Closed allan-simon closed 10 months ago
I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.
Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.
I don't see a way around this at the moment so I've install email authentication (since all my users require email to be verified) and I've updated my code to automatically enable email MFA for the user following the guide here: https://symfony.com/bundles/SchebTwoFactorBundle/6.x/providers/email.html. Then, once logged in with email MFA the user can add additional options.
I think it'd be great if there was an option in the bundle to require authentication on first login in the future. However, it might require substantial changes. A lot of this seems to boil down to logic in `TotpAuthenticatorTwoFactorProvider::beginAuthentication`, which requires TOTP values to be set before authentication can be made.
I'm thinking maybe I need to add a "firewall" event that would fire a "NeedToSetupGoogleAuthenticatorException"?
> I've tried to do [...] but it fails with `User has to provide a secret code for Google Authenticator authentication.` Which I think is normal because this condition is supposed to be used to enter a code for an existing authenticator
Correct. You cannot have Google Authenticator enabled when you don't have a secret code configured. That's why the docs are recommending `return null !== $this->googleAuthenticatorSecret;` for `isGoogleAuthenticatorEnabled()`.
> I've also come across this issue today but with TOTP authentication. I guess the type of authentication doesn't really matter here.
Correct. The 2fa provider doesn't matter for the implementation.
> Essentially it looks like this bundle doesn't support requiring MFA on first login out-of-the-box.
Correct, and that's how it's supposed to be. Everyone has their own expectations of how a forced 2fa should work, so it would be impossible to provide an out-of-the-box solution that makes everyone happy.
Actually I've never seen how people are solving this problem in the wild. How I'd recommend handling this:
Ideally: force people to set up 2fa during the registration process, so you know they have set it up once they log in. You don't need to bother with it.
If you can't do this - e.g. accounts are automatically created for users and therefore you can't set up 2fa for them - then you have to go the route "force them to set it up on the first login". For that, you'd need to inject a check into the login process, where you check if the user account has 2fa set up, and if not, force them to set it up.
I'd recommend having a look at the `AuthenticationTokenCreatedEvent` event, which is dispatched right after creating the security token object, so by that point the authentication process was successful and you can get the user object from the security token. But at that point the authentication process hasn't been completed yet. The Symfony security layer does not know about that security token yet, so it's a great point to "do stuff" right in the middle of the login process.
The 2fa bundle is actually using that event to inject its magic into the authentication process: intercept the security token, wrap it with 2fa magic, before it's announced to the security layer. Code for reference: https://github.com/scheb/2fa/blob/6.x/src/bundle/Security/TwoFactor/Event/AuthenticationTokenListener.php
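One way to implement the check described above, as an added example that is not code from the scheb/2fa project or from anyone in this thread. It assumes a `User` entity implementing the bundle's `TwoFactorInterface` (with `isGoogleAuthenticatorEnabled()` returning whether a secret is stored, as the docs recommend) and two route names that are assumptions of this example: `app_2fa_setup` (the enrolment page) and `app_logout`. The `AuthenticationTokenCreatedEvent` listener marks the freshly created token when the user logged in without a secret; the `kernel.request` listener then redirects every main request of that session to the setup page until the user provider refreshes a user that has a secret, so the enforcement is not tied to one controller and cannot be bypassed by navigating elsewhere:

```php
<?php
// Added example, not part of scheb/2fa. Assumed route names: 'app_2fa_setup', 'app_logout'.

namespace App\EventSubscriber;

use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;

final class ForceTwoFactorSetupSubscriber implements EventSubscriberInterface
{
    // Token attribute name chosen for this example; it is serialized into the
    // session together with the token, so it survives across requests.
    private const ATTR = 'app.two_factor_setup_pending';

    // Routes a not-yet-enrolled user may still reach (assumed names).
    private const ALLOWED_ROUTES = ['app_2fa_setup', 'app_logout'];

    public function __construct(
        private readonly TokenStorageInterface $tokenStorage,
        private readonly UrlGeneratorInterface $urlGenerator,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Dispatched right after the authenticator built the token and before
            // the security layer acts on it: the login was successful, the user is
            // available, but nothing is stored yet.
            AuthenticationTokenCreatedEvent::class => 'onTokenCreated',
            // Firewall listeners run at priority 8; run after them so the token
            // is already in the token storage.
            KernelEvents::REQUEST => ['onKernelRequest', -10],
        ];
    }

    public function onTokenCreated(AuthenticationTokenCreatedEvent $event): void
    {
        $token = $event->getAuthenticatedToken();
        $user = $token->getUser();

        if ($user instanceof TwoFactorInterface && !$user->isGoogleAuthenticatorEnabled()) {
            // Login succeeded, but no TOTP secret exists: gate this session.
            $token->setAttribute(self::ATTR, true);
        }
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $token = $this->tokenStorage->getToken();
        if (null === $token || !$token->hasAttribute(self::ATTR) || true !== $token->getAttribute(self::ATTR)) {
            return;
        }

        $user = $token->getUser();
        if ($user instanceof TwoFactorInterface && $user->isGoogleAuthenticatorEnabled()) {
            // The user provider refreshed the entity and a secret is now stored:
            // enrolment is complete, lift the gate for this session.
            $token->setAttribute(self::ATTR, false);
            return;
        }

        $route = $event->getRequest()->attributes->get('_route');
        if (\in_array($route, self::ALLOWED_ROUTES, true)) {
            return;
        }

        // Any other page of the firewall is redirected to the enrolment page, so
        // the check does not depend on individual controllers remembering it.
        $event->setResponse(new RedirectResponse(
            $this->urlGenerator->generate('app_2fa_setup')
        ));
    }
}
```

With autoconfiguration the subscriber is registered automatically. The setup controller (not shown) generates the secret, stores it on the user, and from then on `isGoogleAuthenticatorEnabled()` returns true, so the next login goes through the bundle's normal TOTP step. Note that the gate is only armed by a login that passes through `AuthenticationTokenCreatedEvent`; sessions that were already active before the subscriber was deployed are not affected until they log in again.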
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I will soon get to work on this again. I will keep you posted if I get a solution, but yes, I think I will check the `AuthenticationTokenCreatedEvent`.
> If you can't do this - e.g. accounts are automatically created for users and therefore you can't setup 2fa for them - t
Yes, these users are coming from a SamlV2 connection.
But your explanation makes sense on why this bundle does not provide a "built-in" solution.
I've checked https://symfony.com/bundles/SchebTwoFactorBundle/current/troubleshooting.html
Bundle version: 6.9.0
Symfony version: 6.3.5
PHP version: 8.1.20
Using authenticators (`enable_authenticator_manager: true`): YES (mandatory in 6.2+)
Description
I want Google Authenticator to be mandatory on my application.
Hence I thought about doing the following flow:
I'm blocked at step 2.
While I could do a hackish check in the `/dashboard` method to check if there's a Google secret, and if not redirect, it would only be security theater, as other pages will not have the check (I could do it for every single page, but ....).
I've tried to do
but it fails with `User has to provide a secret code for Google Authenticator authentication.`
Which I think is normal because this condition is supposed to be used to enter a code for an existing authenticator
As I'm not familiar enough with Symfony's internals, I'm not sure if the best solution is
Additional Context
my package config: