6 files changed, 68 insertions, 2 deletions
diff --git a/app/DoctrineMigrations/Version20181202073750.php b/app/DoctrineMigrations/Version20181202073750.php
new file mode 100644
index 00000000..a2308b99
--- /dev/null
+++ b/app/DoctrineMigrations/Version20181202073750.php
@@ -0,0 +1,22 @@
+<?php
+namespace Application\Migrations;
+use Doctrine\DBAL\Schema\Schema;
+use Wallabag\CoreBundle\Doctrine\WallabagMigration;
+/**
+ * Add 2fa OTP (named google authenticator).
+ */
+final class Version20181202073750 extends WallabagMigration
+{
+    public function up(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE ' . $this->getTable('user') . ' ADD googleAuthenticatorSecret VARCHAR(191) DEFAULT NULL, CHANGE twoFactorAuthentication emailTwoFactor BOOLEAN NOT NULL, DROP trusted');
+    }
+    public function down(Schema $schema): void
+    {
+        $this->addSql('ALTER TABLE `' . $this->getTable('user') . '` DROP googleAuthenticatorSecret, CHANGE emailtwofactor twoFactorAuthentication BOOLEAN NOT NULL, ADD trusted TEXT DEFAULT NULL');
+    }
+}
diff --git a/app/Resources/static/themes/_global/index.js b/app/Resources/static/themes/_global/index.js
index bb3e95b6..9ad96fc0 100644
--- a/app/Resources/static/themes/_global/index.js
+++ b/app/Resources/static/themes/_global/index.js
@@ -89,4 +89,22 @@ $(document).ready(() => {
      }
    };
  });
+  // mimic radio button because emailTwoFactor is a boolean
+  $('#update_user_googleTwoFactor').on('change', () => {
+    $('#update_user_emailTwoFactor').prop('checked', false);
+  });
+  $('#update_user_emailTwoFactor').on('change', () => {
+    $('#update_user_googleTwoFactor').prop('checked', false);
+  });
+  // same mimic for super admin
+  $('#user_googleTwoFactor').on('change', () => {
+    $('#user_emailTwoFactor').prop('checked', false);
+  });
+  $('#user_emailTwoFactor').on('change', () => {
+    $('#user_googleTwoFactor').prop('checked', false);
+  });
 });
diff --git a/app/Resources/static/themes/material/index.js b/app/Resources/static/themes/material/index.js
index 05794597..2926cad1 100755
--- a/app/Resources/static/themes/material/index.js
+++ b/app/Resources/static/themes/material/index.js
@@ -50,25 +50,30 @@ $(document).ready(() => {
    $('#tag_label').focus();
    return false;
  });
  $('#nav-btn-add').on('click', () => {
    toggleNav('.nav-panel-add', '#entry_url');
    return false;
  });
  const materialAddForm = $('.nav-panel-add');
  materialAddForm.on('submit', () => {
    materialAddForm.addClass('disabled');
    $('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur');
  });
  $('#nav-btn-search').on('click', () => {
    toggleNav('.nav-panel-search', '#search_entry_term');
    return false;
  });
  $('.close').on('click', (e) => {
    $(e.target).parent('.nav-panel-item').hide(100);
    $('.nav-panel-actions').show(100);
    $('.nav-panels').css('background', 'transparent');
    return false;
  });
  $(window).scroll(() => {
    const s = $(window).scrollTop();
    const d = $(document).height();
diff --git a/app/config/config.yml b/app/config/config.yml
index 4b34af30..908f53b7 100644
--- a/app/config/config.yml
+++ b/app/config/config.yml
@@ -198,10 +198,14 @@ fos_oauth_server:
            refresh_token_lifetime: 1209600
 scheb_two_factor:
-    trusted_computer:
+    trusted_device:
        enabled: true
        cookie_name: wllbg_trusted_computer
-        cookie_lifetime: 2592000
+        lifetime: 2592000
+    google:
+        enabled: "%twofactor_auth%"
+        template: WallabagUserBundle:Authentication:form.html.twig
    email:
        enabled: "%twofactor_auth%"
diff --git a/app/config/routing.yml b/app/config/routing.yml
index 0bd2d130..a7c0f7e9 100644
--- a/app/config/routing.yml
+++ b/app/config/routing.yml
@@ -51,3 +51,11 @@ craue_config_settings_modify:
 fos_js_routing:
    resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"
+2fa_login:
+    path: /2fa
+    defaults:
+        _controller: "scheb_two_factor.form_controller:form"
+2fa_login_check:
+    path: /2fa_check
diff --git a/app/config/security.yml b/app/config/security.yml
index 96489e26..6a21b4e5 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -56,9 +56,17 @@ security:
                path:   /logout
                target: /
+            two_factor:
+                provider: fos_userbundle
+                auth_form_path: 2fa_login
+                check_path: 2fa_login_check
    access_control:
        - { path: ^/api/(doc|version|info|user), roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        # force role for logout otherwise when 2fa enable, you won't be able to logout
+        # https://github.com/scheb/two-factor-bundle/issues/168#issuecomment-430822478
+        - { path: ^/logout, roles: [IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_2FA_IN_PROGRESS] }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: /(unread|starred|archive|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
@@ -67,5 +75,6 @@ security:
        - { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/settings, roles: ROLE_SUPER_ADMIN }
        - { path: ^/annotations, roles: ROLE_USER }
+        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/users, roles: ROLE_SUPER_ADMIN }
        - { path: ^/, roles: ROLE_USER }

