-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature Request: Additional security checks for certain resources ( aka websudo ) #84
Comments
I found some articles / forum posts which could be a start point for some prototypes:
I hope I can test it in the next days. I will keep you informed :) |
Gist for the first prototype (via middleware). https://gist.github.com/noxify/90ffac363138e43bc330b74df6c9cfbc In the next days I will try to finish this prototype. |
While checking how it works in github i found the following POC for wordpress, which is exactly what we're trying to do here :) |
Nice, cool progress for this POC. |
Hi everybody, today I found some time to finish the first running prototype. It's currently a basic implementation without any language files and something has to be changed. What do you think about it? |
Open Todos: Make it more secureThe current implementation with "checking that there is a session and the timestamp is valid" is ok for a mockup, but it's not really a good idea to secure a resource. My idea was to use the Add 2FA ConfirmationCurrently we're checking only that the entered password equals the current user password. I have to check how can I call the existing functionality and understand how is it working. Policy ImplementationCurrently we're using in the prototype a new middleware to check everything. To be honest, i have no clue if it's possible to add a parameter to the middleware to decide if the user has to enter a password or the app generated token. I think with a policy like |
Hi, the first running version with 2FA (tokenbased via app) is running. Now it's also possible to define the session timeout per route and you can define if the session should be renewed if you're visiting it within the defined time. You can also decide the confirmation type. For password confirmation, you can use This should complete the "Policy Implementation" part. The "Make it more secure" part is obsolete (for me). Because Laravel handles the sessions in a secure way and I didn't saw any possibility to change the values via the browser developer tools. What do you think? |
Awesome, this is really moving forward. I'm looking at the code right now, ... |
First of all, I really appreciate your efforts @noxify 😃 Well, looks pretty solid to move towards implementation phase. |
You mean something like:
The session name which is currently defined in the config could be replaced with the route name. I will test it in the next days :) Thanks for the new ideas. |
The gist is updated and can be configured inside the routes definition. |
This is still one of my best feature discussions! I still like it & I'm now open for PRs and willing to merge it ASAP .. @noxify are you still interested in lending a helping hand here? 😃 |
Hi, Yes for sure. Should we implement it as part of the rinvex/fort package or better as part of the cortex/fort package since there is no frontend in the rinvex/fort package anymore? Maybe it‘s also an idea to create a new cortex module for this as additional package. What do you think? |
Thank you in advance, appreciated 🙏 |
@Omranic - i have checked the existing packages and found something which could help to speed up the implementation. What do you think about https://github.com/mpociot/reauthenticate ? The difference between the idea and the package is just the "missing" 2FA verification. Also I'm not sure about the enduser perspective if they have to search for their mobile phone to enter page X... |
I reviewed the package, and it's a simple but still we need to modify it to add our own view, attach middleware automatically through service provider, and add config option for the timeout. Accordingly I recommend implementing it on our own for a more clean feature :) |
Merged! |
Awesome! Thank you so much |
* 'develop' of github.com:rinvex/cortex-fort: Clean ReauthenticationController Allow grouping reauthentication routes Clean & simplify Reauthenticate middleware Fix service provider conflict with recent update * revert type changes * removed config for session prefix to keep it simple Update config.php Implementation for rinvex/laravel-auth#84
The Idea (pasted from Slack)
I'm using the the two factor auth via app, everything is working fine in the frontend.
Now I had the idea to secure the backend/admin with the following:
In confluence/jira and/or github there is something simular, but they require (only) the user password again.
Current Implementation
Future Implementation
Both described implementations are simplified
How can we implement it
Via Guard / Middleware
I had the idea to create my own Guard (for example: admin guard).
Each route which should handled via the admin guard, will have a custom middleware.
Example:
The idea was to use the existing functionality to keep the code maintainable (don't repeat yourself ;) )
This means, we can define it in the routes for each resource or via the controller "globally" for all resource actions.
Via Policy
While writing the
Via Guard
section, i have checked the policy documentation.The idea here is to define, what we need in the policies.
Why? In the current implementation we have already the definitions for the resources and actions.
Example:
We can use this as start point and extend the existing policy classes with our new functionality to show our forms
Alternative solution (first prototype?)
Based on "Make it work then make it better", we should create a prototype.
With this, i'm very sure, we find another way how we can implement this feature... anyway...
We extend our config file, where we can define which route needs some additional security check.
Example:
Then we're creating a new middleware (e.g. security) which will be used in the same way as the
web
middleware.This middleware checks at first, if the current route is defined in the config.
If so, then we check a session variable (each route has it's own session).
If the session is valid, show the requested page.
If not, we have to redirect to our "enter password" / "enter twofactor" page.
If the confirmation was successful, we will call the original requested page again.
If you have another idea - feel free to post it :)
I hope my ideas are understandable and you can follow my thoughts.
Thanks a lot :)
The text was updated successfully, but these errors were encountered: