[ CDM-243 ] [ CDM-245 ] Orcid Provider MFA Support & Token response mfa key

src/main/java/us/kbase/auth2/lib/Authentication.java

@@ -745,13 +745,19 @@ public void forceResetAllPasswords(final IncomingToken token)
 
 	private NewToken login(final UserName userName, final TokenCreationContext tokenCtx)
 			throws AuthStorageException {
+		return login(userName, tokenCtx, false);
+	}
+
+	private NewToken login(final UserName userName, final TokenCreationContext tokenCtx, 
+			final Boolean mfaAuthenticated) throws AuthStorageException {
 		final NewToken nt = new NewToken(StoredToken.getBuilder(
-					TokenType.LOGIN, randGen.randomUUID(), userName)
-				.withLifeTime(clock.instant(),
-						cfg.getAppConfig().getTokenLifetimeMS(TokenLifetimeType.LOGIN))
-				.withContext(tokenCtx)
-				.build(),
-				randGen.getToken());
+				TokenType.LOGIN, randGen.randomUUID(), userName)
+			.withLifeTime(clock.instant(),
+					cfg.getAppConfig().getTokenLifetimeMS(TokenLifetimeType.LOGIN))
+			.withContext(tokenCtx)
+			.withMfaAuthenticated(mfaAuthenticated)
+			.build(),
+			randGen.getToken());
 		storage.storeToken(nt.getStoredToken(), nt.getTokenHash());
 		setLastLogin(userName);
 		logInfo("Logged in user {} with token {}",
@@ -905,7 +911,9 @@ public NewToken createToken(
 		final NewToken nt = new NewToken(StoredToken.getBuilder(tokenType, id, au.getUserName())
 				.withLifeTime(clock.instant(), life)
 				.withContext(tokenCtx)
-				.withTokenName(tokenName).build(),
+				.withTokenName(tokenName)
+				.withMfaAuthenticated(null) // Agent/Dev/Serv tokens don't have MFA status
+				.build(),
 				randGen.getToken());
 		storage.storeToken(nt.getStoredToken(), nt.getTokenHash());
 		logInfo("User {} created {} token {}", au.getUserName().getName(), tokenType, id);
@@ -2043,6 +2051,7 @@ public NewToken testModeCreateToken(
 		final NewToken nt = new NewToken(StoredToken.getBuilder(tokenType, id, userName)
 				.withLifeTime(clock.instant(), TEST_MODE_DATA_LIFETIME_MS)
 				.withNullableTokenName(tokenName)
+				.withMfaAuthenticated(null) // Test mode tokens don't have MFA status
 				.build(),
 				randGen.getToken());
 		storage.testModeStoreToken(nt.getStoredToken(), nt.getTokenHash());
@@ -2339,7 +2348,9 @@ public NewToken login(
 						linked, u.get().getUserName().getName());
 			}
 		}
-		return login(u.get().getUserName(), tokenCtx);
+		final Boolean mfaStatus = ri.get().getDetails() != null ? 
+				ri.get().getDetails().getMfaAuthenticated() : null;
+		return login(u.get().getUserName(), tokenCtx, mfaStatus);
 	}
 
 	private Optional<RemoteIdentity> getIdentity(
@@ -3142,6 +3153,7 @@ public long getSuggestedTokenCacheTime() throws AuthStorageException {
 		return cfg.getAppConfig().getTokenLifetimeMS(TokenLifetimeType.EXT_CACHE);
 	}
 
+
 	/** Get the external configuration without providing any credentials.
 	 * 
 	 * This method should not be exposed in a public API.

src/main/java/us/kbase/auth2/lib/identity/RemoteIdentityDetails.java

@@ -10,6 +10,7 @@ public class RemoteIdentityDetails {
 	private final String username;
 	private final String fullname;
 	private final String email;
+	private final Boolean mfaAuthenticated;
 
 	/** Create a new set of details.
 	 * @param username the user name of the identity.
@@ -20,6 +21,22 @@ public RemoteIdentityDetails(
 			final String username,
 			final String fullname,
 			final String email) {
+		this(username, fullname, email, null);
+	}
+
+	/** Create a new set of details.
+	 * @param username the user name of the identity.
+	 * @param fullname the full name of the identity. Null is acceptable.
+	 * @param email the email address of the identity. Null is acceptable.
+	 * @param mfaAuthenticated whether the user authenticated using multi-factor authentication.
+	 * True if MFA was used, false if password only, null if MFA status is unknown or not 
+	 * supported by the provider.
+	 */
+	public RemoteIdentityDetails(
+			final String username,
+			final String fullname,
+			final String email,
+			final Boolean mfaAuthenticated) {
 		super();
 		if (username == null || username.trim().isEmpty()) {
 			throw new IllegalArgumentException(
@@ -36,6 +53,7 @@ public RemoteIdentityDetails(
 		} else {
 			this.email = email.trim();
 		}
+		this.mfaAuthenticated = mfaAuthenticated;
 	}
 
