Class AuthenticationEngine<Account>

Activate previously registered account.

Authenticates user.

Authentication process consists from multiple AuthenticationStepName and is performed in a state machine fashion. Authentication process state is persisted by AuthenticationSession and FailedAuthenticationAttemptSession.

Transition to next state/step is announced to client via AuthenticationStatus.nextStep. Depending on this, he needs to provide additional data.
When an error is encountered, it will be set into AuthenticationStatus.error. In case it is a AuthenticationStatusError.soft error caused by invalid credentials, user can continue authentication from AuthenticationStatus.nextStep. In case it is a AuthenticationStatusError.hard error, user needs to abort authentication.
When password-less authentication by challenge-response mechanism is used, generated challenge will be sent by AuthenticationStatus.token property.
When authentication completes successfully, only AuthenticationStatus.authenticated property will be present in the authentication status.
The following AuthenticationStatus property combinations might be returned:

• AuthenticationStatus.nextStep - previous authentication step was performed successfully and client needs to move to next step
  
• AuthenticationStatus.nextStep and AuthenticationStatus.token - nonce was generated successfully by AuthenticationStepName.GENERATE_CHALLENGE step and stored in this property, client needs to move to next step AuthenticationStepName.CHALLENGE_RESPONSE
  
• AuthenticationStatus.nextStep and AuthenticationStatusError.soft - previous authentication step failed and client needs to move to next step (might be the same as previous one or differ)
  
• AuthenticationStatusError.hard - authentication failed with hard error, account was disabled and client needs to abort authentication.
  
• AuthenticationStatus.authenticated - authentication completed successfully
  
  Depending on the authentication next step, client needs to provide the following data:
  
• NONE - authentication needs to be started by client by either providing AuthenticationContextInterface.password or AuthenticationContextInterface.generateChallenge
  
• AuthenticationStepName.CHALLENGE_RESPONSE - client needs to provide encrypted nonce in the AuthenticationContextInterface.responseForChallenge
  
• AuthenticationStepName.PASSWORD - password was invalid and client needs to provide another AuthenticationContextInterface.password
  
• AuthenticationStepName.RECAPTCHA - invalid password/nonce was provided too many times and client needs to provide another AuthenticationContextInterface.password/AuthenticationContextInterface.responseForChallenge and also AuthenticationContextInterface.recaptcha
  
• AuthenticationStepName.TWO_FACTOR_AUTH_CHECK - client needs to provide 2fa token sent to him via side channel in the AuthenticationContextInterface.twoFactorAuthenticationToken
  
  On successful authentication, AuthenticationStatus.authenticated property will contain user account.

Change forgotten password.
On successful password change, OnForgottenPasswordChangedHook will be called.
In case any exception is thrown, operation is considered failed, and user needs to start again account recovery (i.e. obtain a new forgot password token). This restriction is imposed in order to prevent replay attacks. The only exception from this rule is when ErrorCodes.SESSION_NOT_FOUND error code is thrown, as in this case forgot password token wasn't invalidated.

Creates forgot password session and starts account recovery procedure.
Creates forgot password token and sends it via specified sideChannel.
If account has AccountModel.pubKey, token will be encrypted before being sent to user. In this case user needs to decrypt token with his Private Key and send plaintext token back to server.
In case any exception is thrown, operation is considered failed.

Disable user account.

Important! This operation should be done only by admin, or by application's business logic.

Enable user account.

Important! This operation should be done only by admin.

Get failed authentication attempts into user account.

Important! This method has authorization implications. It needs to be called only by authenticated users for their account or by admin.

Get successful authentications into user account.

Important! This method has authorization implications. It needs to be called only by authenticated users for their account or by admin.

Register user account.
When account is registered, multi factor authentication is disabled.
Depending on the AccountModel.disabledUntil value:

• AccountStatus.ENABLED - account is enabled and stored by AccountRepository
• AccountStatus.DISABLED_UNTIL_ACTIVATION - account is disabled until activation and stored by ActivateAccountSessionRepository; token is generated and sent by EmailSender
  In case any exception is thrown, registration fails and needs to be repeated.

Enable/Disable two factor authentication on the user's account.
When SetTwoFactorAuthenticationContext.password is given, it will be verified against the account one. If it is not valid, Exception with ErrorCodes.INCORRECT_PASSWORD will be thrown. If invalid password was provided too many times, Exception with ErrorCodes.ACCOUNT_DISABLED will be thrown.

Verifies user password.