Make 2FA providers stateful

This adds persistence to the Nextcloud server 2FA logic so that the server
knows which 2FA providers are enabled for a specific user at any time, even
when the provider is not available.

The `IStatefulProvider` interface was added as tagging interface for providers
that are compatible with this new API.

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

9 files changed, 471 insertions, 84 deletions

diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 77729886601..687128833b7 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -69,6 +69,7 @@ return array(
     'OCP\\Authentication\\LoginCredentials\\IStore' => $baseDir . '/lib/public/Authentication/LoginCredentials/IStore.php',
     'OCP\\Authentication\\TwoFactorAuth\\IProvider' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IProvider.php',
     'OCP\\Authentication\\TwoFactorAuth\\IProvidesCustomCSP' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php',
+    'OCP\\Authentication\\TwoFactorAuth\\IRegistry' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IRegistry.php',
     'OCP\\Authentication\\TwoFactorAuth\\TwoFactorException' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php',
     'OCP\\AutoloadNotAllowedException' => $baseDir . '/lib/public/AutoloadNotAllowedException.php',
     'OCP\\BackgroundJob' => $baseDir . '/lib/public/BackgroundJob.php',
@@ -425,7 +426,11 @@ return array(
     'OC\\Authentication\\Token\\PublicKeyToken' => $baseDir . '/lib/private/Authentication/Token/PublicKeyToken.php',
     'OC\\Authentication\\Token\\PublicKeyTokenMapper' => $baseDir . '/lib/private/Authentication/Token/PublicKeyTokenMapper.php',
     'OC\\Authentication\\Token\\PublicKeyTokenProvider' => $baseDir . '/lib/private/Authentication/Token/PublicKeyTokenProvider.php',
+    'OC\\Authentication\\TwoFactorAuth\\Db\\ProviderUserAssignmentDao' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php',
     'OC\\Authentication\\TwoFactorAuth\\Manager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
+    'OC\\Authentication\\TwoFactorAuth\\ProviderLoader' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php',
+    'OC\\Authentication\\TwoFactorAuth\\ProviderSet' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/ProviderSet.php',
+    'OC\\Authentication\\TwoFactorAuth\\Registry' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Registry.php',
     'OC\\Avatar' => $baseDir . '/lib/private/Avatar.php',
     'OC\\AvatarManager' => $baseDir . '/lib/private/AvatarManager.php',
     'OC\\BackgroundJob\\Job' => $baseDir . '/lib/private/BackgroundJob/Job.php',
@@ -536,6 +541,7 @@ return array(
     'OC\\Core\\Command\\TwoFactorAuth\\Base' => $baseDir . '/core/Command/TwoFactorAuth/Base.php',
     'OC\\Core\\Command\\TwoFactorAuth\\Disable' => $baseDir . '/core/Command/TwoFactorAuth/Disable.php',
     'OC\\Core\\Command\\TwoFactorAuth\\Enable' => $baseDir . '/core/Command/TwoFactorAuth/Enable.php',
+    'OC\\Core\\Command\\TwoFactorAuth\\State' => $baseDir . '/core/Command/TwoFactorAuth/State.php',
     'OC\\Core\\Command\\Upgrade' => $baseDir . '/core/Command/Upgrade.php',
     'OC\\Core\\Command\\User\\Add' => $baseDir . '/core/Command/User/Add.php',
     'OC\\Core\\Command\\User\\Delete' => $baseDir . '/core/Command/User/Delete.php',
@@ -575,6 +581,7 @@ return array(
     'OC\\Core\\Migrations\\Version14000Date20180404140050' => $baseDir . '/core/Migrations/Version14000Date20180404140050.php',
     'OC\\Core\\Migrations\\Version14000Date20180516101403' => $baseDir . '/core/Migrations/Version14000Date20180516101403.php',
     'OC\\Core\\Migrations\\Version14000Date20180518120534' => $baseDir . '/core/Migrations/Version14000Date20180518120534.php',
+    'OC\\Core\\Migrations\\Version14000Date20180522074438' => $baseDir . '/core/Migrations/Version14000Date20180522074438.php',
     'OC\\DB\\Adapter' => $baseDir . '/lib/private/DB/Adapter.php',
     'OC\\DB\\AdapterMySQL' => $baseDir . '/lib/private/DB/AdapterMySQL.php',
     'OC\\DB\\AdapterOCI8' => $baseDir . '/lib/private/DB/AdapterOCI8.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index be9c71d8246..673f7b5c49b 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -99,6 +99,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OCP\\Authentication\\LoginCredentials\\IStore' => __DIR__ . '/../../..' . '/lib/public/Authentication/LoginCredentials/IStore.php',
         'OCP\\Authentication\\TwoFactorAuth\\IProvider' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IProvider.php',
         'OCP\\Authentication\\TwoFactorAuth\\IProvidesCustomCSP' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IProvidesCustomCSP.php',
+        'OCP\\Authentication\\TwoFactorAuth\\IRegistry' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IRegistry.php',
         'OCP\\Authentication\\TwoFactorAuth\\TwoFactorException' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php',
         'OCP\\AutoloadNotAllowedException' => __DIR__ . '/../../..' . '/lib/public/AutoloadNotAllowedException.php',
         'OCP\\BackgroundJob' => __DIR__ . '/../../..' . '/lib/public/BackgroundJob.php',
@@ -455,7 +456,11 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Authentication\\Token\\PublicKeyToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/PublicKeyToken.php',
