Added possibility to show backup codes in user settings.

src/Controller/UserController.php

@@ -31,7 +31,9 @@ use App\Form\UserSettingsType;
 use App\Services\EntityExporter;
 use App\Services\EntityImporter;
 use App\Services\StructuralElementRecursionHelper;
+use App\Services\TFA\BackupCodeManager;
 use Doctrine\ORM\EntityManagerInterface;
+use PHPUnit\Util\Exception;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticator;
 use Symfony\Component\Asset\Packages;
 use Symfony\Component\Form\Extension\Core\Type\HiddenType;
@@ -151,10 +153,33 @@ class UserController extends AdminPages\BaseAdminController
         ]);
     }
 
+    /**
+     * @Route("/2fa_backup_codes", name="show_backup_codes")
+     */
+    public function showBackupCodes()
+    {
+        $user = $this->getUser();
+        if (!$user instanceof User) {
+            return new \RuntimeException('This controller only works only for Part-DB User objects!');
+        }
+
+        //When user change its settings, he should be logged  in fully.
+        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');
+
+        if (empty($user->getBackupCodes())) {
+            $this->addFlash('error', 'You do not have any backup codes enabled, therefore you can not view them!');
+            throw new Exception('You do not have any backup codes enabled, therefore you can not view them!');
+        }
+
+        return $this->render('Users/backup_codes.html.twig', [
+            'user' => $user
+        ]);
+    }
+
     /**
      * @Route("/settings", name="user_settings")
      */
-    public function userSettings(Request $request, EntityManagerInterface $em, UserPasswordEncoderInterface $passwordEncoder, GoogleAuthenticator $googleAuthenticator)
+    public function userSettings(Request $request, EntityManagerInterface $em, UserPasswordEncoderInterface $passwordEncoder, GoogleAuthenticator $googleAuthenticator, BackupCodeManager $backupCodeManager)
     {
         /**
          * @var User
@@ -252,12 +277,14 @@ class UserController extends AdminPages\BaseAdminController
             if (!$google_enabled) {
                 //Save 2FA settings (save secrets)
                 $user->setGoogleAuthenticatorSecret($google_form->get('googleAuthenticatorSecret')->getData());
+                $backupCodeManager->enableBackupCodes($user);
                 $em->flush();
                 $this->addFlash('success', 'user.settings.2fa.google.activated');
                 return $this->redirectToRoute('user_settings');
             } elseif ($google_enabled) {
                 //Remove secret to disable google authenticator
                 $user->setGoogleAuthenticatorSecret(null);
+                $backupCodeManager->disableBackupCodesIfUnused($user);
                 $em->flush();
                 $this->addFlash('success', 'user.settings.2fa.google.disabled');
                 return $this->redirectToRoute('user_settings');
@@ -270,6 +297,7 @@ class UserController extends AdminPages\BaseAdminController
          *****************************/
 
         return $this->render('Users/user_settings.html.twig', [
+            'user' => $user,
             'settings_form' => $form->createView(),
             'pw_form' => $pw_form->createView(),
             'page_need_reload' => $page_need_reload,

src/Entity/UserSystem/User.php

@@ -764,7 +764,7 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
      */
     public function getBackupCodes() : array
     {
-        return $this->backupCodes;
+        return $this->backupCodes ?? [];
     }
 
     /**

src/Services/TFA/BackupCodeGenerator.php

@@ -46,7 +46,6 @@ class BackupCodeGenerator
     /**
      * Returns a full backup code set. The code count can be configured in the constructor
      * @return string[] An array containing different backup codes.
-     * @throws \Exception If no entropy source is available
      */
     public function generateCodeSet() : array
     {

src/Services/TFA/BackupCodeManager.php

@@ -0,0 +1,57 @@
+<?php
+
+
+namespace App\Services\TFA;
+
+
+use App\Entity\UserSystem\User;
+
+/**
+ * This services offers methods to manage backup codes for two factor authentication
+ * @package App\Services\TFA
+ */
+class BackupCodeManager
+{
+    protected $backupCodeGenerator;
+
+    public function __construct(BackupCodeGenerator $backupCodeGenerator)
+    {
+        $this->backupCodeGenerator = $backupCodeGenerator;
+    }
+
+    /**
+     * Enable backup codes for the given user, by generating a set of backup codes.
+     * If the backup codes were already enabled before, they a
+     * @param  User  $user
+     */
+    public function enableBackupCodes(User $user)
+    {
+        if(empty($user->getBackupCodes())) {
+           $this->regenerateBackupCodes($user);
+        }
+    }
+
+    /**
+     * Disable (remove) the backup codes when no other 2 factor authentication methods are enabled.
+     * @param  User  $user
+     */
+    public function disableBackupCodesIfUnused(User $user)
+    {
+        if($user->isU2FAuthEnabled() || $user->isGoogleAuthenticatorEnabled()) {
+            return;
+        }
+
+        $user->setBackupCodes([]);
+    }
+
+    /**
+     * Generates a new set of backup codes for the user. If no backup codes were available before, new ones are
+     * generated.
+     * @param  User  $user The user for which the backup codes should be regenerated
+     */
+    public function regenerateBackupCodes(User $user)
+    {
+        $codes = $this->backupCodeGenerator->generateCodeSet();
+        $user->setBackupCodes($codes);
+    }
+}