Feature/cms 1297 frontend login with mfa

src/auth/methods/AuthMethodInterface.php

@@ -66,6 +66,13 @@ public function isActive(): bool;
      */
     public function getSetupHtml(string $containerId): string;
 
+    /**
+     * Returns the raw data provided to the template rendered via [[getSetupHtml()]]
+     *
+     * @return array
+     */
+    public function getSetupData(): array;
+
     /**
      * Returns the HTML for the authentication method’s authentication form.
      *

src/auth/methods/BaseAuthMethod.php

@@ -23,6 +23,11 @@ abstract class BaseAuthMethod extends Component implements AuthMethodInterface
      */
     protected User $user;
 
+    public function getSetupData(): array
+    {
+        return [];
+    }
+
     /**
      * @inheritdoc
      */

src/auth/methods/RecoveryCodes.php

@@ -13,6 +13,7 @@
 use craft\helpers\Json;
 use craft\records\RecoveryCodes as RecoveryCodesRecord;
 use craft\web\assets\recoverycodes\RecoveryCodesAsset;
+use craft\web\View;
 use DateTime;
 use PragmaRX\Recovery\Recovery;
 use yii\base\InvalidArgumentException;
@@ -62,7 +63,7 @@ public function getSetupHtml(string $containerId): string
 new Craft.RecoveryCodesSetup($containerId);
 JS, [$containerId]);
 
-        return $view->renderTemplate('_components/auth/methods/RecoveryCodes/setup.twig');
+        return $view->renderTemplate('_components/auth/methods/RecoveryCodes/setup.twig', $this->getSetupData(), View::TEMPLATE_MODE_CP);
     }
 
     /**
@@ -72,7 +73,7 @@ public function getAuthFormHtml(): string
     {
         $view = Craft::$app->getView();
         $view->registerAssetBundle(RecoveryCodesAsset::class);
-        return $view->renderTemplate('_components/auth/methods/RecoveryCodes/form.twig');
+        return $view->renderTemplate('_components/auth/methods/RecoveryCodes/form.twig', [], View::TEMPLATE_MODE_CP);
     }
 
     /**

src/auth/methods/TOTP.php

@@ -72,12 +72,20 @@ public function isActive(): bool
         return self::secretFromDb($this->user->id) !== null;
     }
 
+    public function getSetupData(): array
+    {
+        $secret = $this->secret();
+        return [
+            'secret' => trim($secret),
+            'qrCode' => $this->generateQrCode($secret),
+        ];
+    }
+
     /**
      * @inheritdoc
      */
     public function getSetupHtml(string $containerId): string
     {
-        $secret = $this->secret();
         $totpFormId = sprintf('totp-form-%s', mt_rand());
         $view = Craft::$app->getView();
 
@@ -92,12 +100,11 @@ public function getSetupHtml(string $containerId): string
             $containerId,
         ]);
 
-        return $view->renderTemplate('_components/auth/methods/TOTP/setup.twig', [
-            'secret' => $secret,
-            'user' => $this->user,
-            'qrCode' => $this->generateQrCode($secret),
+        $templateData = array_merge($this->getSetupData(), [
             'totpFormId' => $totpFormId,
-        ], View::TEMPLATE_MODE_CP);
+        ]);
+
+        return $view->renderTemplate('_components/auth/methods/TOTP/setup.twig', $templateData, View::TEMPLATE_MODE_CP);
     }
 
     /**
@@ -107,7 +114,7 @@ public function getAuthFormHtml(): string
     {
         $view = Craft::$app->getView();
         $view->registerAssetBundle(TotpAsset::class);
-        return $view->renderTemplate('_components/auth/methods/TOTP/form.twig');
+        return $view->renderTemplate('_components/auth/methods/TOTP/form.twig', [], View::TEMPLATE_MODE_CP);
     }
 
     /**

src/controllers/AuthController.php

@@ -44,8 +44,6 @@ public function beforeAction($action): bool
             return false;
         }
 
-        $this->requireCpRequest();
-        ;
         return true;
     }
 

src/templates/_components/auth/methods/RecoveryCodes/form.twig

@@ -2,7 +2,13 @@
 
 {% set formId = formId ?? "recovery-codes-form-#{random()}" %}
 
-<form id="{{ formId }}">
+<form id="{{ formId }}" method="post">
+    {{ actionInput('auth/verify-recovery-code') }}
+
+    {% if craft.app.config.general.enableCsrfProtection %}
+        {{ csrfInput() }}
+    {% endif %}
+
     {% embed '_includes/forms/field.twig' with {
         fieldClass: 'first',
         label: 'Recovery Code'|t('app'),
@@ -12,6 +18,7 @@
             <div class="flex flex-nowrap">
                 {{ forms.text({
                     class: 'code auth-recovery-code',
+                    name: 'code',
                     maxlength: 13,
                 }) }}
                 {{ forms.submitButton({

src/templates/_components/auth/methods/TOTP/form.twig

@@ -2,7 +2,13 @@
 
 {% set formId = formId ?? "totp-form-#{random()}" %}
 
-<form id="{{ formId }}">
+<form id="{{ formId }}" method="post">
+  {{ actionInput('auth/verify-totp') }}
+
+  {% if craft.app.config.general.enableCsrfProtection %}
+    {{ csrfInput() }}
+  {% endif %}
+
   {% embed '_includes/forms/field.twig' with {
     fieldClass: 'first',
     label: 'Verification Code'|t('app'),
@@ -13,6 +19,7 @@
       <div class="flex flex-nowrap">
         {{ forms.text({
           class: 'code auth-totp-code',
+          name: 'code',
           id: 'verification-code',
           maxlength: 6,
         }) }}