DEV-998: requesting user password before 2fa init

Controllers/AccountController.cs

@@ -26,6 +26,7 @@ public class AccountController : ControllerBase
         private readonly ApplicationCache _applicationCache;
         private readonly AuthService _authService;
         private readonly MultiFactorApiClient _apiClient;
+        private readonly MultiFactorSelfServiceApiClient _selfServiceApiClient;
         private readonly IHttpClientFactory _httpFactory;
         private readonly ActiveDirectoryService _activeDirectoryService;
         private readonly DataProtectionService _dataProtectionService;
@@ -35,13 +36,15 @@ public class AccountController : ControllerBase
         public AccountController(ApplicationCache applicationCache,
             AuthService authService,
             MultiFactorApiClient apiClient,
+            MultiFactorSelfServiceApiClient selfServiceApiClient,
             ActiveDirectoryService activeDirectoryService,
             DataProtectionService dataProtectionService,
             ILogger logger, IHttpClientFactory httpFactory)
         {
             _applicationCache = applicationCache ?? throw new ArgumentNullException(nameof(applicationCache));
             _authService = authService ?? throw new ArgumentNullException(nameof(authService));
             _apiClient = apiClient ?? throw new ArgumentNullException(nameof(apiClient));
+            _selfServiceApiClient = selfServiceApiClient ?? throw new ArgumentNullException(nameof(selfServiceApiClient));
             _activeDirectoryService =
                 activeDirectoryService ?? throw new ArgumentNullException(nameof(activeDirectoryService));
             _dataProtectionService =
@@ -224,9 +227,19 @@ public ActionResult Identity(IdentityModel model, SingleSignOnDto sso)
 
             // 2fa before authn
             var identity = model.UserName;
+            var authenticatorsResponse = _selfServiceApiClient.GetUserAuthenticators(identity);
+            if (!authenticatorsResponse.Success || !authenticatorsResponse.Model.GetAuthenticators().Any())
+            {
+                return View("Login", new LoginModel()
+                {
+                    UserName = identity
+                });
+            }
+
             // in common case
             if (!Configuration.Current.NeedPrebindInfo())
             {
+
                 return RedirectToMfa(
                     identity: identity,
                     login: model.UserName,

MultiFactor.SelfService.Windows.Portal.csproj

@@ -329,7 +329,7 @@
       <DesignTime>True</DesignTime>
       <AutoGen>True</AutoGen>
       <DependentUpon>PasswordPolicy.ru.resx</DependentUpon>
-	</Compile>
+    </Compile>
     <Compile Include="Resources\UserUnlock.Designer.cs">
       <DependentUpon>UserUnlock.resx</DependentUpon>
       <AutoGen>True</AutoGen>
@@ -452,8 +452,8 @@
     <Compile Include="Services\API\DTO\BypassPage.cs" />
     <Compile Include="Services\API\DTO\ApiResponse.cs" />
     <Compile Include="Services\API\DTO\ScopeSupportInfoDto.cs" />
+    <Compile Include="Services\API\DTO\UserProfileAuthenticatorsDto.cs" />
     <Compile Include="Services\API\DTO\UserProfile.cs" />
-    <Compile Include="Services\API\DTO\UserProfileAuthenticator.cs" />
     <Compile Include="Core\JwtTokenProvider.cs" />
     <Compile Include="Services\API\MultiFactorSelfServiceApiClient.cs" />
     <Compile Include="Services\AuthService.cs" />
@@ -572,7 +572,7 @@
     <EmbeddedResource Include="Resources\PasswordPolicy.ru.resx">
       <Generator>PublicResXFileCodeGenerator</Generator>
       <LastGenOutput>PasswordPolicy.ru.Designer.cs</LastGenOutput>
-	</EmbeddedResource>
+    </EmbeddedResource>
     <EmbeddedResource Include="Resources\UserUnlock.resx">
       <Generator>PublicResXFileCodeGenerator</Generator>
       <LastGenOutput>UserUnlock.Designer.cs</LastGenOutput>

Services/API/DTO/UserProfileAuthenticatorsDto.cs

@@ -0,0 +1,30 @@
+using System.Linq;
+
+namespace MultiFactor.SelfService.Windows.Portal.Services.API.DTO
+{
+    public class UserProfileAuthenticatorsDto
+    {
+        public UserProfileAuthenticatorDto[] TotpAuthenticators { get; set; }
+        public UserProfileAuthenticatorDto[] TelegramAuthenticators { get; set; }
+        public UserProfileAuthenticatorDto[] MobileAppAuthenticators { get; set; }
+        public UserProfileAuthenticatorDto[] PhoneAuthenticators { get; set; }
+
+        public UserProfileAuthenticatorDto[] GetAuthenticators()
+        {
+            return TotpAuthenticators
+                .Concat(TelegramAuthenticators)
+                .Concat(MobileAppAuthenticators)
+                .Concat(PhoneAuthenticators)
+                .ToArray();
+        }
+    }
+
+    /// <summary>
+    /// MFA authenticator
+    /// </summary>
+    public class UserProfileAuthenticatorDto
+    {
+        public string Id { get; set; }
+        public string Label { get; set; }
+    }
+}

Services/API/MultiFactorSelfServiceApiClient.cs

@@ -30,6 +30,19 @@ public UserProfile LoadUserProfile()
             return result.Model;
         }
 
+        public ApiResponse<UserProfileAuthenticatorsDto> GetUserAuthenticators(string identity)
+        {
+            if (string.IsNullOrWhiteSpace(identity)) throw new ArgumentNullException(nameof(identity));
+
+            var payload = new
+            {
+                Identity = identity
+            };
+
+            var result = _apiClient.Post<ApiResponse<UserProfileAuthenticatorsDto>>("/self-service/user-authenticators", payload, x => x.Authorization = GetBasicAuth());
+            return result;
+        }
+
         public ApiResponse<AccessPage> StartResetPassword(string twoFaIdentity, string ldapIdentity, string callbackUrl)
         {
             if (twoFaIdentity is null) throw new ArgumentNullException(nameof(twoFaIdentity));