diff --git a/app/DoctrineMigrations/Version20181202073750.php b/app/DoctrineMigrations/Version20181202073750.php new file mode 100644 index 00000000..a2308b99 --- /dev/null +++ b/app/DoctrineMigrations/Version20181202073750.php
@@ -0,0 +1,22 @@
		1	<?php
		2
		3	namespace Application\Migrations;
		4
		5	use Doctrine\DBAL\Schema\Schema;
		6	use Wallabag\CoreBundle\Doctrine\WallabagMigration;
		7
		8	/**
		9	* Add 2fa OTP (named google authenticator).
		10	*/
		11	final class Version20181202073750 extends WallabagMigration
		12	{
		13	public function up(Schema $schema): void
		14	{
		15	$this->addSql('ALTER TABLE ' . $this->getTable('user') . ' ADD googleAuthenticatorSecret VARCHAR(191) DEFAULT NULL, CHANGE twoFactorAuthentication emailTwoFactor BOOLEAN NOT NULL, DROP trusted');
		16	}
		17
		18	public function down(Schema $schema): void
		19	{
		20	$this->addSql('ALTER TABLE `' . $this->getTable('user') . '` DROP googleAuthenticatorSecret, CHANGE emailtwofactor twoFactorAuthentication BOOLEAN NOT NULL, ADD trusted TEXT DEFAULT NULL');
		21	}
		22	}


diff --git a/app/Resources/static/themes/_global/index.js b/app/Resources/static/themes/_global/index.js index bb3e95b6..9ad96fc0 100644 --- a/app/Resources/static/themes/_global/index.js +++ b/app/Resources/static/themes/_global/index.js
@@ -89,4 +89,22 @@ $(document).ready(() => {
89	}	89	}
90	};	90	};
91	});	91	});
		92
		93	// mimic radio button because emailTwoFactor is a boolean
		94	$('#update_user_googleTwoFactor').on('change', () => {
		95	$('#update_user_emailTwoFactor').prop('checked', false);
		96	});
		97
		98	$('#update_user_emailTwoFactor').on('change', () => {
		99	$('#update_user_googleTwoFactor').prop('checked', false);
		100	});
		101
		102	// same mimic for super admin
		103	$('#user_googleTwoFactor').on('change', () => {
		104	$('#user_emailTwoFactor').prop('checked', false);
		105	});
		106
		107	$('#user_emailTwoFactor').on('change', () => {
		108	$('#user_googleTwoFactor').prop('checked', false);
		109	});
92	});	110	});


