
neostwofactorauthentication's People

Contributors

benjamin-k, bwaidelich, flammel, hphoeksma, jamesalias, lorenzulrich, nickosaurus, pingu501, skurfuerst

neostwofactorauthentication's Issues

2FA Token should be refreshed after it's enabled

When a user enables 2FA, their credentials should immediately be updated or they should be logged out and forced to re-login to make sure the token is 2FA enabled.

This is necessary to either force users to enable it or give them a notice in some way to enable it.

Currently the token is not updated and the new status cannot be properly detected.

Document list of compatible 2FA apps

While testing I could only successfully use the plugin with Google Authenticator; the Microsoft and 1Password apps said that the QR code is invalid.

Would be great to add a "tested" app list to the readme.

2FA-Token becomes invalid

We have a Neos 5.3 installation using this plugin. In some cases the 2FA token becomes invalid and the users are unable to login again. We can't reproduce this yet and don't know why this happens. Once the token becomes invalid it stays invalid.
Do you have any idea, why this could happen?

UX: Add autofocus to 2FA input field

To improve usability it would be nice if the 2FA input field had autofocus, so one would not have to press Tab or use the mouse cursor to select the input first.

Allow administrators to remove last OTP of other users

As an administrator I'm not able to remove the last second factor of an account at the moment, if that user is forced to have a second factor.
If that user has lost his access to his OTP, he might not be able to login anymore. Therefore an admin should always be allowed to remove the last second factor of other users (not himself!), no matter what roles etc. they have to help with issues with lost second factors (broken phone, ...).

2FA Login not shown in Login-Popup

If you have already logged in and get logged out due to session timeout, the Login is shown as a Popup window. This window does not (yet) work with the 2FA login and always shows only the username + password input fields.

BUG: Unable to remove user with existing second factor

Current behaviour

If you try to remove a user that has a second factor enabled, you will see a 500 Internal Server Error. This is due to the existing second factor:

<!-- Part of the logged Exception -->
Exception in line 182 of .../Packages/Libraries/doctrine/dbal/lib/Doctrine/DBAL/DBALException.php: An exception occurred while executing 'DELETE FROM neos_flow_security_account WHERE persistence_object_identifier = ?' with params ["46c79952-b120-4353-afcb-20179e4420f5"]:

SQLSTATE[23000]: Integrity constraint violation: 1451 Cannot delete or update a parent row: a foreign key constraint fails (`neos_database`.`sandstorm_neostwofactorauthentication_domain_model_secondfactor`, CONSTRAINT `FK_29EF8A7F7D3656A4` FOREIGN KEY (`account`) REFERENCES `neos_flow_security_account` (`persistence_ob)

This is especially a problem in cases where the second factor is enforced and can not be removed.

Expected behaviour

When removing a user with existing second factor(s), all second factors will be removed first. Then the user will be removed. So in the end, no warning or additional work for the administrator / user manager.

Steps to reproduce

  1. Enforce Two-Factor Authentication (optional).
  2. Create a new user.
  3. Log in as that user and create a second factor.
  4. Log out and re-login as Administrator / UserManager.
  5. Try to remove the user with a second factor.

Environment

  • Flow: 8.3.3
  • Neos: 8.3.4
  • Sandstorm/NeosTwoFactorAuthentication: 1.1.2
  • PHP: 8.1.20

Drop PHP <8.1 Support

As PHP 8.1 is already approaching its EOL, I'm considering dropping the support for PHP <8.1.

I know there have been people using this package in production where PHP was still 7.4 when we developed 1.1.0 but I think it's time.

FEATURE: Warn of missing 2FA / Enforce setting up 2FA

My customer asked whether it can be made possible to warn of a missing 2FA token when a user logs in.
Or even force a redirect to setting it up as long as it hasn't been done yet.

There might be a customer budget for this, in which case I could provide a PR.
If not, I'll just leave it here as an idea :)

Login fails when navigating to login screen directly

When directly navigating to the Neos login mask (/neos/login), 2FA redirects back to the login screen and no session is started.

I assume that is because in this case Security\Context::setInterceptedRequest() is not triggered and, thus, no session is started.

Steps to reproduce

  1. Install package
  2. Setup 2FA
  3. Logout
  4. Navigate to /neos/login
  5. Enter valid username and password -> get redirected to /neos/two-factor-login
  6. Enter valid OTP

Expected result

The user should be authenticated in the Neos backend

Actual result

The user is redirected to the login screen and no session is started
