Name

global.PwdVerifyGoogleAuthProcessor

Description

A verification processor extension that will check the validity of a Google Authenticator (OTP) code

Script

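var PwdVerifyGoogleAuthProcessor = Class.create();

/**
 * Password-reset verification processor that checks a one-time code
 * (Google Authenticator / OTP) submitted through the verification form.
 *
 * The code itself is never compared here; validation is delegated to
 * SNC.PwdMultifactorAuthUtilWrapper.isResponseValid, and the outcome is
 * recorded through global.PasswordResetUtil.updateVerificationResult.
 */
PwdVerifyGoogleAuthProcessor.prototype = {
  category: 'password_reset.extension.verification_form_processor',   // DO NOT REMOVE THIS LINE!

  /**
   * No per-instance state is needed, so initialization is intentionally empty.
   */
  initialize: function() {
  },

  /**
   * Process the verification form request and report whether the user was verified.
   *
   * @param params.resetRequestId The sys-id of the current password-reset request (table: pwd_reset_request)
   * @param params.userId         The sys-id of the user trying to be verified (table: sys_user)
   * @param params.verificationId The sys-id of the verification to be processed (table: pwd_verification)
   * @param request               The form request object. Fields in the form can be accessed using: request.getParameter('<element-id>')
   * @return boolean telling whether the user is successfully verified
   */
  processForm: function(params, request) {
    return this.verify(params.resetRequestId, params.userId, params.verificationId, request);
  },

  /**
   * Returns whether the user is verified for this verification method.
   *
   * The submitted OTP code is checked against the enrolled user's secret by the
   * platform helper (the original author notes this allows for some clock skew).
   * A missing "sysparm_otp_code" parameter is treated as a failed verification
   * instead of raising an error, so the failure is still recorded.
   *
   * @param reset_request_id  Sys-id passed in as the reset request; it is also used as the
   *                          context id, and is only forwarded as a request id when
   *                          SNC.PwdTrackingManager reports that such a request exists
   * @param enrolled_user_id  Sys-id of the user whose OTP enrollment is checked
   * @param verification      Sys-id of the verification being processed
   * @param request           The request object submitted by the user in the verification form
   * @return true when a verified result is already stored or the submitted code is valid
   */
  verify: function(reset_request_id, enrolled_user_id, verification, request) {
    // The incoming id may be a password reset request or only a context;
    // a request id is forwarded only when a matching request exists.
    var requestExists = new SNC.PwdTrackingManager().requestExists(reset_request_id);
    var contextId = reset_request_id;
    var requestId = requestExists ? reset_request_id : '';

    // If we already validated the code (e.g. in step 1 of the reset process) then return that result, since we validate
    // everything at the end and the code could have expired by then, causing a false negative.
    // NOTE(review): this lookup filters on verification and context_id only, not on enrolled_user_id.
    // Confirm that a context id is bound to a single user, so a stored 'verified' row cannot
    // satisfy verification for a different user.
    var reqVerGr = new GlideRecord('pwd_map_request_to_verification');
    reqVerGr.addQuery('verification', verification);
    reqVerGr.addQuery('context_id', contextId);
    reqVerGr.query();

    var recordExists = reqVerGr.next();
    if (recordExists && reqVerGr.getValue('status') == 'verified')
      return true;

    // getParameter yields no value when the form field is absent; calling trim() on it
    // would throw before any result is recorded, so fail closed instead.
    var otpCode = request.getParameter("sysparm_otp_code");
    var isValid = false;
    if (otpCode != null)
      isValid = SNC.PwdMultifactorAuthUtilWrapper.isResponseValid(otpCode.trim(), enrolled_user_id);

    var status = isValid ? 'verified' : 'not_verified';

    // Failed attempts are recorded too. This method does not limit retries itself;
    // presumably attempt limiting / lockout is enforced elsewhere in the reset flow — TODO confirm.
    var passwordResetUtil = new global.PasswordResetUtil();
    passwordResetUtil.updateVerificationResult(enrolled_user_id, verification, contextId, status, requestId);

    return isValid;
  },

  type: 'PwdVerifyGoogleAuthProcessor'
};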

Sys ID

1e3f425287180300cfab6dd207cb0b5d

Official Documentation

Official Docs: