Merge pull request #63 from ellaisys/51-implementing-mfa

51 implementing SMS MFA
ellaisys · Jun 23, 2023 · 03b3e53 · 03b3e53
2 parents ca3547c + 6ab6062
commit 03b3e53
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 12 deletions.
diff --git a/README_MFA.md b/README_MFA.md
@@ -1,16 +1,26 @@
 ## **MFA Functionality**
-The library currently provides only the MFA for the Software Token. The SMS based TOPT is still under development and shall be released shortly.
+The library currently provides the MFA for the Software Token and SMS based TOPT.
 
 ## **Configurations**
 The package provides a trait that you can add to your controller to make the MFA methods running.
-
 - Ellaisys\Cognito\Auth\RegisterMFA
 
+Also, configure below keys into the .env file to change the default setting. 
+ - The **AWS_COGNITO_MFA_SETUP** should be set to MFA_ENABLED to enable the MFA feature. The default value is MFA_NONE resulting into disabled MFA functionality. 
+ - The **AWS_COGNITO_MFA_TYPE** can have values SOFTWARE_TOKEN_MFA (default) for the Software Token and SMS_MFA for the SMS based TOTP. The configuration to send out the SMS needs to be carried out in AWS and costs additional as per the AWS SNS pricing standards.
+
+```php
+
+    AWS_COGNITO_MFA_SETUP="MFA_ENABLED"
+    AWS_COGNITO_MFA_TYPE="SOFTWARE_TOKEN_MFA"
+
+```
+
 ## **Features**
 - [Login (MFA Enabled)](#login)
-- [Activate MFA](#activate-mfa)
-- [Verify MFA Token](#verify-mfa)
-- [Deactivate MFA](#deactivate-mfa)
+- [Activate MFA](#activate-mfa-software-token-only)
+- [Verify MFA Token](#verify-mfa-software-token-only)
+- [Deactivate MFA](#deactivate-mfa-software-token-only)
 - [Enable MFA](#enabledisable-mfa)
 - [Disable MFA](#enabledisable-mfa)
 
@@ -63,10 +73,10 @@ The first step for the web application is same for MFA enabled / disabled implem
 
 ```
 
-### **Activate MFA**
-The activate process allows the user to configure the MFA. In case of a Software Token MFA setting on the mobile device, a key or the scan code will make it easy to consume the MFA using any of the authenticator applications (i.e. Google Authentictor OR Microsoft Authenticator).
+### **Activate MFA (Software Token Only)**
+The activate process allows the user to configure the Software MFA. To configure the Software Token MFA setting on the mobile device, a key or the scan code (easy to consume), is available for use on any of the authenticator applications (i.e. Google Authentictor OR Microsoft Authenticator).
 
-The process completes when the code is verified using the [Verified MFA](#verify-mfa) step.
+The process completes when the code is verified using the [Verified MFA](#verify-mfa-software-token-only) step.
 
 #### Web and API based Approach
 The function call looks as shown below. Just reference the the method activateMFA, with the guard name as a parameter, in the trait that you added above in configuration. This shall activate the Software MFA token.
@@ -98,7 +108,7 @@ and the web response, you can design a page like this to show the code for activ
 
 <img src="./assets/images/web_application_activate.png" width="50%" alt="cognito mfa activate for web"/>
 
-### **Verify MFA**
+### **Verify MFA (Software Token Only)**
 In order to complete the activation process, the verification is an essential step. As part of this verification process, you need to enter the code (available in the authenticator application) while submitting the request. Depending upon the web or api controller, the impementation needs to be updated. The response will be HTTP Status Code 200.
 
 ```php
@@ -116,7 +126,7 @@ In order to complete the activation process, the verification is an essential st
 ```
 
 
-### **Deactivate MFA**
+### **Deactivate MFA (Software Token Only)**
 In order to deactivate the MFA for a user, this process can be called to deactivate the MFA. In most practical situations, you can skip this implementation. This uses the access token for deactivation.
 
 In order to enable/disable another user based on your RBAC implementation, you can use the [Enable/Diable Feature](#enabledisable-mfa)
@@ -136,7 +146,7 @@ In order to enable/disable another user based on your RBAC implementation, you c
 ```
 
 ### **Enable/Disable MFA**
-This feature allows the admin user to enable/disable an user's mfa using an email address. The developer shall need to implement the RBAC to ensure that this feature is not misused.
+This feature allows the admin user to enable/disable an user's mfa (both Software Token and SMS) using an email address. The developer shall need to implement the RBAC to ensure that this feature is not misused.
 
 Below methods in the trait help to enable or disable the MFA returning the HTTP Success Code.
 

diff --git a/src/AwsCognitoClient.php b/src/AwsCognitoClient.php
@@ -707,7 +707,7 @@ protected function adminRespondToAuthChallenge(string $challengeName, string $se
             //Set challenge response
             $challengeResponse=['USERNAME' => $username];
             switch ($challengeName) {
-                case 'SMS_MFA_CODE':
+                case 'SMS_MFA':
                     $challengeResponse = array_merge($challengeResponse, [
                         'SMS_MFA_CODE' => $challengeValue
                     ]);

diff --git a/src/Guards/CognitoSessionGuard.php b/src/Guards/CognitoSessionGuard.php
@@ -141,6 +141,16 @@ protected function hasValidCredentials($user, $credentials)
                         ];
                         break;
 
+                    case 'SMS_MFA':
+                        $this->challengeData = [
+                            'status' => $result['ChallengeName'],
+                            'session_token' => $result['Session'],
+                            'challenge_params' => $result['ChallengeParameters'],
+                            'username' => $credentials[$this->keyUsername],
+                            'user' => serialize($user)
+                        ];
+                        break;
+
                     default:
                         if (in_array($result['ChallengeName'], config('cognito.forced_challenge_names'))) {
                             $this->challengeName = $result['ChallengeName'];
@@ -184,6 +194,7 @@ public function attempt(array $credentials = [], $remember = false)
                 if (!empty($this->challengeName)) {
                     switch ($this->challengeName) {
                         case 'SOFTWARE_TOKEN_MFA':
+                        case 'SMS_MFA':
                             //Get Session and store details
                             $session = $this->getSession();
                             $session->invalidate();

diff --git a/src/Guards/CognitoTokenGuard.php b/src/Guards/CognitoTokenGuard.php
@@ -115,6 +115,16 @@ protected function hasValidCredentials($user, array $credentials, bool $remember
                             'user' => serialize($user)
                         ];
                         break;
+
+                    case 'SMS_MFA':
+                        $this->claim = [
+                            'status' => $result['ChallengeName'],
+                            'session' => $result['Session'],
+                            'challenge_params' => $result['ChallengeParameters'],
+                            'username' => $credentials[$this->keyUsername],
+                            'user' => serialize($user)
+                        ];
+                        break;
 
                     default:
                         if (in_array($result['ChallengeName'], config('cognito.forced_challenge_names'))) {
@@ -253,6 +263,7 @@ private function login($user)
         if ($claim && is_array($claim) && $claim['status']) {
             switch ($claim['status']) {
                 case 'SOFTWARE_TOKEN_MFA':
+                case 'SMS_MFA':
                     unset($claim['username']);
                     unset($claim['user']);
                     break;