Try making authenticator priority configurable

scheb · scheb · commit 9ea8e312c782 · 2025-03-22T17:27:56.000+01:00
diff --git a/app/config/packages/scheb_2fa.yaml b/app/config/packages/scheb_2fa.yaml
@@ -52,6 +52,8 @@ scheb_two_factor:
     security_tokens:
         - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
 
+    authenticator_priority: -50
+
     # A list of IP addresses, which will not trigger two-factor authentication
     ip_whitelist:
        - 127.0.0.2 # Used for testing
diff --git a/doc/configuration.rst b/doc/configuration.rst
@@ -78,6 +78,9 @@ Bundle Configuration
            - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
            - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken
 
+       # Priority of the TwoFactorAuthenticator within Symfony's firewall
+       authenticator_priority: 0
+
        # A list of IP addresses or netmasks, which will not trigger two-factor authentication.
        # Supports IPv4, IPv6 and IP subnet masks.
        ip_whitelist:
diff --git a/src/bundle/DependencyInjection/Configuration.php b/src/bundle/DependencyInjection/Configuration.php
@@ -55,6 +55,7 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->prototype('scalar')->end()
                 ->end()
                 ->scalarNode('ip_whitelist_provider')->defaultValue('scheb_two_factor.default_ip_whitelist_provider')->end()
+                ->scalarNode('authenticator_priority')->defaultValue(0)->end()
                 ->scalarNode('two_factor_token_factory')->defaultValue('scheb_two_factor.default_token_factory')->end()
                 ->scalarNode('two_factor_provider_decider')->defaultValue('scheb_two_factor.default_provider_decider')->end()
                 ->scalarNode('two_factor_condition')->defaultNull()->end()
diff --git a/src/bundle/DependencyInjection/Factory/Security/TwoFactorFactory.php b/src/bundle/DependencyInjection/Factory/Security/TwoFactorFactory.php
@@ -57,8 +57,10 @@ class TwoFactorFactory implements FirewallListenerFactoryInterface, Authenticato
     public const KERNEL_ACCESS_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.access_listener';
     public const FORM_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.form_listener';
 
-    public function __construct(private readonly TwoFactorServicesFactory $twoFactorServicesFactory)
-    {
+    public function __construct(
+        private readonly ContainerBuilder $container,
+        private readonly TwoFactorServicesFactory $twoFactorServicesFactory,
+    ) {
     }
 
     public function addConfiguration(NodeDefinition $builder): void
@@ -169,6 +171,6 @@ public function getKey(): string
 
     public function getPriority(): int
     {
-        return 0;
+        return $this->container->getParameter('scheb_two_factor.authenticator_priority');
     }
 }
diff --git a/src/bundle/DependencyInjection/SchebTwoFactorExtension.php b/src/bundle/DependencyInjection/SchebTwoFactorExtension.php
@@ -31,6 +31,7 @@ public function load(array $configs, ContainerBuilder $container): void
         $container->setParameter('scheb_two_factor.model_manager_name', $config['model_manager_name']);
         $container->setParameter('scheb_two_factor.security_tokens', $config['security_tokens']);
         $container->setParameter('scheb_two_factor.ip_whitelist', $config['ip_whitelist']);
+        $container->setParameter('scheb_two_factor.authenticator_priority', $config['authenticator_priority']);
 
         $loader = new Loader\PhpFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
         $loader->load('security.php');
diff --git a/src/bundle/SchebTwoFactorBundle.php b/src/bundle/SchebTwoFactorBundle.php
@@ -30,7 +30,7 @@ public function build(ContainerBuilder $container): void
         $extension = $container->getExtension('security');
         assert($extension instanceof SecurityExtension);
 
-        $securityFactory = new TwoFactorFactory(new TwoFactorServicesFactory());
+        $securityFactory = new TwoFactorFactory($container, new TwoFactorServicesFactory());
         $extension->addAuthenticatorFactory($securityFactory);
     }
 }
diff --git a/tests/DependencyInjection/Factory/Security/TwoFactorFactoryTest.php b/tests/DependencyInjection/Factory/Security/TwoFactorFactoryTest.php
@@ -35,7 +35,7 @@ class TwoFactorFactoryTest extends TestCase
     public function setUp(): void
     {
         $this->servicesFactory = $this->createMock(TwoFactorServicesFactory::class);
-        $this->factory = new TwoFactorFactory($this->servicesFactory);
+        $this->factory = new TwoFactorFactory($this->servicesFactory, 0);
         $this->container = new ContainerBuilder();
         $this->container->setDefinition('scheb_two_factor.firewall_context', new Definition());
     }
diff --git a/tests/DependencyInjection/SchebTwoFactorExtensionTest.php b/tests/DependencyInjection/SchebTwoFactorExtensionTest.php
@@ -65,6 +65,7 @@ public function load_emptyConfig_setDefaultValues(): void
             'Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken',
         ], 'scheb_two_factor.security_tokens');
         $this->assertHasParameter([], 'scheb_two_factor.ip_whitelist');
+        $this->assertHasParameter(0, 'scheb_two_factor.authenticator_priority');
     }
 
