Comments (5)
I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.
Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.
I don't see a way around this at the moment, so I've installed email authentication (since all my users require email to be verified) and I've updated my code to automatically enable email MFA for the user following the guide here: https://symfony.com/bundles/SchebTwoFactorBundle/6.x/providers/email.html. Then, once logged in with email MFA, the user can add additional options.
I think it'd be great if there was an option in the bundle to require authentication on first login in the future. However, it might require substantial changes. A lot of this seems to boil down to logic in TotpAuthenticatorTwoFactorProvider::beginAuthentication, which requires TOTP values to be set before authentication can be made.
I'm thinking maybe I need to add a "firewall" event that would fire a "NeedToSetupGoogleAuthenticatorException" ? 🤔
I've tried to do [...] but it fails with User has to provide a secret code for Google Authenticator authentication.
Which I think is normal because this condition is supposed to be used to enter a code for an existing authenticator
Correct. You cannot have Google Authenticator enabled when you don't have a secret code configured. That's why the docs are recommending return null !== $this->googleAuthenticatorSecret; for isGoogleAuthenticatorEnabled().
I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.
Correct. The 2fa provider doesn't matter for the implementation.
Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.
Correct, and that's how it's supposed to be. Everyone has their own expectations of how a forced 2fa should work, so it would be impossible to provide an out-of-the-box solution that makes everyone happy.
Actually, I've never seen how people are solving this problem in the wild 🤷. How I'd recommend handling this:
Ideally: Force people to setup 2fa during the registration process, so you know they have set it up once they login. You don't need to bother with it 😉.
If you can't do this - e.g. accounts are automatically created for users and therefore you can't set up 2fa for them - then you have to go the route "force them to set it up on the first login". For that, you'd need to inject a check into the login process, where you check if the user account has 2fa set up; if not, force them to set it up.
I'd recommend having a look at the AuthenticationTokenCreatedEvent event, which is dispatched right after creating the security token object, so by that point, the authentication process was successful and you can get the user object from the security token. But at that point the authentication process hasn't been completed yet. The Symfony security layer does not know about that security token yet, so it's a great point to "do stuff" right in the middle of the login process 😄.
The 2fa bundle is actually using that event to inject its magic into the authentication process: intercept the security token, wrap it with 2fa magic, before it's announced to the security layer. Code for reference: https://github.com/scheb/2fa/blob/6.x/src/bundle/Security/TwoFactor/Event/AuthenticationTokenListener.php
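One way to implement the check the maintainer describes, as an added example that is not the bundle's own code: a subscriber that records on AuthenticationTokenCreatedEvent whether the freshly authenticated user still has no TOTP secret, and then redirects every request to a setup page until one is stored. It assumes the user entity implements the bundle's TwoFactorInterface; the route name app_2fa_setup and the session flag name are made up for the example.

```php
<?php
namespace App\EventSubscriber;
use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;

final class ForceTotpSetupSubscriber implements EventSubscriberInterface
{
    private const SESSION_FLAG = 'needs_2fa_setup'; // constructed flag name
    private const SETUP_ROUTE = 'app_2fa_setup';    // hypothetical route name

    public function __construct(private readonly RequestStack $requestStack, private readonly UrlGeneratorInterface $urlGenerator)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            AuthenticationTokenCreatedEvent::class => 'onTokenCreated',
            KernelEvents::REQUEST => ['onRequest', 7], // after routing (32) and the firewall (8)
        ];
    }

    // Credentials were already verified, but the firewall has not accepted the
    // token yet: record whether this account still lacks a TOTP secret.
    public function onTokenCreated(AuthenticationTokenCreatedEvent $event): void
    {
        $user = $event->getAuthenticatedToken()->getUser();
        $missing = $user instanceof TwoFactorInterface && !$user->isTotpAuthenticationEnabled();
        $this->requestStack->getSession()->set(self::SESSION_FLAG, $missing);
    }

    // While the flag is set, send every page to the setup route, except the
    // setup route itself (otherwise the browser would loop forever).
    public function onRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession()
            || !$request->getSession()->get(self::SESSION_FLAG, false)
            || $request->attributes->get('_route') === self::SETUP_ROUTE) {
            return;
        }
        $event->setResponse(new RedirectResponse($this->urlGenerator->generate(self::SETUP_ROUTE)));
    }
}
```

The setup controller must persist the secret and then remove the session flag, otherwise the user keeps being redirected after configuring TOTP.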
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I will soon get to work on this again. I will keep you posted if I get a solution, but yes, I think I will check the AuthenticationTokenCreatedEvent.
If you can't do this - e.g. accounts are automatically created for users and therefore you can't setup 2fa for them - t
Yes, these users are coming from a SAMLv2 connection, but your explanation makes sense on why this bundle does not provide a "built-in" solution.