[RFC] two-factor authentication #1545
Conversation
bytehead
force-pushed
the
feature/two-factor
branch
4 times, most recently
from
935034f
to
6203d91
Compare
|
🙌 I'm really looking forward to see this feature.
And currently im getting the |
bytehead
force-pushed
the
feature/two-factor
branch
from
a73d12f
to
12517ea
Compare
Yes I don't use it. It didn't work with all of my apps I've tried upfront. That's why I decided to choose a library that supports actually the RFCs. Even easier, if we decide to support HOTP in future.
I like the idea, @contao/developers what do you think about?
IMHO the users should enable 2FA by themselves.
I will implement this, already discussed 👍
Did you miss to enable the |
Go for it.
I also think we should not force them. |
I think @richardhj meant that you should optionally be able to enforce 2FA for one Contao Installation for everyone. Not that it should be enforced in general. This makes sense imho. |
Optionally for some users or user groups, in order to comply with some TOMs :-) |
I don't get this one. If somebody else enforces 2FA in general the question will be how the users will initially setup the app in this case? |
I like it as well. Maybe a badge on the user/admin icon like the page publishing options?
Something like forcing the setup after login attempt? |
|
Please don't do this. None of the apps I am using 2FA with does it – and I am using a lot of them. |
|
As an option to enforce 2FA upon users would be, well.. optional, I don't see a problem there. It'd work analogous to "Password change required". Upon first/next login the user is required to change his password/setup 2FA, whatever the admin's reasons for that decision might be. If 2FA becomes a core feature, so should the option to enforce its usage upon all or specific users. |
|
I agree with @patrickjDE . A company should ideally be able to decide whether to force all editors of their website two use 2FA in order to increase security. @leofeyer you are probably talking about a front end context there, right? But this is about the back end functionality. If your website has 2 administrators for the back end and only one uses 2FA, the other account is still (maybe) more vulnerable. Hence you might want to decide that every back end user (or specific back end user groups - or just administrators) should use 2FA. |
bytehead
force-pushed
the
feature/two-factor
branch
from
51833b6
to
378e260
Compare
@frontendschlampe do you want to create an icon for it? 😎 |
bytehead
force-pushed
the
feature/two-factor
branch
from
17fa0a8
to
9bec2f7
Compare
src/Resources/contao/dca/tl_user.php
Outdated
| continue; | ||
| } | ||
|
|
||
| $GLOBALS['TL_DCA']['tl_user']['palettes'][$palette] = str_replace |
There was a problem hiding this comment.
Why not use the PaletteManipulator here? Would make things easier 😄
src/Resources/contao/dca/tl_user.php
Outdated
| // Generate 1024 bit secret | ||
| $secret = random_bytes(128); | ||
|
|
||
| $this->Database->prepare("UPDATE tl_user SET secret=? WHERE id=?") |
There was a problem hiding this comment.
Shouldn't that be something like this?
$user = BackendUser::getInstance();
$user->secret = random_bytes(128);
$user->save();There was a problem hiding this comment.
Yep. Can't see the forest for the trees.
src/Resources/contao/dca/tl_user.php
Outdated
| <div class="' . $class . ' widget"> | ||
| <div id="ctrl_' . $dc->field . '" class=""> | ||
| <h3><label for="ctrl_' . $dc->field . '">' . $GLOBALS['TL_LANG']['tl_user']['2faQrCode'][0] . '</label></h3> | ||
| <img src="data:image/svg+xml;base64,' . base64_encode($twoFactorAuthenticator->getQrCode($this->User, $request)) . '" /> |
There was a problem hiding this comment.
