Nodarx/authentication_provider_mail
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
4b86d460851b6838de1b886f65ef6d07f2d2a3c1
authentication_provider_mail/lib/Provider.php
root 5ffa224a37 Initial commit
2026-02-10 19:49:19 -05:00

369 lines
11 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderMail;
use KTXF\Mail\Entity\Address;
use KTXF\Mail\Entity\IMessageBase;
use KTXF\Mail\Queue\SendOptions;
use KTXF\Mail\Service\IServiceBase;
use KTXF\Mail\Service\IServiceSend;
use KTXF\Security\Authentication\AuthenticationProviderAbstract;
use KTXF\Security\Authentication\ProviderContext;
use KTXF\Security\Authentication\ProviderResult;
use KTXM\AuthenticationProviderMail\Stores\ChallengeStore;
use KTXM\MailManager\Manager as MailManager;
use Psr\Log\LoggerInterface;
/**
* Email Challenge Authentication Provider
*
* Authenticates users by sending a one-time verification code to their email.
* Uses the mail manager system for sending verification emails.
*/
class Provider extends AuthenticationProviderAbstract
{
private const DEFAULT_CODE_TTL = 300; // 5 minutes
private const DEFAULT_DIGITS = 6;
public function __construct(
private readonly ChallengeStore $challengeStore,
private readonly MailManager $mailManager,
private readonly LoggerInterface $logger,
) {}
// =========================================================================
// Provider Implementation
// =========================================================================
public function type(): string
{
return 'authentication';
}
public function identifier(): string
{
return 'mail';
}
public function method(): string
{
return self::METHOD_CHALLENGE;
}
public function label(): string
{
return 'Email Code';
}
public function description(): string
{
return 'Authenticate using a one-time verification code sent to your email address.';
}
public function icon(): string
{
return 'mail';
}
/**
* Begin the email challenge
*
* Generates a verification code and sends it to the user's email.
*/
public function beginChallenge(ProviderContext $context): ProviderResult
{
$tenantId = $context->tenantId;
$userIdentity = $context->userIdentity; // Email address
if (empty($tenantId)) {
return ProviderResult::failed(
ProviderResult::ERROR_INTERNAL,
'Invalid tenant context'
);
}
if (empty($userIdentity)) {
return ProviderResult::failed(
ProviderResult::ERROR_INVALID_CREDENTIALS,
'Email address is required'
);
}
// Validate email format
if (!filter_var($userIdentity, FILTER_VALIDATE_EMAIL)) {
return ProviderResult::failed(
ProviderResult::ERROR_INVALID_CREDENTIALS,
'Invalid email address format'
);
}
// Check for existing pending challenge (rate limiting)
if ($this->challengeStore->hasPending($tenantId, $userIdentity)) {
// Allow resend but inform user
$this->logger->debug('Resending email challenge', [
'tenantId' => $tenantId,
]);
}
// Generate and store challenge
$ttl = $context->getConfig('code_ttl', self::DEFAULT_CODE_TTL);
$challenge = $this->challengeStore->create($tenantId, $userIdentity, $ttl);
// Send verification email
$emailResult = $this->sendVerificationEmail(
$tenantId,
$userIdentity,
$challenge['code'],
$challenge['expires'],
$context
);
if (!$emailResult['success']) {
// Invalidate the challenge since email failed
$this->challengeStore->invalidate($tenantId, $userIdentity);
$this->logger->error('Failed to send verification email', [
'tenantId' => $tenantId,
'error' => $emailResult['error'] ?? 'Unknown error',
]);
return ProviderResult::failed(
ProviderResult::ERROR_INTERNAL,
'Failed to send verification email'
);
}
$this->logger->info('Email challenge initiated', [
'tenantId' => $tenantId,
'expires' => $challenge['expires'],
]);
return ProviderResult::challenge(
[
'type' => 'email',
'message' => 'A verification code has been sent to your email address',
'digits' => self::DEFAULT_DIGITS,
'expires_in' => $ttl,
'masked_email' => $this->maskEmail($userIdentity),
],
[
'identity' => $userIdentity,
'challenge_expires' => $challenge['expires'],
]
);
}
/**
* Verify the email challenge code
*/
public function verifyChallenge(ProviderContext $context, string $code): ProviderResult
{
$tenantId = $context->tenantId;
$userIdentity = $context->userIdentity ?? $context->getMeta('identity');
if (empty($tenantId)) {
return ProviderResult::failed(
ProviderResult::ERROR_INTERNAL,
'Invalid tenant context'
);
}
if (empty($userIdentity)) {
return ProviderResult::failed(
ProviderResult::ERROR_INVALID_CREDENTIALS,
'Identity is required'
);
}
// Normalize code (remove spaces, dashes)