 	/** Get the user name for the identity.
@@ -57,13 +75,22 @@ public String getFullname() {
 	public String getEmail() {
 		return email;
 	}
+
+	/** Get whether the user authenticated using multi-factor authentication.
+	 * @return true if the user authenticated with MFA, false if not, null if MFA status 
+	 * is unknown or not supported by the provider.
+	 */
+	public Boolean getMfaAuthenticated() {
+		return mfaAuthenticated;
+	}
 
 	@Override
 	public int hashCode() {
 		final int prime = 31;
 		int result = 1;
 		result = prime * result + ((email == null) ? 0 : email.hashCode());
 		result = prime * result + ((fullname == null) ? 0 : fullname.hashCode());
+		result = prime * result + ((mfaAuthenticated == null) ? 0 : mfaAuthenticated.hashCode());
 		result = prime * result + ((username == null) ? 0 : username.hashCode());
 		return result;
 	}
@@ -94,6 +121,13 @@ public boolean equals(Object obj) {
 		} else if (!fullname.equals(other.fullname)) {
 			return false;
 		}
+		if (mfaAuthenticated == null) {
+			if (other.mfaAuthenticated != null) {
+				return false;
+			}
+		} else if (!mfaAuthenticated.equals(other.mfaAuthenticated)) {
+			return false;
+		}
 		if (username == null) {
 			if (other.username != null) {
 				return false;
@@ -113,6 +147,8 @@ public String toString() {
 		builder.append(fullname);
 		builder.append(", email=");
 		builder.append(email);
+		builder.append(", mfaAuthenticated=");
+		builder.append(mfaAuthenticated);
 		builder.append("]");
 		return builder.toString();
 	}

src/main/java/us/kbase/auth2/lib/storage/mongo/Fields.java

@@ -97,6 +97,8 @@ public class Fields {
 	public static final String IDENTITIES_NAME = "fullname";
 	/** The email address of the identity. */
 	public static final String IDENTITIES_EMAIL = "email";
+	/** Whether the identity was authenticated with multi-factor authentication. */
+	public static final String IDENTITIES_MFA = "mfa";
 
 	/* **************
 	 * token fields
@@ -135,6 +137,8 @@ public class Fields {
 	public static final String TOKEN_CUSTOM_KEY = "k";
 	/** A value for a custom context key / value pair. */
 	public static final String TOKEN_CUSTOM_VALUE = "v";
+	/** Whether the token was created with multi-factor authentication. */
+	public static final String TOKEN_MFA_AUTHENTICATED = "mfaauth";
 
 	/* ************************
 	 * temporary session data fields

src/main/java/us/kbase/auth2/lib/storage/mongo/MongoStorage.java

@@ -871,7 +871,8 @@ private void storeToken(final String collection, final StoredToken token, final
 				.append(Fields.TOKEN_DEVICE, ctx.getDevice().orElse(null))
 				.append(Fields.TOKEN_IP, ctx.getIpAddress().isPresent() ?
 						ctx.getIpAddress().get().getHostAddress() : null)
-				.append(Fields.TOKEN_CUSTOM_CONTEXT, toCustomContextList(ctx.getCustomContext()));
+				.append(Fields.TOKEN_CUSTOM_CONTEXT, toCustomContextList(ctx.getCustomContext()))
+				.append(Fields.TOKEN_MFA_AUTHENTICATED, token.getMfaAuthenticated());
 		try {
 			db.getCollection(collection).insertOne(td);
 		} catch (MongoWriteException mwe) {
@@ -969,6 +970,7 @@ private StoredToken getToken(final Document t) throws AuthStorageException {
 						t.getDate(Fields.TOKEN_EXPIRY).toInstant())
 				.withNullableTokenName(getTokenName(t.getString(Fields.TOKEN_NAME)))
 				.withContext(toTokenCreationContext(t))
+				.withMfaAuthenticated(t.getBoolean(Fields.TOKEN_MFA_AUTHENTICATED))
 				.build();
 	}
 
@@ -1596,7 +1598,8 @@ private void updateIdentity(final RemoteIdentity remoteID)
 		final Document update = new Document("$set",
 				new Document(pre + Fields.IDENTITIES_USER, rid.getUsername())
 				.append(pre + Fields.IDENTITIES_EMAIL, rid.getEmail())
-				.append(pre + Fields.IDENTITIES_NAME, rid.getFullname()));
+				.append(pre + Fields.IDENTITIES_NAME, rid.getFullname())
+				.append(pre + Fields.IDENTITIES_MFA, rid.getMfaAuthenticated()));
 		try {
 			// id might have been unlinked, so we just assume
 			// the update worked. If it was just unlinked we don't care.
@@ -1729,7 +1732,8 @@ private Document toDocument(final RemoteIdentity id) {
 				.append(Fields.IDENTITIES_PROV_ID, id.getRemoteID().getProviderIdentityId())
 				.append(Fields.IDENTITIES_USER, rid.getUsername())
 				.append(Fields.IDENTITIES_NAME, rid.getFullname())
-				.append(Fields.IDENTITIES_EMAIL, rid.getEmail());
+				.append(Fields.IDENTITIES_EMAIL, rid.getEmail())
+				.append(Fields.IDENTITIES_MFA, rid.getMfaAuthenticated());
 	}
 
