scheb / 2fa

Two-factor authentication for Symfony applications 🔐
MIT License
504 stars 75 forks

No authenticator raised when I enter the 2FA code, bug only with Traefik #240

Closed namosdjoro7 closed 1 month ago

namosdjoro7 commented 3 months ago

scheb/2fa-bundle: 7.5
Symfony version: 7.1
PHP version: 8.2

Description

I have a Symfony API with an Angular client. When I use the URL configured with Traefik, https://api.test.local, I get this error:

Full authentication is required to access this resource.

When I hit /api/login/2fa_check, the authenticator is not raised in the profiler.

I can still make requests to the API; I just have an issue with the authenticator at this endpoint.

The 2FA was working when I was dealing with localhost.

Additional Context

security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        login:
            pattern: ^/api/login
            stateless: false
            json_login:
                check_path: /api/login_check
                success_handler: login.custom.success_handler
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            two_factor:
                prepare_on_login: true
                check_path: /api/login/2fa_check
                post_only: true
                authentication_required_handler: 2fa.custom.required_handler
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: 2fa.custom.failure_handler

        api:
            pattern: ^/api
            provider: app_user_provider
            stateless: true
            jwt: ~

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # Specific rules first: a leading ^/api catch-all matches every /api/... path
        # and would shadow the two rules below (leaving ^/api/2fa publicly accessible).
        - { path: ^/api/login/2fa_check, roles: PUBLIC_ACCESS }
        - { path: ^/api/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/api, roles: PUBLIC_ACCESS }
        - { path: '^/forgot-password', roles: PUBLIC_ACCESS }

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
            memory_cost: 10 # Lowest possible value for argon

# Separate API Platform resource file documenting the 2FA check path in OpenAPI
App\Controller\TwoFactorController:
  operations:
    2fa_check:
      method: POST
      class: ApiPlatform\Metadata\Post
      path: '/api/login/2fa_check'
      controller: 'App\Controller\TwoFactorController'
      openapi:
        summary: 'Send a OTP and get token'
        description: 'Validate your OTP'
        requestBody:
          required: true
          content:
            application/json:
              schema:
                type: 'object'
                properties:
                  _auth_code: { type: string }
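To make the "only the first matching access control is used" rule concrete, here is a small stand-alone PHP script, added here as an illustration (it is not part of scheb/2fa or of the reporter's application). It evaluates a few request paths against the access_control list in the order posted above and in an order that puts the specific rules before the ^/api catch-all. It is a simplified model that only honours the path regex, the way Symfony applies it to the request path; the real matcher also considers host, ip, methods and other keys. The sample path /api/2fa/qr-code is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Return the roles of the first access_control rule whose path regex matches
 * the given path, or null when no rule matches. Models Symfony's first-match
 * semantics for the `path` key only (simplified: no host/ip/methods keys).
 */
function firstMatchingRoles(array $rules, string $path): ?string
{
    foreach ($rules as $rule) {
        // Symfony applies the `path` pattern as a regex against the request path.
        if (preg_match('{' . $rule['path'] . '}', $path) === 1) {
            return $rule['roles'];
        }
    }

    return null;
}

// Order as posted in the issue: the ^/api catch-all comes first.
$asPosted = [
    ['path' => '^/api',                 'roles' => 'PUBLIC_ACCESS'],
    ['path' => '^/api/login/2fa_check', 'roles' => 'PUBLIC_ACCESS'],
    ['path' => '^/api/2fa',             'roles' => 'IS_AUTHENTICATED_2FA_IN_PROGRESS'],
    ['path' => '^/forgot-password',     'roles' => 'PUBLIC_ACCESS'],
];

// Specific rules first, catch-all last.
$specificFirst = [
    ['path' => '^/api/login/2fa_check', 'roles' => 'PUBLIC_ACCESS'],
    ['path' => '^/api/2fa',             'roles' => 'IS_AUTHENTICATED_2FA_IN_PROGRESS'],
    ['path' => '^/api',                 'roles' => 'PUBLIC_ACCESS'],
    ['path' => '^/forgot-password',     'roles' => 'PUBLIC_ACCESS'],
];

// Constructed sample paths; /api/2fa/qr-code stands in for any 2FA setup endpoint.
$paths = ['/api/login/2fa_check', '/api/2fa/qr-code', '/api/users', '/forgot-password'];

printf("%-22s %-36s %s\n", 'path', 'as posted', 'specific rules first');
foreach ($paths as $path) {
    printf(
        "%-22s %-36s %s\n",
        $path,
        firstMatchingRoles($asPosted, $path) ?? '(no rule)',
        firstMatchingRoles($specificFirst, $path) ?? '(no rule)'
    );
}
```

In the posted order every /api/... path, including /api/2fa/qr-code, resolves to PUBLIC_ACCESS, so the IS_AUTHENTICATED_2FA_IN_PROGRESS rule never takes effect; with the specific rules first it applies as intended while the other paths keep their result.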
scheb commented 2 months ago

Full authentication is required to access this resource

No idea where this is coming from, it's not part of the bundle's implementation 🤷

If it works without Traefik as a proxy, your Traefik configuration is obviously the problem. You should check if the request, including all its HTTP headers, is forwarded properly to the Symfony application. There's likely some header being removed/modified.
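One way to do the check described above is to log what the Symfony kernel actually receives for the 2FA check request, before the firewall runs, and compare a request sent directly to localhost with one sent through Traefik. The listener below is an added example, not code from scheb/2fa or from the reporter's application; the file location, the service name and the log message are assumptions, and the check path mirrors the firewall configuration in the issue. It records the properties a reverse proxy commonly alters: scheme and isSecure(), client IP, Host, the Forwarded/X-Forwarded-* headers, the Origin header, and whether the Cookie header and the session cookie survived the hop.

```php
<?php
// src/EventListener/ProxyRequestDiagnosticListener.php (location is an assumption)
declare(strict_types=1);

namespace App\EventListener;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Logs what Symfony receives for the 2FA check request after the reverse proxy.
 * Priority 64 places it before the firewall listener (kernel.request, priority 8),
 * so the record is written even when authentication fails afterwards.
 */
#[AsEventListener(event: KernelEvents::REQUEST, priority: 64)]
final class ProxyRequestDiagnosticListener
{
    // Same path as the two_factor check_path in the firewall configuration.
    private const CHECK_PATH = '/api/login/2fa_check';

    public function __construct(private readonly LoggerInterface $logger)
    {
    }

    public function __invoke(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || $request->getPathInfo() !== self::CHECK_PATH) {
            return;
        }

        $this->logger->info('2fa_check request as seen by Symfony', self::describe($request));
    }

    /**
     * Collects the request properties a proxy commonly alters. Kept static and
     * side-effect free so it can also be called on a Request built in a test.
     */
    public static function describe(Request $request): array
    {
        // Without an attached session the cookie name falls back to PHP's default.
        $sessionName = $request->hasSession() ? $request->getSession()->getName() : 'PHPSESSID';

        // HeaderBag::all() returns lower-cased header names mapped to value lists.
        $proxyHeaders = [];
        foreach ($request->headers->all() as $name => $values) {
            if ($name === 'forwarded' || $name === 'x-real-ip' || str_starts_with($name, 'x-forwarded-')) {
                $proxyHeaders[$name] = implode(', ', $values);
            }
        }

        return [
            'method'                 => $request->getMethod(),
            'host'                   => $request->getHost(),
            'scheme'                 => $request->getScheme(),
            // isSecure() honours X-Forwarded-Proto only when the proxy IP is in framework.trusted_proxies.
            'is_secure'              => $request->isSecure(),
            'client_ip'              => $request->getClientIp(),
            'trusted_proxies'        => Request::getTrustedProxies(),
            'origin'                 => $request->headers->get('Origin'),
            'content_type'           => $request->headers->get('Content-Type'),
            'has_cookie_header'      => $request->headers->has('Cookie'),
            'session_cookie_present' => $request->cookies->has($sessionName),
            'proxy_headers'          => $proxyHeaders,
        ];
    }
}
```

With the default `autoconfigure: true` the attribute registers the listener without further wiring. Run the login and 2fa_check flow once against localhost and once against https://api.test.local, then diff the two log records: a missing Cookie header, `session_cookie_present` false, or `is_secure` false alongside an empty `trusted_proxies` list each point at something the proxy path changed or that Symfony is not configured to trust. `describe()` can also be exercised without a proxy in a test, for instance on `Request::create('/api/login/2fa_check', 'POST', [], [], [], ['HTTP_X_FORWARDED_PROTO' => 'https', 'REMOTE_ADDR' => '172.18.0.2'])` (constructed values), to see how `is_secure` changes once that address is listed in `framework.trusted_proxies`.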

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.