codeigniter4 / shield

Authentication and Authorization for CodeIgniter 4
https://shield.codeigniter.com
MIT License

Is force email verification after registration and Email 2FA working ? #33

Closed jozefrebjak closed 2 years ago

jozefrebjak commented 2 years ago

If Force email verification after registration is enabled, it redirects after the register form to the auth/a/show route, but it returns

404 - File Not Found
Sorry! Cannot seem to find the page you were looking for.

The same behaviour occurs with Force 2FA check after login.

nowackipawel commented 2 years ago

Yes, it is working nicely.

jozefrebjak commented 2 years ago

I tried to find where I have something wrong, but I can't find it. I noticed there is probably a mistake in a comment within the file /src/Config/Auth.php:

 - register: Shield\Authentication\Actions\EmailActivate

There is no EmailActivate action, but there is an EmailActivator action within /src/Authentication/Actions, so I changed it to the correct action, but nothing changed. It seems like some kind of problem with registering an action. Magic link is working as expected for me, but email verification and 2FA are not. @lonnieezell I tried it with Bonfire2 and it's the same for me.

jozefrebjak commented 2 years ago

I found an issue. We need to specify the correct actions like:

Wrong

     - login:    Shield\Authentication\Actions\Email2FA
     - register: Shield\Authentication\Actions\EmailActivate

Correct

     - login:    Sparks\Shield\Authentication\Actions\Email2FA
     - register: Sparks\Shield\Authentication\Actions\EmailActivator

jozefrebjak commented 2 years ago

Email2FA is working for me now. But how do we get EmailActivator to work? How can we get

$user = auth()->user();

if we are not logged in within /src/Authentication/Actions/EmailActivator.php?

@lonnieezell We are getting the error: Attempt to read property "id" on null, because there is no logged-in user, which makes sense because we want to check the user before login with the email code.

@nowackipawel How is it working nicely for you?

jozefrebjak commented 2 years ago

@lonnieezell I can see another problem with Email2FA. We can skip the whole 2FA by just changing the URL, because the user is already logged in. The whole 2FA flow is triggered after logging in. OK, we have typed the correct username and password, but if we want to use 2FA, we need to change something in the database to not allow the user to access the application without the 2FA code.

lonnieezell commented 2 years ago

@jozefrebjak that's a good point. We save that information as an identity for the user, so it sounds like we need to check that during the controller filter. I've got some other stuff taking up my time for the next few days but can hopefully start to look into it by the end of the week, unless someone else submits a PR for that first.

jozefrebjak commented 2 years ago

@lonnieezell I'm trying to implement Shield into my project. Bonfire2 is helping me a lot, but there are also some bugs. I'll try to submit some PRs to improve both projects. I'm using myth-auth in production, but Shield looks better to me now. Nobody likes 2FA, but nowadays it's a must; the public internet is a dangerous place.

nowackipawel commented 2 years ago

OK so, there is some fix. I will be working on it to extend / improve it. Anyway, the most important use case looks like it is fixed.

I planned to use better checks in some cases, e.g. class_implements to check if the config field class is the right one in the chain filter, but in fact we should expect the developer to configure everything correctly according to the architecture delivered by @lonnieezell.

nowackipawel commented 2 years ago

> Email2FA is working for me now. But how do we get EmailActivator to work? How can we get
>
> $user = auth()->user();
>
> if we are not logged in within /src/Authentication/Actions/EmailActivator.php?
>
> @lonnieezell We are getting the error: Attempt to read property "id" on null, because there is no logged-in user, which makes sense because we want to check the user before login with the email code.
>
> @nowackipawel How is it working nicely for you?

In fact EmailActivator did not, but now it seems to work. I pushed the changes to my repo; you could try it out and give me feedback, or better wait for @lonnieezell to accept my PR #40.

jozefrebjak commented 2 years ago

@lonnieezell I updated to the version with your new commits, but I'm still not happy with the behaviour of 2FA. I will try to explain it better:

Step 1

Step 2

Step 3

In AuthSession this is added:

         // If user is in middle of an action flow
         // ensure they must finish it first.
         $user     = auth('session')->user();
         $identity = auth('session')->user()->getIdentity('email_2fa');
         if ($identity instanceof UserIdentity) {
             $action = config('Auth')->actions['login'];

             if ($action) {
                 session()->set('auth_action', $action);

                 return redirect()->route('auth-action-show')->with('error', lang('Auth.need2FA'));
             }
         }

but how can we get that redirect if no identity with the email_2fa type exists in the database when viewing the /auth/a/show route?

I have extended actions and controller so maybe I'm missing something.

jozefrebjak commented 2 years ago

@lonnieezell I submitted PR https://github.com/lonnieezell/codeigniter-shield/pull/41, which will solve the problem with actions. Another problem is email_2fa within getIdentity, because email_2fa doesn't exist at Step 1 and we can still skip 2FA.
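The bypass discussed above (password login succeeds, then the user edits the URL and never enters the code) is closed by enforcing the pending action in a filter rather than only in the action controller, as lonnieezell suggests. The following is an added example, not Shield's or Bonfire2's own code: a CodeIgniter 4 filter that refuses to serve any protected page while an `email_2fa` identity is still pending. It assumes `auth('session')->user()`, `getIdentity()`, `config('Auth')->actions` and the `auth-action-show` route as they appear in the thread; the filter name `PendingActionFilter` and the `Sparks\Shield\Entities\UserIdentity` namespace are assumptions. The AuthSession snippet from the thread dereferences `user()` before checking for null; this version guards against that.

```php
<?php
// Added example (hypothetical filter, not part of Shield). Register it in
// app/Config/Filters.php for the protected routes with an `except` for
// 'auth/a/*', so the action's own pages stay reachable; otherwise the user
// can never finish the 2FA step and is redirected forever.

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Sparks\Shield\Entities\UserIdentity; // assumed namespace for this Shield era

class PendingActionFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        $user = auth('session')->user();

        // Anonymous visitors are handled by the login filter; do not
        // call ->getIdentity() on null (the "property on null" error above).
        if ($user === null) {
            return;
        }

        // No login action configured means nothing to enforce.
        $action = config('Auth')->actions['login'] ?? null;
        if (! $action) {
            return;
        }

        // The marker must live in the database, not only in the session:
        // a session value alone lets a fresh request skip the prompt.
        // As noted in the thread, this identity has to be created at login
        // (Step 1) by the action itself, or this check never fires.
        $identity = $user->getIdentity('email_2fa');
        if (! $identity instanceof UserIdentity) {
            return;
        }

        // Pending code: send the user back into the action flow.
        session()->set('auth_action', $action);

        return redirect()->route('auth-action-show')
            ->with('error', lang('Auth.need2FA'));
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the response.
    }
}
```

The action is expected to delete the `email_2fa` identity once the correct code is submitted; until then every protected request lands on the code prompt.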

lonnieezell commented 2 years ago

Sorry about that - should be fixed now.

jozefrebjak commented 2 years ago

@lonnieezell perfect. Email 2FA is now working!

lonnieezell commented 2 years ago

@jozefrebjak Awesome! Back in town now and will be tightening up Email Verification also, which should get us ready for a 1.0 launch.