Implemented Multi-factor Authentication for 1110-vue3

package.json

@@ -37,7 +37,9 @@
     "lodash": "4.17.21",
     "n64": "0.2.10",
     "pinia": "2.1.7",
+    "qrcode.vue": "3.6.0",
     "tiny-emitter": "2.1.0",
+    "totp-generator": "1.0.0",
     "vue": "^3.3.9",
     "vue-axios": "^3.5.2",
     "vue-i18n": "^9.2.2",

src/locales/en-US.json

@@ -1139,7 +1139,7 @@
     "username": "Username",
     "alert": {
       "unauthorizedMessage": "User unauthorized",
-      "message": "Invalid username or password"
+      "message": "Invalid credentials"
     },
     "modal": {
       "addNewAcfCertificate": "Add new ACF certificate",

src/store/modules/Authentication/AuthenticationStore.js

@@ -11,6 +11,8 @@ export const AuthenticationStore = defineStore('authentication', {
     unauthError: false,
     xsrfCookie: cookies.get('XSRF-TOKEN'),
     isAuthenticatedCookie: cookies.get('IsAuthenticated'),
+    isGenerateOtpRequired: false,
+    isGlobalMfaEnabled: false,
   }),
   getters: {
     loginPageDetailsGetter: (state) => state.loginPageDetails,
@@ -20,6 +22,8 @@ export const AuthenticationStore = defineStore('authentication', {
       //Change null to undefined once the cookies value able to get
       return state.xsrfCookie !== null || state.isAuthenticatedCookie == 'true';
     },
+    isGlobalMfaEnabledGetter: (state) => state.isGlobalMfaEnabled,
+    isGenerateOtpRequiredGetter: (state) => state.isGenerateOtpRequired,
     token: (state) => state.xsrfCookie,
   },
   actions: {
@@ -39,12 +43,33 @@ export const AuthenticationStore = defineStore('authentication', {
       this.xsrfCookie = null;
       this.isAuthenticatedCookie = undefined;
     },
-    login({ username, password }) {
+    login({ username, password, otpInfo }) {
+      this.isGenerateOtpRequired = false;
       this.authError = false;
       this.unauthError = false;
+      let requestBody = {};
+      if (otpInfo === '') {
+        requestBody = { UserName: username, Password: password };
+      } else {
+        requestBody = {
+          UserName: username,
+          Password: password,
+          Token: otpInfo,
+        };
+      }
       return api
-        .post('/login', { data: [username, password] })
-        .then(() => this.authSuccess())
+        .post('/redfish/v1/SessionService/Sessions', requestBody)
+        .then((response) => {
+          if (
+            response.data['@Message.ExtendedInfo'] &&
+            response.data['@Message.ExtendedInfo'][0].MessageId.endsWith(
+              'GenerateSecretKeyRequired',
+            )
+          ) {
+            this.isGenerateOtpRequired = true;
+          }
+          this.authSuccess();
+        })
         .catch((error) => {
           this.authError = true;
           throw new Error(error);
@@ -100,6 +125,7 @@ export const AuthenticationStore = defineStore('authentication', {
             acfWindowActive: data.ACFWindowActive,
           };
           this.setLoginPageDetails(loginPageDetails);
+          this.isGlobalMfaEnabled = data.MultiFactorAuthEnabled;
         })
         .catch((error) => console.log(error));
     },

