feat: introduce mfa

backend/config/config.go

@@ -32,6 +32,8 @@ type Config struct {
 	Emails Emails `yaml:"emails" json:"emails,omitempty" koanf:"emails" jsonschema:"title=emails"`
 	// `log` configures application logging.
 	Log LoggerConfig `yaml:"log" json:"log,omitempty" koanf:"log" jsonschema:"title=log"`
+	// `mfa` configures how multi-factor-authentication behaves.
+	MFA MFA `yaml:"mfa" json:"mfa,omitempty" koanf:"mfa" jsonschema:"title=mfa"`
 	// Deprecated. See child properties for suggested replacements.
 	Passcode Passcode `yaml:"passcode" json:"passcode,omitempty" koanf:"passcode" jsonschema:"title=passcode"`
 	// `passkey` configures how passkeys  are acquired and used.

backend/config/config.yaml

@@ -29,6 +29,19 @@ email_delivery:
     port: "2500"
 log:
   log_health_and_metrics: true
+mfa:
+  acquire_on_login: false
+  acquire_on_registration: true
+  enabled: true
+  optional: true
+  security_keys:
+    attestation_preference: direct
+    authenticator_attachment: cross-platform
+    enabled: true
+    limit: 10
+    user_verification: discouraged
+  totp:
+    enabled: true
 passkey:
   enabled: true
   optional: true

backend/config/config_default.go

@@ -94,6 +94,10 @@ func DefaultConfig() *Config {
 		RateLimiter: RateLimiter{
 			Enabled: true,
 			Store:   RATE_LIMITER_STORE_IN_MEMORY,
+			OTPLimits: RateLimits{
+				Tokens:   3,
+				Interval: 1 * time.Minute,
+			},
 			PasswordLimits: RateLimits{
 				Tokens:   5,
 				Interval: 1 * time.Minute,
@@ -161,6 +165,22 @@ func DefaultConfig() *Config {
 			MinLength:             3,
 			MaxLength:             32,
 		},
+		MFA: MFA{
+			AcquireOnLogin:        false,
+			AcquireOnRegistration: true,
+			Enabled:               true,
+			Optional:              true,
+			SecurityKeys: SecurityKeys{
+				AttestationPreference:   "direct",
+				AuthenticatorAttachment: "cross-platform",
+				Enabled:                 true,
+				Limit:                   10,
+				UserVerification:        "discouraged",
+			},
+			TOTP: TOTP{
+				Enabled: true,
+			},
+		},
 		Debug: false,
 	}
 }

backend/config/config_mfa.go

@@ -0,0 +1,36 @@
+package config
+
+type SecurityKeys struct {
+	// `attestation_preference` is used to specify the preference regarding attestation conveyance during
+	// credential generation.
+	AttestationPreference string `yaml:"attestation_preference" json:"attestation_preference,omitempty" koanf:"attestation_preference" split_words:"true" jsonschema:"default=direct,enum=direct,enum=indirect,enum=none"`
+	// `authenticator_attachment`  is used to specify the preference regarding authenticator attachment during credential registration.
+	AuthenticatorAttachment string `yaml:"authenticator_attachment" json:"authenticator_attachment,omitempty" koanf:"authenticator_attachment" split_words:"true" jsonschema:"default=cross-platform,enum=platform,enum=cross-platform,enum=no_preference"`
+	// `enabled` determines whether security keys are eligible for multi-factor-authentication.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+	// 'limit' determines the maximum number of security keys a user can register.
+	Limit int `yaml:"limit" json:"limit,omitempty" koanf:"limit" jsonschema:"default=10"`
+	// The setting applies to both WebAuthn registration and authentication ceremonies.
+	UserVerification string `yaml:"user_verification" json:"user_verification,omitempty" koanf:"user_verification" split_words:"true" jsonschema:"default=discouraged,enum=required,enum=preferred,enum=discouraged"`
+}
+
+type TOTP struct {
+	// `enabled` determines whether TOTP is eligible for multi-factor-authentication.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+}
+
+type MFA struct {
+	// `acquire_on_login` configures if users are prompted creating an MFA credential on login.
+	AcquireOnLogin bool `yaml:"acquire_on_login" json:"acquire_on_login" koanf:"acquire_on_login" jsonschema:"default=false"`
+	// `acquire_on_registration` configures if users are prompted creating an MFA credential on registration.
+	AcquireOnRegistration bool `yaml:"acquire_on_registration" json:"acquire_on_registration" koanf:"acquire_on_registration" jsonschema:"default=true"`
+	// `enabled` determines whether multi-factor-authentication is enabled.
+	Enabled bool `yaml:"enabled" json:"enabled" koanf:"enabled" jsonschema:"default=true"`
+	// `optional` determines whether users must create an MFA credential when prompted. The MFA credential cannot be
+	// deleted if multi-factor-authentication is required (`optional: false`).
+	Optional bool `yaml:"optional" json:"optional" koanf:"optional" jsonschema:"default=true"`
+	// `security_keys` configures security key settings for multi-factor-authentication
+	SecurityKeys SecurityKeys `yaml:"security_keys" json:"security_keys,omitempty" koanf:"security_keys" jsonschema:"title=security_keys"`
+	// `totp` configures the TOTP (Time-Based One-Time-Password) method for multi-factor-authentication.
+	TOTP TOTP `yaml:"totp" json:"totp,omitempty" koanf:"totp" jsonschema:"title=totp"`
+}

