netgen / ibexa-2fa-bundle
Netgen Ibexa 2FA Bundle is an Ibexa bundle that provides two-factor authentication for your ezplatform project.
Requires
- php: ^8.1
- bacon/bacon-qr-code: ^2.0
- scheb/2fa-backup-code: ^5.13
- scheb/2fa-bundle: ^5.13
- scheb/2fa-email: ^5.13
- scheb/2fa-google-authenticator: ^5.13
- scheb/2fa-totp: ^5.13
- scheb/2fa-trusted-device: ^5.13
Requires (Dev)
- phpunit/phpunit: ^9.5
This package is auto-updated.
Last update: 2024-08-26 14:54:43 UTC
README
This bundle is in the alpha stage and is not recommended for production use.
This repository is forked from Novactive/NovaeZ2FABundle and upgraded to support Ibexa 4.x.
Netgen Ibexa 2FA Bundle provides two-factor authentication for your Ibexa project.
Installation
Requirements
- Ibexa 4.x
- PHP 8.1
Using Composer
Add the library to your composer.json and run composer require netgen/ibexa2fabundle to update the dependencies.
Registering the bundle
Then register the bundle in your application's config/bundles.php:
```php
return [
    // ...
    Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
    Netgen\Bundle\Ibexa2FABundle\NetgenIbexa2FABundle::class => ['all' => true],
];
```
Adding the routes
Make sure to add this route to your routing:
```yaml
# config/app/routes.yaml
_netgen_ibexa2fa_routes:
    resource: '@NetgenIbexa2FABundle/Resources/config/routing.yaml'
```
Updating the configuration
```yaml
# config/security.yaml
security:
    ...
    firewalls:
        ...
        ibexa_front:
            pattern: ^/
            user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            ibexa_rest_session: ~
            form_login:
                require_previous_session: false
                csrf_token_generator: security.csrf.token_manager
            logout: ~
            two_factor:
                auth_form_path: 2fa_login # The route name you have used in the routes.yaml
                check_path: 2fa_login_check # The route name you have used in the routes.yaml
                default_target_path: / # Where to redirect by default after successful authentication
                always_use_default_target_path: true # If it should always redirect to default_target_path
        ...
    access_control:
        - { path: ^/_fos_user_context_hash, role: PUBLIC_ACCESS }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: 2fa_setup$, role: ROLE_USER }
        - { path: 2fa_reset$, role: ROLE_USER }
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/_fos_user_context_hash, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
```
Adding the new configuration
The values can be adjusted to the project's requirements:
```yaml
# config/packages/scheb_two_factor.yaml
scheb_two_factor:
    backup_codes:
        enabled: '%netgen_ibexa2fa.backup_codes.enabled%' # Reading the value from the netgen_ibexa2fa.backup_codes.enabled value in the parameters section
        manager: Netgen\Bundle\Ibexa2FABundle\Core\BackupCodeManager # This should either remain or be replaced with another one developed for that purpose

    google:
        enabled: true
        server_name: Local Ibexa Server # Server name used in QR code
        issuer: IbexaIssuer # Issuer name used in QR code
        digits: 6 # Number of digits in authentication code
        window: 1 # How many codes before/after the current one would be accepted as valid
        template: "@ibexadesign/2fa/auth.html.twig" # Template for the 2FA login page

    # TOTP Authenticator config
    totp:
        enabled: true # If TOTP authentication should be enabled, default false
        server_name: Server Name # Server name used in QR code
        issuer: TOTP Issuer # Issuer name used in QR code
        window: 1 # How many codes before/after the current one would be accepted as valid
        template: "@ibexadesign/2fa/auth.html.twig" # Template used to render the authentication form

    # Trusted device feature
    trusted_device:
        enabled: true # If the trusted device feature should be enabled
        # manager: acme.custom_trusted_device_manager # Use a custom trusted device manager
        lifetime: 259200 # Lifetime of the trusted device token, in seconds
        extend_lifetime: false # Automatically extend lifetime of the trusted cookie on re-login
        cookie_name: trusted_device # Name of the trusted device cookie
        cookie_secure: true # Set the 'Secure' (HTTPS Only) flag on the trusted device cookie
        cookie_same_site: "lax" # The same-site option of the cookie, can be "lax", "strict" or null
        # cookie_domain: "" # Domain to use when setting the cookie, fallback to the request domain if not set
        cookie_path: "/" # Path to use when setting the cookie

    email:
        enabled: true # If email authentication should be enabled, default false
        mailer: Netgen\Bundle\Ibexa2FABundle\Core\AuthCodeMailer # Use alternative service to send the authentication code
        code_generator: Netgen\Bundle\Ibexa2FABundle\Core\EmailCodeGenerator # Use alternative service to generate authentication code
        sender_email: me@example.com # Sender email address
        sender_name: John Doe # Sender name
        digits: 6 # Number of digits in authentication code
        template: "@ibexadesign/2fa/auth.html.twig" # Template used to render the authentication form

    # The security token classes, which trigger two-factor authentication.
    # By default the bundle only reacts to Symfony's username+password authentication. If you want to enable
    # two-factor authentication for other authentication methods, add their security token classes.
    # See the configuration reference at https://github.com/scheb/two-factor-bundle/blob/4.x/Resources/doc/configuration.md
    security_tokens:
        - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        # If you're using guard-based authentication, you have to use this one:
        # - Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken
        # If you're using authenticator-based security (introduced in Symfony 5.1), you have to use this one:
        # - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken

# Whether to use the backup codes or not should be specified here in the parameters section, then used in scheb_two_factor.backup_codes
# It's done this way in order to let the user customize if the backup codes should be generated or not
parameters:
    netgen_ibexa2fa.backup_codes.enabled: true # Must match the parameter name referenced in backup_codes.enabled above
```
If the email method is enabled, the MAILER_DSN environment variable must be set in the .env file.
For the full scheb_two_factor reference, see: https://github.com/scheb/2fa/blob/6.x/doc/configuration.rst
Note: this bundle is siteaccess-aware, so each siteaccess can use different authentication methods.
```yaml
# config/packages/nova_ez2fa.yaml
netgen_ibexa2fa:
    system:
        # Available mobile methods - google, totp, microsoft or null.
        # If microsoft is selected the totp mechanism is still used but the config is forced and static so Microsoft Authenticator app can be used.
        # Email method can also be enabled or disabled for each siteaccess
        # If 2fa_force_setup is true then the User must always set up 2FA upon authentication and reset function is off
        default:
            2fa_mobile_method: google
            2fa_email_method_enabled: true
            2fa_force_setup: false
        site:
            2fa_mobile_method: totp
            # if microsoft method set - the config is forced to: algorithm: sha1, period: 30, digits: 6
            config:
                algorithm: sha1 #(md5, sha1, sha256, sha512)
                period: 30
                digits: 6
            2fa_email_method_enabled: true
            2fa_force_setup: false

parameters:
    netgen_ibexa2fa.backup_codes.enabled: true
```
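To make the `algorithm`, `period` and `digits` knobs above and the `window` setting from the scheb_two_factor config concrete, here is an added, self-contained RFC 6238 TOTP verifier (example code, not the bundle's own implementation; the `hotp`, `totp` and `verify_totp` names are ours). It shows why `window` trades clock-drift tolerance against how long a single code remains acceptable.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation.
    `algorithm` takes the same names as the bundle's config (md5, sha1, sha256, sha512)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the epoch.
    The bundle's forced 'microsoft' profile corresponds to sha1 / 30 / 6, i.e. these defaults."""
    return hotp(secret, now // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.
    The comparison is constant-time. A wider window tolerates more clock drift, but it
    also lengthens the interval during which an observed code is still accepted."""
    if len(code) != digits or not code.isdigit():
        return False
    step = now // period
    return any(
        hmac.compare_digest(hotp(secret, step + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 Appendix B test key (ASCII "1234...890").
    key = b"12345678901234567890"
    earlier, later = 1111111109, 1111111111  # adjacent 30-second steps
    stale = totp(key, earlier)
    print("window=1 accepts previous step:", verify_totp(key, stale, later, window=1))
    print("window=0 rejects previous step:", verify_totp(key, stale, later, window=0))
```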
Creating the tables in the database
See the file bundle/Resources/sql/schema.sql
Special note on HTTP cache
Important!: for HTTP cache systems (e.g. Varnish or Fastly) the following logic should be implemented
```vcl
if (req.url ~ "^/2fa") {
    return (pass);
}
```
and it should be added before the call ez_user_context_hash line.
This is needed to avoid triggering the X-User-Hash mechanism when /2fa requests are sent, so that /_fos_user_context_hash requests do not return a 302 redirect response because of this bundle.
Manually removing the 2FA records of a specific user
If some users need their 2FA records removed from the database so that they can log in without entering a 2FA code, run the following command acx:users:remove-2fa and specify the user's login name
```shell
php ezplatform/bin/console nova:2fa:remove-secret-key user_login
```
Note: if 2FA is already set up for a user and you are going to reset it via the corresponding link on the 2FA setup page, do not change the method of the current Siteaccess before doing so! In that case the secret key would be assumed to belong to the new method rather than the old one when it is removed, so the reset will not work!