src/store/modules/SecurityAndAccess/UserManagementStore.js

@@ -11,6 +11,9 @@ export const UserManagementStore = defineStore('userManagment', {
     accountLockoutThreshold: null,
     accountMinPasswordLength: null,
     accountMaxPasswordLength: null,
+    isGlobalMfaEnabled: false,
+    isCurrentUserMfaBypassed: false,
+    secretKeyInfo: null,
   }),
   getters: {
     allUsersGetter(state) {
@@ -34,6 +37,15 @@ export const UserManagementStore = defineStore('userManagment', {
         maxLength: state.accountMaxPasswordLength,
       };
     },
+    isGlobalMfaEnabledGetter(state) {
+      return state.isGlobalMfaEnabled;
+    },
+    isCurrentUserMfaBypassedGetter(state) {
+      return state.isCurrentUserMfaBypassed;
+    },
+    secretKeyInfoGetter(state) {
+      return state.secretKeyInfo;
+    },
   },
   actions: {
     async getUsers() {
@@ -42,8 +54,8 @@ export const UserManagementStore = defineStore('userManagment', {
         .then((response) =>
           response.data.Members.map((user) => user['@odata.id']),
         )
-        .then((userIds) => {
-          api
+        .then(async (userIds) => {
+          return await api
             .all(userIds.map((user) => api.get(user)))
             .then((users) => {
               const userData = users.map((user) => user.data);
@@ -62,9 +74,17 @@ export const UserManagementStore = defineStore('userManagment', {
         })
         .catch((error) => {
           console.log(error);
-          const message = i18n.global.t(
-            'pageUserManagement.toast.errorLoadUsers',
-          );
+          let message = '';
+          if (
+            error.response.data['@Message.ExtendedInfo'] &&
+            error.response.data['@Message.ExtendedInfo'][0].MessageId.endsWith(
+              'GenerateSecretKeyRequired',
+            )
+          ) {
+            message = 'otpRequired';
+          } else {
+            message = i18n.global.t('pageUserManagement.toast.errorLoadUsers');
+          }
           throw new Error(message);
         });
     },
@@ -76,6 +96,8 @@ export const UserManagementStore = defineStore('userManagment', {
           this.accountLockoutThreshold = data.AccountLockoutThreshold;
           this.accountMinPasswordLength = data.MinPasswordLength;
           this.accountMaxPasswordLength = data.MaxPasswordLength;
+          this.isGlobalMfaEnabled =
+            data.MultiFactorAuth?.GoogleAuthenticator?.Enabled;
         })
         .catch((error) => {
           console.log(error);
@@ -163,15 +185,16 @@ export const UserManagementStore = defineStore('userManagment', {
     }) {
       const data = {};
       const notReadOnly =
-        privilege !== 'ReadOnly' && currentUser.RoleId !== 'ReadOnly';
+        privilege !== 'ReadOnly' &&
+        (currentUser ? currentUser.RoleId !== 'ReadOnly' : true);
       if (username) data.UserName = username;
       if (password) data.Password = password;
       if (privilege && notReadOnly) {
         data.RoleId = privilege;
       } else if (
         privilege &&
         privilege === 'ReadOnly' &&
-        currentUser.RoleId !== 'ReadOnly'
+        (currentUser ? currentUser.RoleId !== 'ReadOnly' : true)
       ) {
         data.RoleId = privilege;
       }
@@ -218,7 +241,6 @@ export const UserManagementStore = defineStore('userManagment', {
       if (locked !== undefined) data.Locked = locked;
       return await api
         .patch(`/redfish/v1/AccountService/Accounts/${originalUsername}`, data)
-        .then(() => this.getUsers())
         .then(() =>
           i18n.global.t('pageUserManagement.toast.successUpdateUser', {
             username: originalUsername,
@@ -415,6 +437,161 @@ export const UserManagementStore = defineStore('userManagment', {
           throw new Error(message);
         });
     },
+
+    async updateGlobalMfa({ globalMfa }) {
+      this.isGlobalMfaEnabled = globalMfa;
+      const requestBody = {
+        MultiFactorAuth: {
+          GoogleAuthenticator: {
+            Enabled: globalMfa,
+          },
+        },
+      };
+      return await api
+        .patch('/redfish/v1/AccountService', requestBody)
+        .then(() => {
+          this.getUsers();
+          if (globalMfa) {
+            return i18n.global.t('pageUserManagement.toast.successEnableMfa');
