added functionality for flexible tfa configuration

common/ASC.IPSecurity/Utils/IPSecurity.cs

@@ -128,7 +128,7 @@ public class IPSecurity
         return false;
     }
 
-    private static bool MatchIPs(string requestIp, string restrictionIp)
+    public static bool MatchIPs(string requestIp, string restrictionIp)
     {
         var dividerIdx = restrictionIp.IndexOf('-');
         if (dividerIdx > -1)

web/ASC.Web.Api/Api/AuthenticationController.cs

@@ -22,8 +22,8 @@
 //
 // All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
 // content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
-// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
-
+
 using AuthenticationException = System.Security.Authentication.AuthenticationException;
 using Constants = ASC.Core.Users.Constants;
 
@@ -66,7 +66,8 @@ public class AuthenticationController : ControllerBase
     private readonly AuthContext _authContext;
     private readonly CookieStorage _cookieStorage;
     private readonly DbLoginEventsManager _dbLoginEventsManager;
-    private readonly UserManagerWrapper _userManagerWrapper;
+    private readonly UserManagerWrapper _userManagerWrapper;
+    private readonly TfaAppAuthSettingsHelper _tfaAppAuthSettingsHelper;
 
     public AuthenticationController(
         UserManager userManager,
@@ -100,7 +101,8 @@ public class AuthenticationController : ControllerBase
         ApiContext apiContext,
         AuthContext authContext,
         CookieStorage cookieStorage,
-        DbLoginEventsManager dbLoginEventsManager)
+        DbLoginEventsManager dbLoginEventsManager,
+        TfaAppAuthSettingsHelper tfaAppAuthSettingsHelper)
     {
         _userManager = userManager;
         _tenantManager = tenantManager;
@@ -133,7 +135,8 @@ public class AuthenticationController : ControllerBase
         _authContext = authContext;
         _cookieStorage = cookieStorage;
         _dbLoginEventsManager = dbLoginEventsManager;
-        _userManagerWrapper = userManagerWrapper;
+        _userManagerWrapper = userManagerWrapper;
+        _tfaAppAuthSettingsHelper = tfaAppAuthSettingsHelper;
     }
 
 
@@ -148,17 +151,17 @@ public class AuthenticationController : ControllerBase
     public AuthenticationTokenDto AuthenticateMeFromBodyWithCode(AuthRequestsDto inDto)
     {
         var tenant = _tenantManager.GetCurrentTenant().Id;
-        var user = GetUser(inDto, out _);
+        var user = GetUser(inDto, out _);
+        var sms = false;
 
-        var sms = false;
         try
         {
-            if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
+            if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
             {
                 sms = true;
                 _smsManager.ValidateSmsCode(user, inDto.Code, true);
             }
-            else if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
+            else if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
             {
                 if (_tfaManager.ValidateAuthCode(user, inDto.Code, true, true))
                 {
@@ -212,7 +215,7 @@ public class AuthenticationController : ControllerBase
         bool viaEmail;
         var user = GetUser(inDto, out viaEmail);
 
-        if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
+        if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
         {
             if (string.IsNullOrEmpty(user.MobilePhone) || user.MobilePhoneActivationStatus == MobilePhoneActivationStatus.NotActivated)
             {
@@ -234,7 +237,7 @@ public class AuthenticationController : ControllerBase
             };
         }
 
-        if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
+        if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
         {
             if (!TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
             {

web/ASC.Web.Api/Api/Settings/TfaappController.cs

@@ -43,6 +43,7 @@ public class TfaappController : BaseSettingsController
     private readonly DisplayUserSettingsHelper _displayUserSettingsHelper;
     private readonly MessageTarget _messageTarget;
     private readonly StudioSmsNotificationSettingsHelper _studioSmsNotificationSettingsHelper;
+    private readonly TfaAppAuthSettingsHelper _tfaAppAuthSettingsHelper;
     private readonly InstanceCrypto _instanceCrypto;
     private readonly Signature _signature;
     private readonly SecurityContext _securityContext;
@@ -62,6 +63,7 @@ public class TfaappController : BaseSettingsController
         DisplayUserSettingsHelper displayUserSettingsHelper,
         MessageTarget messageTarget,
         StudioSmsNotificationSettingsHelper studioSmsNotificationSettingsHelper,
+        TfaAppAuthSettingsHelper tfaAppAuthSettingsHelper,
         SmsProviderManager smsProviderManager,
         IMemoryCache memoryCache,
         InstanceCrypto instanceCrypto,
@@ -82,39 +84,49 @@ public class TfaappController : BaseSettingsController
         _displayUserSettingsHelper = displayUserSettingsHelper;
         _messageTarget = messageTarget;
         _studioSmsNotificationSettingsHelper = studioSmsNotificationSettingsHelper;
+        _tfaAppAuthSettingsHelper = tfaAppAuthSettingsHelper;
         _instanceCrypto = instanceCrypto;
         _signature = signature;
         _securityContext = securityContext;
     }
 
