new: usr: implement the 2FA authentication (TOTP and backup codes) #4

2026-04-12 17:55:57 +02:00
parent 0144a3953c
commit fb8a54f687
23 changed files with 1603 additions and 266 deletions
--- a/config/bundles.php
+++ b/config/bundles.php
@@ -13,4 +13,5 @@ return [
    Pentatrion\ViteBundle\PentatrionViteBundle::class => ['all' => true],
    Webauthn\Bundle\WebauthnBundle::class => ['all' => true],
    Webauthn\Stimulus\WebauthnStimulusBundle::class => ['all' => true],
+    Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
 ];
--- a/config/packages/scheb_2fa.yaml
+++ b/config/packages/scheb_2fa.yaml
@@ -0,0 +1,13 @@
+scheb_two_factor:
+  security_tokens:
+    - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
+    - Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken
+
+  totp:
+    enabled: true
+    issuer: "Mine Seeker"
+    server_name: "Mine Seeker"
+    template: "Security/2fa.html.twig"
+
+  backup_codes:
+    enabled: true
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -17,6 +17,14 @@ security:
      lazy: true
      provider: app_user_provider
      user_checker: App\Security\UserChecker
+      two_factor:
+        check_path: 2fa_login_check
+        auth_form_path: 2fa_login
+        auth_code_parameter_name: _auth_code
+        post_only: true
+        default_target_path: MineSeekerBundle_homepage
+        prepare_on_login: true
+        prepare_on_access_denied: true
      form_login:
        login_path: MineSeekerBundle_login
        check_path: MineSeekerBundle_login
@@ -27,11 +35,9 @@ security:
      logout:
        path: MineSeekerBundle_logout
        target: MineSeekerBundle_homepage
-      remember_me:
-        secret: '%kernel.secret%'
-        lifetime: 604800
-        remember_me_parameter: _remember_me
+      switch_user: false

  access_control:
+    - { path: ^/2fa, roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }
    - { path: ^/api/webauthn/authentication/begin, roles: PUBLIC_ACCESS }
    - { path: ^/api/webauthn/authentication/complete, roles: PUBLIC_ACCESS }
--- a/config/routes/scheb_2fa.yaml
+++ b/config/routes/scheb_2fa.yaml
@@ -0,0 +1,11 @@
+2fa_login:
+    path: /2fa
+    defaults:
+        _controller: "scheb_two_factor.form_controller::form"
+    requirements:
+        _method: GET
+
+2fa_login_check:
+    path: /2fa_check
+    requirements:
+        _method: POST