Adding Google Authenticator #439
Conversation
Please check review comments
@@ -27,7 +27,8 @@ | |||
"source": "https://github.com/CakeDC/users" | |||
}, | |||
"require": { | |||
"cakephp/cakephp": ">=3.2.9 <4.0.0" | |||
"cakephp/cakephp": ">=3.2.9 <4.0.0", | |||
"robthree/twofactorauth": "^1.5.2" |
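Review bot: listing `robthree/twofactorauth` under `require` makes the library a hard dependency of every installation of the plugin, including the ones that will never enable the verify step; move it to `require-dev` (so the tests still load it) and `suggest`, the way the optional oauth packages are handled, and document the `composer require robthree/twofactorauth` step for users who want the feature. The `^1.5.2` floor itself is right, since 1.5.2 is the first PSR-4 release that autoloads under CakePHP 3.x.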
we should not require this lib by default, we are trying to keep the plugin as clean as possible and let every user include the required packages if needed, for example see the oauth related packages
@@ -36,15 +37,17 @@ | |||
"league/oauth2-instagram": "@stable", | |||
"league/oauth2-google": "@stable", | |||
"league/oauth2-linkedin": "@stable", | |||
"google/recaptcha": "@stable" | |||
"google/recaptcha": "@stable", | |||
"robthree/twofactorauth": "^1.5.2" |
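Review bot: with the library only in `require-dev` the unit tests can load it, but a production install gets no hint that the verify step needs it; add the same package under `suggest` so Composer prints the recommendation, and keep the explicit `^1.5.2` floor rather than the `@stable` used on the neighbouring lines, because releases before 1.5.2 are not PSR-4 loadable.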
Is this needed here? or could we leave this as suggest only and add some docs on how to properly setup the 2factor feature?
@steinkel, I've removed it from the require param, and left it only in require-dev just to make sure that unit tests will pass.
makes sense, thanks
$table->addColumn('secret', 'string', [ | ||
'after' => 'activation_date', | ||
'default' => null, | ||
'limit' => 255, |
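Review bot: `'default' => null` does not make the column nullable; Phinx columns are NOT NULL unless `'null' => true` is set, so existing users get an empty-string secret rather than no secret, and any "has this user enrolled" check has to treat both. Add `'null' => true`. The 255 limit is ample (a base32-encoded secret of 80 to 160 bits is 16 to 32 characters), so a text column is not needed; do treat the column as password-grade data, since anyone who can read it can generate valid codes.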
secret is using any fixed size or should we use text instead?
'plugin' => 'CakeDC/Users', | ||
'controller' => 'Users', | ||
'action' => 'verify', | ||
'prefix' => null, |
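Review bot: `'prefix' => null` lets the router reuse the current request's prefix, so a login started from a prefixed controller would redirect to a prefixed /verify that does not exist; use `'prefix' => false`, which explicitly strips the prefix, matching how loginAction has to be configured for the same reason.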
better to use "false" instead, to prevent issues with login inside a prefixed controller. We had issues with this before setting up the loginAction...
@@ -32,6 +32,7 @@ class UsersAuthComponent extends Component | |||
const EVENT_BEFORE_LOGOUT = 'Users.Component.UsersAuth.beforeLogout'; | |||
const EVENT_AFTER_LOGOUT = 'Users.Component.UsersAuth.afterLogout'; | |||
|
|||
|
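Review bot: the blank line added after EVENT_AFTER_LOGOUT carries trailing whitespace (the diff shows it as a non-empty line), which is what phpcs rejects; make it a clean empty line or drop it.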
phpcs
} | ||
|
||
if ($this->request->is('post')) { | ||
$verificationCode = $this->request->data['code']; |
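Review bot: `$this->request->data['code']` raises an undefined-index notice whenever the POST body omits the field, which a scripted or crafted request can always do; use `$this->request->data('code')`, which returns null for a missing key, and reject null or empty input before calling the verifier.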
use request->data() instead
$verificationCode = $this->request->data['code']; | ||
$user = $this->request->session()->read('temporarySession'); | ||
|
||
$codeVerified = $this->GoogleAuthenticator->verifyCode($user['secret'], $verificationCode); |
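Review bot: `$user['secret']` is read from `temporarySession` without checking that the entry exists or has that key, so a request to /verify with no preceding login (or after the temporary session expired) produces an undefined-index notice and `verifyCode` runs with a null secret. Guard first, for example `if (empty($user['secret'])) { return $this->redirect(Configure::read('Auth.loginAction')); }`, before `$codeVerified` is computed.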
check user keys before using them
|
||
$url = $this->Auth->redirectUrl(); | ||
|
||
$this->redirect($url); |
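Review bot: `$this->redirect($url);` is not returned, so the action keeps executing after the redirect and also renders the verify template; write `return $this->redirect($url);` so the response object is what the controller hands back.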
use return
|
||
$this->request->session()->destroy(); | ||
|
||
$this->redirect(Configure::read('Auth.loginAction')); |
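Review bot: same missing `return` here; write `return $this->redirect(Configure::read('Auth.loginAction'));` so nothing runs after the session is destroyed. Destroying the whole session on a failed code is a reasonable choice (the user has to pass /login again), but it also discards every other session value; if only the pending login should be dropped, `$this->request->session()->delete('temporarySession')` is the narrower call.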
use return
<?php if (!empty($secretDataUri)):?> | ||
<p class='text-center'><img src="<?php echo $secretDataUri;?>"/></p> | ||
<?php endif;?> | ||
<?= $this->Form->input('code', ['required' => true,'label' => 'Verification Code']) ?> |
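Review bot: the label `'Verification Code'` is a hard-coded string; use `__d('CakeDC/Users', 'Verification Code')` so it is translatable like the plugin's other templates. The image source should also go through `h($secretDataUri)` rather than a bare `echo`; it is generated server-side today, but every variable echoed in a template should be escaped.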
use __d() for label
Otherwise the tests won't run
I've expanded a bit the default LoginTrait to support the Google Authenticator mechanism, by using the TwoFactorAuth plugin (since version 1.5.2, which became PSR-4 compatible for CakePHP 3.x).

In order to function properly, a migration file was also added to expand the `users` table with `secret` and `secret_verified` fields. One holds the Base32 shared secret; the second one makes sure the QR code is shown in `verify.ctp` until the first successful verification/login into the system. After the user is authorised from `/login`, I'm creating a temporary session, which holds all required data for me, removing the Auth.Users session (to avoid access to restricted URLs), and redirecting to `/verify`, where the verification process takes place. Once verification is successful, I'm restoring the Auth.Users session to let the AuthComponent magic work.
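The two-step flow in the description above, modelled as an added stand-alone example (this is not the plugin's code nor robthree/twofactorauth; the `LoginFlow` class, its `password_login`/`verify` methods, the `last_counter` field and the RFC 4226 test secret used as sample data are assumptions made for the example): an RFC 6238 TOTP verifier with a constant-time compare and a one-step window, plus a session object that only gains `Auth.User` once a fresh code has been accepted. It goes slightly beyond the PR by refusing a second use of the same code, which the description does not mention.

```python
"""Stand-alone model of the two-step login described in the PR (constructed example,
not the CakeDC/Users plugin or robthree/twofactorauth code): RFC 6238 TOTP verification
plus a temporary session that is promoted to Auth.User only after a correct code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# RFC 4226/6238 test secret (ASCII "12345678901234567890"), base32 encoded; used as sample input.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)          # tolerate unpadded secrets as shown by apps
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter that `code` matches within +/-`window` steps, else None.

    The comparison is constant-time so response timing does not leak matching digits;
    the matched counter is returned so the caller can refuse a second use of the same code.
    """
    if not isinstance(code, str) or len(code) != digits or not code.isascii() or not code.isdigit():
        return None                              # reject '', None, '1234', '12345a' up front
    now_counter = at // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None


class LoginFlow:
    """In-memory stand-in for the session handling the PR describes (names are assumptions)."""

    def __init__(self, users: Dict[str, dict]) -> None:
        # users: username -> {"secret": base32 str, "last_counter": int}; constructed sample data
        self.users = users
        self.session: Dict[str, dict] = {}

    def password_login(self, username: str) -> None:
        """Step 1 (/login): the password is assumed already checked; park the user in
        temporarySession and make sure no Auth.User exists yet, so restricted URLs stay closed."""
        self.session.pop("Auth.User", None)
        self.session["temporarySession"] = {
            "username": username,
            "secret": self.users[username]["secret"],
        }

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        """Step 2 (/verify): promote temporarySession to Auth.User only on a valid, unused code."""
        temp = self.session.get("temporarySession")
        if not isinstance(temp, dict) or not temp.get("secret") or not temp.get("username"):
            return False                         # no pending login: nothing to verify
        at = int(time.time()) if now is None else now
        user = self.users[temp["username"]]
        counter = verify_totp(temp["secret"], code, at)
        if counter is None or counter <= user["last_counter"]:
            self.session.clear()                 # failed or replayed code: back to /login
            return False
        user["last_counter"] = counter           # a code is accepted once per time step
        self.session.clear()                     # drop the temporary state...
        self.session["Auth.User"] = {"username": temp["username"]}   # ...and restore Auth.User
        return True


if __name__ == "__main__":
    flow = LoginFlow({"alice": {"secret": RFC_SECRET, "last_counter": -1}})
    flow.password_login("alice")
    print("verified:", flow.verify(totp(RFC_SECRET, int(time.time()))))
```

Running the file verifies a code generated against the current clock. The window of one step either side tolerates the usual drift between the server clock and the phone, and remembering the last accepted counter is what stops a code observed in transit from being replayed inside that window; neither of those is visible in the PR's `verifyCode` call, so check what the library and the controller do about both before shipping.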