Add 2fa to login activity

Fixes #328

Author: addshore

app/src/main/java/fr/free/nrw/commons/MWApi.java

@@ -10,48 +10,79 @@
  */
 public class MWApi extends org.mediawiki.api.MWApi {
 
+    /** We don't actually use this but need to pass it in requests */
+    private static String LOGIN_RETURN_TO_URL = "https://commons.wikimedia.org";
+
     public MWApi(String apiURL, AbstractHttpClient client) {
         super(apiURL, client);
     }
 
     /**
      * @param username String
      * @param password String
-     * @return String On success: "PASS"
-     *                   continue: "2FA" (More information required for 2FA)
-     *                   failure: A failure message code (defined by mediawiki)
-     *                   misc:    genericerror-UI, genericerror-REDIRECT, genericerror-RESTART
+     * @return String as returned by this.getErrorCodeToReturn()
      * @throws IOException On api request IO issue
      */
     public String login(String username, String password) throws IOException {
-
-        /** Request a login token to be used later to log in. */
-        ApiResult tokenData = this.action("query")
-                .param("action", "query")
-                .param("meta", "tokens")
-                .param("type", "login")
+        String token = this.getLoginToken();
+        ApiResult loginApiResult = this.action("clientlogin")
+                .param("rememberMe", "1")
+                .param("username", username)
+                .param("password", password)
+                .param("logintoken", token)
+                .param("loginreturnurl", LOGIN_RETURN_TO_URL)
                 .post();
-        String token = tokenData.getString("/api/query/tokens/@logintoken");
+        return this.getErrorCodeToReturn( loginApiResult );
+    }
 
-        /** Actually log in. */
-        ApiResult loginData = this.action("clientlogin")
+    /**
+     * @param username String
+     * @param password String
+     * @param twoFactorCode String
+     * @return String as returned by this.getErrorCodeToReturn()
+     * @throws IOException On api request IO issue
+     */
+    public String login(String username, String password, String twoFactorCode) throws IOException {
+        String token = this.getLoginToken();//TODO cache this instead of calling again when 2FAing
+        ApiResult loginApiResult = this.action("clientlogin")
                 .param("rememberMe", "1")
                 .param("username", username)
                 .param("password", password)
                 .param("logintoken", token)
-                .param("loginreturnurl", "http://example.com/")//TODO return to url?
+                .param("logincontinue", "1")
+                .param("OATHToken", twoFactorCode)
                 .post();
-        String status = loginData.getString("/api/clientlogin/@status");
 
+        return this.getErrorCodeToReturn( loginApiResult );
+    }
+
+    private String getLoginToken() throws IOException {
+        ApiResult tokenResult = this.action("query")
+                .param("action", "query")
+                .param("meta", "tokens")
+                .param("type", "login")
+                .post();
+        return tokenResult.getString("/api/query/tokens/@logintoken");
+    }
+
+    /**
+     * @param loginApiResult ApiResult Any clientlogin api result
+     * @return String On success: "PASS"
+     *                   continue: "2FA" (More information required for 2FA)
+     *                   failure: A failure message code (defined by mediawiki)
+     *                   misc:    genericerror-UI, genericerror-REDIRECT, genericerror-RESTART
+     */
+    private String getErrorCodeToReturn( ApiResult loginApiResult ) {
+        String status = loginApiResult.getString("/api/clientlogin/@status");
         if (status.equals("PASS")) {
             this.isLoggedIn = true;
             return status;
         } else if (status.equals("FAIL")) {
-            return loginData.getString("/api/clientlogin/@messagecode");
+            return loginApiResult.getString("/api/clientlogin/@messagecode");
         } else if (
                 status.equals("UI")
-                && loginData.getString("/api/clientlogin/requests/_v/@id").equals("TOTPAuthenticationRequest")
-                && loginData.getString("/api/clientlogin/requests/_v/@provider").equals("Two-factor authentication (OATH).")
+                        && loginApiResult.getString("/api/clientlogin/requests/_v/@id").equals("TOTPAuthenticationRequest")
+                        && loginApiResult.getString("/api/clientlogin/requests/_v/@provider").equals("Two-factor authentication (OATH).")
                 ) {
             return "2FA";
         }
@@ -60,5 +91,4 @@ public String login(String username, String password) throws IOException {
         return "genericerror-" + status;
     }
 
