scheb/two-factor-bundle

Extended support for various pre login checks

simonberger opened this issue · 5 comments

I have some requirements for processes running before the user is fully logged into the application. They can all be considered as multi authentication steps, but not in the ordinary way we look at Two Factor Authentication. So I had a test with this bundle to add a multi authentication with an EULA form beside the normal TOTP auth. Up to this point it works, but the current state of this bundle is rather limited to the scenario of a simple code-based authentication with the one parameter passable to validateAuthenticationCode. This makes it complicated or impossible to add some more advanced forms.
Do you already know of some uses of this package in this area and / or are you interested to open it in this direction?
For the mentioned part of the potential extensions, passing the whole request object to validateAuthenticationCode would be helpful. I had just a quick look into the code and saw that this might not be (easily) possible, as the request seems not to be available at this point anymore.

scheb commented

Hey there!

No, I don't know any such use-cases and I actually believe it's a bit of a misuse of the bundle. I don't see the immediate need to extend the interface to provide the whole request object, because for the principle of two-factor authentication ("challenge -> answer") this simple interface works well (at least it did all the years the bundle has existed).

So I'll not keep you from implementing it that way, I believe you can judge your implementation options better than me ;). If you need to get the entire request object to make things work, you still have the option to inject the request_stack service into your code and get it from there. $requestStack->getMasterRequest() is probably what you're looking for. Then you can get whatever data you need to make things work.

Hope this helps. Please understand I'm not going to introduce a breaking change for a use-case that's outside of what this bundle is supposed to do.
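As an added illustration of the request_stack approach scheb suggests (this is example code written for this page, not code from the issue author or from the bundle): a custom provider that treats "accept the current EULA" as an extra login step. The class and interface names (EulaAcceptanceProvider, EulaAwareUserInterface), the form field names (eula_accepted, eula_version) and the EULA version string are assumptions; the provider interface methods and the getMasterRequest() call are the bundle's and Symfony's existing API (Symfony 5.3+ names the latter getMainRequest()).

```php
<?php
// Added example, not part of the bundle or the issue. Names marked "assumed"
// are illustrative choices for this page.

namespace App\Security\TwoFactor;

use Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationContextInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\TwoFactorFormRendererInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\TwoFactorProviderInterface;
use Symfony\Component\HttpFoundation\RequestStack;

// Assumed user contract: the user entity records which EULA version it accepted.
interface EulaAwareUserInterface
{
    public function getAcceptedEulaVersion(): ?string;
    public function acceptEula(string $version): void;
}

final class EulaAcceptanceProvider implements TwoFactorProviderInterface
{
    /** @var RequestStack */
    private $requestStack;
    /** @var TwoFactorFormRendererInterface */
    private $formRenderer;
    /** @var string Version of the EULA every user must have accepted (assumed, e.g. "2020-03"). */
    private $currentEulaVersion;

    public function __construct(
        RequestStack $requestStack,
        TwoFactorFormRendererInterface $formRenderer,
        string $currentEulaVersion
    ) {
        $this->requestStack = $requestStack;
        $this->formRenderer = $formRenderer;
        $this->currentEulaVersion = $currentEulaVersion;
    }

    public function beginAuthentication(AuthenticationContextInterface $context): bool
    {
        // Interrupt the login only for users who have not accepted the current version.
        $user = $context->getUser();

        return $user instanceof EulaAwareUserInterface
            && $user->getAcceptedEulaVersion() !== $this->currentEulaVersion;
    }

    public function prepareAuthentication($user): void
    {
        // Nothing to prepare: there is no code to generate or send for this step.
    }

    public function validateAuthenticationCode($user, string $authenticationCode): bool
    {
        if (!$user instanceof EulaAwareUserInterface) {
            return false;
        }

        // The bundle hands over a single "code" field only. The form posts the EULA
        // version in that field so the bundle-level comparison still carries meaning.
        if (!hash_equals($this->currentEulaVersion, $authenticationCode)) {
            return false;
        }

        // Fetch the full request to read the remaining form fields (scheb's suggestion).
        // Use getMainRequest() on Symfony >= 5.3.
        $request = $this->requestStack->getMasterRequest();
        if (null === $request || !$request->isMethod('POST')) {
            return false;
        }

        // Treat every request-derived field as untrusted: require an explicit checkbox
        // and a strict match of the version the user saw against the current one.
        $accepted = $request->request->get('eula_accepted');          // assumed field name
        $seenVersion = (string) $request->request->get('eula_version', ''); // assumed field name

        if ('1' !== $accepted || !hash_equals($this->currentEulaVersion, $seenVersion)) {
            return false;
        }

        // Persisting the change (e.g. flushing the entity manager) is left to the
        // application, for instance in a listener on the bundle's success event.
        $user->acceptEula($this->currentEulaVersion);

        return true;
    }

    public function getFormRenderer(): TwoFactorFormRendererInterface
    {
        return $this->formRenderer;
    }
}
```

The provider is registered like any other custom provider of the bundle, with the scheb_two_factor.provider service tag and an alias. Two practical caveats: validateAuthenticationCode runs inside the bundle's authentication flow, so the request obtained from the stack is the same login request and must be validated as strictly as the code parameter (CSRF protection of the form is still handled by the bundle's form, not by this class); and since the bundle's interface only promises the code string, the extra fields are a convention between this provider and its form renderer, not something the bundle guarantees.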

Don't worry. The issue was mainly meant to ask about or give an idea for an extension of the scope of this bundle. I am aware that my use case is a bit beyond what it is meant for.

There isn't (or at least I don't know of) another bundle that enables us to do a task on an already authorized user without being able to call any other protected route.

Probably another package providing a similar "login interruption" with a less specific interface and use case would be interesting.

scheb commented

Probably another package providing a similar "login interruption" with a less specific interface and use case would be interesting.

Interesting idea, I have to think about that 🤔

I actually believe such a mechanism should be part of the security-bundle, but it doesn't, so the bundle is working around this limitation on multiple corners. I remember there used to be a discussion somewhere in the Symfony issue space around extending the security-bundle into such a direction, but so far haven't seen any progress.

I actually believe such a mechanism should be part of the security-bundle, but it doesn't, so the bundle is working around this limitation on multiple corners. I remember there used to be a discussion somewhere in the Symfony issue space around extending the security-bundle into such a direction, but so far haven't seen any progress.

I absolutely agree with your opinion. I also read this or a similar Symfony issue some time ago but didn't find it again on a short search recently.

Update:
I think it was this symfony/symfony#28868

scheb commented

That one and then there's this one: symfony/symfony#30914

Actually just found some other cross-linked issue symfony/symfony#35860 which worries me a bit, since this would break essential mechanics of this bundle. Thankfully, someone already pointed out the dependency.

Well, let's see.