diff --git a/app/Resources/static/themes/material/index.js b/app/Resources/static/themes/material/index.js index 05794597..2926cad1 100755 --- a/app/Resources/static/themes/material/index.js +++ b/app/Resources/static/themes/material/index.js
@@ -50,25 +50,30 @@ $(document).ready(() => {
50	$('#tag_label').focus();	50	$('#tag_label').focus();
51	return false;	51	return false;
52	});	52	});
		53
53	$('#nav-btn-add').on('click', () => {	54	$('#nav-btn-add').on('click', () => {
54	toggleNav('.nav-panel-add', '#entry_url');	55	toggleNav('.nav-panel-add', '#entry_url');
55	return false;	56	return false;
56	});	57	});
		58
57	const materialAddForm = $('.nav-panel-add');	59	const materialAddForm = $('.nav-panel-add');
58	materialAddForm.on('submit', () => {	60	materialAddForm.on('submit', () => {
59	materialAddForm.addClass('disabled');	61	materialAddForm.addClass('disabled');
60	$('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur');	62	$('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur');
61	});	63	});
		64
62	$('#nav-btn-search').on('click', () => {	65	$('#nav-btn-search').on('click', () => {
63	toggleNav('.nav-panel-search', '#search_entry_term');	66	toggleNav('.nav-panel-search', '#search_entry_term');
64	return false;	67	return false;
65	});	68	});
		69
66	$('.close').on('click', (e) => {	70	$('.close').on('click', (e) => {
67	$(e.target).parent('.nav-panel-item').hide(100);	71	$(e.target).parent('.nav-panel-item').hide(100);
68	$('.nav-panel-actions').show(100);	72	$('.nav-panel-actions').show(100);
69	$('.nav-panels').css('background', 'transparent');	73	$('.nav-panels').css('background', 'transparent');
70	return false;	74	return false;
71	});	75	});
		76
72	$(window).scroll(() => {	77	$(window).scroll(() => {
73	const s = $(window).scrollTop();	78	const s = $(window).scrollTop();
74	const d = $(document).height();	79	const d = $(document).height();


diff --git a/app/config/config.yml b/app/config/config.yml index 4b34af30..908f53b7 100644 --- a/app/config/config.yml +++ b/app/config/config.yml
@@ -198,10 +198,14 @@ fos_oauth_server:
198	refresh_token_lifetime: 1209600	198	refresh_token_lifetime: 1209600
199		199
200	scheb_two_factor:	200	scheb_two_factor:
201	trusted_computer:	201	trusted_device:
202	enabled: true	202	enabled: true
203	cookie_name: wllbg_trusted_computer	203	cookie_name: wllbg_trusted_computer
204	cookie_lifetime: 2592000	204	lifetime: 2592000
		205
		206	google:
		207	enabled: "%twofactor_auth%"
		208	template: WallabagUserBundle:Authentication:form.html.twig
205		209
206	email:	210	email:
207	enabled: "%twofactor_auth%"	211	enabled: "%twofactor_auth%"


diff --git a/app/config/routing.yml b/app/config/routing.yml index 0bd2d130..a7c0f7e9 100644 --- a/app/config/routing.yml +++ b/app/config/routing.yml
@@ -51,3 +51,11 @@ craue_config_settings_modify:
51		51
52	fos_js_routing:	52	fos_js_routing:
53	resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"	53	resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"
		54
		55	2fa_login:
		56	path: /2fa
		57	defaults:
		58	_controller: "scheb_two_factor.form_controller:form"
		59
		60	2fa_login_check:
		61	path: /2fa_check


diff --git a/app/config/security.yml b/app/config/security.yml index 96489e26..6a21b4e5 100644 --- a/app/config/security.yml +++ b/app/config/security.yml
@@ -56,9 +56,17 @@ security:
56	path: /logout	56	path: /logout
57	target: /	57	target: /
58		58
		59	two_factor:
		60	provider: fos_userbundle
		61	auth_form_path: 2fa_login
		62	check_path: 2fa_login_check
		63
59	access_control:	64	access_control:
60	- { path: ^/api/(doc\|version\|info\|user), roles: IS_AUTHENTICATED_ANONYMOUSLY }	65	- { path: ^/api/(doc\|version\|info\|user), roles: IS_AUTHENTICATED_ANONYMOUSLY }
61	- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }	66	- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
		67	# force role for logout otherwise when 2fa enable, you won't be able to logout
		68	# https://github.com/scheb/two-factor-bundle/issues/168#issuecomment-430822478
		69	- { path: ^/logout, roles: [IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_2FA_IN_PROGRESS] }
62	- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }	70	- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
63	- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }	71	- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
64	- { path: /(unread\|starred\|archive\|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }	72	- { path: /(unread\|starred\|archive\|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
@@ -67,5 +75,6 @@ security:
67	- { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }	75	- { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }
68	- { path: ^/settings, roles: ROLE_SUPER_ADMIN }	76	- { path: ^/settings, roles: ROLE_SUPER_ADMIN }
69	- { path: ^/annotations, roles: ROLE_USER }	77	- { path: ^/annotations, roles: ROLE_USER }
		78	- { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
70	- { path: ^/users, roles: ROLE_SUPER_ADMIN }	79	- { path: ^/users, roles: ROLE_SUPER_ADMIN }
71	- { path: ^/, roles: ROLE_USER }	80	- { path: ^/, roles: ROLE_USER }