         'OC\\Authentication\\Token\\PublicKeyTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/PublicKeyTokenMapper.php',
         'OC\\Authentication\\Token\\PublicKeyTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/PublicKeyTokenProvider.php',
+        'OC\\Authentication\\TwoFactorAuth\\Db\\ProviderUserAssignmentDao' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php',
         'OC\\Authentication\\TwoFactorAuth\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
+        'OC\\Authentication\\TwoFactorAuth\\ProviderLoader' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php',
+        'OC\\Authentication\\TwoFactorAuth\\ProviderSet' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/ProviderSet.php',
+        'OC\\Authentication\\TwoFactorAuth\\Registry' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Registry.php',
         'OC\\Avatar' => __DIR__ . '/../../..' . '/lib/private/Avatar.php',
         'OC\\AvatarManager' => __DIR__ . '/../../..' . '/lib/private/AvatarManager.php',
         'OC\\BackgroundJob\\Job' => __DIR__ . '/../../..' . '/lib/private/BackgroundJob/Job.php',
@@ -566,6 +571,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Core\\Command\\TwoFactorAuth\\Base' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Base.php',
         'OC\\Core\\Command\\TwoFactorAuth\\Disable' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Disable.php',
         'OC\\Core\\Command\\TwoFactorAuth\\Enable' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/Enable.php',
+        'OC\\Core\\Command\\TwoFactorAuth\\State' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/State.php',
         'OC\\Core\\Command\\Upgrade' => __DIR__ . '/../../..' . '/core/Command/Upgrade.php',
         'OC\\Core\\Command\\User\\Add' => __DIR__ . '/../../..' . '/core/Command/User/Add.php',
         'OC\\Core\\Command\\User\\Delete' => __DIR__ . '/../../..' . '/core/Command/User/Delete.php',
@@ -605,6 +611,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Core\\Migrations\\Version14000Date20180404140050' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180404140050.php',
         'OC\\Core\\Migrations\\Version14000Date20180516101403' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180516101403.php',
         'OC\\Core\\Migrations\\Version14000Date20180518120534' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180518120534.php',
+        'OC\\Core\\Migrations\\Version14000Date20180522074438' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180522074438.php',
         'OC\\DB\\Adapter' => __DIR__ . '/../../..' . '/lib/private/DB/Adapter.php',
         'OC\\DB\\AdapterMySQL' => __DIR__ . '/../../..' . '/lib/private/DB/AdapterMySQL.php',
         'OC\\DB\\AdapterOCI8' => __DIR__ . '/../../..' . '/lib/private/DB/AdapterOCI8.php',
diff --git a/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php
new file mode 100644
index 00000000000..5b3f2849433
--- /dev/null
+++ b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php
@@ -0,0 +1,86 @@
+<?php
+
+declare(strict_types = 1);
+
+/**
+ * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Authentication\TwoFactorAuth\Db;
+
+use OCP\DB\QueryBuilder\IQueryBuilder;
+use OCP\IDBConnection;
+
+/**
+ * Data access object to query and assign (provider_id, uid, enabled) tuples of
+ * 2FA providers
+ */
+class ProviderUserAssignmentDao {
+
+	const TABLE_NAME = 'twofactor_providers';
+
+	/** @var IDBConnection */
+	private $conn;
+
+	public function __construct(IDBConnection $dbConn) {
+		$this->conn = $dbConn;
+	}
+
+	/**
+	 * Get all assigned provider IDs for the given user ID
+	 *
+	 * @return string[] where the array key is the provider ID (string) and the
+	 *                  value is the enabled state (bool)
+	 */
+	public function getState(string $uid): array {
+		$qb = $this->conn->getQueryBuilder();
+
+		$query = $qb->select('provider_id', 'enabled')
+			->from(self::TABLE_NAME)
+			->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)));
+		$result = $query->execute();
+		$providers = [];
+		foreach ($result->fetchAll() as $row) {
+			$providers[$row['provider_id']] = 1 === (int) $row['enabled'];
+		}
+		$result->closeCursor();
+
+		return $providers;
+	}
+
+	/**
+	 * Persist a new/updated (provider_id, uid, enabled) tuple
+	 */
+	public function persist(string $providerId, string $uid, int $enabled) {
+		$qb = $this->conn->getQueryBuilder();
+
+		// TODO: concurrency? What if (providerId, uid) private key is inserted
+		//       twice at the same time?
+		$query = $qb->insert(self::TABLE_NAME)->values([
+			'provider_id' => $qb->createNamedParameter($providerId),
+			'uid' => $qb->createNamedParameter($uid),
+			'enabled' => $qb->createNamedParameter($enabled, IQueryBuilder::PARAM_INT),
+		]);
+
+		$query->execute();
+	}
+
+}
diff --git a/lib/private/Authentication/TwoFactorAuth/Manager.php b/lib/private/Authentication/TwoFactorAuth/Manager.php
index 933b86ffda5..0837ec339a5 100644
--- a/lib/private/Authentication/TwoFactorAuth/Manager.php
+++ b/lib/private/Authentication/TwoFactorAuth/Manager.php
@@ -1,5 +1,6 @@
 <?php
-declare(strict_types=1);
+
+declare(strict_types = 1);
 /**
  * @copyright Copyright (c) 2016, ownCloud, Inc.
  *
@@ -28,15 +29,12 @@ namespace OC\Authentication\TwoFactorAuth;
 
