Associate and Disassociate MFA factors for OOBSMS, OOBEmail and TOTP …

…Authenticator
jezzsantos · Nov 12, 2024 · f809a89 · f809a89
1 parent 5c2b560
commit f809a89
Show file tree

Hide file tree

Showing 72 changed files with 3,680 additions and 688 deletions.
diff --git a/docs/design-principles/0000-all-use-cases.md b/docs/design-principles/0000-all-use-cases.md
@@ -20,7 +20,7 @@ Legend:
 
 > This is sample subdomain, and is expected to be deleted when this product goes to production
 
-1. Register a new car <sup>$$$</sup>
+1. Register a new car <sup>$$</sup>
 2. Delete a car <sup>$$$</sup>
 3. Schedule the car for "maintenance" <sup>$$$</sup>
 4. Take a car "offline" <sup>$$$</sup>
@@ -130,7 +130,7 @@ Machines are the way that non-human entities can operate on the platform.
 
 Is the way a user can authenticate with the platform using a username and password.
 
-1. Authenticate the current user (with a password)
+1. Authenticate the current user (with a password), may include a second factor (i.e. MFA)
 2. Register a new person (with a password and with optional invitation)
 3. Confirm registration of a person (from email)
 4. Initiate a password reset
@@ -139,9 +139,21 @@ Is the way a user can authenticate with the platform using a username and passwo
 7. Reset password
 8. Fetch the registration confirmation token <sup>TSTO</sup>
 
+#### MFA
+
+Is the way you can use one or more second factors for authenticating with the platform for password protected accounts (above)
+
+1. Enable or disable MFA for the current user (using a username and password)
+2. Associate a second factor authenticator for use in authentication (e.g., OOB-SMS, OOB-Email, or TOTP for authenticator apps)
+3. Disassociate a second factor authenticator <sup>$$$</sup>
+4. List the associated MFA authenticators
+5. Confirm association to authenticator
+6. Challenge with associated authenticator
+7. Verify with an associated authenticator
+
 #### Single-Sign On
 
-Is the way that a user can authenticate with the platform using an external OAuth2 provider (like Google, Facebook, etc.)
+Is the way that a user can authenticate with the platform using an external OAuth2 provider (like with: Microsoft, Google, Facebook, etc.)
 
 1. Authenticate and (auto-register) a person from another OAuth2 provider (with an optional invitation)
 

diff --git a/iac/AzureSQLServer-Eventing-Seed.sql b/iac/AzureSQLServer-Eventing-Seed.sql
diff --git a/iac/AzureSQLServer-Seed-Eventing-Generic.sql b/iac/AzureSQLServer-Seed-Eventing-Generic.sql
@@ -49,16 +49,6 @@ GO
 
 IF EXISTS(SELECT *
           FROM sys.objects
-<<<<<<<< HEAD:iac/AzureSQLServer-Seed-Eventing-Generic.sql
-========
-          WHERE object_id = OBJECT_ID(N'[dbo].[Car]')
-            AND type in (N'U'))
-    DROP TABLE [dbo].[Car]
-GO
-
-IF EXISTS(SELECT *
-          FROM sys.objects
->>>>>>>> ca4fe6b (Split SQL seed files):iac/AzureSQLServer-ReadModels-Seed.sql
           WHERE object_id = OBJECT_ID(N'[dbo].[DomainEvent]')
             AND type in (N'U'))
     DROP TABLE [dbo].[DomainEvent]
@@ -99,6 +89,13 @@ IF EXISTS(SELECT *
     DROP TABLE [dbo].[Membership]
 GO
 
+IF EXISTS(SELECT *
+          FROM sys.objects
+          WHERE object_id = OBJECT_ID(N'[dbo].[MfaAuthenticator]')
+            AND type in (N'U'))
+    DROP TABLE [dbo].[MfaAuthenticator]
+GO
+
 IF EXISTS(SELECT *
           FROM sys.objects
           WHERE object_id = OBJECT_ID(N'[dbo].[Organization]')
@@ -239,42 +236,6 @@ CREATE INDEX UserId
          [UserId]
             );
 
