diff options
author | Jeremy Benoist <jeremy.benoist@gmail.com> | 2018-12-02 12:43:05 +0100 |
---|---|---|
committer | Jeremy Benoist <jeremy.benoist@gmail.com> | 2019-01-23 13:28:02 +0100 |
commit | a6b242a1fd6f8900d80354361449f1bf62506ef9 (patch) | |
tree | f69d87208d0ebbdb8517529582280b174af74a16 /app | |
parent | acd4412080dfb73ecaa7f9983728d1d55bc27ea4 (diff) | |
download | wallabag-a6b242a1fd6f8900d80354361449f1bf62506ef9.tar.gz wallabag-a6b242a1fd6f8900d80354361449f1bf62506ef9.tar.zst wallabag-a6b242a1fd6f8900d80354361449f1bf62506ef9.zip |
Enable OTP 2FA
- Update SchebTwoFactorBundle to version 3
- Enable Google 2fa on the bundle
- Disallow ability to use both email and google as 2fa
- Update Ocramius Proxy Manager to handle typed function & attributes (from PHP 7)
- use `$this->addFlash` shortcut instead of `$this->get('session')->getFlashBag()->add`
- update admin to be able to create/reset the 2fa
Diffstat (limited to 'app')
-rw-r--r-- | app/DoctrineMigrations/Version20181202073750.php | 22 | ||||
-rw-r--r-- | app/Resources/static/themes/_global/index.js | 18 | ||||
-rwxr-xr-x | app/Resources/static/themes/material/index.js | 5 | ||||
-rw-r--r-- | app/config/config.yml | 8 | ||||
-rw-r--r-- | app/config/routing.yml | 8 | ||||
-rw-r--r-- | app/config/security.yml | 9 |
6 files changed, 68 insertions, 2 deletions
diff --git a/app/DoctrineMigrations/Version20181202073750.php b/app/DoctrineMigrations/Version20181202073750.php new file mode 100644 index 00000000..a2308b99 --- /dev/null +++ b/app/DoctrineMigrations/Version20181202073750.php | |||
@@ -0,0 +1,22 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Application\Migrations; | ||
4 | |||
5 | use Doctrine\DBAL\Schema\Schema; | ||
6 | use Wallabag\CoreBundle\Doctrine\WallabagMigration; | ||
7 | |||
8 | /** | ||
9 | * Add 2fa OTP (named google authenticator). | ||
10 | */ | ||
11 | final class Version20181202073750 extends WallabagMigration | ||
12 | { | ||
13 | public function up(Schema $schema): void | ||
14 | { | ||
15 | $this->addSql('ALTER TABLE ' . $this->getTable('user') . ' ADD googleAuthenticatorSecret VARCHAR(191) DEFAULT NULL, CHANGE twoFactorAuthentication emailTwoFactor BOOLEAN NOT NULL, DROP trusted'); | ||
16 | } | ||
17 | |||
18 | public function down(Schema $schema): void | ||
19 | { | ||
20 | $this->addSql('ALTER TABLE `' . $this->getTable('user') . '` DROP googleAuthenticatorSecret, CHANGE emailtwofactor twoFactorAuthentication BOOLEAN NOT NULL, ADD trusted TEXT DEFAULT NULL'); | ||
21 | } | ||
22 | } | ||
diff --git a/app/Resources/static/themes/_global/index.js b/app/Resources/static/themes/_global/index.js index bb3e95b6..9ad96fc0 100644 --- a/app/Resources/static/themes/_global/index.js +++ b/app/Resources/static/themes/_global/index.js | |||
@@ -89,4 +89,22 @@ $(document).ready(() => { | |||
89 | } | 89 | } |
90 | }; | 90 | }; |
91 | }); | 91 | }); |
92 | |||
93 | // mimic radio button because emailTwoFactor is a boolean | ||
94 | $('#update_user_googleTwoFactor').on('change', () => { | ||
95 | $('#update_user_emailTwoFactor').prop('checked', false); | ||
96 | }); | ||
97 | |||
98 | $('#update_user_emailTwoFactor').on('change', () => { | ||
99 | $('#update_user_googleTwoFactor').prop('checked', false); | ||
100 | }); | ||
101 | |||
102 | // same mimic for super admin | ||
103 | $('#user_googleTwoFactor').on('change', () => { | ||
104 | $('#user_emailTwoFactor').prop('checked', false); | ||
105 | }); | ||
106 | |||
107 | $('#user_emailTwoFactor').on('change', () => { | ||
108 | $('#user_googleTwoFactor').prop('checked', false); | ||
109 | }); | ||
92 | }); | 110 | }); |
diff --git a/app/Resources/static/themes/material/index.js b/app/Resources/static/themes/material/index.js index 05794597..2926cad1 100755 --- a/app/Resources/static/themes/material/index.js +++ b/app/Resources/static/themes/material/index.js | |||
@@ -50,25 +50,30 @@ $(document).ready(() => { | |||
50 | $('#tag_label').focus(); | 50 | $('#tag_label').focus(); |
51 | return false; | 51 | return false; |
52 | }); | 52 | }); |
53 | |||
53 | $('#nav-btn-add').on('click', () => { | 54 | $('#nav-btn-add').on('click', () => { |
54 | toggleNav('.nav-panel-add', '#entry_url'); | 55 | toggleNav('.nav-panel-add', '#entry_url'); |
55 | return false; | 56 | return false; |
56 | }); | 57 | }); |
58 | |||
57 | const materialAddForm = $('.nav-panel-add'); | 59 | const materialAddForm = $('.nav-panel-add'); |
58 | materialAddForm.on('submit', () => { | 60 | materialAddForm.on('submit', () => { |
59 | materialAddForm.addClass('disabled'); | 61 | materialAddForm.addClass('disabled'); |
