Security: add security.2fa_enable; hide 2FA UI & skip MFA when disabled

christianbeeznest · christianbeeznest · commit 13c46594dcae · 2025-09-23T23:05:26.000-05:00
diff --git a/src/CoreBundle/Controller/AccountController.php b/src/CoreBundle/Controller/AccountController.php
@@ -114,42 +114,44 @@ public function changePassword(
 
         if (!$user || !$user instanceof UserInterface) {
             $userId = $request->query->get('userId');
-            // error_log("User not logged in. Received userId from query: " . $userId);
 
             if (!$userId || !ctype_digit($userId)) {
-                // error_log("Access denied: Missing or invalid userId.");
                 throw $this->createAccessDeniedException('This user does not have access to this section.');
             }
 
             $user = $userRepository->find((int) $userId);
 
             if (!$user || !$user instanceof UserInterface) {
-                // error_log("Access denied: User not found with ID $userId");
                 throw $this->createAccessDeniedException('User not found or invalid.');
             }
-
-            // error_log("Loaded user by ID: " . $user->getId());
         }
 
+        // Global 2FA toggle: read either "security.2fa_enable" or fallback "2fa_enable"
+        $twoFaEnabledGlobally = 'true' === $settingsManager->getSetting('security.2fa_enable', true);
+
+        // When rotating password (forced update), we also hide the 2FA widget
         $isRotation = $request->query->getBoolean('rotate', false);
 
+        // Build the form; expose 2FA fields only if globally enabled and not rotating the password
         $form = $this->createForm(ChangePasswordType::class, [
             'enable2FA' => $user->getMfaEnabled(),
         ], [
             'user' => $user,
             'portal_name' => $settingsManager->getSetting('platform.institution'),
             'password_hasher' => $passwordHasher,
-            'enable_2fa_field' => !$isRotation,
+            'enable_2fa_field' => $twoFaEnabledGlobally && !$isRotation,
+            'global_2fa_enabled' => $twoFaEnabledGlobally,
         ]);
         $form->handleRequest($request);
 
         $session = $request->getSession();
         $qrCodeBase64 = null;
         $showQRCode = false;
 
-        // Build QR code preview if user opts to enable 2FA but hasn't saved yet
+        // Pre-generate QR preview only when 2FA is globally enabled and user opted-in but hasn't saved yet
         if (
-            $form->isSubmitted()
+            $twoFaEnabledGlobally
+            && $form->isSubmitted()
             && $form->has('enable2FA')
             && $form->get('enable2FA')->getData()
             && !$user->getMfaSecret()
@@ -186,35 +188,40 @@ public function changePassword(
                 if (!$csrfTokenManager->isTokenValid(new CsrfToken('change_password', $submittedToken))) {
                     $form->addError(new FormError($this->translator->trans('CSRF token is invalid. Please try again.')));
                 } else {
-                    $currentPassword = $form->get('currentPassword')->getData();
-                    $newPassword = $form->get('newPassword')->getData();
-                    $confirmPassword = $form->get('confirmPassword')->getData();
-                    $enable2FA = !$isRotation && $form->has('enable2FA')
-                        ? $form->get('enable2FA')->getData()
+                    $currentPassword  = $form->get('currentPassword')->getData();
+                    $newPassword      = $form->get('newPassword')->getData();
+                    $confirmPassword  = $form->get('confirmPassword')->getData();
+
+                    // Only consider the user's 2FA intent if the global toggle is ON and not rotating
+                    $enable2FA = $twoFaEnabledGlobally && !$isRotation && $form->has('enable2FA')
+                        ? (bool) $form->get('enable2FA')->getData()
                         : false;
 
-                    if ($enable2FA && !$user->getMfaSecret()) {
+                    // Handle 2FA activation (only when globally enabled)
+                    if ($twoFaEnabledGlobally && $enable2FA && !$user->getMfaSecret()) {
                         $secret = $session->get('temporary_mfa_secret');
-                        $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
-                        $user->setMfaSecret($encryptedSecret);
-                        $user->setMfaEnabled(true);
-                        $user->setMfaService('TOTP');
-                        $userRepository->updateUser($user);
-
-                        $session->remove('temporary_mfa_secret');
-
-                        $this->addFlash('success', '2FA activated successfully.');
+                        if ($secret) {
+                            $encryptedSecret = $this->encryptTOTPSecret($secret, $_ENV['APP_SECRET']);
+                            $user->setMfaSecret($encryptedSecret);
+                            $user->setMfaEnabled(true);
+                            $user->setMfaService('TOTP');
+                            $userRepository->updateUser($user);
+                            $session->remove('temporary_mfa_secret');
 