backend/config/config_rate_limiter.go

@@ -16,6 +16,8 @@ type RateLimiter struct {
 	Redis *RedisConfig `yaml:"redis_config" json:"redis_config,omitempty" koanf:"redis_config"`
 	// `passcode_limits` controls rate limits for passcode operations.
 	PasscodeLimits RateLimits `yaml:"passcode_limits" json:"passcode_limits,omitempty" koanf:"passcode_limits" split_words:"true"`
+	// `otp_limits` controls rate limits for OTP login attempts.
+	OTPLimits RateLimits `yaml:"otp_limits" json:"otp_limits,omitempty" koanf:"otp_limits" split_words:"true"`
 	// `password_limits` controls rate limits for password login operations.
 	PasswordLimits RateLimits `yaml:"password_limits" json:"password_limits,omitempty" koanf:"password_limits" split_words:"true"`
 	// `token_limits` controls rate limits for token exchange operations.

backend/crypto/jwk/manager_test.go

@@ -5,72 +5,50 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/teamhanko/hanko/backend/persistence/models"
+	"github.com/stretchr/testify/suite"
 	"github.com/teamhanko/hanko/backend/test"
 	"testing"
 )
 
-type mockJwkPersister struct {
-	jwks []models.Jwk
+func TestJWKManagerSuite(t *testing.T) {
+	s := new(jwkManagerSuite)
+	suite.Run(t, s)
 }
 
-func (m *mockJwkPersister) Get(i int) (*models.Jwk, error) {
-	for _, v := range m.jwks {
-		if v.ID == i {
-			return &v, nil
-		}
-	}
-	return nil, nil
+type jwkManagerSuite struct {
+	test.Suite
 }
 
-func (m *mockJwkPersister) GetAll() ([]models.Jwk, error) {
-	return m.jwks, nil
-}
-
-func (m *mockJwkPersister) GetLast() (*models.Jwk, error) {
-	index := len(m.jwks)
-	return &m.jwks[index-1], nil
-}
-
-func (m *mockJwkPersister) Create(jwk models.Jwk) error {
-	//increment id
-	index := len(m.jwks)
-	jwk.ID = index
-
-	m.jwks = append(m.jwks, jwk)
-	return nil
-}
-
-func TestDefaultManager(t *testing.T) {
+func (s *jwkManagerSuite) TestDefaultManager() {
 	keys := []string{"asfnoadnfoaegnq3094intoaegjnoadjgnoadng", "apdisfoaiegnoaiegnbouaebgn982"}
-	//persister := mockJwkPersister{jwks: []models.Jwk{}}
-	persister := test.NewJwkPersister(nil)
+
+	persister := s.Storage.GetJwkPersister()
 
 	dm, err := NewDefaultManager(keys, persister)
-	require.NoError(t, err)
+	require.NoError(s.T(), err)
 	all, err := persister.GetAll()
 
-	require.NoError(t, err)
-	assert.Equal(t, 2, len(all))
+	require.NoError(s.T(), err)
+	assert.Equal(s.T(), 2, len(all))
 
 	js, err := dm.GetPublicKeys()
-	require.NoError(t, err)
-	assert.Equal(t, 2, js.Len())
+	require.NoError(s.T(), err)
+	assert.Equal(s.T(), 2, js.Len())
 
 	sk, err := dm.GetSigningKey()
-	require.NoError(t, err)
+	require.NoError(s.T(), err)
 
 	token := jwt.New()
 	token.Set("Payload", "isJustFine")
 	signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, sk))
-	require.NoError(t, err)
+	require.NoError(s.T(), err)
 
 	// Get Public Key of signing key
 	pk, err := sk.PublicKey()
-	require.NoError(t, err)
+	require.NoError(s.T(), err)
 
