Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multifactor Authentication: Integration branch #3711

Merged
merged 135 commits into from Dec 9, 2020
Merged

Multifactor Authentication: Integration branch #3711

merged 135 commits into from Dec 9, 2020

Conversation

TimWolla
Copy link
Member

@TimWolla TimWolla commented Nov 9, 2020
edited

ToDo:

  • Add basic support for multi factor authentication #3712 (comment)
  • Automatically enable MFA after setting up first method.
  • Support disabling MFA in frontend.
  • Authentication workflow
  • Email based MFA.
  • Confirmation before deleting TOTP devices
  • Maybe confirmation before regenerating Backup codes.
  • MFA management for the admin (disable MFA for a specific user).
  • Possibly integration into the condition system.
  • Password confirmation before MFA management.
  • Notification mail when MFA is enabled.
  • Notification mail when a backup code is used.
  • Tie the code sent by the email method to the current session, preventing misuse.

@TimWolla TimWolla added this to Needs Triage in WoltLab Suite 5.4 via automation Nov 9, 2020
@TimWolla TimWolla mentioned this pull request Nov 9, 2020
Merged
@TimWolla TimWolla moved this from Needs Triage to Feature in WoltLab Suite 5.4 Nov 10, 2020
@TimWolla TimWolla self-assigned this Nov 10, 2020
@TimWolla
Add com.woltlab.wcf.multifactor objectTypeDefinition
d538255
@TimWolla
Add com.woltlab.wcf.multifactor.totp objectType
29613d1
@TimWolla
Add wcf1_user_multifactor
534b864
@TimWolla
Integrate multifactor into AccountSecurityPage
c11460e
@TimWolla
Add IMultifactorMethod
bc6097a
@TimWolla
Add com.woltlab.wcf.multifactor.backup object type
544f70d
@TimWolla
Add User::getEnabledMultifactorMethods()
fdfca05
@TimWolla
Add MultifactorManageForm
2e781ff
@TimWolla
Implement getStatusText() for the backup multifactor method
276df39
@TimWolla
Add support for adding devices to TotpMultifactorMethod
b4a0d5c
@TimWolla
Add SessionHandler::changeUserAfterMultifactor()
2924e93
@TimWolla
Add MultifactorAuthenticationForm
b15436b
@TimWolla
Add QR code to __totpSecretField.tpl
6e8e1a9
@TimWolla
Add authentication support to TotpMultifactorMethod
775bf30
@TimWolla
Add multifactor language items
6128e9f
@TimWolla
Facelift adding TOTP devices
ed920c4
@TimWolla
Add barebones support for deleting TOTP devices
7f6d5b6
@TimWolla
Add default device name for TOTP
54394be
@TimWolla
Add namespace to all functions and constants for BackupMultifactorMethod
0c0581f
@TimWolla
Add namespace to all functions and constants for TotpMultifactorMethod
d38ad96
@TimWolla
Add namespace to all functions and constants for multifactor forms
eee1ff7
@TimWolla
Move the heavy TOTP lifting into unpack
d7dcb22
@TimWolla
Use 'Multi-Factor Authentication' in English phrasing
7d87436
@TimWolla
Add update_com.woltlab.wcf_5.4_migrate_multifactor.php
ca2fdcd
@TimWolla
Merge pull request #3766 from WoltLab/mfa-migration
13e3bb1 
Add update_com.woltlab.wcf_5.4_migrate_multifactor.php
@TimWolla
Use proper German title for AccountManagementForm
e6b72f0
@TimWolla
Clean up handling of user objects in UserEditForm
e65ef4a
@TimWolla
Add multi-factor management to UserEditForm
3fcadd1
@TimWolla
Use more user-friendly error message for MFA w/o setups
ccc2758 
This still MUST NOT ever happen, but in case it does the error message is more
useful and it was easy enough to implement.
@TimWolla
Move the checkmark out of wcf.acp.user.security.multifactor.active
e7f05e0
@TimWolla
Merge pull request #3779 from WoltLab/mfa-acp
111b7fa 
Add multi-factor management to UserEditForm
@TimWolla
Merge branch 'master' into mfa-meta
c509da3 
For the UserPasswordFormField.
@TimWolla
Remove obsolete import from MultifactorAuthenticationForm
2068664
@TimWolla
Add reauthentication logic to SessionHandler
db4dca5
@TimWolla
Add ReauthenticationForm
68ee7d3
@TimWolla
Add TReauthenticationCheck
dd038ef
@TimWolla
Request reauthentication in MultifactorManageForm
fa03d1f
@TimWolla
Request reauthentication in MultifactorDisableForm
fbf4a54
@TimWolla
Do not request reauthentication from users connected to a third party…
fbebdd6 
… provider
@TimWolla
Add explanatory texts to reauthentication
6d80952
@TimWolla
Merge pull request #3775 from WoltLab/mfa-reauth
8762354 
Add generic reauthentication implementation
@TimWolla TimWolla marked this pull request as ready for review December 7, 2020 10:36
joshuaruesweg
joshuaruesweg reviewed Dec 9, 2020
View reviewed changes
wcfsetup/install/files/lib/system/user/multifactor/TotpMultifactorMethod.class.php Outdated Show resolved Hide resolved
wcfsetup/install/files/lib/system/user/multifactor/EmailMultifactorMethod.class.php Outdated Show resolved Hide resolved
wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_migrate_multifactor.php Show resolved Hide resolved
wcfsetup/install/files/acp/update_com.woltlab.wcf_5.4_migrate_multifactor.php Outdated Show resolved Hide resolved
wcfsetup/install/files/lib/data/user/UserProfile.class.php
return (
WCF::getUser()->userID == $this->userID ||
WCF::getSession()->getPermission('user.profile.avatar.canSeeAvatars') ||
(($pending = WCF::getSession()->getPendingUserChange()) && $pending->userID == $this->userID)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do I need to see the Avatars then? I assume that this is a change that is now irrelevant due to template changes...?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is technically irrelevant now. However it allows grants access to the pending user's avatar which is not wrong, so I'll leave this as-is.

wcfsetup/install/files/lib/system/session/SessionHandler.class.php Outdated Show resolved Hide resolved
@TimWolla TimWolla mentioned this pull request Dec 9, 2020
Closed
@TimWolla TimWolla merged commit 2a73891 into master Dec 9, 2020
WoltLab Suite 5.4 automation moved this from Feature to Resolved Dec 9, 2020
@TimWolla TimWolla deleted the mfa-meta branch December 9, 2020 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dtdesign dtdesign dtdesign left review comments

@joshuaruesweg joshuaruesweg joshuaruesweg left review comments

Assignees

@TimWolla TimWolla

Labels
Feature
Projects
No open projects
WoltLab Suite 5.4
  
Resolved
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@TimWolla @dtdesign @Gravatronics @joshuaruesweg