Can we use BackendUser::getInstance() everywhere instead of $this->User that's stored somewhere in nowhere?
src/Resources/contao/dca/tl_user.php
Outdated
| throw new Exception($GLOBALS['TL_LANG']['ERR']['invalidTwoFactor']); | ||
| } | ||
|
|
||
| return 1; |
| */ | ||
| public function validateCode(User $user, string $code): bool | ||
| { | ||
| // The 2FA app from Google (Google authenticator) does not strictly confirm to RFC 4648 [1] (they confirm to the old RFC 3548 [2]). |
There was a problem hiding this comment.
private function getUpperUnpaddedScretForUser(User $user): stringThen you need to add the google comment only once :-P
yes ... :-) Today is icon day :-D |
|
What do you think?
|
|
Love it. |
|
@frontendschlampe Yeah, I like! I'll place it on the left as @richardhj already stated. |
|
Here is the implemented version:
|
|
yeah ... no problem. I‘ve added the icon to my PR yesterday with the other icons. :-) |
bytehead
force-pushed
the
feature/two-factor
branch
from
8d30ffe
to
5683059
Compare
|
With the change in 4e36d00, so we actually still need a different route for the 2FA or can we just apply 2FA on the login route? |
|
@aschempp see here: #1545 (comment) |
leofeyer
force-pushed
the
feature/two-factor
branch
from
c39a5c5
to
168a620
Compare
src/Security/TwoFactor/Provider.php
Outdated
| return false; | ||
| } | ||
|
|
||
| if (!$this->enforceTwoFactor && !$user->useTwoFactor) { |
There was a problem hiding this comment.
So if the user does not have a secret (which is the default, if he never edited his data), then we don't enforce 2FA?
There was a problem hiding this comment.
This seems correct to me. Otherwise the user would be asked to enter their verification code although they never had a chance to set up 2FA.
There was a problem hiding this comment.
In fact that's wrong. If there is no secret and 2FA is enforced, a secret should be generated, so the user gets the QR code to verify on the login screen.
src/Security/TwoFactor/Provider.php
Outdated
| return false; | ||
| // Generate a secret if 2FA is enforced and the user has not yet enabled it | ||
| if ($this->enforceTwoFactor && !$user->secret) { | ||
| $user->secret = random_bytes(128); |
There was a problem hiding this comment.
Isn't here a $user->save(); missing?
There was a problem hiding this comment.
IDK. Can we be sure that $context->getUser() returns an object with a save() method? Also it seems to work without save().
There was a problem hiding this comment.
Yes we can, it returns a Contao\User object.
| } | ||
|
|
||
| // 2FA is now confirmed, save the user flag | ||
| if ($this->enforceTwoFactor && !$user->confirmedTwoFactor) { |
There was a problem hiding this comment.
Why do we only set this if 2FA is enforced?
There was a problem hiding this comment.
Because this only happens if 2FA is enforced by config. Otherwise it gets saved here.
|
Thank you big time @bytehead! |
Description ----------- This is what I meant in #1545 (comment) Commits ------- 3b35e23 Drop the unnecessary 2FA login route 2da1351 Also adjust the tests and the firewall and rename the check route. 2398caa Merge branch 'master' into feature/no-2fa-route
Description ----------- - improve icon modules.svg - add icons for contao/core-bundle#1202 - add icon for contao/core-bundle#1545 Commits ------- abb6003b add/improve some icons f14694e4 improve size of 2fa icons (same height like user icons) d37484eb improve module icon again a86c900d delete single 2fa-icons and add user/admin icon with lock aeaf343b improve size units of some icons 3922030e improve position of icon elements 0c427ba5 Run the gulp task.
Description ----------- This is what I meant in contao/core-bundle#1545 (comment) Commits ------- 3b35e23d Drop the unnecessary 2FA login route 2da1351d Also adjust the tests and the firewall and rename the check route. 2398caa0 Merge branch 'master' into feature/no-2fa-route
This is a working draft to add a two-factor authentication mechanism 2FA with TOTP for backend users.
It uses
scheb/two-factor-bundleto extend the symfony security authentication mechanism,spomky-labs/otphpfor generating and validating one-time passwords andbacon/bacon-qr-codeto render QR codes as SVGs.Please review and mention all missed topics.
Changes to
security.yml:Changes to
AppKernel.php:How to enforce 2FA for backend users via
config.yml:ToDos:
tl_userindicating which users have 2FA enabledPossible new features (future PRs):