 	// Parse and Verify
 	tokenParsed, err := jwt.Parse(signed, jwt.WithKey(jwa.RS256, pk))
-	assert.NoError(t, err)
-	assert.Equal(t, token, tokenParsed)
+	assert.NoError(s.T(), err)
+	assert.Equal(s.T(), token, tokenParsed)
 }

backend/dto/intern/WebauthnCredential.go

@@ -10,7 +10,7 @@ import (
 	"time"
 )
 
-func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID, backupEligible bool, backupState bool, authenticatorMetadata mapper.AuthenticatorMetadata) *models.WebauthnCredential {
+func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID, backupEligible, backupState, mfaOnly bool, authenticatorMetadata mapper.AuthenticatorMetadata) *models.WebauthnCredential {
 	now := time.Now().UTC()
 	aaguid, _ := uuid.FromBytes(credential.Authenticator.AAGUID)
 	credentialID := base64.RawURLEncoding.EncodeToString(credential.ID)
@@ -28,6 +28,7 @@ func WebauthnCredentialToModel(credential *webauthn.Credential, userId uuid.UUID
 		UpdatedAt:       now,
 		BackupEligible:  backupEligible,
 		BackupState:     backupState,
+		MFAOnly:         mfaOnly,
 	}
 
 	for _, name := range credential.Transport {

backend/dto/profile.go

@@ -2,24 +2,37 @@ package dto
 
 import (
 	"github.com/gofrs/uuid"
+	"github.com/teamhanko/hanko/backend/config"
 	"github.com/teamhanko/hanko/backend/persistence/models"
 	"time"
 )
 
+type MFAConfig struct {
+	AuthAppSetUp        bool `json:"auth_app_set_up"`
+	TOTPEnabled         bool `json:"totp_enabled"`
+	SecurityKeysEnabled bool `json:"security_keys_enabled"`
+}
+
 type ProfileData struct {
-	UserID              uuid.UUID                    `json:"user_id"`
-	WebauthnCredentials []WebauthnCredentialResponse `json:"passkeys,omitempty"`
-	Emails              []EmailResponse              `json:"emails,omitempty"`
-	Username            *Username                    `json:"username,omitempty"`
-	CreatedAt           time.Time                    `json:"created_at"`
-	UpdatedAt           time.Time                    `json:"updated_at"`
+	UserID       uuid.UUID                    `json:"user_id"`
+	Passkeys     []WebauthnCredentialResponse `json:"passkeys,omitempty"`
+	SecurityKeys []WebauthnCredentialResponse `json:"security_keys,omitempty"`
+	MFAConfig    MFAConfig                    `json:"mfa_config"`
+	Emails       []EmailResponse              `json:"emails,omitempty"`
+	Username     *Username                    `json:"username,omitempty"`
+	CreatedAt    time.Time                    `json:"created_at"`
+	UpdatedAt    time.Time                    `json:"updated_at"`
 }
 
-func ProfileDataFromUserModel(user *models.User) *ProfileData {
-	var webauthnCredentials []WebauthnCredentialResponse
+func ProfileDataFromUserModel(user *models.User, cfg *config.Config) *ProfileData {
+	var webauthnCredentials, securityKeys []WebauthnCredentialResponse
 	for _, webauthnCredentialModel := range user.WebauthnCredentials {
 		webauthnCredential := FromWebauthnCredentialModel(&webauthnCredentialModel)
-		webauthnCredentials = append(webauthnCredentials, *webauthnCredential)
+		if cfg.MFA.SecurityKeys.Enabled && webauthnCredentialModel.MFAOnly {
+			securityKeys = append(securityKeys, *webauthnCredential)
+		} else if cfg.Passkey.Enabled {
+			webauthnCredentials = append(webauthnCredentials, *webauthnCredential)
+		}
 	}
 
 	var emails []EmailResponse
@@ -29,11 +42,17 @@ func ProfileDataFromUserModel(user *models.User) *ProfileData {
 	}
 
 	return &ProfileData{
-		UserID:              user.ID,
-		WebauthnCredentials: webauthnCredentials,
-		Emails:              emails,
-		Username:            FromUsernameModel(user.Username),
-		CreatedAt:           user.CreatedAt,
-		UpdatedAt:           user.UpdatedAt,
+		UserID:       user.ID,
+		Passkeys:     webauthnCredentials,
+		SecurityKeys: securityKeys,
+		MFAConfig: MFAConfig{
+			AuthAppSetUp:        user.OTPSecret != nil,
+			TOTPEnabled:         cfg.MFA.Enabled && cfg.MFA.TOTP.Enabled,
+			SecurityKeysEnabled: cfg.MFA.Enabled && cfg.MFA.SecurityKeys.Enabled,
+		},
+		Emails:    emails,
+		Username:  FromUsernameModel(user.Username),
+		CreatedAt: user.CreatedAt,
+		UpdatedAt: user.UpdatedAt,
 	}
 }