novactive / ez2fabundle
Novactive eZ 2FA Bundle is an eZ Platform bundle that adds two-factor authentication to your eZ Platform project.
Requires
- php: ^7.3
- bacon/bacon-qr-code: ^2.0
- scheb/2fa-backup-code: ^5.0
- scheb/2fa-bundle: ^5.0
- scheb/2fa-email: ^5.0
- scheb/2fa-google-authenticator: ^5.0
- scheb/2fa-totp: ^5.0
- scheb/2fa-trusted-device: ^5.0
Requires (Dev)
- phpunit/phpunit: ^9.5
This package is auto-updated.
Last update: 2024-09-17 07:36:51 UTC
README
This repository is a so-called "subtree split": a read-only copy of one directory of the main repository. It exists so that Composer can let developers depend on this specific bundle.
If you want to report an issue or contribute, open an issue on the main repository: https://github.com/Novactive/Nova-eZPlatform-Bundles
Documentation is available through the .md files in this repository, and it is also published here: https://novactive.github.io/Nova-eZPlatform-Bundles/master/2FABundle/README.md.html
Novactive eZ 2FA Bundle provides two-factor authentication for your ezplatform/ibexa project.
Installation
Requirements
- eZ Platform 3.1+
- PHP 7.3+ (the package declares php: ^7.3)
Using Composer
Add the library to your project and install its dependencies by running:
```shell
composer require novactive/ez2fabundle
```
Register the bundle
Then register the bundle (and the scheb/2fa bundle it builds on) in the application's config/bundles.php:
```php
// config/bundles.php
return [
    // ...
    Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
    Novactive\Bundle\eZ2FABundle\NovaeZ2FABundle::class => ['all' => true],
];
```
Add the routes
Make sure this route resource is added to your routing configuration:
```yaml
# config/routes.yaml
_novaez2fa_routes:
    resource: '@NovaeZ2FABundle/Resources/config/routing.yaml'
```
Update the security configuration
Add a two_factor section to the front firewall and the access_control rules below. Symfony evaluates access_control top to bottom and applies only the first rule whose path matches, so keep the 2fa rules above any broader rule (for example a ^/admin rule requiring ROLE_ADMIN); a user who is mid-2FA only carries IS_AUTHENTICATED_2FA_IN_PROGRESS and would otherwise be denied access to the 2FA form itself. For the same reason, a second rule for an already-matched path (the duplicate ^/logout and ^/_fos_user_context_hash entries below) is never reached.
```yaml
# config/security.yaml
security:
    # ...
    firewalls:
        # ...
        ezpublish_front:
            pattern: ^/
            user_checker: eZ\Publish\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            ezpublish_rest_session: ~
            form_login:
                require_previous_session: false
                csrf_token_generator: security.csrf.token_manager
            logout: ~
            two_factor:
                auth_form_path: 2fa_login                # The route name you have used in the routes.yaml
                check_path: 2fa_login_check              # The route name you have used in the routes.yaml
                default_target_path: /                   # Where to redirect by default after successful authentication
                always_use_default_target_path: true     # If it should always redirect to default_target_path
    # ...
    access_control:
        - { path: ^/_fos_user_context_hash, role: PUBLIC_ACCESS }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: 2fa_setup$, role: ROLE_USER }
        - { path: 2fa_reset$, role: ROLE_USER }
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/_fos_user_context_hash, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
```
Add the new configuration
The values can be adjusted to the project's requirements.
```yaml
# config/packages/scheb_two_factor.yaml
scheb_two_factor:
    backup_codes:
        enabled: '%nova_ez2fa.backup_codes.enabled%'                   # Reading the value from the nova_ez2fa.backup_codes.enabled value in parameters section
        manager: Novactive\Bundle\eZ2FABundle\Core\BackupCodeManager  # This should either remain or be replaced with another one developed for that purpose
    google:
        enabled: true
        server_name: Local Ez Server                 # Server name used in QR code
        issuer: EzIssuer                             # Issuer name used in QR code
        digits: 6                                    # Number of digits in authentication code
        window: 1                                    # How many codes before/after the current one would be accepted as valid
        template: "@ezdesign/2fa/auth.html.twig"     # Template for the 2FA login page

    # TOTP Authenticator config
    totp:
        enabled: true                                # If TOTP authentication should be enabled, default false
        server_name: Server Name                     # Server name used in QR code
        issuer: TOTP Issuer                          # Issuer name used in QR code
        window: 1                                    # How many codes before/after the current one would be accepted as valid
        template: "@ezdesign/2fa/auth.html.twig"     # Template used to render the authentication form

    # Trusted device feature
    trusted_device:
        enabled: true                                # If the trusted device feature should be enabled
        # manager: acme.custom_trusted_device_manager  # Use a custom trusted device manager
        lifetime: 259200                             # Lifetime of the trusted device token, in seconds
        extend_lifetime: false                       # Automatically extend lifetime of the trusted cookie on re-login
        cookie_name: trusted_device                  # Name of the trusted device cookie
        cookie_secure: true                          # Set the 'Secure' (HTTPS Only) flag on the trusted device cookie
        cookie_same_site: "lax"                      # The same-site option of the cookie, can be "lax", "strict" or null
        # cookie_domain: ""                          # Domain to use when setting the cookie, fallback to the request domain if not set
        cookie_path: "/"                             # Path to use when setting the cookie

    email:
        enabled: true                                # If email authentication should be enabled, default false
        mailer: Novactive\Bundle\eZ2FABundle\Core\AuthCodeMailer                # Use alternative service to send the authentication code
        code_generator: Novactive\Bundle\eZ2FABundle\Core\EmailCodeGenerator   # Use alternative service to generate authentication code
        sender_email: me@example.com                 # Sender email address
        sender_name: John Doe                        # Sender name
        digits: 6                                    # Number of digits in authentication code
        template: "@ezdesign/2fa/auth.html.twig"     # Template used to render the authentication form

    # The security token classes, which trigger two-factor authentication.
    # By default the bundle only reacts to Symfony's username+password authentication. If you want to enable
    # two-factor authentication for other authentication methods, add their security token classes.
    # See the configuration reference at https://github.com/scheb/two-factor-bundle/blob/4.x/Resources/doc/configuration.md
    security_tokens:
        - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        # If you're using guard-based authentication, you have to use this one:
        # - Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken
        # If you're using authenticator-based security (introduced in Symfony 5.1), you have to use this one:
        # - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken

# Whether to use the backup codes or not should be specified here in parameters section, then used in scheb_two_factor.backup_codes
# It's done this way in order to let the user customize if the backup codes should be generated or not
parameters:
    nova_ez2fa.backup_codes.enabled: true
```
If the email method is enabled, the MAILER_DSN environment variable must be set in the .env file.
For the full scheb_two_factor reference, see: https://github.com/scheb/two-factor-bundle/blob/4.x/Resources/doc/configuration.md (note that this bundle depends on scheb/2fa-bundle ^5.0, so check the documentation of the scheb/2fa version you actually have installed where it differs from the linked 4.x page).
Note: this bundle is Siteaccess-aware, so each Siteaccess can use a different authentication method.
```yaml
# config/packages/nova_ez2fa.yaml
nova_ez2fa:
    system:
        # Available mobile methods - google, totp, microsoft or null.
        # If microsoft is selected the totp mechanism is still used but the config is forced and static so Microsoft Authenticator app can be used.
        # Email method can also be enabled or disabled for each siteaccess
        # If 2fa_force_setup is true then the User must always set up 2FA upon authentication and reset function is off
        default:
            2fa_mobile_method: google
            2fa_email_method_enabled: true
            2fa_force_setup: false
        site:
            2fa_mobile_method: totp
            # if microsoft method set - the config is forced to: algorithm: sha1, period: 30, digits: 6
            config:
                algorithm: sha1   # (md5, sha1, sha256, sha512)
                period: 30
                digits: 6
            2fa_email_method_enabled: true
            2fa_force_setup: false
```
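The algorithm, period and digits values in the config block above, together with the window setting in scheb_two_factor.yaml, are the standard RFC 6238 TOTP parameters. The following Python script is an added example and is not code from the Novactive bundle or from scheb/2fa: it implements TOTP verification from scratch so the effect of each setting can be seen, and models the documented rule that the "microsoft" mobile method forces sha1 / 30 / 6. The secret is the RFC 6238 Appendix B reference secret (the ASCII string 12345678901234567890, base32-encoded), used here as a constructed input; the effective_totp_config helper and its fallback to the same defaults for unset keys are assumptions made for illustration, not the bundle's logic.

```python
"""Added example (not part of the Novactive bundle or scheb/2fa): an RFC 6238 TOTP
verifier that makes the `algorithm` / `period` / `digits` / `window` settings concrete."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B reference secret: ASCII "12345678901234567890", base32-encoded.
# Constructed test input only; a real secret is generated per user when the QR code is issued.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Values the README says the "microsoft" mobile method forces so Microsoft Authenticator can scan the QR code.
MICROSOFT_FORCED_CONFIG = {"algorithm": "sha1", "period": 30, "digits": 6}


def _decode_base32(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating the missing '=' padding used in otpauth:// URIs."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    digestmod = getattr(hashlib, algorithm)  # md5 / sha1 / sha256 / sha512, as listed in the `config` block
    mac = hmac.new(_decode_base32(secret_b32), struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, timestamp // period, digits, algorithm)


def verify_totp(secret_b32: str, submitted: str, timestamp: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> Optional[int]:
    """Accept `submitted` if it matches the current time step or any of the `window`
    steps before/after it (scheb's `window: 1` therefore means three candidate codes).
    Returns the matching step offset (-window..+window) or None.
    hmac.compare_digest avoids a timing side channel on the code comparison."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current_step = timestamp // period
    for offset in range(-window, window + 1):
        candidate = hotp(secret_b32, current_step + offset, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):
            return offset
    return None


def effective_totp_config(mobile_method: str, configured: dict) -> dict:
    """Model of the documented siteaccess rule: 'microsoft' ignores `config` and forces
    sha1 / 30 / 6, while 'totp' uses `config`. Filling unset keys with the same defaults
    is an assumption made in this example, not documented bundle behaviour."""
    if mobile_method == "microsoft":
        return dict(MICROSOFT_FORCED_CONFIG)
    return {**MICROSOFT_FORCED_CONFIG, **configured}


if __name__ == "__main__":
    now = int(time.time())
    cfg = effective_totp_config("totp", {"algorithm": "sha256", "period": 30, "digits": 8})
    code = totp(RFC_TEST_SECRET_B32, now, cfg["period"], cfg["digits"], cfg["algorithm"])
    print("current code:", code, "-> matched offset", verify_totp(RFC_TEST_SECRET_B32, code, now, 1, **cfg))
```

Two practical consequences follow from the code: raising window widens the time during which a stolen code is usable (window 1 with period 30 already accepts a code for up to 90 seconds), and neither the window setting nor this verifier stops a code that was already accepted from being replayed inside that span, so a production verifier should also remember the last accepted time step per user and reject anything at or before it.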
Create the table in the database
See the file bundle/Resources/sql/schema.sql.
Special note for HTTP caches
Important: for HTTP caching systems such as Varnish or Fastly, the following logic must be implemented:
```vcl
if (req.url ~ "^/2fa") {
    return (pass);
}
```
It must be placed before the `call ez_user_context_hash` line.
This is needed so that requests to /2fa do not trigger the X-User-Hash mechanism: otherwise the /_fos_user_context_hash lookup the cache performs would be answered with a 302 redirect to the 2FA form because of this bundle, instead of the user hash.
Upgrade notes
Manually removing the 2FA records of specific users
If some users need their 2FA records removed from the database so they can log in without entering a 2FA code, run the removal console command with the user's login name. The text of this README names the command acx:users:remove-2fa while the invocation shown below uses nova:2fa:remove-secret-key; if one of them is not found, list the registered commands with `bin/console list` to find the name in your installed version.
```shell
php ezplatform/bin/console nova:2fa:remove-secret-key user_login
```
Note: if you have already set up 2FA for a user and plan to reset it through the corresponding link on the 2FA setup page, do not change the current Siteaccess's method before resetting. In that case the secret key is assumed to belong to the new method rather than the old one, the reset tries to remove it from the new method, and the reset therefore does not work.