-                        return $this->redirectToRoute('chamilo_core_account_home');
+                            $this->addFlash('success', $this->translator->trans('2FA activated successfully.'));
+                            return $this->redirectToRoute('chamilo_core_account_home');
+                        }
                     }
 
-                    if (!$isRotation && !$enable2FA && $user->getMfaEnabled()) {
+                    // Handle 2FA deactivation from the form (only visible if global is ON; safe to guard too)
+                    if ($twoFaEnabledGlobally && !$isRotation && !$enable2FA && $user->getMfaEnabled()) {
                         $user->setMfaEnabled(false);
                         $user->setMfaSecret(null);
                         $userRepository->updateUser($user);
-                        $this->addFlash('success', '2FA disabled successfully.');
+                        $this->addFlash('success', $this->translator->trans('2FA disabled successfully.'));
                     }
 
+                    // Password change flow (unchanged)
                     if ($newPassword || $confirmPassword || $currentPassword) {
                         if (!$userRepository->isPasswordValid($user, $currentPassword)) {
                             $form->get('currentPassword')->addError(new FormError(
@@ -228,15 +235,11 @@ public function changePassword(
                             $user->setPlainPassword($newPassword);
                             $user->setPasswordUpdatedAt(new DateTimeImmutable());
                             $userRepository->updateUser($user);
-                            $this->addFlash('success', 'Password updated successfully.');
+                            $this->addFlash('success', $this->translator->trans('Password updated successfully.'));
 
-                            // Re-login if the user was not logged
+                            // Re-login if the user was not logged in (edge case when rotating from link)
                             if (!$this->getUser()) {
-                                $token = new UsernamePasswordToken(
-                                    $user,
-                                    'main',
-                                    $user->getRoles()
-                                );
+                                $token = new UsernamePasswordToken($user, 'main', $user->getRoles());
                                 $tokenStorage->setToken($token);
                                 $request->getSession()->set('_security_main', serialize($token));
                             }
diff --git a/src/CoreBundle/DataFixtures/SettingsCurrentFixtures.php b/src/CoreBundle/DataFixtures/SettingsCurrentFixtures.php
@@ -1326,6 +1326,11 @@ public static function getExistingSettings(): array
                 ],
             ],
             'security' => [
+                [
+                    'name' => '2fa_enable',
+                    'title' => 'Enable 2FA',
+                    'comment' => "Add fields in the password update page to enable 2FA using a TOTP authenticator app. When disabled globally, users won't see 2FA fields and won't be prompted for 2FA at login, even if they had enabled it previously.",
+                ],
                 [
                     'name' => 'filter_terms',
                     'title' => 'Filter terms',
diff --git a/src/CoreBundle/Form/ChangePasswordType.php b/src/CoreBundle/Form/ChangePasswordType.php
@@ -47,6 +47,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
             ])
         ;
 
+        // Show 2FA fields only when allowed by controller/options
         if ($options['enable_2fa_field']) {
             $builder->add('enable2FA', CheckboxType::class, [
                 'label' => 'Enable two-factor authentication (2FA)',
@@ -72,7 +73,7 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
             $newPassword = $form->get('newPassword')->getData();
             $confirmPassword = $form->get('confirmPassword')->getData();
             $enable2FA = $form->has('enable2FA')
-                ? $form->get('enable2FA')->getData()
+                ? (bool) $form->get('enable2FA')->getData()
                 : false;
             $code = $form->has('confirm2FACode')
                 ? $form->get('confirm2FACode')->getData()
@@ -96,7 +97,8 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
                 }
             }
 
-            if ($form->has('confirm2FACode')) {
+            // Guard 2FA validation behind the global toggle AND presence of the field
+            if ($options['global_2fa_enabled'] === true && $form->has('confirm2FACode')) {
                 if ($user->getMfaEnabled() || $enable2FA) {
                     if (empty($code)) {
                         $form->get('confirm2FACode')->addError(new FormError('The 2FA code is required.'));
@@ -131,13 +133,14 @@ public function buildForm(FormBuilderInterface $builder, array $options): void
     public function configureOptions(OptionsResolver $resolver): void
     {
         $resolver->setDefaults([
-            'csrf_protection' => true,
-            'csrf_field_name' => '_token',
-            'csrf_token_id' => 'change_password',
-            'enable_2fa_field' => true,
-            'user' => null,
-            'portal_name' => 'Chamilo',
-            'password_hasher' => null,
+            'csrf_protection'   => true,
+            'csrf_field_name'   => '_token',
+            'csrf_token_id'     => 'change_password',
+            'enable_2fa_field'  => true,
+            'global_2fa_enabled'=> true,
+            'user'              => null,
+            'portal_name'       => 'Chamilo',
+            'password_hasher'   => null,
         ]);
     }
 