     [HttpGet("tfaapp")]
-    public IEnumerable<TfaSettingsRequestsDto> GetTfaSettings()
+    public IEnumerable<TfaSettingsDto> GetTfaSettings()
     {
-        var result = new List<TfaSettingsRequestsDto>();
+        var result = new List<TfaSettingsDto>();
 
-        var SmsVisible = _studioSmsNotificationSettingsHelper.IsVisibleSettings();
+        var SmsVisible = StudioSmsNotificationSettingsHelper.IsVisibleSettings();
         var SmsEnable = SmsVisible && _smsProviderManager.Enabled();
-        var TfaVisible = TfaAppAuthSettings.IsVisibleSettings;
+        var TfaVisible = TfaAppAuthSettingsHelper.IsVisibleSettings;
+
+        var tfaAppSettings = _settingsManager.Load<TfaAppAuthSettings>();
+        var tfaSmsSettings = _settingsManager.Load<StudioSmsNotificationSettings>();
 
         if (SmsVisible)
         {
-            result.Add(new TfaSettingsRequestsDto
+            result.Add(new TfaSettingsDto
             {
-                Enabled = _studioSmsNotificationSettingsHelper.Enable,
+                Enabled = tfaSmsSettings.EnableSetting && _smsProviderManager.Enabled(),
                 Id = "sms",
                 Title = Resource.ButtonSmsEnable,
-                Avaliable = SmsEnable
+                Avaliable = SmsEnable,
+                MandatoryUsers = tfaSmsSettings.MandatoryUsers,
+                MandatoryGroups = tfaSmsSettings.MandatoryGroups,
+                TrustedIps = tfaSmsSettings.TrustedIps
             });
         }
 
         if (TfaVisible)
         {
-            result.Add(new TfaSettingsRequestsDto
+            result.Add(new TfaSettingsDto
             {
-                Enabled = _settingsManager.Load<TfaAppAuthSettings>().EnableSetting,
+                Enabled = tfaAppSettings.EnableSetting,
                 Id = "app",
                 Title = Resource.ButtonTfaAppEnable,
-                Avaliable = true
+                Avaliable = true,
+                MandatoryUsers = tfaAppSettings.MandatoryUsers,
+                MandatoryGroups = tfaAppSettings.MandatoryGroups,
+                TrustedIps = tfaAppSettings.TrustedIps
             });
         }
 
@@ -135,7 +147,8 @@ public class TfaappController : BaseSettingsController
     public object TfaConfirmUrl()
     {
         var user = _userManager.GetUsers(_authContext.CurrentAccount.ID);
-        if (_studioSmsNotificationSettingsHelper.IsVisibleSettings() && _studioSmsNotificationSettingsHelper.Enable)// && smsConfirm.ToLower() != "true")
+
+        if (StudioSmsNotificationSettingsHelper.IsVisibleSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))// && smsConfirm.ToLower() != "true")
         {
             var confirmType = string.IsNullOrEmpty(user.MobilePhone) ||
                             user.MobilePhoneActivationStatus == MobilePhoneActivationStatus.NotActivated
@@ -145,7 +158,7 @@ public class TfaappController : BaseSettingsController
             return _commonLinkUtility.GetConfirmationEmailUrl(user.Email, confirmType);
         }
 
-        if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
+        if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
         {
             var confirmType = TfaAppUserSettings.EnableForUser(_settingsManager, _authContext.CurrentAccount.ID)
                 ? ConfirmType.TfaAuth
@@ -165,7 +178,6 @@ public class TfaappController : BaseSettingsController
         var result = false;
 
         MessageAction action;
-        var settings = _settingsManager.Load<TfaAppAuthSettings>();
 
         switch (inDto.Type)
         {
@@ -180,13 +192,15 @@ public class TfaappController : BaseSettingsController
                     throw new MethodAccessException();
                 }
 
-                _studioSmsNotificationSettingsHelper.Enable = true;
+                var smsSettings = _settingsManager.Load<StudioSmsNotificationSettings>();
+                SetSettingsProperty(smsSettings);
+                _settingsManager.Save(smsSettings);
+
                 action = MessageAction.TwoFactorAuthenticationEnabledBySms;
 
