Adam0shka
commented
10 months ago Hi, BookStack team,
You remember about this issue? This is very important for our company)
Open schnapsidee opened 3 years ago
Adam0shka
commented
10 months ago Hi, BookStack team,
You remember about this issue? This is very important for our company)
eubi86
commented
1 month ago You can skip 2Fa if you log in from the company network. As usual, 2fa is required from outside. You can set an IP range. This also works for individual users such as the admin. You just have to adjust it a bit. require composer Longman iptools Here is the functions.php
```php ip(); Log::info('Received IP: ' . $ip); $isInCompanyNetwork = array_filter($companyNetworkRanges, function ($range) use ($ip) { return Ip::match($ip, $range); }); $isInCompanyNetwork = !empty($isInCompanyNetwork); Log::info('Is IP in company network: ' . ($isInCompanyNetwork ? 'Yes' : 'No')); // Proceed only if user is in the company network if ($isInCompanyNetwork) { $loginService = new LoginService($mfaSession, $emailConfirmationService, $socialDriverManager); if (auth()->check()) { $user = auth()->user(); Log::info('Authenticated user ID: ' . $user->id); // No additional actions if the user is authenticated and in the company network return null; } Log::info('User is not authenticated.'); try { $credentials = $request->only('email', 'password'); $remember = $request->boolean('remember', false); $result = auth()->attempt($credentials, $remember); if ($result) { $user = auth()->user(); Log::info('Authenticated user ID: ' . $user->id); Auth::login($user, $remember); } else { Log::info('Authentication attempt failed.'); } } catch (\Exception $e) { Log::error('Authentication error: ' . $e->getMessage(), ['exception' => $e]); } } else { Log::info('User is outside the company network. No actions performed.'); } return null; }); ```
Describe the feature you'd like Currently you have to enter a new MFA Code everytime you login. It would be nice if there was an option to remember a device so you don't have to reauthenticate with MFA on every login.
Describe the benefits this feature would bring to BookStack users We use MFA mostly to protect accounts in case of compromised passwords and outside access. Having to reauthentiate with 2FA from trusted devices at every login gets annoying very fast when we really just want to protect access from untrusted devices. I believe making a security feature more user-friendly can only help adoption especially if the security risk isn't increased significantly. Most websites that offer 2FA already use this feature so it's a well established industry practice.
Additional context Perhaps there could be an option in the admin pannel to allow or disallow trusting a device in case an admin wants the "full security" option of having users reauthenticate at every login.