 use BadMethodCallException;
 use Exception;
-use OC;
-use OC\App\AppManager;
-use OC_App;
 use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\IProvider as TokenProvider;
 use OCP\Activity\IManager;
-use OCP\AppFramework\QueryException;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\Authentication\TwoFactorAuth\IProvider;
+use OCP\Authentication\TwoFactorAuth\IRegistry;
 use OCP\IConfig;
 use OCP\ILogger;
 use OCP\ISession;
@@ -48,12 +46,13 @@ class Manager {
 
 	const SESSION_UID_KEY = 'two_factor_auth_uid';
 	const SESSION_UID_DONE = 'two_factor_auth_passed';
-	const BACKUP_CODES_APP_ID = 'twofactor_backupcodes';
-	const BACKUP_CODES_PROVIDER_ID = 'backup_codes';
 	const REMEMBER_LOGIN = 'two_factor_remember_login';
 
-	/** @var AppManager */
-	private $appManager;
+	/** @var ProviderLoader */
+	private $providerLoader;
+
+	/** @var IRegistry */
+	private $providerRegistry;
 
 	/** @var ISession */
 	private $session;
@@ -76,25 +75,11 @@ class Manager {
 	/** @var EventDispatcherInterface */
 	private $dispatcher;
 
-	/**
-	 * @param AppManager $appManager
-	 * @param ISession $session
-	 * @param IConfig $config
-	 * @param IManager $activityManager
-	 * @param ILogger $logger
-	 * @param TokenProvider $tokenProvider
-	 * @param ITimeFactory $timeFactory
-	 * @param EventDispatcherInterface $eventDispatcher
-	 */
-	public function __construct(AppManager $appManager,
-								ISession $session,
-								IConfig $config,
-								IManager $activityManager,
-								ILogger $logger,
-								TokenProvider $tokenProvider,
-								ITimeFactory $timeFactory,
-								EventDispatcherInterface $eventDispatcher) {
-		$this->appManager = $appManager;
+	public function __construct(ProviderLoader $providerLoader,
+		IRegistry $providerRegistry, ISession $session, IConfig $config,
+		IManager $activityManager, ILogger $logger, TokenProvider $tokenProvider,
+		ITimeFactory $timeFactory, EventDispatcherInterface $eventDispatcher) {
+		$this->providerLoader = $providerLoader;
 		$this->session = $session;
 		$this->config = $config;
 		$this->activityManager = $activityManager;
@@ -102,6 +87,7 @@ class Manager {
 		$this->tokenProvider = $tokenProvider;
 		$this->timeFactory = $timeFactory;
 		$this->dispatcher = $eventDispatcher;
+		$this->providerRegistry = $providerRegistry;
 	}
 