-                if (settings.EnableSetting)
+                if (_tfaAppAuthSettingsHelper.Enable)
                 {
-                    settings.EnableSetting = false;
+                    _tfaAppAuthSettingsHelper.Enable = false;
-                    _settingsManager.Save(settings);
                 }
 
                 result = true;
@@ -194,13 +208,15 @@ public class TfaappController : BaseSettingsController
                 break;
 
             case "app":
-                if (!TfaAppAuthSettings.IsVisibleSettings)
+                if (!TfaAppAuthSettingsHelper.IsVisibleSettings)
                 {
                     throw new Exception(Resource.TfaAppNotAvailable);
                 }
 
-                settings.EnableSetting = true;
+                var appSettings = _settingsManager.Load<TfaAppAuthSettings>();
-                _settingsManager.Save(settings);
+                SetSettingsProperty(appSettings);
+                _settingsManager.Save(appSettings);
+
 
                 action = MessageAction.TwoFactorAuthenticationEnabledByTfaApp;
 
@@ -214,10 +230,9 @@ public class TfaappController : BaseSettingsController
                 break;
 
             default:
-                if (settings.EnableSetting)
+                if (_tfaAppAuthSettingsHelper.Enable)
                 {
-                    settings.EnableSetting = false;
+                    _tfaAppAuthSettingsHelper.Enable = false;
-                    _settingsManager.Save(settings);
                 }
 
                 if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
@@ -237,6 +252,14 @@ public class TfaappController : BaseSettingsController
 
         _messageService.Send(action);
         return result;
+
+        void SetSettingsProperty<T>(TfaSettingsBase<T> settings) where T : class, ISettings<T>
+        {
+            settings.EnableSetting = true;
+            settings.TrustedIps = inDto.TrustedIps;
+            settings.MandatoryUsers = inDto.MandatoryUsers;
+            settings.MandatoryGroups = inDto.MandatoryGroups;
+        }
     }
 
     [HttpPut("tfaappwithlink")]
@@ -257,7 +280,7 @@ public class TfaappController : BaseSettingsController
         ApiContext.AuthByClaim();
         var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
 
-        if (!TfaAppAuthSettings.IsVisibleSettings ||
+        if (!TfaAppAuthSettingsHelper.IsVisibleSettings ||
             !_settingsManager.Load<TfaAppAuthSettings>().EnableSetting ||
             TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
         {
@@ -277,7 +300,7 @@ public class TfaappController : BaseSettingsController
     {
         var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
 
-        if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
+        if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
         {
             throw new Exception(Resource.TfaAppNotAvailable);
         }
@@ -295,7 +318,7 @@ public class TfaappController : BaseSettingsController
     {
         var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
 
-        if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
+        if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
         {
             throw new Exception(Resource.TfaAppNotAvailable);
         }
@@ -323,7 +346,7 @@ public class TfaappController : BaseSettingsController
             throw new SecurityAccessDeniedException(Resource.ErrorAccessDenied);
         }
 
-        if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
+        if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
         {
             throw new Exception(Resource.TfaAppNotAvailable);
         }

web/ASC.Web.Api/ApiModels/RequestsDto/TfaRequestsDto.cs

@@ -30,6 +30,9 @@ public class TfaRequestsDto
 {
     public string Type { get; set; }
     public Guid? Id { get; set; }
+    public List<string> TrustedIps { get; set; }
+    public List<Guid> MandatoryUsers { get; set; }
+    public List<Guid> MandatoryGroups { get; set; }
 }
 
 public class TfaValidateRequestsDto

web/ASC.Web.Api/ApiModels/RequestsDto/TfaSettingsDto.cs

@@ -26,10 +26,13 @@
 
 namespace ASC.Web.Api.ApiModel.RequestsDto;
 
-public class TfaSettingsRequestsDto
+public class TfaSettingsDto
 {
     public string Id { get; set; }
     public string Title { get; set; }
     public bool Enabled { get; set; }
     public bool Avaliable { get; set; }
+    public List<string> TrustedIps { get; set; }
+    public List<Guid> MandatoryUsers { get; set; }
+    public List<Guid> MandatoryGroups { get; set; }
 }

web/ASC.Web.Core/Sms/SmsManager.cs

@@ -100,7 +100,7 @@ public class SmsManager
             }
         }
 
-        if (_studioSmsNotificationSettingsHelper.Enable)
+        if (_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
         {
             await PutAuthCodeAsync(user, false);
         }
@@ -115,7 +115,7 @@ public class SmsManager
             throw new Exception(Resource.ErrorUserNotFound);
         }
 
