Links

This is a random selection of links related to my blog.

Personal Websites

Projects

scheb/two-factor-bundle   
A Symfony bundle providing two-factor authentication 

scheb/yahoo-finance-api  
A PHP library for Yahoo Finance API 

scheb/tombstone  
Dead code detection with tombstones for PHP

scheb/in-memory-data-storage  
A simple in-memory data storage for PHP

Open Apexx  
The open source distribution of my CMS from 2005

15 thoughts on “Links”

  • November 15, 2017 at 10:32
    Permalink

    Hi Christian,
    My name is Pawel.

    Thanks for the great bundles.

    I am developing a project that should have two-step authentication. I want to use your two-factor-bundle as the foundation for our authentication system.
    Do you support this bundle for the current Symfony versions (3.3, 3.4, 4.*)?

    You chose that, after authenticating by login & password, the user is fully authenticated to the Symfony security layer. Why do you not create a middle status for a user already authenticated by login & password?

    Reply
  • November 18, 2017 at 12:02
    Permalink

    Hi Pawel!

    Yes, two-factor-bundle supports the latest versions of Symfony. Just updated the composer.json to support the upcoming Symfony 4.0.

    The reason why the bundle is put on top of a fully-authenticated user is that I did not find any better solution until now. Introducing a new intermediate state is not possible (at least I did not find a way), because the existing states are hard-coded into the security layer and not really extensible.

    I did some experiments with a different integration a while ago. The goal was to get the bundle fully integrated into the security layer. I was trying to get some help from the Symfony developers to get the implementation right, but didn’t manage to get someone to help me. So it is somewhat stuck now. If you want to have a look at what I tried, there’s a branch with my results: https://github.com/scheb/two-factor-bundle/tree/firewall-integration

    Nevertheless the current implementation of the bundle is working, as long as you’re aware of its limitations.

    Reply
  • March 7, 2020 at 12:51
    Permalink

    Hi Scheb,

    I am a fan of your work and it’s amazing. I’m currently trying to figure out how to implement the Two-factor-bundle that you created. I did it successfully in a test project:
    https://gitlab.com/jp.fortuno/symfony-4-2fa.git

    I’m a symfony noob, I’m trying to implement it in one of my clients’ existing projects (but I’m a symfony noob). They are using Symfony 4.4 and PHP 7.2. What happens is that it creates an ‘infinite loop’ in the supports method of the project by redirecting the path 2fa back to login, then back to 2fa, etc. I can’t seem to implement it there. Can you help?

    Reply
  • March 8, 2020 at 12:55
    Permalink

    I tried your app and can’t find what’s wrong. After login, I’m shown the 2fa form, I’m providing my GoogleAuthenticator code and then I’m redirected to the admin page. No infinite loop :/

    Reply
    • March 8, 2020 at 14:43
      Permalink

      Yeah, the example I have tried works. I’m talking about one of my clients’ projects, which is bigger; do you think you could help? I have not shared the code for this one yet.

      Reply
      • March 8, 2020 at 15:07
        Permalink

        I suspect the 2fa path is not matching the firewall’s pattern. So when you access the 2fa form, the authentication token is not available, therefore it requires you to login. And login (which is within the firewall’s pattern) then redirects back to 2fa form, because you’re already logged in.

        Reply
  • March 9, 2020 at 05:32
    Permalink

    I’m not sure where that fails, I know this is not enough code but.. here’s a sample…


    use Psr\Log\LoggerInterface;
    use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
    use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
    use Symfony\Component\Security\Http\Util\TargetPathTrait;

    class FormLoginAuthenticator extends AbstractGuardAuthenticator implements PasswordAuthenticatedInterface
    {
        use TargetPathTrait;

        private $router;
        private $encoder;
        private $em;
        private $csrfTokenManager;

        /**
         * @var GoogleAuthenticatorInterface
         */
        private $googleAuthenticator;

        /**
         * @var LoggerInterface
         */
        private $loginLogger;

        // Only the login_check path is handled by this guard; every other request is left alone.
        public function supports(Request $request)
        {
            $this->loginLogger->info('path loaded : '.$request->getPathInfo());
            if ($request->getPathInfo() != '/login_check') {
                return false;
            }

            return true;
        }

        // [the remaining authenticator methods were not included in the comment]
    }


    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/user/*, roles: ROLE_MERCHANT }
        - { path: ^/api/merchant/*, roles: ROLE_MERCHANT }
        - { path: ^/api/test, roles: ROLE_MERCHANT }
        - { path: ^/api/watchdog, roles: ROLE_MERCHANT }
        - { path: ^/v1/*, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/create, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/forgotten-password, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/password/reset, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/password/change, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/%app.locales%/register/confirm, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/register/confirm, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_errors/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/*, roles: ROLE_MANAGER }
        - { path: ^/%app.locales%/admin/*, roles: ROLE_MANAGER }
        - { path: ^user/*, roles: ROLE_USER }
        - { path: ^/%app.locales%/user/*, roles: ROLE_USER }
        - { path: ^/merchant/*, roles: ROLE_USER }
        - { path: ^/%app.locales%/merchant/*, roles: ROLE_USER }
        - { path: ^/, roles: ROLE_USER }
        # This makes the logout route available during two-factor authentication, allows the user to cancel
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # This ensures that the form can only be accessed when two-factor authentication is in progress
        - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }

    role_hierarchy:
        ROLE_JEDI: [ROLE_MANAGER, ROLE_USER]
        ROLE_MERCHANT_MANAGER: [ROLE_USER, ROLE_MANAGER]
        ROLE_MERCHANT: [ROLE_USER, ROLE_MERCHANT]
        # ROLE_JEDI: [ROLE_ADMIN, ROLE_MERCHANT, ROLE_USER]
        # ROLE_ADMIN: [ROLE_MERCHANT, ROLE_USER]
        # ROLE_MERCHANT: [ROLE_USER]

    access_decision_manager:
        strategy: unanimous

    Reply
    • March 9, 2020 at 10:26
      Permalink

      Could you please provide your firewall configuration? Ideally, the whole security.yaml.

      Reply
      • March 10, 2020 at 07:08
        Permalink

        Hope you could open it. If you need more files from the project like the voters, or security controller or any other files, let me know.

        Reply
  • March 11, 2020 at 13:02
    Permalink

    What’s the easiest way to send the files to you?

    Reply
    • March 11, 2020 at 20:51
      Permalink

      Either post it here, create an issue on Github or send it to me via email to mail[at]christianscheb.de

      Reply
    • March 13, 2020 at 16:24
      Permalink

      “access_control” rules are checked in that exact order. Your configuration looks like this:


      [...]
      - { path: ^/, roles: ROLE_USER }
      - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
      - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS}

      “^/” with ROLE_USER will match any path. So when this rule is reached it definitely matches, therefore all the rules coming afterwards will not be evaluated. So your rules for logout and 2fa can never be checked. I suspect this is where the issue comes from. I’d recommend moving the rules for logout and 2fa up to the very top of the rule list, so that they’re checked first.

      Reply
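To make the first-match behaviour described above concrete, here is an added Python simulation (not code from the bundle or from either commenter) of how Symfony walks access_control top-down: it parses a fragment shaped like the quoted one, substitutes an assumed value for the %app.locales% parameter, returns the roles the first matching rule demands for a given path, and flags rules that an earlier catch-all already covers.

```python
import re

# Constructed fragments modelled on the access_control quoted above, not the commenter's full file:
# MISORDERED keeps the catch-all "^/" rule ahead of the logout and 2fa rules; FIXED moves those two up.
MISORDERED = """
    - { path: ^/%app.locales%/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/*, roles: ROLE_MANAGER }
    - { path: ^/, roles: ROLE_USER }
    - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS}
"""
FIXED = """
    - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS}
    - { path: ^/%app.locales%/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/*, roles: ROLE_MANAGER }
    - { path: ^/, roles: ROLE_USER }
"""
# Assumed value for the %app.locales% container parameter (the page does not show it).
PARAMS = {"app.locales": "(en|fr)"}

RULE_RE = re.compile(r"-\s*\{\s*path:\s*(?P<path>[^,\s]+)\s*,\s*roles?:\s*(?P<roles>[^}]+?)\s*\}")

def parse_rules(text, params=PARAMS):
    """Turn '- { path: ..., roles: ... }' lines into (regex, [roles]) pairs, in file order."""
    rules = []
    for m in RULE_RE.finditer(text):
        path = m.group("path")
        for name, value in params.items():
            path = path.replace("%" + name + "%", value)
        rules.append((re.compile(path), [r.strip() for r in m.group("roles").split(",")]))
    return rules

def required_roles(text, path_info):
    """Symfony applies the FIRST rule whose path regex matches (unanchored search); later rules are ignored."""
    for pattern, roles in parse_rules(text):
        if pattern.search(path_info):
            return roles
    return []  # no rule matched: access_control imposes no requirement on this path

def shadowed_rules(text):
    """Flag rules whose own literal path an earlier rule already matches, i.e. rules that can never fire.
    Only literal patterns (nothing but a leading '^') are probed; regex-style patterns are skipped."""
    rules, shadowed = parse_rules(text), []
    for i, (pattern, _) in enumerate(rules):
        probe = pattern.pattern.lstrip("^")
        if re.search(r"[\\.*+?()\[\]{}|$]", probe):
            continue
        for earlier, _ in rules[:i]:
            if earlier.search(probe):
                shadowed.append((pattern.pattern, earlier.pattern))
                break
    return shadowed
```

With MISORDERED, both "/2fa" and "/logout" resolve to ROLE_USER (the catch-all wins), which is exactly the redirect loop described in the thread; with FIXED they resolve to the intended attributes and no rule is reported as shadowed.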
      • March 15, 2020 at 18:04
        Permalink

        Awesome! And thanks a lot, I will try this early tomorrow morning.

        Reply
      • March 16, 2020 at 06:25
        Permalink

        True, indeed! The order under ‘access_control’ changed everything.

        In addition to this, I had to add the key ‘IS_AUTHENTICATED_2FA_IN_PROGRESS’ to my UserVoter file, which was checking a series of strings. I’m going to try and implement my own template now.

        Reply