 	/**
@@ -112,7 +98,15 @@ class Manager {
 	 */
 	public function isTwoFactorAuthenticated(IUser $user): bool {
 		$twoFactorEnabled = ((int) $this->config->getUserValue($user->getUID(), 'core', 'two_factor_auth_disabled', 0)) === 0;
-		return $twoFactorEnabled && \count($this->getProviders($user)) > 0;
+
+		if (!$twoFactorEnabled) {
+			return false;
+		}
+
+		$providerStates = $this->providerRegistry->getProviderStates($user);
+		$enabled = array_filter($providerStates);
+
+		return $twoFactorEnabled && !empty($enabled);
 	}
 
 	/**
@@ -141,71 +135,96 @@ class Manager {
 	 * @return IProvider|null
 	 */
 	public function getProvider(IUser $user, string $challengeProviderId) {
-		$providers = $this->getProviders($user, true);
+		$providers = $this->getProviderSet($user)->getProviders();
 		return $providers[$challengeProviderId] ?? null;
 	}
 
 	/**
+	 * Check if the persistant mapping of enabled/disabled state of each available
+	 * provider is missing an entry and add it to the registry in that case.
+	 *
+	 * @todo remove in Nextcloud 17 as by then all providers should have been updated
+	 *
+	 * @param string[] $providerStates
+	 * @param IProvider[] $providers
 	 * @param IUser $user
-	 * @return IProvider|null the backup provider, if enabled for the given user
+	 * @return string[] the updated $providerStates variable
 	 */
-	public function getBackupProvider(IUser $user) {
-		$providers = $this->getProviders($user, true);
-		if (!isset($providers[self::BACKUP_CODES_PROVIDER_ID])) {
-			return null;
+	private function fixMissingProviderStates(array $providerStates,
+		array $providers, IUser $user): array {
+
+		foreach ($providers as $provider) {
+			if (isset($providerStates[$provider->getId()])) {
+				// All good
+				continue;
+			}
+
+			$enabled = $provider->isTwoFactorAuthEnabledForUser($user);
+			if ($enabled) {
+				$this->providerRegistry->enableProviderFor($provider, $user);
+			} else {
+				$this->providerRegistry->disableProviderFor($provider, $user);
+			}
+			$providerStates[$provider->getId()] = $enabled;
 		}
-		return $providers[self::BACKUP_CODES_PROVIDER_ID];
+
+		return $providerStates;
 	}
 
 	/**
-	 * Get the list of 2FA providers for the given user
-	 *
-	 * @param IUser $user
-	 * @param bool $includeBackupApp
-	 * @return IProvider[]
-	 * @throws Exception
+	 * @param array $states
+	 * @param IProvider $providers
 	 */
-	public function getProviders(IUser $user, bool $includeBackupApp = false): array {
-		$allApps = $this->appManager->getEnabledAppsForUser($user);
-		$providers = [];
+	private function isProviderMissing(array $states, array $providers): bool {
+		$indexed = [];
+		foreach ($providers as $provider) {
+			$indexed[$provider->getId()] = $provider;
+		}
 
-		foreach ($allApps as $appId) {
-			if (!$includeBackupApp && $appId === self::BACKUP_CODES_APP_ID) {
+		$missing = [];
+		foreach ($states as $providerId => $enabled) {
+			if (!$enabled) {
+				// Don't care
 				continue;
 			}
 
-			$info = $this->appManager->getAppInfo($appId);
-			if (isset($info['two-factor-providers'])) {
-				/** @var string[] $providerClasses */
-				$providerClasses = $info['two-factor-providers'];
-				foreach ($providerClasses as $class) {
-					try {
-						$this->loadTwoFactorApp($appId);
-						$provider = OC::$server->query($class);
-						$providers[$provider->getId()] = $provider;
-					} catch (QueryException $exc) {
-						// Provider class can not be resolved
-						throw new Exception("Could not load two-factor auth provider $class");
-					}
-				}
+			if (!isset($indexed[$providerId])) {
+				$missing[] = $providerId;
+				$this->logger->alert("two-factor auth provider '$providerId' failed to load",
+					[
+					'app' => 'core',
+				]);
 			}
 		}
 
-		return array_filter($providers, function ($provider) use ($user) {
-			/* @var $provider IProvider */
-			return $provider->isTwoFactorAuthEnabledForUser($user);
-		});
+		if (!empty($missing)) {
+			// There was at least one provider missing
+			$this->logger->alert(count($missing) . " two-factor auth providers failed to load", ['app' => 'core']);
+
+			return true;
+		}
+
+		// If we reach this, there was not a single provider missing
+		return false;
 	}
 
