From a6b242a1fd6f8900d80354361449f1bf62506ef9 Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Sun, 2 Dec 2018 12:43:05 +0100
Subject: Enable OTP 2FA
- Update SchebTwoFactorBundle to version 3
- Enable Google 2fa on the bundle
- Disallow ability to use both email and google as 2fa
- Update Ocramius Proxy Manager to handle typed function & attributes (from PHP 7)
- use `$this->addFlash` shortcut instead of `$this->get('session')->getFlashBag()->add`
- update admin to be able to create/reset the 2fa
---
 app/config/config.yml | 8 ++++++--
 app/config/routing.yml | 8 ++++++++
 app/config/security.yml | 9 +++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
(limited to 'app/config')
diff --git a/app/config/config.yml b/app/config/config.yml
index 4b34af30..908f53b7 100644
--- a/app/config/config.yml
+++ b/app/config/config.yml
@@ -198,10 +198,14 @@ fos_oauth_server:
 refresh_token_lifetime: 1209600
 scheb_two_factor:
- trusted_computer:
+ trusted_device:
 enabled: true
 cookie_name: wllbg_trusted_computer
- cookie_lifetime: 2592000
+ lifetime: 2592000
+
+ google:
+ enabled: "%twofactor_auth%"
+ template: WallabagUserBundle:Authentication:form.html.twig
 email:
 enabled: "%twofactor_auth%"
diff --git a/app/config/routing.yml b/app/config/routing.yml
index 0bd2d130..a7c0f7e9 100644
--- a/app/config/routing.yml
+++ b/app/config/routing.yml
@@ -51,3 +51,11 @@ craue_config_settings_modify:
 fos_js_routing:
 resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"
+
+2fa_login:
+ path: /2fa
+ defaults:
+ _controller: "scheb_two_factor.form_controller:form"
+
+2fa_login_check:
+ path: /2fa_check
diff --git a/app/config/security.yml b/app/config/security.yml
index 96489e26..6a21b4e5 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
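Review bot: In app/config/config.yml, the `trusted_device` block keeps the 30-day `lifetime: 2592000` but sets no cookie hardening, so the cookie that lets a browser skip the new second factor is issued with the bundle's defaults. If the instance is served over HTTPS and the installed 3.x release supports the option, add `cookie_secure: true` under `trusted_device`. It is also worth confirming that the admin "create/reset the 2fa" path named in the commit message (not visible in this app/config view) invalidates a user's existing trusted-device cookies. Separately, `google.enabled` and `email.enabled` are both driven by `%twofactor_auth%`, so the "not both" rule has to be enforced per user outside this file; a comment such as `# google and email are mutually exclusive per user, enforced in the user settings code` would record that. The `email` block continues below the hunk.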
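Review bot: In app/config/routing.yml, `2fa_login_check` is declared with a path and no `_controller`, which reads like an unfinished route to anyone who does not know the bundle. A comment above it along the lines of `# no controller: requests to this path are handled by the two_factor firewall (check_path in security.yml)` would document why, assuming the bundle behaves as its documentation describes. Both new paths also depend on the `^/2fa` prefix rule added in security.yml, so a later rename of either path needs that pattern updated with it.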
@@ -56,9 +56,17 @@ security:
 path: /logout
 target: /
+ two_factor:
+ provider: fos_userbundle
+ auth_form_path: 2fa_login
+ check_path: 2fa_login_check
+
 access_control:
 - { path: ^/api/(doc|version|info|user), roles: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+ # force role for logout otherwise when 2fa enable, you won't be able to logout
+ # https://github.com/scheb/two-factor-bundle/issues/168#issuecomment-430822478
+ - { path: ^/logout, roles: [IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_2FA_IN_PROGRESS] }
 - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: /(unread|starred|archive|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
@@ -67,5 +75,6 @@ security:
 - { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: ^/settings, roles: ROLE_SUPER_ADMIN }
 - { path: ^/annotations, roles: ROLE_USER }
+ - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
 - { path: ^/users, roles: ROLE_SUPER_ADMIN }
 - { path: ^/, roles: ROLE_USER }
-- cgit v1.2.3
From dfd0a7bc5feb4fd7b77d7e2f3a25c5c3febc1eba Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Mon, 3 Dec 2018 06:51:06 +0100
Subject: Add backup codes
---
 app/config/config.yml | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'app/config')
diff --git a/app/config/config.yml b/app/config/config.yml
index 908f53b7..2d8f9bf0 100644
--- a/app/config/config.yml
+++ b/app/config/config.yml
@@ -203,6 +203,9 @@ scheb_two_factor:
 cookie_name: wllbg_trusted_computer
 lifetime: 2592000
+ backup_codes:
+ enabled: "%twofactor_auth%"
+
 google:
 enabled: "%twofactor_auth%"
 template: WallabagUserBundle:Authentication:form.html.twig
-- cgit v1.2.3
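Review bot: In the first app/config/security.yml hunk, the new `two_factor` entry wires `check_path: 2fa_login_check` with no visible limit on failed code submissions, and nothing else in this app/config view adds one. A short one-time code is only a meaningful second factor if wrong guesses are throttled, so confirm that failed attempts are counted somewhere and that the pending login is delayed or dropped after a few failures. The bundle emits a `scheb_two_factor.authentication.failure` event that a listener can use for this. A comment above the block, for example `# failed 2FA attempts are rate-limited in <listener placeholder>`, would point maintainers to that control. The enclosing firewall definition starts above this hunk.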
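Review bot: In the second app/config/security.yml hunk, the added `^/2fa` rule uses the singular key `role:` while the `^/logout` rule added in the previous hunk uses `roles:`. The file already mixes both spellings, but new lines are better kept on one: `- { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }`. Because access_control stops at the first matching rule, this entry must stay above `^/`; placing it directly after the `^/logout` rule would keep the two 2FA-related entries together and make that ordering dependency visible. Note that `^/2fa` is a prefix match, so any future route whose path begins with `/2fa` inherits this rule.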
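Review bot: In the "Add backup codes" hunk, `backup_codes.enabled` turns on a second, static way past the 2FA prompt, and this app/config view shows nothing about how the codes are stored or consumed. Check in the user entity (outside this page) that each code is invalidated on first use, is not kept in clear text, and is regenerated when 2FA is reset. A comment above the key such as `# recovery codes: single-use, regenerated on 2FA reset` would state the expectation where the feature is switched on.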