novactive/ez2fabundle

Novactive eZ 2FA Bundle is an eZ Platform bundle that provides two-factor authentication for your ezplatform project

Installs: 8,536

Dependents: 0

Suggesters: 0

Security: 0

Stars: 3

Watchers: 9

Forks: 2

Open Issues: 0

Type: ezplatform-bundle

v1.4.4 2022-01-14 18:36 UTC

This package is auto-updated.

Last update: 2024-09-17 07:36:51 UTC


README

This repository is a so-called "subtree split": a read-only copy of one directory of the main repository. It is used by Composer so that developers can depend on a specific bundle.

If you want to report an issue or contribute, please open an issue on the main repository: https://github.com/Novactive/Nova-eZPlatform-Bundles

Documentation is available through the .md files in this repository, but it is also packaged here: https://novactive.github.io/Nova-eZPlatform-Bundles/master/2FABundle/README.md.html

Novactive eZ 2FA Bundle provides two-factor authentication for your ezplatform/ibexa project.

Installation

Requirements

  • eZ Platform 3.1+
  • PHP 7.3

Using Composer

Add the library to your composer.json and run composer require novactive/ez2fabundle to update the dependencies.

Register the bundle

Then inject the bundle in config\bundles.php of your application.

    return [
        // ...
        Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
        Novactive\Bundle\eZ2FABundle\NovaeZ2FABundle::class => ['all' => true],
    ];

Add routes

Make sure you add this route to your routing configuration

# config/routes.yaml

_novaez2fa_routes:
    resource: '@NovaeZ2FABundle/Resources/config/routing.yaml'

Update the configuration

# config/security.yaml

security:
    ...
    firewalls:
        ...
        ezpublish_front:
            pattern: ^/
            user_checker: eZ\Publish\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            ezpublish_rest_session: ~
            form_login:
                require_previous_session: false
                csrf_token_generator: security.csrf.token_manager
            logout: ~
            two_factor:
                auth_form_path: 2fa_login    # The route name you have used in the routes.yaml
                check_path: 2fa_login_check  # The route name you have used in the routes.yaml
                default_target_path: /                # Where to redirect by default after successful authentication
                always_use_default_target_path: true  # If it should always redirect to default_target_path
    
    ...
    access_control:
        - { path: ^/_fos_user_context_hash, role: PUBLIC_ACCESS }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: 2fa_setup$, role: ROLE_USER }
        - { path: 2fa_reset$, role: ROLE_USER }
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/_fos_user_context_hash, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }

Add the new configuration

The values can be updated according to the project's specifications

# config/packages/scheb_two_factor.yaml

scheb_two_factor:

    backup_codes:
        enabled: '%nova_ez2fa.backup_codes.enabled%' # Reading the value from the nova_ez2fa.backup_codes.enabled value in parameters section
        manager: Novactive\Bundle\eZ2FABundle\Core\BackupCodeManager # This should either remain or be replaced with another one developed for that purpose

    google:
        enabled: true
        server_name: Local Ez Server                # Server name used in QR code
        issuer: EzIssuer                            # Issuer name used in QR code
        digits: 6                                   # Number of digits in authentication code
        window: 1                                   # How many codes before/after the current one would be accepted as valid
        template: "@ezdesign/2fa/auth.html.twig"    # Template for the 2FA login page

    # TOTP Authenticator config
    totp:
        enabled: true                               # If TOTP authentication should be enabled, default false
        server_name: Server Name                    # Server name used in QR code
        issuer: TOTP Issuer                         # Issuer name used in QR code
        window: 1                                   # How many codes before/after the current one would be accepted as valid
        template: "@ezdesign/2fa/auth.html.twig"    # Template used to render the authentication form

    # Trusted device feature
    trusted_device:
        enabled: true                                   # If the trusted device feature should be enabled
        # manager: acme.custom_trusted_device_manager   # Use a custom trusted device manager
        lifetime: 259200                                # Lifetime of the trusted device token, in seconds
        extend_lifetime: false                          # Automatically extend lifetime of the trusted cookie on re-login
        cookie_name: trusted_device                     # Name of the trusted device cookie
        cookie_secure: true                             # Set the 'Secure' (HTTPS Only) flag on the trusted device cookie
        cookie_same_site: "lax"                         # The same-site option of the cookie, can be "lax", "strict" or null
        # cookie_domain: ""                             # Domain to use when setting the cookie, fallback to the request domain if not set
        cookie_path: "/"                                # Path to use when setting the cookie

    email:
        enabled: true                            # If email authentication should be enabled, default false
        mailer: Novactive\Bundle\eZ2FABundle\Core\AuthCodeMailer # Use alternative service to send the authentication code
        code_generator: Novactive\Bundle\eZ2FABundle\Core\EmailCodeGenerator # Use alternative service to generate authentication code
        sender_email: me@example.com             # Sender email address
        sender_name: John Doe                    # Sender name
        digits: 6                                # Number of digits in authentication code
        template: "@ezdesign/2fa/auth.html.twig" # Template used to render the authentication form

    # The security token classes, which trigger two-factor authentication.
    # By default the bundle only reacts to Symfony's username+password authentication. If you want to enable
    # two-factor authentication for other authentication methods, add their security token classes.
    # See the configuration reference at https://github.com/scheb/two-factor-bundle/blob/4.x/Resources/doc/configuration.md
    security_tokens:
        - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        # If you're using guard-based authentication, you have to use this one:
        # - Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken
        # If you're using authenticator-based security (introduced in Symfony 5.1), you have to use this one:
        # - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken

# Whether to use the backup codes or not should be specified here in parameters section, then used in scheb_two_factor.backup_codes
# It's done this way in order to let the user customize if the backup codes should be generated or not
parameters:
    nova_ez2fa.backup_codes.enabled: true

If the email method is enabled, the MAILER_DSN environment variable should be specified in the .env file

For the full reference of scheb_two_factor, please visit the following resource: https://github.com/scheb/two-factor-bundle/blob/4.x/Resources/doc/configuration.md

Note: this bundle supports Siteaccess, so each Siteaccess can have a different authentication method.

# config/packages/nova_ez2fa.yaml

nova_ez2fa:
    system:
        # Available mobile methods - google, totp, microsoft or null.
        # If microsoft is selected the totp mechanism is still used but the config is forced and static so Microsoft Authenticator app can be used.
        # Email method can also be enabled or disabled for each siteaccess
        # If 2fa_force_setup is true then the User must always set up 2FA upon authentication and reset function is off
        default:
            2fa_mobile_method: google
            2fa_email_method_enabled: true
            2fa_force_setup: false
        site:
            2fa_mobile_method: totp
            # if microsoft method set - the config is forced to: algorithm: sha1, period: 30, digits: 6
            config:
                algorithm: sha1 #(md5, sha1, sha256, sha512)
                period: 30
                digits: 6
            2fa_email_method_enabled: true
            2fa_force_setup: false
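As an added example (not code from the bundle or its authors), the following Python verifier shows what the `algorithm`, `period` and `digits` values in nova_ez2fa.yaml and the `window` value in scheb_two_factor.yaml actually control, together with the forced parameters the README gives for the microsoft method. The `effective_totp_config` helper, the function names and the RFC 6238 test secret used in the comments are assumptions of this example, not part of the bundle.

```python
# Added example (not part of the bundle): a minimal RFC 6238 TOTP verifier
# exposing the same knobs as the bundle's configuration: `algorithm`,
# `period`, `digits` (nova_ez2fa.yaml) and `window` (scheb_two_factor.yaml),
# plus the forced parameters the README documents for the "microsoft" method.
import hashlib
import hmac
import struct

# Parameters the README says are forced when 2fa_mobile_method is "microsoft".
MICROSOFT_FORCED = {"algorithm": "sha1", "period": 30, "digits": 6}


def effective_totp_config(mobile_method: str, config: dict) -> dict:
    """Hypothetical helper applying the README rule: 'microsoft' ignores
    the per-siteaccess config block, any other method uses it (with defaults)."""
    if mobile_method == "microsoft":
        return dict(MICROSOFT_FORCED)
    return {"algorithm": config.get("algorithm", "sha1"),
            "period": config.get("period", 30),
            "digits": config.get("digits", 6)}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    The secret is the raw key; authenticator apps receive it base32-encoded in the QR code."""
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept `code` if it matches the current time step or any of `window`
    steps on either side, which is what the bundle's `window` setting controls.
    A larger window tolerates more clock drift but widens the guessing target."""
    counter = timestamp // period
    for step in range(-window, window + 1):
        candidate = hotp(secret, counter + step, digits, algorithm)
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(candidate, code):
            return True
    return False
```

With the RFC 6238 test secret `b"12345678901234567890"`, `totp(secret, 59)` yields the 6-digit code 287082 and `verify_totp` with `window=1` also accepts the code of the following 30-second step.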

Create the table in the database

See the file bundle/Resources/sql/schema.sql

Special note for HTTP cache

IMPORTANT!: for HTTP cache systems (e.g. Varnish or Fastly), the following logic should be implemented

if (req.url ~ "^/2fa") {
    return (pass);
}

and it should be added before the call ez_user_context_hash line.

We need it in order to avoid triggering the X User Hash mechanism when a /2fa request is sent, so that the /_fos_user_context_hash request does not return a 302 redirect response because of this bundle.

Upgrade notes

Manually removing the 2FA records of specific users

If some users need their 2FA records removed from the database so that they can log in without entering a 2FA code, run the following command acx:users:remove-2fa, specifying the user's login

php ezplatform/bin/console nova:2fa:remove-secret-key user_login

Note: if you have already set up 2FA for a user and plan to reset it via the corresponding link on the 2FA setup page, do not change the method of the current Siteaccess before resetting! In that case the secret key is assumed to be removed from the new method instead of the old one, so the reset will not work!