diff --git a/src/CoreBundle/Migrations/Schema/V200/Version20250923224100.php b/src/CoreBundle/Migrations/Schema/V200/Version20250923224100.php
@@ -0,0 +1,96 @@
+<?php
+
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Migrations\Schema\V200;
+
+use Chamilo\CoreBundle\Migrations\AbstractMigrationChamilo;
+use Doctrine\DBAL\Schema\Schema;
+
+final class Version20250923224100 extends AbstractMigrationChamilo
+{
+    public function getDescription(): string
+    {
+        return 'Insert or update platform setting title/comment for security 2FA global toggle (2fa_enable).';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $settings = [
+            [
+                'name' => '2fa_enable',
+                'title' => 'Enable 2FA',
+                'comment' => "Add fields in the password update page to enable 2FA using a TOTP authenticator app. When disabled globally, users won't see 2FA fields and won't be prompted for 2FA at login, even if they had enabled it previously.",
+                'category' => 'security',
+                'default' => 'false',
+            ],
+        ];
+
+        foreach ($settings as $setting) {
+            $variable = addslashes($setting['name']);
+            $title = addslashes($setting['title']);
+            $comment = addslashes($setting['comment']);
+            $category = addslashes($setting['category']);
+            $default = addslashes($setting['default']);
+
+            $sqlCheck = \sprintf(
+                "SELECT COUNT(*) AS count
+                 FROM settings
+                 WHERE variable = '%s'
+                   AND subkey IS NULL
+                   AND access_url = 1",
+                $variable
+            );
+
+            $stmt = $this->connection->executeQuery($sqlCheck);
+            $result = $stmt->fetchAssociative();
+
+            if ($result && (int) $result['count'] > 0) {
+                $this->addSql(\sprintf(
+                    "UPDATE settings
+                     SET title = '%s',
+                         comment = '%s',
+                         category = '%s'
+                     WHERE variable = '%s'
+                       AND subkey IS NULL
+                       AND access_url = 1",
+                    $title,
+                    $comment,
+                    $category,
+                    $variable
+                ));
+                $this->write(\sprintf('Updated setting: %s', $setting['name']));
+            } else {
+                $this->addSql(\sprintf(
+                    "INSERT INTO settings
+                        (variable, subkey, type, category, selected_value, title, comment, access_url_changeable, access_url_locked, access_url)
+                     VALUES
+                        ('%s', NULL, NULL, '%s', '%s', '%s', '%s', 1, 0, 1)",
+                    $variable,
+                    $category,
+                    $default,
+                    $title,
+                    $comment
+                ));
+                $this->write(\sprintf('Inserted setting: %s', $setting['name']));
+            }
+        }
+    }
+
+    public function down(Schema $schema): void
+    {
+        $variables = ['2fa_enable'];
+
+        foreach ($variables as $variable) {
+            $this->addSql(\sprintf(
+                "DELETE FROM settings
+                 WHERE variable = '%s'
+                   AND subkey IS NULL
+                   AND access_url = 1",
+                addslashes($variable)
+            ));
+            $this->write(\sprintf('Removed setting: %s.', $variable));
+        }
+    }
+}
diff --git a/src/CoreBundle/Settings/SecuritySettingsSchema.php b/src/CoreBundle/Settings/SecuritySettingsSchema.php
@@ -43,6 +43,7 @@ public function buildSettings(AbstractSettingsBuilder $builder): void
             'anonymous_autoprovisioning' => 'false',
             'access_to_personal_file_for_all' => 'false',
             'password_rotation_days' => '0',
+            '2fa_enable' => 'false',
         ]);
 
         $allowedTypes = [
@@ -80,6 +81,7 @@ public function buildForm(FormBuilderInterface $builder): void
             ->add('anonymous_autoprovisioning', YesNoType::class)
             ->add('access_to_personal_file_for_all', YesNoType::class)
             ->add('password_rotation_days', TextType::class)
+            ->add('2fa_enable', YesNoType::class)
         ;
 
         $this->updateFormFieldsFromSettingsInfo($builder);
