user_id) {
+            Log::debug(sprintf("UserService::sendOTPRegistrationReminder %s", $user_id));
+            $user = $this->user_repository->getById($user_id);
+            if( !$user instanceof User)
+                throw new EntityNotFoundException(sprintf("User %s not found.", $user_id));
+
+            if ($user->hasPasswordSet())
+                throw new ValidationException(sprintf("User %s already has password set.", $user->getId()));
+
+            $request = $this->generatePasswordResetRequest($user->getEmail());
+            Mail::queue(new OTPRegistrationReminderEmail($user, $request->getResetLink()));
+        });
+    }
 }

app/libs/Auth/AuthService.php

@@ -12,6 +12,7 @@
  * limitations under the License.
  **/
 
+use App\Jobs\GenerateOTPRegistrationReminder;
 use App\libs\OAuth2\Exceptions\ReloadSessionException;
 use App\libs\OAuth2\Repositories\IOAuth2OTPRepository;
 use App\Services\AbstractService;
@@ -206,7 +207,7 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
                     )
                 );
 
-                throw new AuthenticationException("Non existent OTP.");
+                throw new AuthenticationException("Non existent single-use code.");
             }
 
             $otp->logRedeemAttempt();
@@ -216,28 +217,28 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
         return $this->tx_service->transaction(function () use ($otp, $otpClaim, $client, $remember) {
 
             if (!$otp->isAlive()) {
-                throw new AuthenticationException("OTP is expired.");
+                throw new AuthenticationException("Single-use code is expired.");
             }
 
             if (!$otp->isValid()) {
-                throw new AuthenticationException("OTP is not valid.");
+                throw new AuthenticationException("Single-use code is not valid.");
             }
 
             if ($otp->getValue() != $otpClaim->getValue()) {
-                throw new AuthenticationException("OTP mismatch.");
+                throw new AuthenticationException("Single-use code mismatch.");
             }
 
             if(!empty($otpClaim->getScope()) && !$otp->allowScope($otpClaim->getScope()))
-                throw new InvalidOTPException("OTP Requested scopes escalates former scopes.");
+                throw new InvalidOTPException("Single-use code requested scopes escalates former scopes.");
 
             if (($otp->hasClient() && is_null($client)) ||
                 ($otp->hasClient() && !is_null($client) && $client->getClientId() != $otp->getClient()->getClientId())) {
-                throw new AuthenticationException("OTP audience mismatch.");
+                throw new AuthenticationException("Single-use code audience mismatch.");
             }
 
             $user = $this->getUserByUsername($otp->getUserName());
-
-            if (is_null($user)) {
+            $new_user = is_null($user);
+            if ($new_user) {
                 // we need to create a new one ( auto register)
 
                 Log::debug(sprintf("AuthService::loginWithOTP user %s does not exists ...", $otp->getUserName()));
@@ -268,16 +269,20 @@ public function loginWithOTP(OAuth2OTP $otpClaim, ?Client $client = null, bool $
             foreach ($grants2Revoke as $otp2Revoke){
                 try {
                     Log::debug(sprintf("AuthService::loginWithOTP revoking otp %s ", $otp2Revoke->getValue()));
-                    if($otp2Revoke->getValue() !== $otpClaim->getValue())
+                    if ($otp2Revoke->getValue() !== $otpClaim->getValue())
                         $otp2Revoke->redeem();
-                }
-                catch (Exception $ex){
+                } catch (Exception $ex) {
                     Log::warning($ex);
                 }
             }
 
             Auth::login($user, $remember);
 
+            if (!$user->hasPasswordSet() && !$new_user) {
+                // trigger background job
+                GenerateOTPRegistrationReminder::dispatch($user);
+            }
+
             return $otp;
         });
     }

config/auth.php

@@ -99,10 +99,10 @@
     ],
 
     // in seconds
-    'password_reset_lifetime' => env('AUTH_PASSWORD_RESET_LIFETIME', 600),
+    'password_reset_lifetime' => env('AUTH_PASSWORD_RESET_LIFETIME', 1800),
     'password_min_length' => env('AUTH_PASSWORD_MIN_LENGTH', 8),
     'password_max_length' => env('AUTH_PASSWORD_MAX_LENGTH', 30),
-    'verification_email_lifetime' => env ("AUTH_VERIFICATION_EMAIL_LIFETIME", 600),
+    'verification_email_lifetime' => env("AUTH_VERIFICATION_EMAIL_LIFETIME", 600),
     'allows_native_auth' => env('AUTH_ALLOWS_NATIVE_AUTH', 1),
     'allows_native_on_config' => env('AUTH_ALLOWS_NATIVE_AUTH_CONFIG', 1),
     'allows_opt_auth' => env('AUTH_ALLOWS_OTP_AUTH', 1),

package.json

@@ -105,6 +105,7 @@
     "pure": "^2.85.0",
     "pwstrength-bootstrap": "^3.0.10",
     "react-google-recaptcha": "^2.1.0",
+    "react-otp-input": "^3.1.1",
     "react-password-strength-bar": "^0.4.0",
     "react-simplemde-editor": "^5.2.0",
     "simplemde": "^1.11.2",