
2FA (TOTP and U2F) on a per user basis #861

Open
jtraulle opened this issue Jan 19, 2020 · 4 comments
Comments

@jtraulle
Contributor

Hello,

This is related to #404 😉

It would be great if both U2F and TOTP second factor authentication could be enabled on a per user basis.

Right now, when it is enabled, all users must use it (however some users do not have an U2F security key or a smartphone, so they cannot or do not want to add this second layer of security).

@rochamarcelo
Collaborator

It's a good feature and should not be hard to achieve since we can extend the https://github.com/CakeDC/auth/blob/6.next/src/Authentication/DefaultU2fAuthenticationChecker.php

@viniciusbig

viniciusbig commented Sep 28, 2020

I've coded that in my app

something like that:

Add a new field in the users table to hold this configuration:

// migration file
public function change()
{
    $table = $this->table('users');
    $table->addColumn('two_steps', 'boolean', [
        'default' => 0,
        'null' => false,
    ]);
    $table->update();
}

Creating a new checker:

// src/Authentication/DefaultOneTimePasswordAuthenticationChecker.php
declare(strict_types=1);

namespace App\Authentication;

use CakeDC\Auth\Authentication\DefaultOneTimePasswordAuthenticationChecker as CakeDCAuthentication;

/**
 * Default class to check if two factor authentication is enabled and required
 *
 * @package App\Authentication
 */
class DefaultOneTimePasswordAuthenticationChecker extends CakeDCAuthentication
{
    /**
     * Check if two factor authentication is required for a user
     *
     * @param array $user user data
     *
     * @return bool
     */
    public function isRequired(?array $user = null)
    {
        return parent::isRequired($user) && $user['two_steps'];
    }
}

Configuring your user.php to use the new checker:

$config = [
    'OneTimePasswordAuthenticator' => [
        // custom checker to skip 2FA by user settings
        'checker' => \App\Authentication\DefaultOneTimePasswordAuthenticationChecker::class,
    ],
];

This should be enough!

But I agree this should be added on the plugin itself =)

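As an added example (not code from the issue or from CakeDC), the same per-user approach applied to both checkers the issue asks for, TOTP and U2F, with the `two_steps` flag read defensively so a null user or a missing key means "not required" instead of a notice. The `U2f.checker` config key, the U2F checker's `isRequired(?array $user = null)` signature, and the class names are assumptions.

```php
<?php
declare(strict_types=1);

namespace App\Authentication;

use CakeDC\Auth\Authentication\DefaultOneTimePasswordAuthenticationChecker as BaseTotpChecker;
use CakeDC\Auth\Authentication\DefaultU2fAuthenticationChecker as BaseU2fChecker;

// Shared per-user opt-in check (one class per file in a real app; inlined here to keep the example short).
// `two_steps` is the column the migration above adds; null user or missing key => not required, no notice.
trait PerUserSecondFactorTrait
{
    protected function userOptedIn(?array $user): bool
    {
        return !empty($user['two_steps']);
    }
}

class PerUserOneTimePasswordAuthenticationChecker extends BaseTotpChecker
{
    use PerUserSecondFactorTrait;

    public function isRequired(?array $user = null): bool
    {
        // The site-wide switch still wins: with TOTP disabled globally nobody is prompted.
        return parent::isRequired($user) && $this->userOptedIn($user);
    }
}

// Assumed: DefaultU2fAuthenticationChecker exposes the same isRequired(?array $user = null) signature.
class PerUserU2fAuthenticationChecker extends BaseU2fChecker
{
    use PerUserSecondFactorTrait;

    public function isRequired(?array $user = null): bool
    {
        return parent::isRequired($user) && $this->userOptedIn($user);
    }
}

// Config fragment; the 'U2f.checker' key is assumed to mirror 'OneTimePasswordAuthenticator.checker'.
$config = [
    'OneTimePasswordAuthenticator' => [
        'checker' => PerUserOneTimePasswordAuthenticationChecker::class,
    ],
    'U2f' => [
        'checker' => PerUserU2fAuthenticationChecker::class,
    ],
];
```

Keeping the global `enabled` switch as the outer condition means an operator can still turn a factor off for everyone without touching user rows.
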
@LordSimal
Contributor

LordSimal commented Mar 11, 2022

@viniciusbig solution works like a charm, even with latest CakeDC/Users 11 version 👍🏻
Thank you very much!

@ajibarra
Member

@viniciusbig would you mind making a PR to include this feature in latest versions?