-
 }

app/src/main/java/fr/free/nrw/commons/auth/LoginActivity.java

@@ -48,13 +48,15 @@ public class LoginActivity extends AccountAuthenticatorActivity {
     Button signupButton;
     EditText usernameEdit;
     EditText passwordEdit;
+    EditText twoFactorEdit;
     ProgressDialog dialog;
 
     private class LoginTask extends AsyncTask<String, String, String> {
 
         Activity context;
         String username;
         String password;
+        String twoFactorCode = "";
 
         @Override
         protected void onPostExecute(String result) {
@@ -107,20 +109,20 @@ protected void onPostExecute(String result) {
                 } else if (result.toLowerCase().contains("nosuchuser".toLowerCase()) || result.toLowerCase().contains("noname".toLowerCase())) {
                     // Matches nosuchuser, nosuchusershort, noname
                     response = R.string.login_failed_username;
-                    passwordEdit.setText("");
-
+                    emptySensitiveEditFields();
                 } else if (result.toLowerCase().contains("wrongpassword".toLowerCase())) {
                     // Matches wrongpassword, wrongpasswordempty
                     response = R.string.login_failed_password;
-                    passwordEdit.setText("");
+                    emptySensitiveEditFields();
                 } else if (result.toLowerCase().contains("throttle".toLowerCase())) {
                     // Matches unknown throttle error codes
                     response = R.string.login_failed_throttled;
                 } else if (result.toLowerCase().contains("userblocked".toLowerCase())) {
                     // Matches login-userblocked
                     response = R.string.login_failed_blocked;
                 } else if (result.equals("2FA")){
-                    response = R.string.login_failed_2fa_not_supported;
+                    twoFactorEdit.setVisibility(View.VISIBLE);
+                    response = R.string.login_failed_2fa_needed;
                 } else {
                     // Occurs with unhandled login failure codes
                     Timber.d("Login failed with reason: %s", result);
@@ -131,6 +133,11 @@ protected void onPostExecute(String result) {
             }
         }
 
+        private void emptySensitiveEditFields() {
+            passwordEdit.setText("");
+            twoFactorEdit.setText("");
+        }
+
         @Override
         protected void onPreExecute() {
             super.onPreExecute();
@@ -150,8 +157,16 @@ protected void onPreExecute() {
         protected String doInBackground(String... params) {
             username = params[0];
             password = params[1];
+            if(params.length > 2) {
+                twoFactorCode = params[2];
+            }
+
             try {
-                return app.getApi().login(username, password);
+                if(twoFactorCode.isEmpty()) {
+                    return app.getApi().login(username, password);
+                } else {
+                    return app.getApi().login(username, password, twoFactorCode);
+                }
             } catch (IOException e) {
                 // Do something better!
                 return "NetworkFailure";
@@ -168,6 +183,7 @@ public void onCreate(Bundle savedInstanceState) {
         signupButton = (Button) findViewById(R.id.signupButton);
         usernameEdit = (EditText) findViewById(R.id.loginUsername);
         passwordEdit = (EditText) findViewById(R.id.loginPassword);
+        twoFactorEdit = (EditText) findViewById(R.id.loginTwoFactor);
         final LoginActivity that = this;
 
         prefs = getSharedPreferences("fr.free.nrw.commons", MODE_PRIVATE);
@@ -181,7 +197,11 @@ public void onTextChanged(CharSequence charSequence, int start, int count, int a
 