$code = preg_replace('/[\s\-]/', '', $code);
// Verify the challenge
$result = $this->challengeStore->verify($tenantId, $userIdentity, $code);
if (!$result['success']) {
$this->logger->debug('Email challenge verification failed', [
'tenantId' => $tenantId,
'error' => $result['error'] ?? 'Unknown',
]);
return ProviderResult::failed(
ProviderResult::ERROR_FACTOR_FAILED,
$result['error'] ?? 'Invalid verification code'
);
}
$this->logger->info('Email challenge verified successfully', [
'tenantId' => $tenantId,
]);
return ProviderResult::success([
'identity' => $userIdentity,
'provider' => $this->identifier(),
'verified_email' => $userIdentity,
]);
}
/**
* Direct verify (not typically used for email, but implemented for interface)
*/
public function verify(ProviderContext $context, string $secret): ProviderResult
{
return $this->verifyChallenge($context, $secret);
}
// =========================================================================
// Email Sending
// =========================================================================
/**
* Send the verification email
*/
private function sendVerificationEmail(
string $tenantId,
string $recipientEmail,
string $code,
int $expires,
ProviderContext $context
): array {
try {
// Get the default system mail service
$service = $this->mailManager->serviceFindByAddress(
$tenantId,
null,
'authentication@system'
);
if ($service instanceof IServiceSend === false) {
return [
'success' => false,
'error' => 'No mail service configured',
];
}
// Build the message
$message = $service->messageFresh();
$message->setTo([new Address($recipientEmail)]);
$message->setSubject('Your verification code');
// Format code with spaces for readability (123 456)
$formattedCode = wordwrap($code, 3, ' ', true);
// Calculate remaining time
$remainingMinutes = ceil(($expires - time()) / 60);
// Build email body
$textBody = $this->buildTextBody($formattedCode, (int)$remainingMinutes);
$htmlBody = $this->buildHtmlBody($formattedCode, (int)$remainingMinutes);
$message->setBodyText($textBody);
$message->setBodyHtml($htmlBody);
// Send immediately (2FA is time-sensitive)
$this->mailManager->send(
$tenantId,
null,
$message,
new SendOptions(immediate: true)
);
return ['success' => true];
} catch (\Throwable $e) {
$this->logger->error('Email send failed', [
'error' => $e->getMessage(),
'trace' => $e->getTraceAsString(),
]);
return [
'success' => false,
'error' => $e->getMessage(),
];
}
}
/**
* Build plain text email body
*/
private function buildTextBody(string $code, int $minutes): string
{
return <<<TEXT
Your verification code is: $code
This code will expire in $minutes minute(s).
If you did not request this code, please ignore this email.
---
This is an automated message. Please do not reply.
TEXT;
}
/**
* Build HTML email body
*/
private function buildHtmlBody(string $code, int $minutes): string
{
return <<<HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Verification Code</title>
</head>
<body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px;">
<div style="max-width: 480px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; padding: 40px; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
<h1 style="color: #333333; font-size: 24px; margin: 0 0 20px 0; text-align: center;">
Verification Code
</h1>
<p style="color: #666666; font-size: 16px; margin: 0 0 30px 0; text-align: center;">
Enter the following code to verify your identity:
</p>
<div style="background-color: #f0f0f0; border-radius: 8px; padding: 20px; text-align: center; margin: 0 0 30px 0;">
<span style="font-family: 'Monaco', 'Menlo', 'Courier New', monospace; font-size: 32px; font-weight: bold; letter-spacing: 4px; color: #333333;">
$code
</span>
</div>
<p style="color: #999999; font-size: 14px; margin: 0 0 20px 0; text-align: center;">
This code will expire in <strong>$minutes minute(s)</strong>.
</p>
<hr style="border: none; border-top: 1px solid #eeeeee; margin: 30px 0;">
<p style="color: #999999; font-size: 12px; margin: 0; text-align: center;">
If you did not request this code, please ignore this email.
</p>
</div>
</body>
</html>
HTML;
}
/**
* Mask email address for display
*/
private function maskEmail(string $email): string
{
$parts = explode('@', $email);
if (count($parts) !== 2) {
return '***@***';
}
$local = $parts[0];
$domain = $parts[1];
// Show first 2 chars of local part
$maskedLocal = substr($local, 0, 2) . str_repeat('*', max(3, strlen($local) - 2));
// Show domain
return $maskedLocal . '@' . $domain;
}
}
Reference in New Issue View Git Blame Copy Permalink