sandstorm / neostwofactorauthentication
Extend the Neos Backend Login with 2FA
License: MIT License
When a user enables 2FA, their credentials should immediately be updated, or they should be logged out and forced to re-login to make sure the token is 2FA enabled.
This is necessary to either force users to enable it or give them a notice in some way to enable it.
Currently the token is not updated and the new status cannot be properly detected.
While testing I could only successfully use the plugin with Google Authenticator; the Microsoft and 1Password apps said that the QR code is invalid.
Would be great to add a "tested" app list to the readme.
At the moment only one second factor per user is checked:
The provider should check all factors and match if one was correct.
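The following is an added example (not the project's own code, which is PHP) illustrating the difference between consulting only one registered factor and consulting all of them. It implements RFC 4226 HOTP / RFC 6238 TOTP in Python so it runs stand-alone; the first secret uses the RFC test-vector key, the second secret and the factor list are constructed for the illustration.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // TIME_STEP, digits)


def code_matches_factor(secret: bytes, submitted: str, timestamp: int, window: int = 1) -> bool:
    """True if the submitted code equals the TOTP of this factor for the current step
    or one of the +/- `window` neighbouring steps (tolerates small clock drift)."""
    hit = False
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TIME_STEP)
        # constant-time comparison; keep looping so timing does not reveal which step matched
        hit |= hmac.compare_digest(expected, submitted)
    return hit


def verify_first_factor_only(factors, submitted: str, timestamp: int) -> bool:
    """The behaviour the issue describes: only a single registered factor is consulted."""
    if not factors:
        return False
    return code_matches_factor(factors[0], submitted, timestamp)


def verify_any_factor(factors, submitted: str, timestamp: int) -> bool:
    """The requested behaviour: accept the code if it matches ANY registered factor."""
    matched = False
    for secret in factors:
        matched |= code_matches_factor(secret, submitted, timestamp)
    return matched


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"            # RFC 4226 / 6238 test-vector key
    other_secret = b"constructed-other-factor-secret"  # constructed, stands in for a second device
    factors = [other_secret, rfc_secret]           # constructed: the user's registered factors
    code = totp(rfc_secret, 59)                    # "287082" per RFC 6238
    print("first-only:", verify_first_factor_only(factors, code, 59))  # False
    print("any-factor:", verify_any_factor(factors, code, 59))         # True
```

A provider that only consults the first factor rejects a valid code from the user's second device; iterating over every registered factor (without short-circuiting, and using a constant-time compare) accepts it while still rejecting codes that match none.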
The new version with the option to enforce 2FA is not (yet) available on packagist. Maybe there is some sync error. Could you please check and fix this so we can update to the new version without adding this repo as a composer repository?
See https://packagist.org/packages/sandstorm/neostwofactorauthentication
BTW: Thanks for your great work on this!
Only the QR code is shown to create a new second factor.
The code for the second factor will be shown below the QR code. This will enable devices with a broken or no camera to add a second factor.
We have a Neos 5.3 installation using this plugin. In some cases the 2FA token becomes invalid and the users are unable to login again. We can't reproduce this yet and don't know why this happens. Once the token becomes invalid it stays invalid.
Do you have any idea, why this could happen?
To improve usability it would be nice if the 2FA input field had autofocus, so one would not have to press tab or use the mouse to select the input first.
As an administrator I'm not able to remove the last second factor of an account at the moment, if that user is forced to have a second factor.
If that user has lost access to his OTP, he might not be able to log in anymore. Therefore an admin should always be allowed to remove the last second factor of other users (not himself!), no matter what roles etc. they have, to help with issues with lost second factors (broken phone, ...).
According to composer this allows PHP 7.4, except this renders a few errors.
Hi,
the composer manifest claims that this package is compatible with PHP 7.4, but it is not (see for example). Great package by the way! :)
If you have already logged in and get logged out due to session timeout, the Login is shown as a Popup window. This window does not (yet) work with the 2FA login and always shows only the username + password input fields.
Main branch wasn't protected. I set it up but let's check if it's set up correctly.
If you try to remove a user that has a second factor enabled, you will see a 500 Internal Server Error. This is due to the existing second factor:
<!-- Part of the logged Exception -->
Exception in line 182 of .../Packages/Libraries/doctrine/dbal/lib/Doctrine/DBAL/DBALException.php: An exception occurred while executing 'DELETE FROM neos_flow_security_account WHERE persistence_object_identifier = ?' with params ["46c79952-b120-4353-afcb-20179e4420f5"]:
SQLSTATE[23000]: Integrity constraint violation: 1451 Cannot delete or update a parent row: a foreign key constraint fails (`neos_database`.`sandstorm_neostwofactorauthentication_domain_model_secondfactor`, CONSTRAINT `FK_29EF8A7F7D3656A4` FOREIGN KEY (`account`) REFERENCES `neos_flow_security_account` (`persistence_ob)
This is especially a problem in cases where the second factor is enforced and cannot be removed.
When removing a user with existing second factor(s), all second factors will be removed first. Then the user will be removed. So in the end, no warning or additional work for the administrator / user manager.
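The following is an added example (not the project's code) that reproduces the failure above and the proposed fix at the database level. It uses Python's built-in SQLite instead of MySQL, so the constraint error text differs from the `1451` message in the log, but the cause is the same: a second-factor row still references the account row. Table and column names are taken from the logged exception; the remaining columns and the second-factor row are constructed for the illustration.

```python
import sqlite3

# Identifiers from the logged exception (constants, never user input)
ACCOUNT_TABLE = "neos_flow_security_account"
FACTOR_TABLE = "sandstorm_neostwofactorauthentication_domain_model_secondfactor"
ACCOUNT_ID = "46c79952-b120-4353-afcb-20179e4420f5"


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the Neos database with one account and one second factor."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    conn.execute(
        f"CREATE TABLE {ACCOUNT_TABLE} ("
        "persistence_object_identifier TEXT PRIMARY KEY, accountidentifier TEXT)"
    )
    conn.execute(
        f"CREATE TABLE {FACTOR_TABLE} ("
        "persistence_object_identifier TEXT PRIMARY KEY, "
        "account TEXT NOT NULL, secret TEXT NOT NULL, "
        f"FOREIGN KEY (account) REFERENCES {ACCOUNT_TABLE}(persistence_object_identifier))"
    )
    conn.execute(f"INSERT INTO {ACCOUNT_TABLE} VALUES (?, ?)", (ACCOUNT_ID, "editor"))
    # constructed second-factor row that points at the account
    conn.execute(f"INSERT INTO {FACTOR_TABLE} VALUES (?, ?, ?)",
                 ("constructed-factor-1", ACCOUNT_ID, "constructed-secret"))
    conn.commit()
    return conn


def delete_account_naive(conn: sqlite3.Connection, account_id: str) -> str:
    """Current behaviour: delete the account row alone; fails while a factor references it."""
    try:
        conn.execute(f"DELETE FROM {ACCOUNT_TABLE} WHERE persistence_object_identifier = ?",
                     (account_id,))
        conn.commit()
        return "deleted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return f"integrity error: {exc}"


def delete_account_with_factors(conn: sqlite3.Connection, account_id: str) -> str:
    """Proposed behaviour: remove all second factors first, then the account, in one transaction."""
    with conn:  # commits on success, rolls back if either statement fails
        conn.execute(f"DELETE FROM {FACTOR_TABLE} WHERE account = ?", (account_id,))
        conn.execute(f"DELETE FROM {ACCOUNT_TABLE} WHERE persistence_object_identifier = ?",
                     (account_id,))
    return "deleted"


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = open_demo_db()
    print(delete_account_naive(db, ACCOUNT_ID))         # integrity error: FOREIGN KEY constraint failed
    print(delete_account_with_factors(db, ACCOUNT_ID))  # deleted
    print(count_rows(db, ACCOUNT_TABLE), count_rows(db, FACTOR_TABLE))  # 0 0
```

Deleting the child rows and the account inside one transaction means a failure in either step leaves the database unchanged, so an administrator never ends up with an orphaned factor or a half-deleted account.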
It would be awesome to have a way of enforcing 2FA for specified Editor Groups like Administrators.
As PHP 8.1 is already approaching its EOL I'm considering dropping the support for PHP <8.1.
I know there have been people using this package in production where PHP was still 7.4 when we developed 1.1.0, but I think it's time.
My customer asked whether it can be made possible to warn of a missing 2FA token when a user logs in.
Or even force a redirect to setting it up as long as it hasn't been done yet.
There might be a customer budget for this, then I could provide a PR.
If not I just leave it here as an idea :)
When directly navigating to the Neos login mask (/neos/login) 2FA redirects back to the login screen and no session is started.
I assume that is because in this case Security\Context::setInterceptedRequest() is not triggered and, thus, no session is started.
/neos/login
/neos/two-factor-login
The user should be authenticated in the Neos backend
The user is redirected to the login screen and no session is started