[#26253] - [4.0] Enforce2fa
- Fixed in Code Base
- 19 Oct 2019
- Medium
- Build: 4.0-dev
- # 26253
- Diff
- AlexKirndoerfer:enforce2fa
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
Summary of Changes
Added Enforce Two Factor Authentication to the core.
This change is supposed to force the user both in Back- and or Frontend to first setup their Two Factor Authentication before being able to proceed.
The enforcement triggers when the user tries to navigate somewhere else or the page is being reloaded.
Testing Instructions
- Setup Joomla! 4.0-dev build
- In the menu go the System
- Click on Plugins
- Then search for Two Factor Authentication
- Enable a Two Factor Authentication Plugin of your choice
- Edit the Two Factor Authentication Methode that you choose
- Select where the Authentication should be enabled Front- or Backend or Both (default is both Front- and Backend)
- After that click save & close
- In the menu now go again to System
- Click on Global Configuration
- Now scrolle down and click on Users at the bottom left
- At the bottom there should be a label Enforce Two Factor Authentication
- Select now where and if Two Factor Authentication should be enforced, note it should be the same setting as in point 8
- After that click save & close.
- Now depending on your settings go to the Frontend and log in or try to navigate somewhere else.
Expected result
You will be redirected to your user edit page until you finished successfully setting up Two Factor Authentication.
Documentation Changes Required
Description of the feature in the documentation, hence it is a core feature
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | SQL Administration com_admin Postgresql com_config Language & Strings Installation Front End Plugins |
| Labels |
Added:
?
?
|
||
infograf768
- | Title |
|
||||||
Why are plugin options in Global Configuration?
I think it maybe makes more sense to put it in User Manager but this is a case where I don't think it necessarily makes sense to have them in the plugin. The plugin exists to force a redirect on every page but it's more like an extension to com_users than it is something truly independent
If the redirect is performed by the plugin (it is), the configuration options should be in the plugin. No need to couple it with anything here.
If the redirect is performed by the plugin (it is), the configuration options should be in the plugin.
We are doing the same thing with the Recaptcha.
Why are plugin options in Global Configuration?
They are not really the plugin options, someone can provide another plugin to enforce 2FA. Just as we do with reCaptcha.
They are not really the plugin options, someone can provide another plugin to enforce 2FA. Just as we do with reCaptcha.
Not a valid comparison. Captcha is a plugin group. This is a single system plugin. Unless you want to add enforce2fa plugin group and add selector for choosing which plugin from the group to use (please don't), the options should really be in the plugin.
Looking at how the plugin is now, we might as well move the code into the core and out of the plugin. How is that for an idea?
Looking at how the plugin is now, we might as well move the code into the core and out of the plugin. How is that for an idea?
I dont see this as functionally any different to the password requirements code which is just part of core without a plugin
(not comparing the aims etc of the code just the method of implementation)
Looking at how the plugin is now, we might as well move the code into the core and out of the plugin. How is that for an idea?
That would work, if you actually want TFA coupled with the application. Looking at existing TFA code I can't really tell whether it's hardcoded intentionally or because our login forms don't support plugins.
| Category | SQL Administration com_admin Postgresql com_config Language & Strings Installation Front End Plugins | ⇒ | SQL Administration com_admin Postgresql com_config Language & Strings Installation Libraries |
| Category | SQL Administration com_admin Postgresql com_config Language & Strings Installation Libraries | ⇒ | Administration com_config Language & Strings Libraries |
Moved enforce2fa to the core and updated the initial comment
| Category | Administration com_config Language & Strings Libraries | ⇒ | Administration com_users Language & Strings Libraries |
Cache the result of the plugins in the session so that it's only done on the first page load per user being checked. Should reduce the performance hit.
added the use of sessions to determine whether the user has already setup 2fa
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26253.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/26253.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-10-19 21:49:50 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
|
||
Thankyou again for coding this!
Still think it's bad idea to use plugin params like this.
I'm happy to see us find a way to improve that if we can find something straightforward
Why are plugin options in Global Configuration?