-<<<<<<<< HEAD:iac/AzureSQLServer-Seed-Eventing-Generic.sql
-========
-CREATE TABLE [dbo].[Car]
-(
-    [Id]                  [nvarchar](100) NOT NULL,
-    [LastPersistedAtUtc]  [datetime]      NULL,
-    [IsDeleted]           [bit]           NULL,
-    [LicenseJurisdiction] [nvarchar](max) NULL,
-    [LicenseNumber]       [nvarchar](max) NULL,
-    [ManagerIds]          [nvarchar](max) NULL,
-    [ManufactureMake]     [nvarchar](max) NULL,
-    [ManufactureModel]    [nvarchar](max) NULL,
-    [ManufactureYear]     [int]           NULL,
-    [OrganizationId]      [nvarchar](100) NULL,
-    [Status]              [nvarchar](100) NULL,
-    [VehicleOwnerId]      [nvarchar](100) NULL,
-) ON [PRIMARY]
-GO
-
-CREATE INDEX Id
-    ON [dbo].[Car]
-        (
-         [Id]
-            );
-CREATE INDEX OrganizationId
-    ON [dbo].[Car]
-        (
-         [OrganizationId]
-            );
-CREATE INDEX Status
-    ON [dbo].[Car]
-        (
-         [Status]
-            );
-
->>>>>>>> ca4fe6b (Split SQL seed files):iac/AzureSQLServer-ReadModels-Seed.sql
 CREATE TABLE [dbo].[DomainEvent]
 (
     [Id]                 [nvarchar](100) NOT NULL,
@@ -429,6 +390,28 @@ CREATE INDEX Id
          [Id]
             );
 
+CREATE TABLE [dbo].[MfaAuthenticator]
+(
+    [Id]                    [nvarchar](100) NOT NULL,
+    [LastPersistedAtUtc]    [datetime]      NULL,
+    [IsDeleted]             [bit]           NULL,
+    [BarCodeUri]            [nvarchar](max) NULL,
+    [IsActive]              [bit]           NULL,
+    [OobChannelValue]       [nvarchar](max) NULL,
+    [OobCode]               [nvarchar](max) NULL,
+    [PasswordCredentialId]  [nvarchar](100) NULL,
+    [Secret]                [nvarchar](max) NULL,
+    [Type]                  [nvarchar](max) NULL,
+    [UserId]                [nvarchar](100) NULL,
+) ON [PRIMARY]
+GO
+
+CREATE INDEX Id
+    ON [dbo].[MfaAuthenticator]
+        (
+         [Id]
+            );
+
 CREATE TABLE [dbo].[Organization]
 (
     [Id]                    [nvarchar](100) NOT NULL,
@@ -464,7 +447,6 @@ CREATE TABLE [dbo].[PasswordCredential]
     [IsMfaEnabled]                  [bit]           NULL,
     [MfaAuthenticationExpiresAt]    [datetime]      NULL,
     [MfaAuthenticationToken]        [nvarchar](max) NULL,
-    [MfaAuthenticators]             [int]           NULL,
     [MfaCanBeDisabled]              [bit]           NULL,
     [PasswordResetToken]            [nvarchar](450) NULL,
     [RegistrationVerificationToken] [nvarchar](max) NULL,

diff --git a/iac/AzureSQLServer-Snapshotting-Seed.sql b/iac/AzureSQLServer-Snapshotting-Seed.sql
diff --git a/src/ApiHost1/appsettings.json b/src/ApiHost1/appsettings.json
@@ -11,6 +11,9 @@
   "DomainServices": {
     "TenantSettingService": {
       "AesSecret": "V7z5SZnhHRa7z68adsvazQjeIbSiWWcR+4KuAUikhe0=::u4ErEVotb170bM8qKWyT8A=="
+    },
+    "MfaService": {
+      "IssuerName": "SaaStack"
     }
   },
   "ApplicationServices": {

diff --git a/src/Application.Interfaces/UsageConstants.cs b/src/Application.Interfaces/UsageConstants.cs
@@ -26,6 +26,7 @@ public static class Properties
         public const string DefaultOrganizationId = "DefaultOrganizationId";
         public const string Duration = "Duration";
         public const string EmailAddress = "EmailAddress";
+        public const string Enabled = "Enabled";
         public const string EndPoint = "EndPoint";
         public const string HttpMethod = "Method";
         public const string HttpPath = "Path";
@@ -47,6 +48,7 @@ public static class Properties
         public const string UsedById = "UserId";
         public const string UserAgent = "UserAgent";
         public const string UserIdOverride = "UserIdOverride";
+        public const string MfaAuthenticatorType = "MfaAuthenticatorType";
     }
 