-        if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() || !_studioSmsNotificationSettingsHelper.Enable)
+        if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() || !_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
         {
             throw new MethodAccessException();
         }
@@ -146,7 +146,7 @@ public class SmsManager
     public void ValidateSmsCode(UserInfo user, string code, bool isEntryPoint = false)
     {
         if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings()
-            || !_studioSmsNotificationSettingsHelper.Enable)
+            || !_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
         {
             return;
         }

web/ASC.Web.Core/Sms/StudioSmsNotificationSettings.cs

@@ -26,26 +26,22 @@
 
 namespace ASC.Web.Studio.Core.SMS;
 
-[Serializable]
+public class StudioSmsNotificationSettings : TfaSettingsBase<StudioSmsNotificationSettings>
-public class StudioSmsNotificationSettings : ISettings<StudioSmsNotificationSettings>
 {
     [JsonIgnore]
-    public Guid ID
+    public override Guid ID
     {
         get { return new Guid("{2802df61-af0d-40d4-abc5-a8506a5352ff}"); }
     }
 
-    public StudioSmsNotificationSettings GetDefault()
+    public override StudioSmsNotificationSettings GetDefault()
     {
-        return new StudioSmsNotificationSettings { EnableSetting = false, };
+        return new StudioSmsNotificationSettings();
     }
-
-    [JsonPropertyName("Enable")]
-    public bool EnableSetting { get; set; }
 }
 
 [Scope]
-public class StudioSmsNotificationSettingsHelper
+public class StudioSmsNotificationSettingsHelper : TfaSettingsHelperBase
 {
     private readonly TenantExtra _tenantExtra;
     private readonly CoreBaseSettings _coreBaseSettings;
@@ -54,11 +50,14 @@ public class StudioSmsNotificationSettingsHelper
     private readonly SmsProviderManager _smsProviderManager;
 
     public StudioSmsNotificationSettingsHelper(
+        IHttpContextAccessor httpContextAccessor,
         TenantExtra tenantExtra,
         CoreBaseSettings coreBaseSettings,
         SetupInfo setupInfo,
         SettingsManager settingsManager,
-        SmsProviderManager smsProviderManager)
+        SmsProviderManager smsProviderManager,
+        UserManager userManager) 
+        : base(httpContextAccessor, userManager)
     {
         _tenantExtra = tenantExtra;
         _coreBaseSettings = coreBaseSettings;
@@ -67,7 +66,7 @@ public class StudioSmsNotificationSettingsHelper
         _smsProviderManager = smsProviderManager;
     }
 
-    public bool IsVisibleSettings()
+    public static bool IsVisibleSettings()
     {
         return SetupInfo.IsVisibleSettings<StudioSmsNotificationSettings>();
     }
@@ -87,13 +86,28 @@ public class StudioSmsNotificationSettingsHelper
                     && !quota.Open);
     }
 
+    public bool TfaEnabledForUser(Guid userGuid)
+    {
+        var settings = _settingsManager.Load<StudioSmsNotificationSettings>();
+
+        return TfaEnabledForUser(settings, userGuid);
+    }
+
     public bool Enable
     {
         get { return _settingsManager.Load<StudioSmsNotificationSettings>().EnableSetting && _smsProviderManager.Enabled(); }
         set
         {
-            var settings = _settingsManager.Load<StudioSmsNotificationSettings>();
+            StudioSmsNotificationSettings settings;
-            settings.EnableSetting = value;
+            if (value)
+            {
+                settings = _settingsManager.Load<StudioSmsNotificationSettings>();
+                settings.EnableSetting = value;
+            }
+            else
+            {
+                settings = new StudioSmsNotificationSettings();
+            }
             _settingsManager.Save(settings);
         }
     }