 	@Override
@@ -1789,7 +1793,8 @@ private Set<RemoteIdentity> toIdentities(final List<Document> ids) {
 			final RemoteIdentityDetails det = new RemoteIdentityDetails(
 					i.getString(Fields.IDENTITIES_USER),
 					i.getString(Fields.IDENTITIES_NAME),
-					i.getString(Fields.IDENTITIES_EMAIL));
+					i.getString(Fields.IDENTITIES_EMAIL),
+					i.getBoolean(Fields.IDENTITIES_MFA));
 			ret.add(new RemoteIdentity(rid, det));
 		}
 		return ret;

src/main/java/us/kbase/auth2/lib/token/StoredToken.java

@@ -23,6 +23,7 @@ public class StoredToken {
 	private final UserName userName;
 	private final Instant creationDate;
 	private final Instant expirationDate;
+	private final Boolean mfaAuthenticated;
 
 	private StoredToken(
 			final UUID id,
@@ -31,7 +32,8 @@ private StoredToken(
 			final UserName userName,
 			final TokenCreationContext context,
 			final Instant creationDate,
-			final Instant expirationDate) {
+			final Instant expirationDate,
+			final Boolean mfaAuthenticated) {
 		// this stuff is here just in case naughty users use casting to skip a builder step
 		requireNonNull(creationDate, "created");
 		// no way to test this one
@@ -43,6 +45,7 @@ private StoredToken(
 		this.expirationDate = expirationDate;
 		this.creationDate = creationDate;
 		this.id = id;
+		this.mfaAuthenticated = mfaAuthenticated;
 	}
 
 	/** Get the type of the token.
@@ -93,6 +96,13 @@ public Instant getCreationDate() {
 	public Instant getExpirationDate() {
 		return expirationDate;
 	}
+
+	/** Get whether the token was created with multi-factor authentication.
+	 * @return true if the token was created with MFA, false if not, null if unknown.
+	 */
+	public Boolean getMfaAuthenticated() {
+		return mfaAuthenticated;
+	}
 
 	@Override
 	public int hashCode() {
@@ -105,6 +115,7 @@ public int hashCode() {
 		result = prime * result + ((tokenName == null) ? 0 : tokenName.hashCode());
 		result = prime * result + ((type == null) ? 0 : type.hashCode());
 		result = prime * result + ((userName == null) ? 0 : userName.hashCode());
+		result = prime * result + ((mfaAuthenticated == null) ? 0 : mfaAuthenticated.hashCode());
 		return result;
 	}
 
@@ -165,6 +176,13 @@ public boolean equals(Object obj) {
 		} else if (!userName.equals(other.userName)) {
 			return false;
 		}
+		if (mfaAuthenticated == null) {
+			if (other.mfaAuthenticated != null) {
+				return false;
+			}
+		} else if (!mfaAuthenticated.equals(other.mfaAuthenticated)) {
+			return false;
+		}
 		return true;
 	}
 
@@ -224,6 +242,12 @@ public interface OptionalsStep {
 		 */
 		OptionalsStep withContext(TokenCreationContext context);
 
+		/** Specify whether the token was created with multi-factor authentication.
+		 * @param mfaAuthenticated true if MFA was used, false if not, null if unknown.
+		 * @return this builder.
+		 */
+		OptionalsStep withMfaAuthenticated(Boolean mfaAuthenticated);
+
 		/** Build the token.
 		 * @return a new StoredToken.
 		 */
@@ -239,6 +263,7 @@ private static class Builder implements LifeStep, OptionalsStep {
 		private final UserName userName;
 		private Instant creationDate;
 		private Instant expirationDate;
+		private Boolean mfaAuthenticated;
 
 		private Builder(final TokenType type, final UUID id, final UserName userName) {
 			requireNonNull(type, "type");
@@ -269,10 +294,16 @@ public OptionalsStep withContext(final TokenCreationContext context) {
 			return this;
 		}
 
+		@Override
+		public OptionalsStep withMfaAuthenticated(final Boolean mfaAuthenticated) {
+			this.mfaAuthenticated = mfaAuthenticated;
+			return this;
+		}
+
 		@Override
 		public StoredToken build() {
 			return new StoredToken(id, type, tokenName, userName, context,
-					creationDate, expirationDate);
+					creationDate, expirationDate, mfaAuthenticated);
 		}
 
 		@Override