     public static class Events
@@ -77,6 +79,9 @@ public static class Generic
                 public const string UserLogin = "User Login";
                 public const string UserLogout = "User Logout";
                 public const string UserPasswordForgotten = "User Password Forgotten";
+                public const string UserPasswordMfaEnabled = "User MFA Enabled";
+                public const string UserPasswordMfaAssociated = "User MFA Associated";
+                public const string UserPasswordMfaDisassociated = "User MFA Disassociated";
                 public const string UserPasswordReset = "User Password Reset";
                 public const string UserProfileChanged = "User Profile Updated";
             }

diff --git a/src/Application.Resources.Shared/PasswordCredential.cs b/src/Application.Resources.Shared/PasswordCredential.cs
@@ -16,11 +16,31 @@ public class PasswordCredentialConfirmation
     public required string Url { get; set; }
 }
 
-[Flags]
-public enum PasswordCredentialAuthenticators
+public enum PasswordCredentialMfaAuthenticatorType
 {
-    None = 0, // No Authenticator is required
+    None = 0,
+    RecoveryCodes = 1, // Recovery codes
     OobSms = 2, // Code is sent "Out of Band" in an SMS message 
-    OobEmail = 4, // Code is sent "Out of Band" in an email message
-    TotpAuthenticator = 8 // "Time-based One Time Password" is generated by a supported authenticator App
+    OobEmail = 3, // Code is sent "Out of Band" in an email message
+    TotpAuthenticator = 4 // "Time-based One Time Password" is generated by a supported authenticator App
+}
+
+public class PasswordCredentialMfaAuthenticator : IIdentifiableResource
+{
+    public bool IsActive { get; set; }
+
+    public required PasswordCredentialMfaAuthenticatorType Type { get; set; }
+
+    public required string Id { get; set; }
+}
+
+public class AssociatedPasswordCredentialMfaAuthenticator
+{
+    public string? BarCodeUri { get; set; }
+
+    public string? OobCode { get; set; }
+
+    public required List<string> RecoveryCodes { get; set; } = new();
+
+    public required PasswordCredentialMfaAuthenticatorType Type { get; set; }
 }
diff --git a/src/CarsDomain/CarRoot.cs b/src/CarsDomain/CarRoot.cs
@@ -168,7 +168,7 @@ protected override Result<Error> OnStateChanged(IDomainEvent @event, bool isReco
             {
                 Unavailabilities.Remove(deleted.UnavailabilityId.ToId());
                 Recorder.TraceDebug(null, "Car {Id} has had unavailability {UnavailabilityId} removed", Id,
-                    deleted.RootId);
+                    deleted.UnavailabilityId);
                 return Result.Ok;
             }
 

diff --git a/src/Domain.Events.Shared/Identities/PasswordCredentials/Created.cs b/src/Domain.Events.Shared/Identities/PasswordCredentials/Created.cs
@@ -1,6 +1,5 @@
 using Domain.Common;
 using Domain.Common.ValueObjects;
-using Domain.Shared.Identities;
 using JetBrains.Annotations;
 
 namespace Domain.Events.Shared.Identities.PasswordCredentials;
@@ -16,11 +15,9 @@ public Created()
     {
     }
 
-    public required bool MfaCanBeDisabled { get; set; }
-
     public required bool IsMfaEnabled { get; set; }
 
-    public required MfaAuthenticators MfaAuthenticators { get; set; }
+    public required bool MfaCanBeDisabled { get; set; }
 
     public required string UserId { get; set; }
 }
diff --git a/src/Domain.Events.Shared/Identities/PasswordCredentials/MfaAuthenticationInitiated.cs b/src/Domain.Events.Shared/Identities/PasswordCredentials/MfaAuthenticationInitiated.cs
@@ -1,6 +1,5 @@
 using Domain.Common;
 using Domain.Common.ValueObjects;
-using Domain.Shared.Identities;
 using JetBrains.Annotations;
 
 namespace Domain.Events.Shared.Identities.PasswordCredentials;
@@ -20,7 +19,5 @@ public MfaAuthenticationInitiated()
 
     public required string AuthenticationToken { get; set; }
 
-    public required MfaAuthenticators Authenticators { get; set; }
-
     public required string UserId { get; set; }
 }