author | Cornelius Kölbel <cornelius.koelbel@netknights.it> | 2016-11-14 15:39:19 +0100 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2017-01-11 11:01:52 +0100 |
commit | e077e01bf2f2ead37c664e6e1f7339bb3a1d7f85 (patch) | |
tree | b168d6b39ab009421fe5b69e4b895b8a18e853b3 | |
parent | c4e51fd0557728a18a689d1160e00a09dfc6e789 (diff) | |
Add a TwoFactorException
A Two Factor third party App may throw a TwoFactorException()
with a more detailed error message in case the authentication fails.
The 2FA Controller will then display the message of this Exception
to the user.
Working on #26593
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
-rw-r--r-- | core/Controller/TwoFactorChallengeController.php | 23 | ||||
-rw-r--r-- | core/templates/twofactorshowchallenge.php | 8 | ||||
-rw-r--r-- | lib/public/Authentication/TwoFactorAuth/TwoFactorException.php | 37 |
3 files changed, 63 insertions, 5 deletions
diff --git a/core/Controller/TwoFactorChallengeController.php b/core/Controller/TwoFactorChallengeController.php
index 34f0092bea8..13c87b7b0ab 100644
--- a/core/Controller/TwoFactorChallengeController.php
+++ b/core/Controller/TwoFactorChallengeController.php
@@ -26,6 +26,7 @@ namespace OC\Core\Controller;
 use OC\Authentication\TwoFactorAuth\Manager;
 use OC_User;
 use OC_Util;
+use OCP\Authentication\TwoFactorAuth\TwoFactorException;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\TemplateResponse;
@@ -115,9 +116,12 @@ class TwoFactorChallengeController extends Controller {
 $backupProvider = null;
 }
+ $error_message = "";
 if ($this->session->exists('two_factor_auth_error')) {
 $this->session->remove('two_factor_auth_error');
 $error = true;
+ $error_message = $this->session->get("two_factor_auth_error_message");
+ $this->session->remove('two_factor_auth_error_message');
 } else {
 $error = false;
 }
@@ -125,6 +129,7 @@ class TwoFactorChallengeController extends Controller {
 $tmpl->assign('redirect_url', $redirect_url);
 $data = [
 'error' => $error,
+ 'error_message' => $error_message,
 'provider' => $provider,
 'backupProvider' => $backupProvider,
 'logout_attribute' => $this->getLogoutAttribute(),
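Review bot: In showChallenge() the `two_factor_auth_error_message` key is read and cleared only inside the `two_factor_auth_error` branch, and nothing visible in this diff clears it anywhere else, so the text can outlive the failure that produced it. If a provider throws on one attempt and the next attempt fails with a plain `false` before the challenge page is rendered again, the earlier provider message would presumably still be shown. Clearing it ahead of the `try` in solveChallenge(), with `$this->session->remove('two_factor_auth_error_message');`, would tie the message to the current attempt. showChallenge() starts and ends outside this hunk, so this rests on the visible lines only.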
@@ -151,11 +156,21 @@ class TwoFactorChallengeController extends Controller {
 return new RedirectResponse($this->urlGenerator->linkToRoute('core.TwoFactorChallenge.selectChallenge'));
 }
- if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
- if (!is_null($redirect_url)) {
- return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
+ try {
+ if ($this->twoFactorManager->verifyChallenge($challengeProviderId, $user, $challenge)) {
+ if (!is_null($redirect_url)) {
+ return new RedirectResponse($this->urlGenerator->getAbsoluteURL(urldecode($redirect_url)));
+ }
+ return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
 }
- return new RedirectResponse(OC_Util::getDefaultPageUrl());
+ } catch (TwoFactorException $e) {
+ /*
+ * The 2FA App threw an TwoFactorException. Now we display more
+ * information to the user. The exception text is stored in the
+ * session to be used in showChallenge()
+ */
+ $this->session->set('two_factor_auth_error_message',
+ $e->getMessage());
 }
 $this->session->set('two_factor_auth_error', true);
diff --git a/core/templates/twofactorshowchallenge.php b/core/templates/twofactorshowchallenge.php
index 20b92be9520..4f3741b5dfe 100644
--- a/core/templates/twofactorshowchallenge.php
+++ b/core/templates/twofactorshowchallenge.php
@@ -3,6 +3,8 @@
 /** @var $_ array */
 /* @var $error boolean */
 $error = $_['error'];
+/* @var $error_message string */
+$error_message = $_['error_message'];
 /* @var $provider OCP\Authentication\TwoFactorAuth\IProvider */
 $provider = $_['provider'];
 /* @var $template string */
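Review bot: The success path in solveChallenge() now ends with `return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));` where the removed line used `OC_Util::getDefaultPageUrl()`, a change the commit description does not mention. If it is not intended, a completed second factor will always land on the files route rather than on whatever page the removed call would have resolved. Restoring `return new RedirectResponse(OC_Util::getDefaultPageUrl());` inside the `try` keeps the previous behaviour. The method begins and continues outside the hunk.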
@@ -12,7 +14,11 @@ $template = $_['template'];
 <div class="warning">
 <h2 class="two-factor-header"><?php p($provider->getDisplayName()); ?></h2>
 <?php if ($error): ?>
- <p><strong><?php p($l->t('Error while validating your second factor')); ?></strong></p>
+ <?php if($error_message): ?>
+ <p><strong><?php p($error_message); ?></strong></p>
+ <?php else: ?>
+ <p><strong><?php p($l->t('Error while validating your second factor')); ?></strong></p>
+ <?php endif; ?>
 <?php endif; ?>
 <?php print_unescaped($template); ?>
 </div>
diff --git a/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php b/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php
new file mode 100644
index 00000000000..5a06c63d5ce
--- /dev/null
+++ b/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php
@@ -0,0 +1,37 @@
+<?php
+/**
+ * @author Cornelius Kölbel <cornelius.koelbel@netknights.it>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ * User: cornelius
+ * Date: 14.11.16
+ */
+
+/*
+ * This is the public API of ownCloud. It defines an Exception a 2FA app can
+ * throw in case of an error. The 2FA Controller will catch this exception and
+ * display this error.
+ */
+
+// use OCP namespace for all classes that are considered public.
+// This means that they should be used by apps instead of the internal ownCloud classes
+namespace OCP\Authentication\TwoFactorAuth;
+
+/**
+ * Two Factor Authentication failed
+ * @since 9.2.0
+ */
+class TwoFactorException extends \Exception {}
\ No newline at end of file |
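Review bot: The class docblock on `TwoFactorException` does not say that the exception message is rendered verbatim on the challenge page, which the controller and template changes in this commit do via the session and `p($error_message)`. The person reading it has passed only the first factor, so provider authors need to know the text must be safe to disclose, with no backend error strings or hints about which part of the check failed. I would add a sentence to the docblock such as `The message is displayed to the user on the two-factor challenge page; keep it user-facing and free of internal or sensitive details.`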