 	/**
-	 * Load an app by ID if it has not been loaded yet
+	 * Get the list of 2FA providers for the given user
 	 *
-	 * @param string $appId
+	 * @param IUser $user
+	 * @throws Exception
 	 */
-	protected function loadTwoFactorApp(string $appId) {
-		if (!OC_App::isAppLoaded($appId)) {
-			OC_App::loadApp($appId);
-		}
+	public function getProviderSet(IUser $user): ProviderSet {
+		$providerStates = $this->providerRegistry->getProviderStates($user);
+		$providers = $this->providerLoader->getProviders($user);
+
+		$fixedStates = $this->fixMissingProviderStates($providerStates, $providers, $user);
+		$isProviderMissing = $this->isProviderMissing($fixedStates, $providers);
+
+		$enabled = array_filter($providers, function (IProvider $provider) use ($fixedStates) {
+			return $fixedStates[$provider->getId()];
+		});
+		return new ProviderSet($enabled, $isProviderMissing);
 	}
 
 	/**
@@ -272,7 +291,7 @@ class Manager {
 		try {
 			$this->activityManager->publish($activity);
 		} catch (BadMethodCallException $e) {
-			$this->logger->warning('could not publish backup code creation activity', ['app' => 'core']);
+			$this->logger->warning('could not publish activity', ['app' => 'core']);
 			$this->logger->logException($e, ['app' => 'core']);
 		}
 	}
diff --git a/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php b/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php
new file mode 100644
index 00000000000..bd20cd12949
--- /dev/null
+++ b/lib/private/Authentication/TwoFactorAuth/ProviderLoader.php
@@ -0,0 +1,88 @@
+<?php
+
+/**
+ * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Authentication\TwoFactorAuth;
+
+use Exception;
+use OC;
+use OC_App;
+use OCP\App\IAppManager;
+use OCP\AppFramework\QueryException;
+use OCP\Authentication\TwoFactorAuth\IProvider;
+use OCP\IUser;
+
+class ProviderLoader {
+
+	const BACKUP_CODES_APP_ID = 'twofactor_backupcodes';
+
+	/** @var IAppManager */
+	private $appManager;
+
+	public function __construct(IAppManager $appManager) {
+		$this->appManager = $appManager;
+	}
+
+	/**
+	 * Get the list of 2FA providers for the given user
+	 *
+	 * @return IProvider[]
+	 * @throws Exception
+	 */
+	public function getProviders(IUser $user): array {
+		$allApps = $this->appManager->getEnabledAppsForUser($user);
+		$providers = [];
+
+		foreach ($allApps as $appId) {
+			$info = $this->appManager->getAppInfo($appId);
+			if (isset($info['two-factor-providers'])) {
+				/** @var string[] $providerClasses */
+				$providerClasses = $info['two-factor-providers'];
+				foreach ($providerClasses as $class) {
+					try {
+						$this->loadTwoFactorApp($appId);
+						$provider = OC::$server->query($class);
+						$providers[$provider->getId()] = $provider;
+					} catch (QueryException $exc) {
+						// Provider class can not be resolved
+						throw new Exception("Could not load two-factor auth provider $class");
+					}
+				}
+			}
+		}
+
+		return $providers;
+	}
+
+	/**
+	 * Load an app by ID if it has not been loaded yet
+	 *
+	 * @param string $appId
+	 */
+	protected function loadTwoFactorApp(string $appId) {
+		if (!OC_App::isAppLoaded($appId)) {
+			OC_App::loadApp($appId);
+		}
+	}
+
+}
diff --git a/lib/private/Authentication/TwoFactorAuth/ProviderSet.php b/lib/private/Authentication/TwoFactorAuth/ProviderSet.php
new file mode 100644
index 00000000000..60e967ba546
--- /dev/null
+++ b/lib/private/Authentication/TwoFactorAuth/ProviderSet.php
@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Authentication\TwoFactorAuth;
+
+use OCP\Authentication\TwoFactorAuth\IProvider;
+
+/**
+ * Contains all two-factor provider information for the two-factor login challenge
+ */
+class ProviderSet {
+
+	/** @var IProvider */
+	private $providers;
+
+	/** @var bool */
+	private $providerMissing;
+
+	/**
+	 * @param IProvider[] $providers
+	 * @param bool $providerMissing
+	 */
+	public function __construct(array $providers, bool $providerMissing) {
+		$this->providers = [];
+		foreach ($providers as $provider) {
+			$this->providers[$provider->getId()] = $provider;
+		}
+		$this->providerMissing = $providerMissing;
+	}
+
+	/**
+	 * @param string $providerId
+	 * @return IProvider|null
+	 */
+	public function getProvider(string $providerId) {
+		return $this->providers[$providerId] ?? null;
+	}
+
+	/**
+	 * @return IProvider[]
+	 */
+	public function getProviders(): array {
+		return $this->providers;
+	}
+
+	public function isProviderMissing(): bool {
+		return $this->providerMissing;
+	}
+
+}
diff --git a/lib/private/Authentication/TwoFactorAuth/Registry.php b/lib/private/Authentication/TwoFactorAuth/Registry.php
new file mode 100644
index 00000000000..0cfb052440e
--- /dev/null
+++ b/lib/private/Authentication/TwoFactorAuth/Registry.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types = 1);
+
+/**
+ * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Authentication\TwoFactorAuth;
+
+use OC\Authentication\TwoFactorAuth\Db\ProviderUserAssignmentDao;
+use OCP\Authentication\TwoFactorAuth\IProvider;
+use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\IUser;
+
+class Registry implements IRegistry {
+
+	/** @var ProviderUserAssignmentDao */
+	private $assignmentDao;
+
+	public function __construct(ProviderUserAssignmentDao $assignmentDao) {
+		$this->assignmentDao = $assignmentDao;
+	}
+
+	public function getProviderStates(IUser $user): array {
+		return $this->assignmentDao->getState($user->getUID());
+	}
+
+	public function enableProviderFor(IProvider $provider, IUser $user) {
+		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 1);
+	}
+
+	public function disableProviderFor(IProvider $provider, IUser $user) {
+		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 0);
+	}
+
+}
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 31f088ea718..7824638b212 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -412,18 +412,7 @@ class Server extends ServerContainer implements IServerContainer {
 		});
 		$this->registerAlias('UserSession', \OCP\IUserSession::class);
 