     /**
@@ -100,6 +101,7 @@ public function load_fullConfig_setConfigValues(): void
         $this->assertHasParameter('/cookie-path', 'scheb_two_factor.trusted_device.cookie_path');
         $this->assertHasParameter(['Symfony\Component\Security\Core\Authentication\Token\SomeToken'], 'scheb_two_factor.security_tokens');
         $this->assertHasParameter(['127.0.0.1', '10.0.0.0/8', '192.168.0.0/16'], 'scheb_two_factor.ip_whitelist');
+        $this->assertHasParameter(-50, 'scheb_two_factor.authenticator_priority');
     }
 
     /**
@@ -649,6 +651,7 @@ private function getFullConfig(): array
     - 127.0.0.1
     - ['10.0.0.0/8', '192.168.0.0/16']
 ip_whitelist_provider: acme_test.ip_whitelist_provider
+authenticator_priority: -50
 two_factor_token_factory: acme_test.two_factor_token_factory
 two_factor_provider_decider: acme_test.two_factor_provider_decider
 two_factor_condition: acme_test.two_factor_condition
diff --git a/tests/SchebTwoFactorBundleTest.php b/tests/SchebTwoFactorBundleTest.php
@@ -28,6 +28,13 @@ public function build_initializeBundle_addCompilerPass(): void
             $this->isInstanceOf(MailerCompilerPass::class),
         ];
 
+        // Expect parameter to be read
+        $containerBuilder
+            ->expects($this->any())
+            ->method('getParameter')
+            ->with('scheb_two_factor.authenticator_priority')
+            ->willReturn(0);
+
         // Expect compiler pass to be added
         $containerBuilder
             ->expects($this->exactly(count($compilerPasses)))

Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,10 @@ class TwoFactorFactory implements FirewallListenerFactoryInterface, Authenticato`
`57`	`57`	`public const KERNEL_ACCESS_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.access_listener';`
`58`	`58`	`public const FORM_LISTENER_DEFINITION_ID = 'scheb_two_factor.security.form_listener';`
`59`	`59`
`60`		`- public function __construct(private readonly TwoFactorServicesFactory $twoFactorServicesFactory)`
`61`		`- {`
	`60`	`+ public function __construct(`
	`61`	`+ private readonly ContainerBuilder $container,`
	`62`	`+ private readonly TwoFactorServicesFactory $twoFactorServicesFactory,`
	`63`	`+ ) {`
`62`	`64`	`}`
`63`	`65`
`64`	`66`	`public function addConfiguration(NodeDefinition $builder): void`
`@@ -169,6 +171,6 @@ public function getKey(): string`
`169`	`171`
`170`	`172`	`public function getPriority(): int`
`171`	`173`	`{`
`172`		`- return 0;`
	`174`	`+ return $this->container->getParameter('scheb_two_factor.authenticator_priority');`
`173`	`175`	`}`
`174`	`176`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ public function build(ContainerBuilder $container): void`
`30`	`30`	`$extension = $container->getExtension('security');`
`31`	`31`	`assert($extension instanceof SecurityExtension);`
`32`	`32`
`33`		`- $securityFactory = new TwoFactorFactory(new TwoFactorServicesFactory());`
	`33`	`+ $securityFactory = new TwoFactorFactory($container, new TwoFactorServicesFactory());`
`34`	`34`	`$extension->addAuthenticatorFactory($securityFactory);`
`35`	`35`	`}`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ class TwoFactorFactoryTest extends TestCase`
`35`	`35`	`public function setUp(): void`
`36`	`36`	`{`
`37`	`37`	`$this->servicesFactory = $this->createMock(TwoFactorServicesFactory::class);`
`38`		`- $this->factory = new TwoFactorFactory($this->servicesFactory);`
	`38`	`+ $this->factory = new TwoFactorFactory($this->servicesFactory, 0);`
`39`	`39`	`$this->container = new ContainerBuilder();`
`40`	`40`	`$this->container->setDefinition('scheb_two_factor.firewall_context', new Definition());`
`41`	`41`	`}`