+          } else {
+            return i18n.global.t('pageUserManagement.toast.successDisableMfa');
+          }
+        })
+        .catch((error) => {
+          this.isGlobalMfaEnabled = !globalMfa;
+          console.log('error', error);
+          this.getAccountSettings();
+          if (globalMfa) {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorEnableMfa'),
+            );
+          } else {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorDisableMfa'),
+            );
+          }
+        });
+    },
+
+    async clearSetSecretKey(mfaObject) {
+      return await api
+        .post(mfaObject['@odata.id'] + '/Actions/ManagerAccount.ClearSecretKey')
+        .then(() => {
+          this.getUsers();
+          return i18n.global.t(
+            'pageUserManagement.toast.successClearSecretKey',
+          );
+        })
+        .catch((error) => {
+          this.getUsers();
+          console.log('error', error);
+          throw new Error(
+            i18n.global.t('pageUserManagement.toast.errorClearSecretKey'),
+          );
+        });
+    },
+    async updateMfaBypass(mfaObject) {
+      const requestBody = {
+        MFABypass: {
+          BypassTypes: mfaObject.mfa ? ['GoogleAuthenticator'] : ['None'],
+        },
+      };
+      return await api
+        .patch(mfaObject['@odata.id'], requestBody)
+        .then(() => {
+          if (mfaObject.mfa) {
+            return i18n.global.t(
+              'pageUserManagement.toast.successEnableMfaBypass',
+            );
+          } else {
+            return i18n.global.t(
+              'pageUserManagement.toast.successDisableMfaBypass',
+            );
+          }
+        })
+        .catch((error) => {
+          this.getUsers();
+          console.log('error', error);
+          if (mfaObject.mfa) {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorEnableMfaBypass'),
+            );
+          } else {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorDisableMfaBypass'),
+            );
+          }
+        });
+    },
+    async updateMfaBypassNewUser({ userData, mfaByPass }) {
+      const requestBody = {
+        MFABypass: {
+          BypassTypes: mfaByPass ? ['GoogleAuthenticator'] : ['None'],
+        },
+      };
+      return await api
+        .patch(
+          `/redfish/v1/AccountService/Accounts/${userData.username}`,
+          requestBody,
+        )
+        .then(() => this.getUsers())
+        .catch((error) => {
+          console.log('error', error);
+          if (mfaByPass) {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorEnableMfaBypass'),
+            );
+          } else {
+            throw new Error(
+              i18n.global.t('pageUserManagement.toast.errorDisableMfaBypass'),
+            );
+          }
+        });
+    },
+    async checkCurrentUserMfaBypassed({ uri }) {
+      api.get(uri).then(({ data }) => {
+        this.isCurrentUserMfaBypassed = data?.MFABypass?.BypassTypes.includes(
+          'GoogleAuthenticator',
+        );
+      });
+    },
+    async clearSecretKey() {
+      this.secretKeyInfo = null;
+      return;
+    },
+    async generateSecretKey() {
+      const currentUsername = localStorage.getItem('storedUsername');
+      return api
+        .post(
+          `redfish/v1/AccountService/Accounts/${currentUsername}/Actions/ManagerAccount.GenerateSecretKey`,
+        )
+        .then(({ data }) => {
+          this.secretKeyInfo = data?.SecretKey;
+        })
+        .catch((error) => {
+          console.log('error', error);
+          throw new Error(error);
+        });
+    },
+
+    async verifyRegisterTotp({ otpValue }) {
+      const requestBody = {
+        TimeBasedOneTimePassword: otpValue,
+      };
+      const currentUsername = localStorage.getItem('storedUsername');
+      return await api
+        .post(
+          `/redfish/v1/AccountService/Accounts/${currentUsername}/Actions/ManagerAccount.VerifyTimeBasedOneTimePassword`,
+          requestBody,
+        )
+        .then(() => {
+          this.getUsers();
+          return i18n.global.t('pageUserManagement.toast.successEnableMfa');
+        })
+        .catch(() => {
+          throw new Error(i18n.global.t('pageUserManagement.toast.errorOtp'));
+        });
+    },
   },
 });