feat: Initial 2FA implementation with Scheb\TwoFactorBundle

composer.json

@@ -52,6 +52,10 @@
         "psr/container": "2.*",
         "psr/log": "3.0.2 as 1.1.4",
         "ramsey/uuid-doctrine": "2.*",
+        "scheb/2fa-bundle": "^7.11.0",
+        "scheb/2fa-backup-code": "^7.11.0",
+        "scheb/2fa-google-authenticator": "^7.11.0",
+        "scheb/2fa-totp": "^7.11.0",
         "stof/doctrine-extensions-bundle": "^1.7",
         "symfony/apache-pack": "^1.0",
         "symfony/asset": "7.2.*",

config/bundles.php

@@ -25,4 +25,5 @@
     Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
     BabDev\PagerfantaBundle\BabDevPagerfantaBundle::class => ['all' => true],
     Stof\DoctrineExtensionsBundle\StofDoctrineExtensionsBundle::class => ['all' => true],
+    Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
 ];

config/packages/scheb_2fa.yaml

@@ -0,0 +1,23 @@
+# config/packages/scheb_2fa.yaml
+scheb_two_factor:
+    backup_codes:
+        enabled: true
+    totp:
+        enabled: true                  # If TOTP authentication should be enabled, default false
+        server_name: bewelcome.com     # Server name used in QR code
+        issuer: BeWelcome              # Issuer name used in QR code
+        leeway: 60                     # Acceptable time drift in seconds, must be less or equal than the TOTP period
+        parameters:                    # Additional parameters added in the QR code
+            # image: 'https://my-service/img/logo.png'
+            image: 'https://miro.medium.com/v2/resize:fill:128:128/1*65AfOY_oNSTe2G1bFMwQ4A.jpeg'
+        template: security/2fa_form.html.twig
+    google:
+        enabled: true
+        server_name: bewelcome.com     # Server name used in QR code
+        issuer: BeWelcome              # Issuer name used in QR code
+        leeway: 60                     # Acceptable time drift in seconds, must be less or equal than the TOTP period
+        template: security/2fa_form.html.twig
+    security_tokens:
+        # - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
+        # Symfony 7.2 default enable_authenticator_manager, per profiler _security_skipped_authenticators
+        - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken

config/packages/security.yaml

@@ -66,7 +66,12 @@ security:
 
 #            access_denied_handler: App\Security\AccessDeniedHandler
 
+            two_factor:
+                auth_form_path: 2fa_login
+                check_path: 2fa_login_check
+
     access_control:
+        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
         - { path: ^/$, roles: PUBLIC_ACCESS }
         - { path: ^/login, roles:  PUBLIC_ACCESS }
         - { path: ^/about, roles:  PUBLIC_ACCESS }
@@ -98,6 +103,7 @@ security:
         - { path: ^/members/avatar/, roles: PUBLIC_ACCESS }
         - { path: ^/deleteprofile, roles: PUBLIC_ACCESS }
         - { path: ^/password/check, roles: PUBLIC_ACCESS }
+        - { path: ^/logout, roles:  PUBLIC_ACCESS }
         - { path: ^/admin, roles: ROLE_ADMIN }
         - { path: ^/api, roles: PUBLIC_ACCESS }
         - { path: ^/, roles: ROLE_USER }

config/routes/scheb_2fa.yaml

@@ -0,0 +1,9 @@
+# config/routes/scheb_2fa.yaml
+2fa_login:
+    path: /2fa
+    # "scheb_two_factor.form_controller" references the controller service provided by the bundle.
+    # You don't HAVE to use it, but - except you have very special requirements - it is recommended.
+    controller: "scheb_two_factor.form_controller::form"
+
+2fa_login_check:
+    path: /2fa_check

src/Entity/Member.php

@@ -25,6 +25,11 @@
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfiguration;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfigurationInterface;
+use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface;
+use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
  * @SuppressWarnings("PHPMD")
@@ -37,7 +42,8 @@ class Member
         \Serializable,
         UserInterface,
         PasswordHasherAwareInterface,
-        PasswordAuthenticatedUserInterface
+        PasswordAuthenticatedUserInterface,
+        TwoFactorInterface
 {
     public const ROLE_ADMIN_ACCEPTER = 'ROLE_ADMIN_ACCEPTER';
     public const ROLE_ADMIN_ADMIN = 'ROLE_ADMIN_ADMIN';
@@ -277,6 +283,21 @@ class Member
 
     private ?Language $preferredLanguage = null;
 
