2FA (TOTP and U2F) on a per user basis
Hello,
This is related to #404 :wink:
It would be great if both U2F and TOTP second factor authentication could be enabled on a per user basis.
Right now, when it is enabled, all users must use it (however some users do not have a U2F security key or a smartphone, so they cannot or do not want to add this second layer of security).
It's a good feature and should not be hard to achieve since we can extend the https://github.com/CakeDC/auth/blob/6.next/src/Authentication/DefaultU2fAuthenticationChecker.php
I've coded that in my app,
something like that:
Add a new field in the users table to hold this configuration
```php
// migration file
public function change()
{
    $table = $this->table('users');
    $table->addColumn('two_steps', 'boolean', [
        'default' => 0,
        'null' => false,
    ]);
    $table->update();
}
```
creating a new checker
```php
<?php
// src/Authentication/DefaultOneTimePasswordAuthenticationChecker.php
declare(strict_types=1);

namespace App\Authentication;

use CakeDC\Auth\Authentication\DefaultOneTimePasswordAuthenticationChecker as CakeDCAuthentication;

/**
 * Default class to check if two factor authentication is enabled and required
 *
 * @package App\Authentication
 */
class DefaultOneTimePasswordAuthenticationChecker extends CakeDCAuthentication
{
    /**
     * Check if two factor authentication is required for a user
     *
     * @param array $user user data
     *
     * @return bool
     */
    public function isRequired(?array $user = null)
    {
        // Required only when the plugin's own check passes and this user has two_steps set
        return parent::isRequired($user) && $user['two_steps'];
    }
}
```
Configuring your user.php to use the new checker
```php
$config = [
    'OneTimePasswordAuthenticator' => [
        // custom checker to skip 2FA by user settings
        'checker' => \App\Authentication\DefaultOneTimePasswordAuthenticationChecker::class,
    ],
];
```
this should be enough!
But I agree this should be added on the plugin itself =)
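Added example (not part of any comment in this thread and not CakeDC's own code): the same per-user idea applied to the U2F checker linked above, written so that a missing `two_steps` value keeps the second factor required instead of silently skipping it. The class name `PerUserU2fAuthenticationChecker` is hypothetical, the `is_superuser` column is assumed to exist in your users table, and the class is assumed to be registered through the plugin's U2F checker setting in the same way as the `OneTimePasswordAuthenticator` checker.

```php
<?php
// src/Authentication/PerUserU2fAuthenticationChecker.php (hypothetical file name)
declare(strict_types=1);

namespace App\Authentication;

use CakeDC\Auth\Authentication\DefaultU2fAuthenticationChecker as CakeDCU2fChecker;

class PerUserU2fAuthenticationChecker extends CakeDCU2fChecker
{
    /**
     * Check if U2F is required for this user.
     *
     * @param array|null $user user data
     * @return bool
     */
    public function isRequired(?array $user = null)
    {
        // Defer to the plugin's own check first; if it says no, nothing changes.
        if (!parent::isRequired($user)) {
            return false;
        }
        $user = $user ?? [];

        // Privileged accounts cannot opt out (assumed column: is_superuser).
        if (!empty($user['is_superuser'])) {
            return true;
        }

        // Fail closed: if two_steps was not loaded with the user data
        // (migration not applied, finder that selects only some columns),
        // keep requiring the second factor rather than skipping it.
        if (!array_key_exists('two_steps', $user)) {
            return true;
        }

        return (bool)$user['two_steps'];
    }
}
```

With this shape, a user row that lacks the flag behaves like the plugin's default (2FA for everyone), so a schema or query mistake cannot quietly turn the second factor off.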
@viniciusbig solution works like a charm, even with latest CakeDC/Users 11 version 👍🏻 Thank you very much!