fix(tfa): extend expiration time for TFA setup state and improve error handling

Author: mjabascal10

backend/src/main/java/com/park/utmstack/service/tfa/EmailTfaService.java

@@ -86,7 +86,7 @@ public void generateChallenge(User user) {
         String secret = user.getTfaSecret();
         String code = tfaService.generateCode(secret);
 
-        TfaSetupState state = new TfaSetupState(secret, System.currentTimeMillis() + Constants.EXPIRES_IN_SECONDS * 1000);
+        TfaSetupState state = new TfaSetupState(secret, System.currentTimeMillis() + Constants.EXPIRES_IN_SECONDS * 1000 * 10);
         cache.storeState(user.getLogin(), TfaMethod.EMAIL, state);
 
         mailService.sendTfaVerificationCode(user, code);

backend/src/main/java/com/park/utmstack/service/tfa/TotpTfaService.java

@@ -64,13 +64,6 @@ public TfaVerifyResponse verifyCode(User user, String code) {
 
         boolean expired = tfaSetupState.isExpired();
         boolean valid = !expired && authenticator.authorize(tfaSetupState.getSecret(), Integer.parseInt(code)) && !code.equals(tfaSetupState.getLastUsedCode());
-
-        if(expired){
-            tfaSetupState.setLastUsedCode(code);
-            tfaSetupState.setExpiresAt(System.currentTimeMillis() + Constants.EXPIRES_IN_SECONDS * 1000);
-            cache.storeState(user.getLogin(), TfaMethod.TOTP, tfaSetupState);
-        }
-
         return new TfaVerifyResponse(
                 valid,
                 expired,
@@ -91,8 +84,9 @@ public void persistConfiguration(User user) throws Exception {
 
     @Override
     public void generateChallenge(User user) {
+        cache.clear(user.getLogin(), TfaMethod.TOTP);
         String secret = user.getTfaSecret();
-        TfaSetupState state = new TfaSetupState(secret, System.currentTimeMillis() + Constants.EXPIRES_IN_SECONDS * 1000);
+        TfaSetupState state = new TfaSetupState(secret, System.currentTimeMillis() + (Constants.EXPIRES_IN_SECONDS + 10) * 1000);
         cache.storeState(user.getLogin(), TfaMethod.TOTP, state);
     }
 

backend/src/main/java/com/park/utmstack/web/rest/tfa/TfaController.java

@@ -31,6 +31,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.web.bind.annotation.*;
+import tech.jhipster.web.util.ResponseUtil;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -62,7 +63,7 @@ public ResponseEntity<TfaInitResponse> initTfa(@RequestBody TfaInitRequest reque
             String msg = ctx + ": " + e.getMessage();
             log.error(msg);
             applicationEventService.createEvent(msg, ApplicationEventType.ERROR);
-            throw e;
+            return UtilResponse.buildInternalServerErrorResponse(msg);
         }
 
     }
@@ -74,11 +75,25 @@ public ResponseEntity<TfaVerifyResponse> verifyTfa(@RequestBody TfaVerifyRequest
             User user = userService.getCurrentUserLogin();
             TfaVerifyResponse response = tfaService.verifyCode(user, request);
             return ResponseEntity.ok(response);
+        } catch (Exception e) {
+            String msg = ctx + ": " + e.getMessage();
+            log.error(msg);
+            return UtilResponse.buildInternalServerErrorResponse(msg);
+        }
+    }
+
+    @GetMapping("/generate-challenge")
+    public ResponseEntity<Void> generateChallenge() {
+        final String ctx = CLASSNAME + ".generateChallenge";
+        try {
+            User user = userService.getCurrentUserLogin();
+            tfaService.generateChallenge(user);
+            return ResponseEntity.ok().build();
         } catch (Exception e) {
             String msg = ctx + ": " + e.getMessage();
             log.error(msg);
             applicationEventService.createEvent(msg, ApplicationEventType.ERROR);
-            throw e;
+            return UtilResponse.buildInternalServerErrorResponse(msg);
         }
     }
 
@@ -100,10 +115,6 @@ public ResponseEntity<Void> completeTfa(@RequestBody TfaSaveRequest request) {
                 }
             }
 
-
-
-
-
             tfaService.persistConfiguration(request.getMethod());
             User user = userService.getCurrentUserLogin();
             utmConfigurationParameterService.saveAllConfigParams(tfaParams);