forked from wallabag/wallabag
Enable OTP 2FA
- Update SchebTwoFactorBundle to version 3
- Enable Google 2fa on the bundle
- Disallow ability to use both email and google as 2fa
- Update Ocramius Proxy Manager to handle typed function & attributes (from PHP 7)
- use `$this->addFlash` shortcut instead of `$this->get('session')->getFlashBag()->add`
- update admin to be able to create/reset the 2fa
This commit is contained in:
Jeremy Benoist
22
app/DoctrineMigrations/Version20181202073750.php
Normal file
22
app/DoctrineMigrations/Version20181202073750.php
Normal file
@ -0,0 +1,22 @@
|
||||
<?php
|
||||
|
||||
namespace Application\Migrations;
|
||||
|
||||
use Doctrine\DBAL\Schema\Schema;
|
||||
use Wallabag\CoreBundle\Doctrine\WallabagMigration;
|
||||
|
||||
/**
|
||||
* Add 2fa OTP (named google authenticator).
|
||||
*/
|
||||
final class Version20181202073750 extends WallabagMigration
|
||||
{
|
||||
public function up(Schema $schema): void
|
||||
{
|
||||
$this->addSql('ALTER TABLE ' . $this->getTable('user') . ' ADD googleAuthenticatorSecret VARCHAR(191) DEFAULT NULL, CHANGE twoFactorAuthentication emailTwoFactor BOOLEAN NOT NULL, DROP trusted');
|
||||
}
|
||||
|
||||
public function down(Schema $schema): void
|
||||
{
|
||||
$this->addSql('ALTER TABLE `' . $this->getTable('user') . '` DROP googleAuthenticatorSecret, CHANGE emailtwofactor twoFactorAuthentication BOOLEAN NOT NULL, ADD trusted TEXT DEFAULT NULL');
|
||||
}
|
||||
}
|
||||
@ -89,4 +89,22 @@ $(document).ready(() => {
|
||||
}
|
||||
};
|
||||
});
|
||||
|
||||
// mimic radio button because emailTwoFactor is a boolean
|
||||
$('#update_user_googleTwoFactor').on('change', () => {
|
||||
$('#update_user_emailTwoFactor').prop('checked', false);
|
||||
});
|
||||
|
||||
$('#update_user_emailTwoFactor').on('change', () => {
|
||||
$('#update_user_googleTwoFactor').prop('checked', false);
|
||||
});
|
||||
|
||||
// same mimic for super admin
|
||||
$('#user_googleTwoFactor').on('change', () => {
|
||||
$('#user_emailTwoFactor').prop('checked', false);
|
||||
});
|
||||
|
||||
$('#user_emailTwoFactor').on('change', () => {
|
||||
$('#user_googleTwoFactor').prop('checked', false);
|
||||
});
|
||||
});
|
||||
|
||||
@ -50,25 +50,30 @@ $(document).ready(() => {
|
||||
$('#tag_label').focus();
|
||||
return false;
|
||||
});
|
||||
|
||||
$('#nav-btn-add').on('click', () => {
|
||||
toggleNav('.nav-panel-add', '#entry_url');
|
||||
return false;
|
||||
});
|
||||
|
||||
const materialAddForm = $('.nav-panel-add');
|
||||
materialAddForm.on('submit', () => {
|
||||
materialAddForm.addClass('disabled');
|
||||
$('input#entry_url', materialAddForm).prop('readonly', true).trigger('blur');
|
||||
});
|
||||
|
||||
$('#nav-btn-search').on('click', () => {
|
||||
toggleNav('.nav-panel-search', '#search_entry_term');
|
||||
return false;
|
||||
});
|
||||
|
||||
$('.close').on('click', (e) => {
|
||||
$(e.target).parent('.nav-panel-item').hide(100);
|
||||
$('.nav-panel-actions').show(100);
|
||||
$('.nav-panels').css('background', 'transparent');
|
||||
return false;
|
||||
});
|
||||
|
||||
$(window).scroll(() => {
|
||||
const s = $(window).scrollTop();
|
||||
const d = $(document).height();
|
||||
|
||||
@ -198,10 +198,14 @@ fos_oauth_server:
|
||||
refresh_token_lifetime: 1209600
|
||||
|
||||
scheb_two_factor:
|
||||
trusted_computer:
|
||||
trusted_device:
|
||||
enabled: true
|
||||
cookie_name: wllbg_trusted_computer
|
||||
cookie_lifetime: 2592000
|
||||
lifetime: 2592000
|
||||
|
||||
google:
|
||||
enabled: "%twofactor_auth%"
|
||||
template: WallabagUserBundle:Authentication:form.html.twig
|
||||
|
||||
email:
|
||||
enabled: "%twofactor_auth%"
|
||||
|
||||
@ -51,3 +51,11 @@ craue_config_settings_modify:
|
||||
|
||||
fos_js_routing:
|
||||
resource: "@FOSJsRoutingBundle/Resources/config/routing/routing.xml"
|
||||
|
||||
2fa_login:
|
||||
path: /2fa
|
||||
defaults:
|
||||
_controller: "scheb_two_factor.form_controller:form"
|
||||
|
||||
2fa_login_check:
|
||||
path: /2fa_check
|
||||
|
||||
@ -56,9 +56,17 @@ security:
|
||||
path: /logout
|
||||
target: /
|
||||
|
||||
two_factor:
|
||||
provider: fos_userbundle
|
||||
auth_form_path: 2fa_login
|
||||
check_path: 2fa_login_check
|
||||
|
||||
access_control:
|
||||
- { path: ^/api/(doc|version|info|user), roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
# force role for logout otherwise when 2fa enable, you won't be able to logout
|
||||
# https://github.com/scheb/two-factor-bundle/issues/168#issuecomment-430822478
|
||||
- { path: ^/logout, roles: [IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_2FA_IN_PROGRESS] }
|
||||
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
- { path: /(unread|starred|archive|all).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
@ -67,5 +75,6 @@ security:
|
||||
- { path: ^/share, roles: IS_AUTHENTICATED_ANONYMOUSLY }
|
||||
- { path: ^/settings, roles: ROLE_SUPER_ADMIN }
|
||||
- { path: ^/annotations, roles: ROLE_USER }
|
||||
- { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
|
||||
- { path: ^/users, roles: ROLE_SUPER_ADMIN }
|
||||
- { path: ^/, roles: ROLE_USER }
|
||||
|
||||
Reference in New Issue
Block a user