[Feature] Support for Garmin MFA (Two-Factor Auth) #410

Closed
philosowaffle opened this issue Jan 5, 2023 · 5 comments · Fixed by #432
Labels: enhancement (new feature / improvements), WIP

Comments

@philosowaffle
Owner

Garmin supports MFA/2FA. See if there is any way that P2G can work with Garmin accounts that have MFA/2FA enabled.

#408

@philosowaffle added the research needed (needs more research by developer) label Jan 5, 2023
@philosowaffle added the enhancement (new feature / improvements) label Jan 14, 2023
@philosowaffle changed the title from "Research: Options for handling Garmin MFA" to "[Feature] Research: Options for handling Garmin MFA" Jan 14, 2023
@dkmcgowan

I had to enable this to use the new ECG feature

@philosowaffle self-assigned this Jan 29, 2023
@philosowaffle
Owner Author

philosowaffle commented Jan 29, 2023

After several hours of reverse engineering and tinkering, here is what was learned today:

Non-MFA flow:

  1. GET https://sso.garmin.com/sso/signin
    1. INPUT: pass in some generic/magic params
    2. OUTPUT: you get yourself some Cookies
  2. POST https://sso.garmin.com/sso/signin
    1. INPUT: pass in user credentials
    2. OUTPUT: More stuff in Cookie + ServiceTicket
  3. GET https://connect.garmin.com/?ticket=<ServiceTicket>
    1. INPUT: ServiceTicket
    2. OUTPUT: Cookie updated
  4. Sanity check that we are now officially authenticated
    1. GET https://connect.garmin.com/modern/currentuser-service/user/info
    2. INPUT: Cookie
    3. OUTPUT: user info

MFA flow:

  1. GET https://sso.garmin.com/sso/signin
    1. INPUT: pass in some generic/magic params
    2. OUTPUT: you get yourself some Cookies
  2. POST https://sso.garmin.com/sso/signin
    1. INPUT: pass in user credentials
    2. OUTPUT: MFA Code is sent to user, and we are redirected to a page for entering the Code
  3. POST https://sso.garmin.com/sso/verifyMFA/logainEnterMfaCode
    1. INPUT: The MFA code provided by user + csrf token (from previous redirect)
    2. OUTPUT: Success! -> Cookie updated + redirected + ServiceTicket
  4. GET https://connect.garmin.com/?ticket=<ServiceTicket>
    1. INPUT: ServiceTicket
    2. OUTPUT: this step is failing, cannot proceed

Currently can't see anything wrong or different about the request on step 4, appears to match the request I see being made from the browser. Will need to take a look again later with fresh eyes.

@philosowaffle
Owner Author

philosowaffle commented Feb 4, 2023

Good news, without any changes from last week, things are working this morning. I suspect last week I had made too many failed attempts and Garmin was temporarily blocking me from signing in.

Now that I know we can successfully authenticate with Garmin will move to solving the next problems:

  1. Background Sync will likely never work for users with MFA since you'd have to regularly provide your MFA token
  2. Console users need a way to enter their token on manual run
  3. WebUI users need a way to enter their token on manual sync
  4. Github Action users - investigate if there is a way to provide MFA
  5. Docs need to be updated to explain the limitations MFA imposes on P2G (like no auto-syncing)

@philosowaffle pinned this issue Feb 4, 2023
@philosowaffle changed the title from "[Feature] Research: Options for handling Garmin MFA" to "[Feature] Research: Options for handling Garmin MFA (Two-Factor Auth)" Feb 4, 2023
@philosowaffle removed the research needed (needs more research by developer) label Feb 4, 2023
@philosowaffle changed the title from "[Feature] Research: Options for handling Garmin MFA (Two-Factor Auth)" to "[Feature] Support for Garmin MFA (Two-Factor Auth)" Feb 4, 2023
@philosowaffle added this to the 3.4.0 milestone Feb 4, 2023
@philosowaffle
Owner Author

philosowaffle commented Feb 5, 2023

MFA Code valid for 30min.
Auth cookie expires after 1 hr.
can see if we can simulate "remember this device functionality" - needs investigation

Todo:

  • Introduce new setting - Garmin.TwoStepVerificationEnabled
  • API - be able to manage setting via API
  • WebUI - be able to manage setting via WebUI
  • API - do not allow sync if MFA is enabled and token not initialized yet
  • API - create endpoint to Init Garmin Auth and support MFA flow
  • WebUI - create modal to allow user to do MFA flow
  • WebUI - polish
  • Console - allow user to enter MFA code during manual sync
  • Console - test
  • BackgroundSync - not allowed if you have MFA enabled
  • Find way to fail fast on GitHub actions - will not be able to support this flow
  • Docs - update

02/11/23 - progress updated
02/12/23 - progress updated
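
A sketch of the gating rules in the to-do list above, added here as an example and not P2G's own code: it decides what a sync request should do given the `Garmin.TwoStepVerificationEnabled` setting, the run mode, and the two lifetimes quoted in the comment. The names `Mode`, `Decision`, `AuthState`, `decide_sync` and `may_submit_code` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Hypothetical names throughout; this is not P2G's code.
# Lifetimes as reported in the comment above.
AUTH_COOKIE_LIFETIME = timedelta(hours=1)
MFA_CODE_LIFETIME = timedelta(minutes=30)

class Mode(Enum):
    BACKGROUND = "background"        # unattended timer
    GITHUB_ACTION = "github_action"  # unattended CI run
    CONSOLE = "console"              # user at the terminal
    WEB_UI = "web_ui"                # user at the browser

class Decision(Enum):
    PROCEED = "reuse existing auth cookie"
    PASSWORD_LOGIN = "sign in with stored credentials"
    PROMPT_FOR_MFA = "start MFA flow and ask the user for the code"
    REFUSE = "fail fast: MFA needs a person"

UNATTENDED = {Mode.BACKGROUND, Mode.GITHUB_ACTION}

@dataclass
class AuthState:
    cookie_issued_at: Optional[datetime] = None  # None = never initialized
    mfa_sent_at: Optional[datetime] = None       # None = no code outstanding

def _fresh(issued_at, lifetime, now):
    # A timestamp in the future (clock skew, tampered state) counts as stale.
    return issued_at is not None and timedelta(0) <= now - issued_at < lifetime

def decide_sync(mode, two_step_enabled, state, now):
    """Return what a sync request should do before touching Garmin."""
    if two_step_enabled and mode in UNATTENDED:
        return Decision.REFUSE  # even with a live cookie: it lapses within the hour
    if _fresh(state.cookie_issued_at, AUTH_COOKIE_LIFETIME, now):
        return Decision.PROCEED
    return Decision.PROMPT_FOR_MFA if two_step_enabled else Decision.PASSWORD_LOGIN

def may_submit_code(state, now):
    """Only post a code that can still be valid; rejected attempts may count
    toward the temporary sign-in block suspected earlier in the thread."""
    return _fresh(state.mfa_sent_at, MFA_CODE_LIFETIME, now)
```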

@philosowaffle
Owner Author

Will make a post on #408 with more details once this has finished building.

@philosowaffle unpinned this issue Apr 7, 2023