+    /**
+     * @ORM\Column(type="json")
+     */
+    private array $backupCodes = [];
+
+    /**
+     * @ORM\Column(type="string", nullable=true)
+     */
+    private ?string $totpSecret;
+
+    /**
+     * @ORM\Column(type="string", nullable=true)
+     */
+    private ?string $googleAuthenticatorSecret;
+
     public function __construct()
     {
         $this->addresses = new ArrayCollection();
@@ -1550,4 +1571,72 @@ public function getTranslatedFields(): Collection
     {
         return $this->translatedFields;
     }
+
+
+    /**
+     * Check if it is a valid backup code.
+     */
+    public function isBackupCode(string $code): bool
+    {
+        return in_array($code, $this->backupCodes);
+    }
+
+    /**
+     * Invalidate a backup code
+     */
+    public function invalidateBackupCode(string $code): void
+    {
+        $key = array_search($code, $this->backupCodes);
+        if ($key !== false){
+            unset($this->backupCodes[$key]);
+        }
+    }
+
+    /**
+     * Add a backup code
+     */
+    public function addBackUpCode(string $backUpCode): void
+    {
+        if (!in_array($backUpCode, $this->backupCodes)) {
+            $this->backupCodes[] = $backUpCode;
+        }
+    }
+
+    public function isTotpAuthenticationEnabled(): bool
+    {
+        return $this->totpSecret ? true : false;
+    }
+
+    public function getTotpAuthenticationUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function getTotpAuthenticationConfiguration(): ?TotpConfigurationInterface
+    {
+        // You could persist the other configuration options in the user entity to make it individual per user.
+        $period = 20;
+        $digits = 6;
+        return null !== $this->totpSecret ? new TotpConfiguration($this->totpSecret, TotpConfiguration::ALGORITHM_SHA1, $period, $digits) : null;
+    }
+
+    public function isGoogleAuthenticatorEnabled(): bool
+    {
+        return null !== $this->googleAuthenticatorSecret;
+    }
+
+    public function getGoogleAuthenticatorUsername(): string
+    {
+        return $this->username;
+    }
+
+    public function getGoogleAuthenticatorSecret(): ?string
+    {
+        return $this->googleAuthenticatorSecret;
+    }
+
+    public function setGoogleAuthenticatorSecret(?string $googleAuthenticatorSecret): void
+    {
+        $this->googleAuthenticatorSecret = $googleAuthenticatorSecret;
+    }
 }

templates/security/2fa_form.html.twig

@@ -0,0 +1,39 @@
+{% extends "base.html.twig" %}
+
+{% block body %}
+    <h1>Two-Factor Authentication</h1>
+
+    {% if authenticationError %}
+        <p class="error">{{ authenticationError|trans(authenticationErrorData, 'SchebTwoFactorBundle') }}</p>
+    {% endif %}
+
+    <form class="form" action="{{ checkPathUrl ? checkPathUrl: path(checkPathRoute) }}" method="post">
+        <p class="widget">
+            <label for="_auth_code">Enter authentication code for provider <code>{{ twoFactorProvider }}</code>:</label>
+            <input id="_auth_code" type="text" name="{{ authCodeParameterName }}" autocomplete="one-time-code" autofocus />
+            <button type="submit" name="submit-button">Send Code</button> or <a href="{{ logoutPath }}">Cancel 2FA</a>
+        </p>
+
+        {% if twoFactorProvider == "email" %}
+            <p>Hint: The current authentication code is: <code>{{ app.user.emailAuthCode }}</code></p>
+        {% endif %}
+
+        {% if displayTrustedOption %}
+            <p><label for="_trusted"><input id="_trusted" type="checkbox" name="{{ trustedParameterName }}" /> {{ "trusted"|trans({}, 'SchebTwoFactorBundle') }}</label></p>
+        {% endif %}
+
+        {% if availableTwoFactorProviders|length > 1 %}
+            <hr/>
+            <p>Choose authentication method:
+                {% for provider in availableTwoFactorProviders %}
+                    <a href="{{ path("2fa_login", {"preferProvider": provider}) }}">{{ provider }}</a>
+                    {% if not loop.last %}, {% endif %}
+                {% endfor %}
+            </p>
+        {% endif %}
+
+        {% if isCsrfProtectionEnabled %}
+            <input type="hidden" name="{{ csrfParameterName }}" value="{{ csrf_token(csrfTokenId) }}">
+        {% endif %}
+    </form>
+{% endblock %}