Support one-time authorization code for form-based authentication mechanism

[michalvavrik]

• Implements non-JDBC part of the Enhance Form authentication to support one-time tokens #45977.

[github-actions]

🎊 PR Preview 0061772 has been successfully built and deployed to https://quarkus-pr-main-46974-preview.surge.sh/version/main/guides/

• Images of blog posts older than 3 months are not available.
• Newsletters older than 3 months are not available.

[michalvavrik]

Update: Windows failure seems like a bug (though don't see how it is related to changes here), I'll find it and fix it.

[michalvavrik]

Oh, it is failing because during merging I removed the fix I introduced to Quarkus main branch already, my bad, I'll drop it.

[sberyozkin]

Thanks @michalvavrik, I'll look a bit later.

[michalvavrik]

Thanks @michalvavrik, I'll look a bit later.

Thanks as well, no hurry, I expect this will take a longer discussion. But I think it is easier this way because it is less code to review and once this is in, JDBC part will be easy.

[sberyozkin]

@michalvavrik Thanks, I've started commenting and we can continue in the next few days, I suggest to set it Draft for now as I guess there will be a few more iterations

[michalvavrik]

As the PR is draft now, I'll be pushing changes continuously. I'll inform you with a PR comment once the PR is adapted to what we agreed in here and via email. Please ignore pushes until then.

[michalvavrik]

@sberyozkin your turn :-)

[sberyozkin]

This path can be made a default value, quarkus.http.auth.form.authentication-token.enabled=true should be enough for such a case. Also propose to shorten the property to authentication-token.redirect-path

[sberyozkin]

Would it be correct to name it FormAuthenticationTokenSender, with the one-time aspect highlighted in the docs ? Form authentication is the only built in mechanism that this interface can work with

[sberyozkin]

Suggested change

	final class OneTimeAuthTokenRequestHandler {
	final class FormAuthenticationTokenRequestHandler {

or, FormAuthenticationTokenHandler

[sberyozkin]

I propose to propose to replace ONE_TIME (and lower cases onetime) everywhere with Form (using the right case), in this case it might be AUTHENTICATION_TOKEN (since it in the FormEventType), not sure _REQUESTED is necessary

[sberyozkin]

Hi @michalvavrik, apologies for delaying reviewing it.

IMHO, it indeed looks better with the cookie.

I have a question, as it is not quite obvious to me from the PR.

1. At what point do you create a session cookie in the PR ? If it is created before the user has to submit the token back to Quarkus, then it is problematic, because the user is already having a session cookie, without completing 2-factor, and can probably cancel the form and just access some secured endpoint path.

This may already be done this way, please clarify, but the way I imagine it should is as follows, if Form 2FA is enabled:

• Redirect the user with the one time token cookie to the token submission form
• Once the user token submission has been confirmed, remove the token cookie, create the session cookie

Do you agree ? Sorry if it is how it is already implemented

Thanks

[MichalMaler]

Suggested change

	The form-based authentication mechanism supports two-factor authentication (2FA) with a one-time authentication token second-factor option.
	The form-based authentication mechanism supports two-factor authentication (2FA) with a one-time authentication token as a second-factor option.

[MichalMaler]

Suggested change

	When user submit a username and password to the `/j_security_check` POST location, they will get relocated to the `/authentication-token-form` page.
	After users post their username and password to `/j_security_check`, they are redirected to `/authentication-token-form`.

[MichalMaler]

Suggested change

	.Enable two-factor authentication
	* To enable 2FA, set the following properties:
	+

[MichalMaler]

Suggested change

	<1> Once the one-time authentication token has been generated, redirect to a page with an authentication token form.
	<1> After generating the one-time authentication token, redirect to the authentication token form.

[MichalMaler]

Hello Michal! Not sure if we need to use the <1> here. If not, I would just use the "+" above that sentence to glue and align it to that snippet above, and we should be good. It's a way to describe the aftermath of our earlier actions.

[MichalMaler]

Suggested change

	The `/authentication-token-form` page should allow users to submit the one-time authentication token sent to them.
	The `/authentication-token-form` page allows them to submit the one-time authentication token.

[MichalMaler]

Suggested change

	.Example form for authentication with a one-time authentication token
	.An example of an HTML form that submits a one-time authentication token

[MichalMaler]

Suggested change

	.Example one-time authentication token sender
	.An example of a CDI bean that sends the one-time authentication token by email

[MichalMaler]

Suggested change

	See the xref:mailer-reference.adoc[Quarkus Mailer Reference documentation] for more information about the mailer.
	For more information about the mailer, see the xref:mailer-reference.adoc[Quarkus Mailer reference documentation].

[MichalMaler]

Hey, @michalvavrik ! I just spotted this awesome PR and provided a few suggestions. Use them if you like it, or feel free to tweak them or drop them completely :)
Kind regards, Michal