From 6dc29e24e26871516ab02fb1e2c950acf157b62b Mon Sep 17 00:00:00 2001
From: jitheeshvo
Date: Tue, 10 Nov 2020 15:32:17 +0530
Subject: [PATCH 1/2] Does not patch rest api #1
---
 Plugin/BypassWebApiTwoFactorAuth.php | 67 ++++++++++++++++++++++++++++
 etc/adminhtml/system.xml | 4 ++
 etc/config.xml | 1 +
 etc/di.xml | 3 ++
 4 files changed, 75 insertions(+)
 create mode 100644 Plugin/BypassWebApiTwoFactorAuth.php
diff --git a/Plugin/BypassWebApiTwoFactorAuth.php b/Plugin/BypassWebApiTwoFactorAuth.php
new file mode 100644
index 0000000..b5f72f6
--- /dev/null
+++ b/Plugin/BypassWebApiTwoFactorAuth.php
@@ -0,0 +1,67 @@
+
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code
+ */
+declare(strict_types=1);
+
+namespace MarkShust\DisableTwoFactorAuth\Plugin;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Integration\Api\AdminTokenServiceInterface;
+use Magento\TwoFactorAuth\Model\AdminAccessTokenService;
+
+/**
+ * Class BypassWebApiTwoFactorAuth
+ *
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
+class BypassWebApiTwoFactorAuth
+{
+ const XML_PATH_CONFIG_API_ENABLE = 'twofactorauth/general/enable_api';
+
+ /** @var ScopeConfigInterface */
+ private $scopeConfig;
+ /**
+ * @var AdminTokenServiceInterface
+ */
+ private AdminTokenServiceInterface $adminTokenService;
+
+ public function __construct(
+ AdminTokenServiceInterface $adminTokenService,
+ ScopeConfigInterface $scopeConfig
+ ) {
+ $this->scopeConfig = $scopeConfig;
+ $this->adminTokenService = $adminTokenService;
+ }
+
+ /**
+ * This will bypass 2fa and allow us to use existing token generate end-point
+ * Recommended to use this until third-party service is ready to configure 2fa
+ *
+ * @param AdminAccessTokenService $subject
+ * @param \Closure $proceed
+ * @param $username
+ * @param $password
+ *
+ * @return string
+ * @throws \Magento\Framework\Exception\AuthenticationException
+ * @throws \Magento\Framework\Exception\InputException
+ * @throws \Magento\Framework\Exception\LocalizedException
+ */
+ public function aroundCreateAdminAccessToken(
+ AdminAccessTokenService $subject,
+ \Closure $proceed,
+ $username,
+ $password
+ ): string {
+ return !$this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_API_ENABLE)
+ ? $this->adminTokenService->createAdminAccessToken($username, $password)
+ : $proceed($username, $password);
+ }
+}
diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml
index e01e9ac..7108091 100644
--- a/etc/adminhtml/system.xml
+++ b/etc/adminhtml/system.xml
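Review bot: The bypass branch of aroundCreateAdminAccessToken relies on `$this->adminTokenService` being the plain token service, yet the constructor injects `AdminTokenServiceInterface`; if that interface is preferenced to `Magento\TwoFactorAuth\Model\AdminAccessTokenService` (which, as far as I recall, Magento_TwoFactorAuth's own di.xml does, since that class only wraps the token service), the call lands back on the plugged class, re-enters this plugin with the flag still off, and recurses until the request dies. Injecting the concrete `Magento\Integration\Model\AdminTokenService`, the same dependency the 2FA module hands its own wrapper, avoids the loop: `use Magento\Integration\Model\AdminTokenService;`, `private AdminTokenService $adminTokenService;` and the matching constructor parameter type. The second patch deletes this file in favour of `Plugin/BypassTwoFactorAuthForApiTokenGeneration.php`, whose use block and constructor signature are not visible in that hunk, so the same check applies there. Separately, `const XML_PATH_CONFIG_API_ENABLE` carries no visibility modifier; `private const` would do, as it is only read through `self::`.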
@@ -9,6 +9,10 @@ Magento\Config\Model\Config\Source\Yesno Warning: Enabling 2FA will immediately prompt admin user for OTP code. + + + Magento\Config\Model\Config\Source\Yesno + 1 diff --git a/etc/config.xml b/etc/config.xml index 413d221..7cb4a82 100644 --- a/etc/config.xml +++ b/etc/config.xml @@ -5,6 +5,7 @@ 1 + 1 diff --git a/etc/di.xml b/etc/di.xml index 3696d4b..47dc37d 100644 --- a/etc/di.xml +++ b/etc/di.xml @@ -3,4 +3,7 @@ + + + From bdf794cc1ab4448a6d909553487cddb25326df12 Mon Sep 17 00:00:00 2001 From: Mark Shust Date: Tue, 12 Jan 2021 09:12:37 -0500 Subject: [PATCH 2/2] Updates per code review for #4 --- CHANGELOG.md | 9 +++ Plugin/BypassTwoFactorAuth.php | 33 ++++++--- ...passTwoFactorAuthForApiTokenGeneration.php | 66 ++++++++++++++++++ Plugin/BypassWebApiTwoFactorAuth.php | 67 ------------------- README.md | 23 +++++-- composer.json | 2 +- etc/adminhtml/system.xml | 9 ++- etc/config.xml | 5 +- etc/di.xml | 2 +- 9 files changed, 125 insertions(+), 91 deletions(-) create mode 100644 Plugin/BypassTwoFactorAuthForApiTokenGeneration.php delete mode 100644 Plugin/BypassWebApiTwoFactorAuth.php diff --git a/CHANGELOG.md b/CHANGELOG.md index b5c96e7..7462891 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). +## [1.1.0] - 2020-01-12 + +### Added +- Support to disable 2FA for API token generation ([#1](https://github.com/markshust/magento2-module-disabletwofactorauth/issues/1)). + +### Updated +- Updated docblocks and other minor formatting issues. +- Updated REAMDE to make it more explicit not to disable 2FA within production environments. + ## [1.0.0] - 2020-08-10 ### Added diff --git a/Plugin/BypassTwoFactorAuth.php b/Plugin/BypassTwoFactorAuth.php index 0229d4e..9d21113 100644 --- a/Plugin/BypassTwoFactorAuth.php 
+++ b/Plugin/BypassTwoFactorAuth.php
@@ -6,11 +6,21 @@
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\TwoFactorAuth\Model\TfaSession;
+/**
+ * Class BypassTwoFactorAuth
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
 class BypassTwoFactorAuth
 {
+ const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';
+
 /** @var ScopeConfigInterface */
- private $scopeConfig;
+ private ScopeConfigInterface $scopeConfig;
+ /**
+ * BypassTwoFactorAuth constructor.
+ * @param ScopeConfigInterface $scopeConfig
+ */
 public function __construct(
 ScopeConfigInterface $scopeConfig
 ) {
@@ -18,17 +28,24 @@ public function __construct(
 }
 /**
- * If the TwoFactorAuth module Enable setting is set to false, always return true here so all requests bypass 2FA.
- * Otherwise, return the original result.
+ * Enables the bypass of 2FA for admin access.
+ * This can be useful within development & integration environments.
+ *
+ * If 2FA is enabled, return the original result.
+ * If 2FA is disabled, always return true so all requests bypass 2FA.
+ *
+ * NOTE: Always keep 2FA enabled within production environments for security purposes.
 *
 * @param TfaSession $subject
 * @param $result
 * @return bool
 */
- public function afterIsGranted(TfaSession $subject, $result): bool
- {
- return !$this->scopeConfig->isSetFlag('twofactorauth/general/enable')
- ? true
- : $result;
+ public function afterIsGranted(
+ TfaSession $subject,
+ $result
+ ): bool {
+ return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE)
+ ? $result
+ : true;
 }
 }
diff --git a/Plugin/BypassTwoFactorAuthForApiTokenGeneration.php b/Plugin/BypassTwoFactorAuthForApiTokenGeneration.php
new file mode 100644
index 0000000..3642957
--- /dev/null
+++ b/Plugin/BypassTwoFactorAuthForApiTokenGeneration.php
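Review bot: `const XML_PATH_CONFIG_ENABLE` is added without a visibility modifier, and since it is only read through `self::` in afterIsGranted, `private const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';` both satisfies PSR-12 and keeps the path out of the class's public surface. The new class docblock restates only the name and namespace; a purpose line such as `Plugin on TfaSession: when 2FA is disabled in configuration, every request is reported as granted.` would carry information the `class` line does not. `@param $result` stays untyped although the plugin itself returns `bool`; `@param bool $result` lets static analysis check the ternary. The constructor docblock sits in the first hunk while the constructor body straddles the hunk boundary after `) {`.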
@@ -0,0 +1,66 @@
+scopeConfig = $scopeConfig;
+ $this->adminTokenService = $adminTokenService;
+ }
+
+ /**
+ * Enables the bypass of 2FA for API token generation.
+ * This can be useful for third-party vendors during module development.
+ *
+ * NOTE: Always keep 2FA enabled within production environments for security purposes.
+ *
+ * @param AdminAccessTokenService $subject
+ * @param Closure $proceed
+ * @param $username
+ * @param $password
+ * @return string
+ * @throws AuthenticationException
+ * @throws InputException
+ * @throws LocalizedException
+ */
+ public function aroundCreateAdminAccessToken(
+ AdminAccessTokenService $subject,
+ Closure $proceed,
+ $username,
+ $password
+ ): string {
+ return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION)
+ ? $proceed($username, $password)
+ : $this->adminTokenService->createAdminAccessToken($username, $password);
+ }
+}
diff --git a/Plugin/BypassWebApiTwoFactorAuth.php b/Plugin/BypassWebApiTwoFactorAuth.php
deleted file mode 100644
index b5f72f6..0000000
--- a/Plugin/BypassWebApiTwoFactorAuth.php
+++ /dev/null
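Review bot: The docblock on aroundCreateAdminAccessToken should spell out what the bypass branch hands to callers, because this ternary is the entire control: with `twofactorauth/general/enable_for_api_token_generation` off, the wrapped service issues an integration token for any valid admin username and password, so the password alone becomes the full credential for the REST API, for every admin account and every client. A sentence next to the existing NOTE, e.g. `When disabled, tokens are issued on username/password alone; the admin password becomes the sole API credential.`, makes that explicit for whoever flips the flag. `@param $username` and `@param $password` carry no type although the intercepted service documents both as strings, so `@param string $username` / `@param string $password` would let static analysis cover the forwarded calls. The file's header, use block, constant and constructor signature are missing from this hunk (apparently lost in extraction), so the injected type of `$adminTokenService` cannot be checked here.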
@@ -1,67 +0,0 @@
-
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code
- */
-declare(strict_types=1);
-
-namespace MarkShust\DisableTwoFactorAuth\Plugin;
-
-use Magento\Framework\App\Config\ScopeConfigInterface;
-use Magento\Integration\Api\AdminTokenServiceInterface;
-use Magento\TwoFactorAuth\Model\AdminAccessTokenService;
-
-/**
- * Class BypassWebApiTwoFactorAuth
- *
- * @package MarkShust\DisableTwoFactorAuth\Plugin
- */
-class BypassWebApiTwoFactorAuth
-{
- const XML_PATH_CONFIG_API_ENABLE = 'twofactorauth/general/enable_api';
-
- /** @var ScopeConfigInterface */
- private $scopeConfig;
- /**
- * @var AdminTokenServiceInterface
- */
- private AdminTokenServiceInterface $adminTokenService;
-
- public function __construct(
- AdminTokenServiceInterface $adminTokenService,
- ScopeConfigInterface $scopeConfig
- ) {
- $this->scopeConfig = $scopeConfig;
- $this->adminTokenService = $adminTokenService;
- }
-
- /**
- * This will bypass 2fa and allow us to use existing token generate end-point
- * Recommended to use this until third-party service is ready to configure 2fa
- *
- * @param AdminAccessTokenService $subject
- * @param \Closure $proceed
- * @param $username
- * @param $password
- *
- * @return string
- * @throws \Magento\Framework\Exception\AuthenticationException
- * @throws \Magento\Framework\Exception\InputException
- * @throws \Magento\Framework\Exception\LocalizedException
- */
- public function aroundCreateAdminAccessToken(
- AdminAccessTokenService $subject,
- \Closure $proceed,
- $username,
- $password
- ): string {
- return !$this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_API_ENABLE)
- ? $this->adminTokenService->createAdminAccessToken($username, $password)
- : $proceed($username, $password);
- }
-}
diff --git a/README.md b/README.md
index 75f8792..066f7d6 100644
--- a/README.md
+++ b/README.md
@@ -42,14 +42,25 @@ bin/magento setup:upgrade This module keeps 2FA enabled by default. This is to prevent any unexpected side effects or security loopholes from being introduced during automated installation processes. -After installing the module, one can disable 2FA by going to **Admin > Stores > Settings > Configuration > -Security > 2FA**, and setting *Enable 2FA* to **No**. +### Disable 2FA -This setting can also be toggled to a 1 or 0 to respectively enable or disable 2FA from the command-line console: +Enables the bypass of 2FA for admin access. This can be useful within development & integration environments. -``` -bin/magento config:set twofactorauth/general/enable 0 -``` +Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**. + +CLI: `bin/magento config:set twofactorauth/general/enable 0` + +*NOTE: Always keep 2FA enabled within production environments for security purposes.* + +### Disable 2FA for API Token Generation + +Enables the bypass of 2FA for API token generation. This can be useful for third-party vendors during module development. + +Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**. + +CLI: `bin/magento config:set twofactorauth/general/enable_for_api_token_generation 0` + +*NOTE: Always keep 2FA enabled within production environments for security purposes.* ## License diff --git a/composer.json b/composer.json index 9e8ded7..56cf05c 100644 --- a/composer.json +++ b/composer.json @@ -6,7 +6,7 @@ "magento/framework": ">=103" }, "type": "magento2-module", - "version": "1.0.0", + "version": "1.1.0", "license": [ "MIT" ], diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml index 7108091..5dffc76 100644 --- a/etc/adminhtml/system.xml +++ b/etc/adminhtml/system.xml @@ -1,16 +1,15 @@ - +
- + Magento\Config\Model\Config\Source\Yesno Warning: Enabling 2FA will immediately prompt admin user for OTP code. - - + + Magento\Config\Model\Config\Source\Yesno diff --git a/etc/config.xml b/etc/config.xml index 7cb4a82..b48110d 100644 --- a/etc/config.xml +++ b/etc/config.xml @@ -1,11 +1,10 @@ - + 1 - 1 + 1 diff --git a/etc/di.xml b/etc/di.xml index 47dc37d..d81a880 100644 --- a/etc/di.xml +++ b/etc/di.xml @@ -4,6 +4,6 @@ - +