From 12733616d77528af94551511ae3e575fced861b6 Mon Sep 17 00:00:00 2001 From: "Nicholas K. Dionysopoulos" Date: Sat, 18 Jun 2022 12:30:56 +0300 Subject: [PATCH] Add captive prompts for the rest of MFA methods (#38082) * Add captive prompts for the rest of MFA methods Addresses comment https://github.com/joomla/joomla-cms/pull/37912#issuecomment-1141972256 Adds captive login prompts for these MFA methods: * Backup Codes * TOTP (Authenticator Code) * YubiKey The rest of the methods already had it: * Email * Fixed * WebAuthn * Update administrator/language/en-GB/com_users.ini * Update language/en-GB/com_users.ini Co-authored-by: Brian Teeman --- administrator/components/com_users/src/Model/CaptiveModel.php | 1 + administrator/language/en-GB/com_users.ini | 1 + administrator/language/en-GB/plg_multifactorauth_totp.ini | 1 + administrator/language/en-GB/plg_multifactorauth_yubikey.ini | 1 + components/com_users/tmpl/captive/default.php | 2 +- language/en-GB/com_users.ini | 1 + plugins/multifactorauth/totp/src/Extension/Totp.php | 2 +- plugins/multifactorauth/yubikey/src/Extension/Yubikey.php | 2 +- 8 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/administrator/components/com_users/src/Model/CaptiveModel.php b/administrator/components/com_users/src/Model/CaptiveModel.php
index b4fc175a72de4..f61f47f3aa51b 100644
--- a/administrator/components/com_users/src/Model/CaptiveModel.php
+++ b/administrator/components/com_users/src/Model/CaptiveModel.php
@@ -240,6 +240,7 @@ public function loadCaptiveRenderOptions(?MfaTable $record): CaptiveRenderOption
 {
 return $renderOptions->merge(
 [
+ 'pre_message' => Text::_('COM_USERS_USER_BACKUPCODES_CAPTIVE_PROMPT'),
 'input_type' => 'number',
 'label' => Text::_('COM_USERS_USER_BACKUPCODE'),
 ]
diff --git a/administrator/language/en-GB/com_users.ini b/administrator/language/en-GB/com_users.ini
index e38898a421b43..655fa69827d26 100644
--- a/administrator/language/en-GB/com_users.ini
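Review bot: The `pre_message` added in the backup-codes branch of `loadCaptiveRenderOptions` feeds a translation string into an option that the Totp.php and Yubikey.php hunks themselves describe as "Custom HTML to display above the MFA form", and those two plugin hunks do the same. If the captive template prints that option without escaping, as the surviving fragment of the default.php hunk suggests, any markup in a language pack or language override is rendered as HTML on the MFA captive page. All three prompts are plain sentences, so escaping at the source keeps them inert, e.g. `'pre_message' => htmlspecialchars(Text::_('COM_USERS_USER_BACKUPCODES_CAPTIVE_PROMPT'), ENT_QUOTES, 'UTF-8'),`; at minimum the model line deserves the comment the plugins already carry, `// Custom HTML to display above the MFA form`. The body of `loadCaptiveRenderOptions` starts and ends outside the hunk.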
+++ b/administrator/language/en-GB/com_users.ini
@@ -392,6 +392,7 @@ COM_USERS_USERS_TABLE_CAPTION="Table of Users"
 COM_USERS_USER_ACCOUNT_DETAILS="Account Details"
 COM_USERS_USER_BACKUPCODE="Backup Code"
 COM_USERS_USER_BACKUPCODES="Backup Codes"
+COM_USERS_USER_BACKUPCODES_CAPTIVE_PROMPT="If you do not have access to your usual Multi-factor Authentication method use any of your Backup Codes in the field below. Please remember that this emergency backup code cannot be reused."
 COM_USERS_USER_BACKUPCODES_DESC="Lets you access the site if all other Multi-factor Authentication methods you have set up fail."
 COM_USERS_USER_BATCH_FAILED="An error was encountered while performing the batch operation: %s."
 COM_USERS_USER_BATCH_SUCCESS="Batch operation completed."
diff --git a/administrator/language/en-GB/plg_multifactorauth_totp.ini b/administrator/language/en-GB/plg_multifactorauth_totp.ini
index cc7272f744cde..ac9c1c1be849d 100644
--- a/administrator/language/en-GB/plg_multifactorauth_totp.ini
+++ b/administrator/language/en-GB/plg_multifactorauth_totp.ini
@@ -4,6 +4,7 @@ ; Note : All ini files need to be saved as UTF-8
 PLG_MULTIFACTORAUTH_TOTP="Multi-factor Authentication - Verification Code"
+PLG_MULTIFACTORAUTH_TOTP_CAPTIVE_PROMPT="Please open your authenticator application or password manager and copy the six digit code for this site in the text box below, then click on the Validate button. If this code has been automatically filled in for you just click on the Validate button."
 PLG_MULTIFACTORAUTH_TOTP_ERR_VALIDATIONFAILED="You did not enter a valid verification code. Please check your authenticator app setup, and make sure that the time and time zone on your device is set correctly."
 PLG_MULTIFACTORAUTH_TOTP_LBL_LABEL="Enter the six digit verification code"
 PLG_MULTIFACTORAUTH_TOTP_LBL_SETUP_INSTRUCTIONS="Set up your verification code (also known as an “authenticator code”) using the information below. You can use an authenticator app (such Google Authenticator, Authy, LastPass Authenticator, etc), your favorite password manager (1Password, BitWarden, Keeper, KeePassXC, Strongbox, etc) or, in some cases, your browser."
diff --git a/administrator/language/en-GB/plg_multifactorauth_yubikey.ini b/administrator/language/en-GB/plg_multifactorauth_yubikey.ini
index e681af501e33a..f50ce2e7126fb 100644
--- a/administrator/language/en-GB/plg_multifactorauth_yubikey.ini
+++ b/administrator/language/en-GB/plg_multifactorauth_yubikey.ini
@@ -4,6 +4,7 @@ ; Note : All ini files need to be saved as UTF-8
 PLG_MULTIFACTORAUTH_YUBIKEY="Multi-factor Authentication - YubiKey"
+PLG_MULTIFACTORAUTH_YUBIKEY_CAPTIVE_PROMPT="Please click in the text box below. Then insert your YubiKey into the USB port of your device and touch its golden disk or golden pad (depending on your model) to make it produce a YubiKey code. If you are on an NFC-capable phone or tablet with an NFC-enabled YubiKey you need to instead approach your YubiKey to the NFC reader area of your phone or tablet."
 PLG_MULTIFACTORAUTH_YUBIKEY_CODE_LABEL="YubiKey code"
 PLG_MULTIFACTORAUTH_YUBIKEY_ERR_VALIDATIONFAILED="You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time."
 PLG_MULTIFACTORAUTH_YUBIKEY_LBL_AFTERSETUP_INSTRUCTIONS="You have already set up your YubiKey (the one generating codes starting with %s). You can only change its title from this page."
diff --git a/components/com_users/tmpl/captive/default.php b/components/com_users/tmpl/captive/default.php
index c96fc648ef60f..8fc5247164ea9 100644
--- a/components/com_users/tmpl/captive/default.php
+++ b/components/com_users/tmpl/captive/default.php
@@ -57,7 +57,7 @@ class="btn btn-sm btn-secondary" renderOptions['pre_message']): ?> -
+
renderOptions['pre_message'] ?>
diff --git a/language/en-GB/com_users.ini b/language/en-GB/com_users.ini
index 38552435012b7..05e469e62bf1a 100644
--- a/language/en-GB/com_users.ini
+++ b/language/en-GB/com_users.ini
@@ -140,6 +140,7 @@ COM_USERS_RESET_REQUEST_LABEL="Please enter the email address for your account.
 COM_USERS_SETTINGS_FIELDSET_LABEL="Basic Settings"
 COM_USERS_USER_BACKUPCODE="Backup Code"
 COM_USERS_USER_BACKUPCODES="Backup Codes"
+COM_USERS_USER_BACKUPCODES_CAPTIVE_PROMPT="If you do not have access to your usual Multi-factor Authentication method use any of your Backup Codes in the field below. Please remember that this emergency backup code cannot be reused."
 COM_USERS_USER_BACKUPCODES_DESC="If you do not have access to your Multi-factor Authentication device you can use any of the following passwords instead of a regular security code. Each one of these emergency codes is immediately destroyed upon use. We recommend printing these codes out and keeping the printout in a safe and accessible location, eg your wallet or a safety deposit box."
 COM_USERS_USER_BLOCKED="This user is blocked. If this is an error, please contact an administrator."
 COM_USERS_USER_FIELD_BACKEND_LANGUAGE_LABEL="Backend Language"
diff --git a/plugins/multifactorauth/totp/src/Extension/Totp.php b/plugins/multifactorauth/totp/src/Extension/Totp.php
index 8241cfa4084b4..4706a8ee3489e 100644
--- a/plugins/multifactorauth/totp/src/Extension/Totp.php
+++ b/plugins/multifactorauth/totp/src/Extension/Totp.php
@@ -137,7 +137,7 @@ public function onUserMultifactorCaptive(Captive $event): void
 new CaptiveRenderOptions(
 [
 // Custom HTML to display above the MFA form
- 'pre_message' => '',
+ 'pre_message' => Text::_('PLG_MULTIFACTORAUTH_TOTP_CAPTIVE_PROMPT'),
 // How to render the MFA code field. "input" (HTML input element) or "custom" (custom HTML)
 'field_type' => 'input',
 // The type attribute for the HTML input box. Typically "text" or "password". Use any HTML5 input type.
diff --git a/plugins/multifactorauth/yubikey/src/Extension/Yubikey.php b/plugins/multifactorauth/yubikey/src/Extension/Yubikey.php
index 128e0a7c6ee1d..57f40108dfeef 100644
--- a/plugins/multifactorauth/yubikey/src/Extension/Yubikey.php
+++ b/plugins/multifactorauth/yubikey/src/Extension/Yubikey.php
@@ -139,7 +139,7 @@ public function onUserMultifactorCaptive(Captive $event): void
 new CaptiveRenderOptions(
 [
 // Custom HTML to display above the MFA form
- 'pre_message' => '',
+ 'pre_message' => Text::_('PLG_MULTIFACTORAUTH_YUBIKEY_CAPTIVE_PROMPT'),
 // How to render the MFA code field. "input" (HTML input element) or "custom" (custom HTML)
 'field_type' => 'input',
 // The type attribute for the HTML input box. Typically "text" or "password". Use any HTML5 input type.