markshust · markshust · Jan 12, 2021 · Nov 10, 2020 · Jan 12, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2020-01-12
+
+### Added
+- Support to disable 2FA for API token generation ([#1](https://github.com/markshust/magento2-module-disabletwofactorauth/issues/1)).
+
+### Updated
+- Updated docblocks and other minor formatting issues.
+- Updated REAMDE to make it more explicit not to disable 2FA within production environments.
+
 ## [1.0.0] - 2020-08-10
 
 ### Added

diff --git a/Plugin/BypassTwoFactorAuth.php b/Plugin/BypassTwoFactorAuth.php
@@ -6,29 +6,46 @@
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\TwoFactorAuth\Model\TfaSession;
 
+/**
+ * Class BypassTwoFactorAuth
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
 class BypassTwoFactorAuth
 {
+    const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';
+
     /** @var ScopeConfigInterface */
-    private $scopeConfig;
+    private ScopeConfigInterface $scopeConfig;
 
+    /**
+     * BypassTwoFactorAuth constructor.
+     * @param ScopeConfigInterface $scopeConfig
+     */
     public function __construct(
         ScopeConfigInterface $scopeConfig
     ) {
         $this->scopeConfig = $scopeConfig;
     }
 
     /**
-     * If the TwoFactorAuth module Enable setting is set to false, always return true here so all requests bypass 2FA.
-     * Otherwise, return the original result.
+     * Enables the bypass of 2FA for admin access.
+     * This can be useful within development & integration environments.
+     *
+     * If 2FA is enabled, return the original result.
+     * If 2FA is disabled, always return true so all requests bypass 2FA.
+     *
+     * NOTE: Always keep 2FA enabled within production environments for security purposes.
      *
      * @param TfaSession $subject
      * @param $result
      * @return bool
      */
-    public function afterIsGranted(TfaSession $subject, $result): bool
-    {
-        return !$this->scopeConfig->isSetFlag('twofactorauth/general/enable')
-            ? true
-            : $result;
+    public function afterIsGranted(
+        TfaSession $subject,
+        $result
+    ): bool {
+        return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE)
+            ? $result
+            : true;
     }
 }
diff --git a/Plugin/BypassTwoFactorAuthForApiTokenGeneration.php b/Plugin/BypassTwoFactorAuthForApiTokenGeneration.php
@@ -0,0 +1,66 @@
+<?php
+declare(strict_types=1);
+
+namespace MarkShust\DisableTwoFactorAuth\Plugin;
+
+use Closure;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Exception\AuthenticationException;
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Integration\Api\AdminTokenServiceInterface;
+use Magento\TwoFactorAuth\Model\AdminAccessTokenService;
+
+/**
+ * Class BypassWebApiTwoFactorAuth
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
+class BypassTwoFactorAuthForApiTokenGeneration
+{
+    const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+
+    /** @var ScopeConfigInterface */
+    private ScopeConfigInterface $scopeConfig;
+
+    /** @var AdminTokenServiceInterface */
+    private AdminTokenServiceInterface $adminTokenService;
+
+    /**
+     * BypassTwoFactorAuthForApiTokenGeneration constructor.
+     * @param AdminTokenServiceInterface $adminTokenService
+     * @param ScopeConfigInterface $scopeConfig
+     */
+    public function __construct(
+        AdminTokenServiceInterface $adminTokenService,
+        ScopeConfigInterface $scopeConfig
+    ) {
+        $this->scopeConfig = $scopeConfig;
+        $this->adminTokenService = $adminTokenService;
+    }
+
+    /**
+     * Enables the bypass of 2FA for API token generation.
+     * This can be useful for third-party vendors during module development.
+     *
+     * NOTE: Always keep 2FA enabled within production environments for security purposes.
+     *
+     * @param AdminAccessTokenService $subject
+     * @param Closure $proceed
+     * @param $username
+     * @param $password
+     * @return string
+     * @throws AuthenticationException
+     * @throws InputException
+     * @throws LocalizedException
+     */
+    public function aroundCreateAdminAccessToken(
+        AdminAccessTokenService $subject,
+        Closure $proceed,
+        $username,
+        $password
+    ): string {
+        return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION)
+            ? $proceed($username, $password)
+            : $this->adminTokenService->createAdminAccessToken($username, $password);
+    }
+}
diff --git a/README.md b/README.md
@@ -42,14 +42,25 @@ bin/magento setup:upgrade
 This module keeps 2FA enabled by default. This is to prevent any unexpected side effects or security loopholes from
 being introduced during automated installation processes.
 
-After installing the module, one can disable 2FA by going to **Admin > Stores > Settings > Configuration >
-Security > 2FA**, and setting *Enable 2FA* to **No**.
+### Disable 2FA
 
-This setting can also be toggled to a 1 or 0 to respectively enable or disable 2FA from the command-line console:
+Enables the bypass of 2FA for admin access. This can be useful within development & integration environments.
 
-```
-bin/magento config:set twofactorauth/general/enable 0
-```
+Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/enable 0`
+
+*NOTE: Always keep 2FA enabled within production environments for security purposes.*
+
+### Disable 2FA for API Token Generation
+
+Enables the bypass of 2FA for API token generation. This can be useful for third-party vendors during module development.
+
+Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/enable_for_api_token_generation 0`
+
+*NOTE: Always keep 2FA enabled within production environments for security purposes.*
 
 ## License
 

diff --git a/composer.json b/composer.json
@@ -6,7 +6,7 @@
         "magento/framework": ">=103"
     },
     "type": "magento2-module",
-    "version": "1.0.0",
+    "version": "1.1.0",
     "license": [
         "MIT"
     ],

diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml
@@ -1,14 +1,17 @@
 <?xml version="1.0"?>
-<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
     <system>
         <section id="twofactorauth">
             <group id="general">
-                <field id="enable" translate="label" type="select" sortOrder="1" showInDefault="1" canRestore="1">
+                <field id="enable" translate="label" type="select" sortOrder="100" showInDefault="1" canRestore="1">
                     <label>Enable 2FA</label>
                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
                     <comment>Warning: Enabling 2FA will immediately prompt admin user for OTP code.</comment>
                 </field>
+                <field id="enable_for_api_token_generation" translate="label" type="select" sortOrder="200" showInDefault="1" canRestore="1">
+                    <label>Enable 2FA for API Token Generation</label>
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                </field>
                 <field id="force_providers">
                     <depends>
                         <field id="enable">1</field>

diff --git a/etc/config.xml b/etc/config.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0"?>
-<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
     <default>
         <twofactorauth>
             <general>
                 <enable>1</enable>
+                <enable_for_api_token_generation>1</enable_for_api_token_generation>
             </general>
         </twofactorauth>
     </default>

diff --git a/etc/di.xml b/etc/di.xml
@@ -3,4 +3,7 @@
     <type name="Magento\TwoFactorAuth\Model\TfaSession">
         <plugin name="bypassTwoFactorAuth" type="MarkShust\DisableTwoFactorAuth\Plugin\BypassTwoFactorAuth"/>
     </type>
+    <type name="Magento\TwoFactorAuth\Model\AdminAccessTokenService">
+        <plugin name="bypassTwoFactorAuthForApiTokenGeneration" type="MarkShust\DisableTwoFactorAuth\Plugin\BypassTwoFactorAuthForApiTokenGeneration"/>
+    </type>
 </config>