This repository has been archived by the owner on Dec 2, 2021. It is now read-only.

Authenticate two factor in one request (with json_login) #294

Closed
friedrichroell opened this issue Jul 26, 2020 · 4 comments

@friedrichroell

scheb/two-factor-bundle : v4.18.0
symfony/framework-bundle version : v4.4.10

I am asking my users to send their (google) 2fa code together with their username/password credentials. Everything in one request basically.

Is it possible to handle 2fa in one request? I have tried a custom handler, but as this process is still inside the multi form process, I haven't been able to get it to work.

Thanks in advance:)

@scheb
Owner

scheb commented Jul 26, 2020

I don't see an easy way to do this. By design in Symfony security only one authentication provider is executed in a request.

What you'd normally do when you have an API with 2fa: after you've identified the user via username/password, your API returns a response telling the frontend that 2fa is required. You can do this by implementing your own success handler and setting it for the username/password authentication. Then let the frontend show the 2fa form, and then in a second request execute the 2fa process.

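The two-request flow scheb describes above, as an added illustration that is not part of this thread or of the bundle's own code: a success handler for the json_login firewall that answers with JSON when the bundle has swapped in its two-factor token, so the client knows the code has to be sent in a second request. Interface names follow Symfony 4.4 and scheb/two-factor-bundle v4; the class name and JSON field names are assumptions.

```php
<?php
// Added example, not from the thread or the bundle. Assumes Symfony 4.4 with
// scheb/two-factor-bundle v4; class name and JSON field names are assumptions.

namespace App\Security;

use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

/**
 * Registered as the json_login "success_handler" of the firewall in security.yaml.
 * Once username/password succeed, the bundle replaces the token with its
 * TwoFactorToken for users who have 2fa enabled; that is the signal that a
 * second request to the firewall's two_factor check_path is still required.
 */
final class JsonLoginSuccessHandler implements AuthenticationSuccessHandlerInterface
{
    public function onAuthenticationSuccess(Request $request, TokenInterface $token): Response
    {
        if ($token instanceof TwoFactorTokenInterface) {
            // First factor done, second pending: the user is not fully authenticated
            // yet, so return nothing beyond the instruction to complete 2fa.
            return new JsonResponse([
                'login' => 'success',
                'two_factor_complete' => false,
            ], Response::HTTP_OK);
        }

        // No 2fa configured for this user: fully authenticated in a single request.
        return new JsonResponse([
            'login' => 'success',
            'two_factor_complete' => true,
        ], Response::HTTP_OK);
    }
}
```

The client then posts the code to the path configured under the firewall's two_factor section; the bundle's TwoFactorListener handles that second request, including the events and trusted-device logic mentioned later in the thread.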
@friedrichroell
Author

Thanks @scheb for the quick response!

I was thinking, as you are decorating the AuthenticationProviderInterface::authenticate() method, for a "single request" 2fa authentication you could skip IS_AUTHENTICATED_2FA_IN_PROGRESS and run the 2fa validation process immediately and then continue with normal authentication?

@scheb
Owner

scheb commented Jul 26, 2020

That was something I was thinking as well, but it would only do a part of the job. You'd miss all the logic that is implemented in TwoFactorListener, which is mostly events and the trusted feature. And calling another listener within the same request is not something Symfony's Firewall would do:

https://github.com/symfony/symfony/blob/f64f59a9c0d92fdd65f9de3e44b612402b224aaf/src/Symfony/Component/Security/Http/Firewall.php#L110-L116

With the new "authenticator" system, that was introduced in Symfony 5.1, things look a bit different. But that system cannot be considered stable (yet) and your version is 4.4 anyways.

Besides that, there'd be a problem with the preparation of the two-factor authentication method. While Google Authenticator doesn't need any preparation work to be done, other methods might need it (such as SMS or email). So there is no universal solution to this problem.

So many things that'd need to be considered and I cannot offer a solution to this - at least not right now.

@friedrichroell
Author

friedrichroell commented Jul 26, 2020

Ok, that makes sense. Thanks for clearing that up :)

I guess I might just move from json_login, create a custom guard firewall and implement a simple 2fa solution in there for now.

Cheers
