[SD-375] Added services and routesubscriber.

dpc-sdp · Oct 29, 2024 · 08395fa · 08395fa
1 parent f2abe73
commit 08395fa
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 7 deletions.
diff --git a/modules/tide_tfa/src/Controller/TideTfaUserController.php b/modules/tide_tfa/src/Controller/TideTfaUserController.php
@@ -15,7 +15,18 @@ class TideTfaUserController extends TfaUserControllerBase {
   /**
    * {@inheritdoc}
    */
-  protected function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
+  public function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
+    // Ensure a valid request object.
+    if (!$request) {
+      $request = \Drupal::request();
+    }
+
+    // Check if the PRLP module is enabled.
+    if (!\Drupal::moduleHandler()->moduleExists('prlp')) {
+      // If PRLP is not enabled, call the parent method.
+      return parent::doResetPassLogin($uid, $timestamp, $hash, $request);
+    }
+
     // Create an instance of PrlpController.
     $prlp_controller = new PrlpController(
       \Drupal::service('date.formatter'),
@@ -31,7 +42,8 @@ protected function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
     $this->setUser($user);
 
     // Let Drupal core deal with the one time login,
-    // if Tfa is not enabled or current user can skip TFA while resetting password.
+    // if Tfa is not enabled or
+    // current user can skip TFA while resetting password.
     if ($this->isTfaDisabled() || $this->canSkipPassReset()) {
       // Use PRLP's resetPassLogin instead of the core function.
       return $prlp_controller->prlpResetPassLogin($request, $uid, $timestamp, $hash);
@@ -59,7 +71,8 @@ protected function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
     if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
       $this->messenger()->addError($this->t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
       return $this->redirect('user.pass');
-    } elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && hash_equals($hash, user_pass_rehash($user, $timestamp))) {
+    }
+    elseif ($user->isAuthenticated() && ($timestamp >= $user->getLastLoginTime()) && ($timestamp <= $current) && hash_equals($hash, user_pass_rehash($user, $timestamp))) {
       if ($tfa_ready) {
         $this->session->migrate();
         $token = Crypt::randomBytesBase64(55);
@@ -79,10 +92,12 @@ protected function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
           'query' => ['pass-reset-token' => $token],
           'absolute' => TRUE,
         ]);
-      } else {
+      }
+      else {
         if ($this->canLoginWithoutTfa($this->getLogger('tfa'))) {
           return $this->redirectToUserForm($user, $request, $timestamp);
-        } else {
+        }
+        else {
           return $this->redirect('<front>');
         }
       }
@@ -93,10 +108,10 @@ protected function doResetPassLogin($uid, $timestamp, $hash, $request = NULL) {
   }
 
   /**
-   * Determines if the user can skip two-factor authentication on password reset.
+   * Determines if the user can skip tfa on password reset.
    *
    * This function checks the TFA settings to see if the option to skip TFA
-   * during password reset is enabled. If enabled, users will not be required 
+   * during password reset is enabled. If enabled, users will not be required
    * to complete two-factor authentication when resetting their password.
    *
    * @return bool

diff --git a/modules/tide_tfa/src/Routing/TideTfaRouteSubscriber.php b/modules/tide_tfa/src/Routing/TideTfaRouteSubscriber.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace Drupal\tide_tfa\Routing;
+
+use Drupal\Core\Routing\RouteSubscriberBase;
+use Symfony\Component\Routing\RouteCollection;
+
+/**
+ * Listens to the dynamic route events.
+ *
+ * Class TideTfaRouteSubscriber.
+ *
+ * @package Drupal\tide_tfa\Routing
+ */
+class TideTfaRouteSubscriber extends RouteSubscriberBase {
+
+  /**
+   * Alters existing routes for TFA user password reset login.
+   *
+   * @param \Symfony\Component\Routing\RouteCollection $collection
+   *   Route collection to be altered.
+   */
+  protected function alterRoutes(RouteCollection $collection) {
+    // Override the user reset pass login route to use TideTfaUserController.
+    if ($route = $collection->get('user.reset.login')) {
+      $route->setDefault('_controller', '\Drupal\tide_tfa\Controller\TideTfaUserController::doResetPassLogin');
+    }
+  }
+
+}
diff --git a/modules/tide_tfa/tide_tfa.module b/modules/tide_tfa/tide_tfa.module
@@ -11,6 +11,12 @@ use Drupal\Core\Form\FormStateInterface;
  * Implements hook_form_alter().
  */
 function tide_tfa_form_alter(&$form, FormStateInterface $form_state, $form_id) {
+  // [SD-375] Bypass tfa during reset pass for all users.
+  if ($form_id == 'tfa_settings_form') {
+    if (isset($form['reset_pass_skip_enabled'])) {
+      $form['reset_pass_skip_enabled']['#description'] = t('Allow TFA to be bypassed during password reset by the authenticated user.');
+    }
+  }
   if ($form_id == 'tfa_entry_form') {
     // [SD-294] Change the label of the 'Send' button.
     if (isset($form['actions']['send'])) {

diff --git a/modules/tide_tfa/tide_tfa.services.yml b/modules/tide_tfa/tide_tfa.services.yml
@@ -0,0 +1,5 @@
+services:
+  tide_tfa.route_subscriber:
+    class: Drupal\tide_tfa\Routing\TideTfaRouteSubscriber
+    tags:
+      - { name: event_subscriber }