-		$this->registerService(\OC\Authentication\TwoFactorAuth\Manager::class, function (Server $c) {
-			return new \OC\Authentication\TwoFactorAuth\Manager(
-				$c->getAppManager(),
-				$c->getSession(),
-				$c->getConfig(),
-				$c->getActivityManager(),
-				$c->getLogger(),
-				$c->query(IProvider::class),
-				$c->query(ITimeFactory::class),
-				$c->query(EventDispatcherInterface::class)
-			);
-		});
+		$this->registerAlias(\OCP\Authentication\TwoFactorAuth\IRegistry::class, \OC\Authentication\TwoFactorAuth\Registry::class);
 
 		$this->registerAlias(\OCP\INavigationManager::class, \OC\NavigationManager::class);
 		$this->registerAlias('NavigationManager', \OCP\INavigationManager::class);
diff --git a/lib/public/Authentication/TwoFactorAuth/IRegistry.php b/lib/public/Authentication/TwoFactorAuth/IRegistry.php
new file mode 100644
index 00000000000..5013892d402
--- /dev/null
+++ b/lib/public/Authentication/TwoFactorAuth/IRegistry.php
@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types = 1);
+
+/**
+ * @copyright 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2018 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCP\Authentication\TwoFactorAuth;
+
+use OCP\IUser;
+
+/**
+ * Nextcloud 2FA provider registry for stateful 2FA providers
+ * 
+ * This service keeps track of which providers are currently active for a specific
+ * user. Stateful 2FA providers (IStatefulProvider) must use this service to save
+ * their enabled/disabled state.
+ *
+ * @since 14.0.0
+ */
+interface IRegistry {
+
+	/**
+	 * Get a key-value map of providers and their enabled/disabled state for
+	 * the given user.
+	 *
+	 * @since 14.0.0
+	 * @return string[] where the array key is the provider ID (string) and the
+	 *                  value is the enabled state (bool)
+	 */
+	public function getProviderStates(IUser $user): array;
+
+	/**
+	 * Enable the given 2FA provider for the given user
+	 *
+	 * @since 14.0.0
+	 */
+	public function enableProviderFor(IProvider $provider, IUser $user);
+
+	/**
+	 * Disable the given 2FA provider for the given user
+	 *
+	 * @since 14.0.0
+	 */
+	public function disableProviderFor(IProvider $provider, IUser $user);
+}