60 | $('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur'); | 62 | $('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur'); |
61 | }); | 63 | }); |
64 | |||
62 | $('#nav-btn-search').on('click', () => { | 65 | $('#nav-btn-search').on('click', () => { |
63 | toggleNav('.nav-panel-search', '#search_entry_term'); | 66 | toggleNav('.nav-panel-search', '#search_entry_term'); |
64 | return false; | 67 | return false; |
65 | }); | 68 | }); |
69 | |||
66 | $('.close').on('click', (e) => { | 70 | $('.close').on('click', (e) => { |
67 | $(e.target).parent('.nav-panel-item').hide(100); | 71 | $(e.target).parent('.nav-panel-item').hide(100); |
68 | $('.nav-panel-actions').show(100); | 72 | $('.nav-panel-actions').show(100); |
69 | $('.nav-panels').css('background', 'transparent'); | 73 | $('.nav-panels').css('background', 'transparent'); |
70 | return false; | 74 | return false; |
71 | }); | 75 | }); |
76 | |||
72 | $(window).scroll(() => { | 77 | $(window).scroll(() => { |
73 | const s = $(window).scrollTop(); | 78 | const s = $(window).scrollTop(); |
74 | const d = $(document).height(); | 79 | const d = $(document).height(); |
diff --git a/app/config/config.yml b/app/config/config.yml index 4b34af30..908f53b7 100644 --- a/app/config/config.yml +++ b/app/config/config.yml | |||
@@ -198,10 +198,14 @@ fos_oauth_server: | |||
198 | refresh_token_lifetime: 1209600 | 198 | refresh_token_lifetime: 1209600 |
199 | 199 | ||
200 | scheb_two_factor: | 200 | scheb_two_factor: |
201 | trusted_computer: | 201 | trusted_device: |
202 | enabled: true | 202 | enabled: true |
203 | cookie_name: wllbg_trusted_computer | 203 | cookie_name: wllbg_trusted_computer |
204 | cookie_lifetime: 2592000 | 204 | lifetime: 2592000 |
205 | |||
206 | google: | ||
207 | enabled: "%twofactor_auth%" | ||
208 | template: WallabagUserBundle:Authentication:form.html.twig | ||
205 | 209 | ||
206 | email: | 210 | email: |
207 | enabled: "%twofactor_auth%" | 211 | enabled: "%twofactor_auth%" |
diff --git a/app/config/routing.yml b/app/config/routing.yml index 0bd2d130..a7c0f7e9 100644 --- a/app/config/routing.yml +++ b/app/config/routing.yml | |||
@@ -51,3 +51,11 @@ craue_config_settings_modify: | |||
51 | 51 | ||
52 | fos_js_routing: | 52 | fos_js_routing: |
53 | resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml" | 53 | resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml" |
54 | |||
55 | 2fa_login: | ||
56 | path: /2fa | ||
57 | defaults: | ||
58 | _controller: "scheb_two_factor.form_controller:form" | ||
59 | |||
60 | 2fa_login_check: | ||
61 | path: /2fa_check | ||
diff --git a/app/config/security.yml b/app/config/security.yml index 96489e26..6a21b4e5 100644 --- a/app/config/security.yml +++ b/app/config/security.yml | |||
@@ -56,9 +56,17 @@ security: | |||
56 | path: /logout | 56 | path: /logout |
57 | target: / | 57 | target: / |
58 | 58 | ||
59 | two_factor: | ||
60 | provider: fos_userbundle | ||
61 | auth_form_path: 2fa_login | ||
62 | check_path: 2fa_login_check | ||
63 | |||
59 | access_control: | 64 | access_control: |
60 | - { path: ^/api/(doc|version|info|user), roles: IS_AUTHENTICATED_ANONYMOUSLY } | 65 | - { path: ^/api/(doc|version|info|user), roles: IS_AUTHENTICATED_ANONYMOUSLY } |
61 | - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } | 66 | - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } |
67 | # force role for logout otherwise when 2fa enable, you won't be able to logout | ||
68 | # https://github.com/scheb/two-factor-bundle/issues/168#issuecomment-430822478 | ||
69 | - { path: ^/logout, roles: [IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_2FA_IN_PROGRESS] } | ||
62 | - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } | 70 | - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY } |
63 | - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } | 71 | - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY } |
64 | - { path: /(unread|starred|archive|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY } | 72 | - { path: /(unread|starred|archive|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY } |
@@ -67,5 +75,6 @@ security: | |||
67 | - { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY } | 75 | - { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY } |
68 | - { path: ^/settings, roles: ROLE_SUPER_ADMIN } | 76 | - { path: ^/settings, roles: ROLE_SUPER_ADMIN } |
69 | - { path: ^/annotations, roles: ROLE_USER } | 77 | - { path: ^/annotations, roles: ROLE_USER } |
78 | - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS } | ||
70 | - { path: ^/users, roles: ROLE_SUPER_ADMIN } | 79 | - { path: ^/users, roles: ROLE_SUPER_ADMIN } |
71 | - { path: ^/, roles: ROLE_USER } | 80 | - { path: ^/, roles: ROLE_USER } |