             @Override
             public void afterTextChanged(Editable editable) {
-                if(usernameEdit.getText().length() != 0 && passwordEdit.getText().length() != 0) {
+                if(
+                        usernameEdit.getText().length() != 0 &&
+                        passwordEdit.getText().length() != 0 &&
+                        ( twoFactorEdit.getText().length() != 0 || twoFactorEdit.getVisibility() != View.VISIBLE )
+                        ) {
                     loginButton.setEnabled(true);
                 } else {
                     loginButton.setEnabled(false);
@@ -191,6 +211,7 @@ public void afterTextChanged(Editable editable) {
 
         usernameEdit.addTextChangedListener(loginEnabler);
         passwordEdit.addTextChangedListener(loginEnabler);
+        twoFactorEdit.addTextChangedListener(loginEnabler);
         passwordEdit.setOnEditorActionListener(new TextView.OnEditorActionListener() {
             @Override
             public boolean onEditorAction(TextView textView, int actionId, KeyEvent keyEvent) {
@@ -249,9 +270,15 @@ private void performLogin() {
 
         String password = passwordEdit.getText().toString();
 
+        String twoFactorCode = twoFactorEdit.getText().toString();
+
         Timber.d("Login to start!");
         LoginTask task = new LoginTask(this);
-        task.execute(canonicalUsername, password);
+        if(twoFactorCode.isEmpty()) {
+            task.execute(canonicalUsername, password);
+        } else {
+            task.execute(canonicalUsername, password, twoFactorCode);
+        }
     }
 
     @Override

app/src/main/java/fr/free/nrw/commons/auth/WikiAccountAuthenticator.java

@@ -44,6 +44,7 @@ public Bundle editProperties(AccountAuthenticatorResponse response, String accou
 
     private String getAuthCookie(String username, String password) throws IOException {
         MWApi api = CommonsApplication.createMWApi();
+        //TODO add 2fa support here
         String result = api.login(username, password);
         if(result.equals("PASS")) {
             return api.getAuthCookie();

app/src/main/res/layout/activity_login.xml

@@ -62,6 +62,24 @@
 
         </android.support.design.widget.TextInputLayout>
 
+        <android.support.design.widget.TextInputLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            app:passwordToggleEnabled="false"
+            >
+
+            <android.support.design.widget.TextInputEditText
+                android:id="@+id/loginTwoFactor"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:hint="@string/_2fa_code"
+                android:imeOptions="flagNoExtractUi"
+                android:inputType="textNoSuggestions"
+                android:visibility="gone"
+                />
+
+        </android.support.design.widget.TextInputLayout>
+
         <Button
             android:id="@+id/loginButton"
             android:layout_width="match_parent"

app/src/main/res/values/strings.xml

@@ -42,7 +42,7 @@
   <string name="login_failed_password">Unable to login - please check your password</string>
   <string name="login_failed_throttled">Too many unsuccessful attempts. Please try again in a few minutes.</string>
   <string name="login_failed_blocked">Sorry, this user has been blocked on Commons</string>
-  <string name="login_failed_2fa_not_supported">The app doesn\'t currently support 2 Factor Authentication.</string>
+  <string name="login_failed_2fa_needed">You must provide your two factor authentication code.</string>
   <string name="login_failed_generic">Login failed</string>
   <string name="share_upload_button">Upload</string>
   <string name="multiple_share_base_title">Name this set</string>
@@ -171,4 +171,5 @@ Tap this message (or hit back) to skip this step.</string>
   <string name="use_wikidata">Use Wikidata</string>
   <string name="use_wikidata_summary">(Warning: disabling this may cause large mobile data consumption)</string>
   <string name="mapbox_commons_app_token">pk.eyJ1IjoibWFza2FyYXZpdmVrIiwiYSI6ImNqMmxvdzFjMTAwMHYzM283ZWM3eW5tcDAifQ.ib5SZ9EVjwJe6GSKve0bcg</string>
+  <string name="_2fa_code">2FA Code</string>
 </resources>