Since you obviously reached step "3) On login, do you reach the end (return statement) of method Scheb\TwoFactorBundle\Security\Authentication\Provider\AuthenticationProviderDecorator::authenticate()" from the troubleshooting guide: what is the class of $token that you see here in line 94? That class must be listed in security_tokens in the configuration.
from two-factor-bundle.
Hey Scheb, thanks for your reply! I've added my token to security_tokens and now I'm getting as far as step 5. The method is returning an array containing the string 'google'. The user does have a googleAuthenticatorSecret defined and the method isGoogleAuthenticatorSecretEnabled() in the User model does return true.
However I'm still not being prompted for the Google Authenticator code. Do you have any idea as to what could be the problem now?
What's the security token that you see in your session after login? Is it a TwoFactorToken or something else? You should see that in the debug toolbar.
And could you please post your security.yaml, thanks.
It is a TwoFactorToken.

```yaml
security:
    encoders:
        AppBundle\Entity\User: bcrypt

    # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username
        api_key_user_provider:
            id: AppBundle\Security\ApiKeyUserProvider

    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            # negative lookahead: every listed prefix is carved out of this firewall,
            # including /2fa and /2fa_check (discussed further down in the thread)
            pattern: ^(?!/api|/login$|/2fa|/2fa_check|/resetting)\S+
            logout_on_user_change: true
            stateless: false
            anonymous: ~
            form_login:
                default_target_path: dashboard
            logout: ~
            remember_me:
                secret: '%secret%'
            guard:
                authenticators:
                    - app.security.login_form_authenticator
            two_factor:
                csrf_token_generator: security.csrf.token_manager
                auth_form_path: 2fa_login # The route name you have used in the routes.yaml
                check_path: 2fa_login_check # The route name you have used in the routes.yaml

    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
```
That firewall pattern looks interesting. Could it be that the path you're ending up after login doesn't match the firewall pattern?
The path I end up in after login is the dashboard route, which does match the route specified in the firewall for form_login.
I updated the LoginFormAuthenticator to explicitly redirect the user to the 2fa_login_check route (even though this should depend on whether the user has 2fa enabled) and that seems to have helped, but now I'm getting an error saying that Symfony can't find the controller for the path /2fa_check.
Am I missing some config options for this route? I copied this from the installation instructions:

```yaml
2fa_login:
    path: /2fa
    defaults:
        _controller: "scheb_two_factor.form_controller:form"

# no controller here: POSTs to this path are consumed by the firewall's two_factor listener
2fa_login_check:
    path: /2fa_check
```
The check path is only accessible via POST; it is there to validate the 2fa code. You want to force the redirect to the 2fa_login route to display the 2fa form.
The bundle automatically redirects to the 2fa form whenever you try to access a path that is somehow "secured". Paths that are not within the firewall (don't match the pattern) and paths that are explicitly configured for anonymous access (IS_AUTHENTICATED_ANONYMOUSLY) don't do that redirect.
Alright, so I'm now displaying the 2fa_login form, but when I try to submit the code it's calling my default login authenticator and failing because it's setup to use username and password and not the auth_code for authentication. Is this normal? I would've expected the form to submit to a different authenticator to verify the validity of the auth_code.
No, that's not normal. I have no idea why your normal authenticator triggers. The requirements for that authenticator shouldn't be fulfilled.
Are you really posting the 2fa code against /2fa_check?
I am, this is my request header:
POST /2fa_check HTTP/1.1
Host: localhost:8000
Connection: keep-alive
Content-Length: 73
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8000/2fa
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=1rsbeqc2t7a9q8vtion1r5cmf0
POST data:
_auth_code: 191684
_csrf_token: pekDTEJjnHvtCocMtAOFNbBVeJxB9669aBIRGBq9Gdg
Response Header:
HTTP/1.1 302 Found
Cache-Control: max-age=0, must-revalidate, private
Content-Type: text/html; charset=UTF-8
Date: Fri, 16 Apr 2021 11:09:33 GMT
Date: Fri, 16 Apr 2021 11:09:33 GMT
Expires: Fri, 16 Apr 2021 11:09:33 GMT
Host: localhost:8000
Location: /login
Set-Cookie: sf_redirect=%7B%22token%22%3A%224f84b2%22%2C%22route%22%3A%222fa_login_check%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%22n%5C%2Fa%22%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly
X-Debug-Token: 4f84b2
X-Debug-Token-Link: http://localhost:8000/_profiler/4f84b2
X-Powered-By: PHP/7.2.24-0ubuntu0.18.04.7
Content-Length: 268
The redirect of course happens due to my default login authenticator getting called.
Do I maybe need to define explicitly what controller the route 2fa_check should use?
No, the /2fa_check path doesn't need a controller. It's handled completely by the firewall.
You should check where that redirect is coming from. What is causing the application to redirect back to the login form?
I suspect this is caused by your weird firewall pattern. I don't really understand what you're trying to achieve with that pattern. According to my understanding of the regex, this pattern would exclude the /2fa_check path from the firewall. If that's the case, that's definitely wrong. Both the /2fa and the /2fa_check path must be included in the firewall's pattern, otherwise the authentication process doesn't work.
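As an added check (this is not code from the issue or from the bundle), the following PHP script applies the firewall pattern from the security.yaml above to a few paths the way Symfony's RequestMatcher applies a firewall pattern (preg_match with the pattern wrapped in `{}` delimiters), beside a hypothetical replacement pattern that keeps only /api outside the firewall. The path list and the replacement pattern are assumptions made for the illustration:

```php
<?php
// Added example, not from the issue or from scheb/two-factor-bundle.
// Shows which request paths a Symfony firewall "pattern" covers, mirroring how
// Symfony's RequestMatcher evaluates it: preg_match('{' . $pattern . '}', $pathInfo).
declare(strict_types=1);

function firewallCovers(string $pattern, string $path): bool
{
    return preg_match('{' . $pattern . '}', rawurldecode($path)) === 1;
}

// The pattern from the issue. Every alternative inside the negative lookahead is
// carved OUT of the "main" firewall, so /2fa and /2fa_check never reach the
// two_factor listener and /login never reaches the guard authenticator.
$patternFromIssue = '^(?!/api|/login$|/2fa|/2fa_check|/resetting)\S+';

// Hypothetical replacement: keep only /api outside this firewall and leave the
// question of who may reach /login, /2fa and /resetting to access_control
// (the issue's security.yaml already grants anonymous access there).
$patternCorrected = '^(?!/api(/|$))';

// Constructed sample paths, taken from the routes mentioned in the thread.
$paths = ['/dashboard', '/login', '/2fa', '/2fa_check', '/resetting/request', '/api/users'];

printf("%-20s %-12s %-12s\n", 'path', 'issue', 'corrected');
foreach ($paths as $path) {
    printf(
        "%-20s %-12s %-12s\n",
        $path,
        firewallCovers($patternFromIssue, $path) ? 'in firewall' : 'EXCLUDED',
        firewallCovers($patternCorrected, $path) ? 'in firewall' : 'EXCLUDED'
    );
}
```

Run it with php on the command line. With the issue's pattern, /login, /2fa, /2fa_check and /resetting/request all come out as excluded and only /dashboard sits inside the firewall, which is the reading of the regex given above; with the replacement pattern, everything except /api/users is inside the firewall, so the 2fa form and the check path are handled by the firewall while anonymous access to /login and /resetting comes from access_control.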
Yeah that was a mistake, I've removed them from the firewall but the issue still persists.
The redirect is coming from LoginFormAuthenticator because of course it tries to authenticate the user with the username and password but it's not available because it's getting the post data from the 2fa form, so it only gets auth_code. So it then redirects the user to the login page and displays an error message.
The question is, why is LoginFormAuthenticator being called in the first place? Do I have to specify another authenticator on the firewall?
> The question is, why is LoginFormAuthenticator being called in the first place? Do I have to specify another authenticator on the firewall?
I can't tell you that. To my understanding, an authenticator is only called when its supports() method returns true.
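To illustrate that last point, here is an added example of a Symfony 4.4 Guard form-login authenticator (not the issue author's LoginFormAuthenticator and not bundle code) whose supports() only claims a POST to the login route, so a POST of _auth_code to /2fa_check is left to the firewall's two_factor listener. The route name app_login, the constructor wiring and the dashboard target route are assumptions; the failure path (redirect back to the login form with an error in the session) is what AbstractFormLoginAuthenticator does whenever an authenticator that returned true from supports() cannot authenticate the request, which matches the 302 to /login captured above:

```php
<?php
// Added example, not code from the issue author or from scheb/two-factor-bundle.
// Assumes Symfony 4.4 Guard, a login route named "app_login" (hypothetical) and
// the bundle's check path /2fa_check (route 2fa_login_check) being handled by the
// firewall's two_factor listener, as in the issue's security.yaml.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;

class LoginFormAuthenticator extends AbstractFormLoginAuthenticator
{
    public const LOGIN_ROUTE = 'app_login';      // hypothetical route name
    public const TARGET_ROUTE = 'dashboard';     // default_target_path from the issue's config

    private $urlGenerator;
    private $passwordEncoder;

    public function __construct(UrlGeneratorInterface $urlGenerator, UserPasswordEncoderInterface $passwordEncoder)
    {
        $this->urlGenerator = $urlGenerator;
        $this->passwordEncoder = $passwordEncoder;
    }

    // Guard calls this on EVERY request inside the firewall. If it returned true
    // for a POST to /2fa_check, the authenticator would take the 2fa code
    // submission away from the two_factor listener, find no _username/_password
    // and fail it with a redirect to the login form (the symptom in this issue).
    // Restricting to "POST on the login route" keeps the two flows apart.
    public function supports(Request $request): bool
    {
        return $request->isMethod('POST')
            && self::LOGIN_ROUTE === $request->attributes->get('_route');
    }

    public function getCredentials(Request $request): array
    {
        return [
            'username' => (string) $request->request->get('_username', ''),
            'password' => (string) $request->request->get('_password', ''),
        ];
    }

    // loadUserByUsername() throws UsernameNotFoundException for unknown users;
    // Guard turns that into onAuthenticationFailure() -> redirect to getLoginUrl().
    public function getUser($credentials, UserProviderInterface $userProvider): ?UserInterface
    {
        return $userProvider->loadUserByUsername($credentials['username']);
    }

    public function checkCredentials($credentials, UserInterface $user): bool
    {
        return $this->passwordEncoder->isPasswordValid($user, $credentials['password']);
    }

    // Redirect into the firewall. Because the target path matches the firewall,
    // the bundle intercepts this response and shows the 2fa form when the user
    // has a 2fa provider enabled; there is no need to redirect to 2fa routes here.
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey): RedirectResponse
    {
        return new RedirectResponse($this->urlGenerator->generate(self::TARGET_ROUTE));
    }

    protected function getLoginUrl(): string
    {
        return $this->urlGenerator->generate(self::LOGIN_ROUTE);
    }
}
```

A quick way to confirm which authenticator claimed a request is the Security panel of the profiler for the POST to /2fa_check: the token should remain a TwoFactorToken and no guard authenticator should be listed as having run; if the form-login authenticator appears there, its supports() matched the request.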
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.