This is a random selection of links related to my blog.
Personal Websites
- My Twitter – Follow me for updates on my blog
- My Github
- My Packagist
- My LinkedIn
Projects
scheb/two-factor-bundle
A Symfony bundle providing two-factor authentication
scheb/yahoo-finance-api
A PHP library for Yahoo Finance API
scheb/tombstone
Dead code detection with tombstones for PHP
scheb/in-memory-data-storage
A simple in-memory data storage for PHP
Open Apexx
The open source distribution of my CMS from 2005
Hi Christian,
My name is Pawel.
Thanks for the great bundles.
I am developing a project that needs two-step authentication. I want to use your two-factor-bundle as the foundation for our authentication system.
Do you support this bundle for the current Symfony versions (3.3, 3.4, 4.*)?
You chose that, after authenticating by login & password, the user is fully authenticated to the Symfony security layer. Why do you not create a middle status for a user already authenticated by login & password?
Hi Pawel!
Yes, two-factor-bundle supports the latest versions of Symfony. I just updated the composer.json to support the upcoming Symfony 4.0.
The reason why the bundle is put on top of a fully-authenticated user is that I did not find any better solution until now. Introducing a new intermediate state is not possible (at least I did not find a way), because the existing states are hard-coded into the security layer and not really extensible.
I did some experiments with a different integration a while ago. The goal was to get the bundle fully integrated into the security layer. I was trying to get some help from the Symfony developers to get the implementation right, but didn’t manage to get anyone to help me. So it is somewhat stuck now. If you want to have a look at what I tried, there’s a branch with my results: https://github.com/scheb/two-factor-bundle/tree/firewall-integration
Nevertheless the current implementation of the bundle is working, as long as you’re aware of its limitations.
Hi Scheb,
I am a fan of your work and it’s amazing. I’m currently trying to figure out how to implement the Two-factor-bundle that you created. I did it successfully in a test project:
https://gitlab.com/jp.fortuno/symfony-4-2fa.git
I’m a Symfony noob. I’m trying to implement it in one of my clients’ existing projects (but I’m a Symfony noob). They are using Symfony 4.4 and PHP 7.2. What happens is that it creates an ‘infinite loop’ in the supports method of the project by redirecting from the path 2fa back to login, then back to 2fa, etc. I can’t seem to implement it there. Can you help?
I tried your app and can’t find what’s wrong. After login, I’m shown the 2fa form, I’m providing my GoogleAuthenticator code and then I’m redirected to the admin page. No infinite loop :/
Yeah, the example I have tried works. I’m talking about one of my clients’ projects, which is bigger. Do you think you could help? I have not shared the code for this one yet.
I suspect the 2fa path is not matching the firewall’s pattern. So when you access the 2fa form, the authentication token is not available, therefore it requires you to login. And login (which is within the firewall’s pattern) then redirects back to 2fa form, because you’re already logged in.
I’m not sure where that fails. I know this is not enough code, but here’s a sample:
<?php
// Namespace and constructor are assumed; the posted excerpt showed only the properties and supports().
namespace App\Security;

use Doctrine\ORM\EntityManagerInterface;
use Psr\Log\LoggerInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
use Symfony\Component\Security\Http\Util\TargetPathTrait;

class FormLoginAuthenticator extends AbstractGuardAuthenticator implements PasswordAuthenticatedInterface
{
    use TargetPathTrait;

    private $router;
    private $encoder;
    private $em;
    private $csrfTokenManager;
    /**
     * @var GoogleAuthenticatorInterface
     */
    private $googleAuthenticator;
    /**
     * @var LoggerInterface
     */
    private $loginLogger;

    public function __construct(RouterInterface $router, UserPasswordEncoderInterface $encoder, EntityManagerInterface $em, CsrfTokenManagerInterface $csrfTokenManager, GoogleAuthenticatorInterface $googleAuthenticator, LoggerInterface $loginLogger)
    {
        $this->router = $router;
        $this->encoder = $encoder;
        $this->em = $em;
        $this->csrfTokenManager = $csrfTokenManager;
        $this->googleAuthenticator = $googleAuthenticator;
        $this->loginLogger = $loginLogger;
    }

    // Only the credential check request is handled here; every other path, /2fa included,
    // is left to the other firewall listeners.
    public function supports(Request $request)
    {
        $this->loginLogger->info('path loaded : '.$request->getPathInfo());
        return $request->getPathInfo() === '/login_check';
    }
}
access_control:
    - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/user/*, roles: ROLE_MERCHANT }
    - { path: ^/api/merchant/*, roles: ROLE_MERCHANT }
    - { path: ^/api/test, roles: ROLE_MERCHANT }
    - { path: ^/api/watchdog, roles: ROLE_MERCHANT }
    - { path: ^/v1/*, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/create, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/forgotten-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/password/reset, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/password/change, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/%app.locales%/register/confirm, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    # - { path: ^/register/confirm, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/_errors/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/*, roles: ROLE_MANAGER }
    - { path: ^/%app.locales%/admin/*, roles: ROLE_MANAGER }
    - { path: ^user/*, roles: ROLE_USER }
    - { path: ^/%app.locales%/user/*, roles: ROLE_USER }
    - { path: ^/merchant/*, roles: ROLE_USER }
    - { path: ^/%app.locales%/merchant/*, roles: ROLE_USER }
    - { path: ^/, roles: ROLE_USER }
    # This makes the logout route available during two-factor authentication, allows the user to cancel
    - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
    # This ensures that the form can only be accessed when two-factor authentication is in progress
    - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }

role_hierarchy:
    ROLE_JEDI: [ROLE_MANAGER, ROLE_USER]
    ROLE_MERCHANT_MANAGER: [ROLE_USER, ROLE_MANAGER]
    ROLE_MERCHANT: [ROLE_USER, ROLE_MERCHANT]
    # ROLE_JEDI: [ROLE_ADMIN, ROLE_MERCHANT, ROLE_USER]
    # ROLE_ADMIN: [ROLE_MERCHANT, ROLE_USER]
    # ROLE_MERCHANT: [ROLE_USER]

access_decision_manager:
    strategy: unanimous
Could you please provide your firewall configuration? Ideally, the whole security.yaml.
Hope you could open it. If you need more files from the project like the voters, or security controller or any other files, let me know.
Not sure where you’ve put it, I did not receive anything.
What’s the easiest way to send the files to you?
Either post it here, create an issue on Github or send it to me via email to mail[at]christianscheb.de
“access_control” rules are checked in that exact order. Your configuration looks like this:
[...]
- { path: ^/, roles: ROLE_USER }
- { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS}
“^/” with ROLE_USER will match any path. So when this rule is reached it definitely matches, therefore all the rules coming afterwards will not be evaluated. So your rules for logout and 2fa can never be checked. I suspect this is where the issue comes from. I’d recommend moving the rules for logout and 2fa up to the very top of the rule list, so that they’re checked first.
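The first-match-wins evaluation described in the reply above, as an added example that is not part of the original thread or of the bundle's own code: a small Python simulation of access_control ordering over a constructed subset of the posted rules, with the same rules in the recommended order beside them. The attribute sets MID_2FA and FULLY_LOGGED_IN are assumed simplifications of what a session can satisfy before and after the second factor, and the catch-all detection is a heuristic rather than general regex containment.

```python
import re

# Constructed subset of the access_control rules posted above, in the order
# they were posted: the catch-all "^/" precedes the logout and 2fa rules.
POSTED_ORDER = [
    ("^/admin/*", "ROLE_MANAGER"),
    ("^/", "ROLE_USER"),
    ("^/logout", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("^/2fa", "IS_AUTHENTICATED_2FA_IN_PROGRESS"),
]

# The same rules with logout and 2fa moved to the top, as recommended.
FIXED_ORDER = [
    ("^/logout", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("^/2fa", "IS_AUTHENTICATED_2FA_IN_PROGRESS"),
    ("^/admin/*", "ROLE_MANAGER"),
    ("^/", "ROLE_USER"),
]

# Assumed simplification of which attributes a request can satisfy: a session
# that passed the password step but not the second factor only satisfies the
# anonymous and 2FA-in-progress attributes; a completed login has ROLE_USER.
MID_2FA = {"IS_AUTHENTICATED_ANONYMOUSLY", "IS_AUTHENTICATED_2FA_IN_PROGRESS"}
FULLY_LOGGED_IN = {"IS_AUTHENTICATED_ANONYMOUSLY", "ROLE_USER"}


def first_matching_rule(rules, path):
    """Return the first (pattern, attribute) whose regex matches the path.

    Rules are evaluated top to bottom and evaluation stops at the first match,
    so anything listed after a matching rule is never consulted. Patterns are
    unanchored regexes, which is why "^/" matches every path.
    """
    for pattern, attribute in rules:
        if re.search(pattern, path):
            return pattern, attribute
    return None


def required_attribute(rules, path):
    """Attribute demanded by the first matching rule, or None if nothing matches."""
    match = first_matching_rule(rules, path)
    return match[1] if match else None


def is_catch_all(pattern):
    """Heuristic: a pattern matching both "/" and an arbitrary deep path is
    treated as matching everything (enough to detect "^/")."""
    return all(re.search(pattern, probe) for probe in ("/", "/some/other/path"))


def unreachable_rules(rules):
    """Rules listed after the first catch-all pattern; they can never be reached."""
    for index, (pattern, _attribute) in enumerate(rules):
        if is_catch_all(pattern):
            return rules[index + 1:]
    return []


def can_access(rules, path, granted):
    """True if the granted attributes satisfy the first matching rule."""
    needed = required_attribute(rules, path)
    return needed is None or needed in granted


def explain(rules, paths=("/2fa", "/logout", "/admin/users", "/dashboard")):
    """Map each path to the attribute the rule set demands for it."""
    return {path: required_attribute(rules, path) for path in paths}


if __name__ == "__main__":
    for name, rules in (("posted order", POSTED_ORDER), ("fixed order", FIXED_ORDER)):
        print(name)
        for path, attribute in explain(rules).items():
            print(f"  {path:<13} requires {attribute}")
        print("  unreachable rules:", [p for p, _ in unreachable_rules(rules)])
        print("  mid-2FA session may open /2fa:", can_access(rules, "/2fa", MID_2FA))
```

With the posted order the simulation reports /2fa and /logout as requiring ROLE_USER and lists the two trailing rules as unreachable, which is exactly the state that bounces a half-authenticated session between /2fa and login. With the fixed order each path gets its intended attribute, and /2fa is reachable only while the second factor is pending, so a fully logged-in user cannot reopen the form either. The unreachable_rules() check is the kind of lint worth running over any access_control list before deploying it.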
Awesome! And thanks a lot, I will try this early tomorrow morning.
True. Indeed! The order under ‘access_control’ changed everything.
In addition to this, I had to add the key ‘IS_AUTHENTICATED_2FA_IN_PROGRESS’ to my UserVoter file, which was checking a series of strings. I’m going to try and implement my own template now.