web/ASC.Web.Core/Sms/TfaSettingsBase.cs

@@ -0,0 +1,97 @@
+// (c) Copyright Ascensio System SIA 2010-2022
+//
+// This program is a free software product.
+// You can redistribute it and/or modify it under the terms
+// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
+// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
+// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
+// any third-party rights.
+//
+// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
+// of MERCHANTABILITY or FITNESS FOR A PARTICULAR  PURPOSE. For details, see
+// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
+//
+// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
+//
+// The  interactive user interfaces in modified source and object code versions of the Program must
+// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
+//
+// Pursuant to Section 7(b) of the License you must retain the original Product logo when
+// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
+// trademark law for use of our trademarks.
+//
+// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
+// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
+// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+
+using ASC.MessagingSystem;
+
+namespace ASC.Web.Core.Sms;
+public abstract class TfaSettingsBase<T> : ISettings<T> where T : ISettings<T>
+{
+    [JsonPropertyName("Enable")]
+    public bool EnableSetting { get; set; }
+
+    public abstract Guid ID { get; }
+
+    [JsonPropertyName("TrustedIps")]
+    public List<string> TrustedIps { get; set; }
+
+    [JsonPropertyName("MandatoryUsers")]
+    public List<Guid> MandatoryUsers { get; set; }
+
+    [JsonPropertyName("MandatoryGroups")]
+    public List<Guid> MandatoryGroups { get; set; }
+
+    public abstract T GetDefault();
+}
+
+
+public abstract class TfaSettingsHelperBase
+{
+
+    private readonly UserManager _userManager;
+    private readonly IHttpContextAccessor _httpContextAccessor;
+
+    public TfaSettingsHelperBase(
+        IHttpContextAccessor httpContextAccessor,
+        UserManager userManager)
+    {
+        _httpContextAccessor = httpContextAccessor;
+        _userManager = userManager;
+    }
+
+    public bool TfaEnabledForUser<T>(TfaSettingsBase<T> settings,Guid userGuid) where T : ISettings<T>
+    {
+        if (!settings.EnableSetting)
+        {
+            return false;
+        }
+
+        foreach (var mandatory in settings.MandatoryGroups)
+        {
+            if (_userManager.IsUserInGroup(userGuid, mandatory))
+            {
+                return true;
+            }
+        }
+
+        foreach (var mandatory in settings.MandatoryUsers)
+        {
+            if (mandatory == userGuid)
+            {
+                return true;
+            }
+        }
+
+        var ips = MessageSettings.GetIP(_httpContextAccessor.HttpContext.Request);
+
+        if (settings.TrustedIps.Any(trustedIp => IPSecurity.IPSecurity.MatchIPs(ips, trustedIp)))
+        {
+            return false;
+        }
+
+        return true;
+    }
+}

web/ASC.Web.Core/Tfa/TfaAppAuthSettings.cs

@@ -26,23 +26,59 @@
 
 namespace ASC.Web.Studio.Core.TFA;
 
-[Serializable]
+public class TfaAppAuthSettings : TfaSettingsBase<TfaAppAuthSettings>
-public class TfaAppAuthSettings : ISettings<TfaAppAuthSettings>
 {
     [JsonIgnore]
-    public Guid ID
+    public override Guid ID
     {
         get { return new Guid("{822CA059-AA8F-4588-BEE3-6CD2AA920CDB}"); }
     }
 
-    public TfaAppAuthSettings GetDefault()
+    public override TfaAppAuthSettings GetDefault()
     {
-        return new TfaAppAuthSettings { EnableSetting = false, };
+        return new TfaAppAuthSettings();
+    }
+}
+
+[Scope]
+public class TfaAppAuthSettingsHelper : TfaSettingsHelperBase
+{
+    private readonly SettingsManager _settingsManager;
+
+    public TfaAppAuthSettingsHelper(
+        IHttpContextAccessor httpContextAccessor,
+        UserManager userManager,
+        SettingsManager settingsManager) 
+        : base(httpContextAccessor, userManager)
+    {
+        _settingsManager = settingsManager;
     }
 
-    [JsonPropertyName("Enable")]
+    public bool TfaEnabledForUser(Guid userGuid)
-    public bool EnableSetting { get; set; }
+    {
+        var settings = _settingsManager.Load<TfaAppAuthSettings>();
 
+        return TfaEnabledForUser(settings, userGuid);
+    }
+
+    public bool Enable
+    {
+        get { return _settingsManager.Load<TfaAppAuthSettings>().EnableSetting; }
+        set
+        {
+            TfaAppAuthSettings settings;
+            if (value)
+            {
+                settings = _settingsManager.Load<TfaAppAuthSettings>();
+                settings.EnableSetting = value;
+            }
+            else
+            {
+                settings = new TfaAppAuthSettings();
+            }
+            _settingsManager.Save(settings);
+        }
+    }
 
     public static bool IsVisibleSettings
     {

web/ASC.Web.Core/Tfa/TfaManager.cs

@@ -95,7 +95,7 @@ public class TfaManager
 
     public bool ValidateAuthCode(UserInfo user, string code, bool checkBackup = true, bool isEntryPoint = false)
     {
-        if (!TfaAppAuthSettings.IsVisibleSettings
+        if (!TfaAppAuthSettingsHelper.IsVisibleSettings
             || !_settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
         {
             return false;