TwoFactorAdminLogin
extends AuthPluginBase
in package
Table of Contents
Constants
- ERROR_ALREADY_EXISTING_USER = 120
- ERROR_AUTH_METHOD_INVALID = 30
- ERROR_INVALID_EMAIL = 110
- ERROR_IP_LOCKED_OUT = 98
- ERROR_LDAP_CONNECTION = 130
- ERROR_LDAP_MODE = 135
- ERROR_LDAP_NO_BIND = 160
- ERROR_LDAP_NO_EMAIL = 140
- ERROR_LDAP_NO_FULLNAME = 150
- ERROR_LDAP_NO_SEARCH_RESULT = 170
- ERROR_NONE = 0
- These constants reflect the error codes to be used by the identity, they are copied from LSUserIdentity and CBaseUserIdentity for easier access.
- ERROR_NOT_ADDED = 5
- ERROR_PASSWORD_INVALID = 20
- ERROR_UNKNOWN_HANDLER = 99
- ERROR_UNKNOWN_IDENTITY = 100
- ERROR_USERNAME_INVALID = 10
- LDAP_INVALID_PASSWORD_TEXT = "INVALID_PASSWORD-LDAP_USER"
Properties
- $allowedPublicMethods : mixed
- $_password : mixed
- $_username : mixed
- $description : mixed
- $name : mixed
- $settings : mixed
- $storage : mixed
- $o2FA : mixed
Methods
- afterLoginFormSubmit() : null
- Set username and password by post request
- afterSuccessfulLogin() : void
- If force 2FA login is enabled, redirect to the 2FA page
- beforeActivate() : void
- Register new table and populate it.
- beforeAdminMenuRender() : void
- Add menue to the top bar
- beforeDeactivate() : void
- Delete the created tables again
- deleteKeyForUserId() : string
- Deletes a users secret, effectively ending the 2FA login mechanism for that user CLI version.
- deleteKeyForUserName() : string
- Deletes a users secret, effectively ending the 2FA login mechanism for that user CLI version.
- direct() : void
- Event direct happen Usage : index --target=value [--function=] [--option=]
- directCallConfirmKey() : bool
- Checks a submitted authentication code and stores the underlaying secret key into the Database.
- directCallCreateNewKey() : string
- Renders modal content for creating a new 2FA key for a user.
- directCallDeleteKey() : bool
- Deletes a users secret, effectively ending the 2FA login mechanism for that user.
- getAuthMethodName() : string
- Returns the authentication method's name
- index() : string
- Renders a list of users including their 2FA settings To be called by fullpagewrapper
- init() : mixed
- newDirectRequest() : void
- Listen to direct requests Necessary for the getMetadata function
- newLoginForm() : void
- Add Two-Factor field to login page.
- newUserSession() : void
- Control if login is successful by checking the transmitted 2FA-token value
- remoteControlLogin() : null
- Set username and password by event
- setAuthFailure() : AuthPluginBase
- Set authentication result to failure.
- setAuthPlugin() : AuthPluginBase
- Set this plugin to handle the authentication
- setAuthSuccess() : AuthPluginBase
- Set authentication result to success for the given user object.
- userindex() : string
- Renders the user configuration page To be called by fullpagewrapper
- createJSONResponse() : bool
- Generates a printed JSON-Response
- getPassword() : string|null
- Get the password (if set)
- getUserName() : string|null
- Get the username (if set)
- pageScripts() : void
- Applies the necessary page scripts to the page through CClientScript derivate
- setPassword() : AuthPluginBase
- Set the password to use for authentication
- setUsername() : AuthPluginBase
- Set the username to use for authentication
- confirmKey() : bool
- Checks a 2FA OTP authentication code against the stored secret
- get2FAObject() : TwoFactorAuth
- Creates or returns a 2FA-library object Using Rob Janssen TwoFactorAuth - Library https://github.com/RobThree/TwoFactorAuth
- getYubikeyOtpHelper() : TFAYubikeyOtpHelper
- Returns a TFAYubikeyOtpHelper instance for the given YubiKey OTP code.
- setupTotp() : mixed
- setupYubi() : mixed
Constants
ERROR_ALREADY_EXISTING_USER
public
mixed
ERROR_ALREADY_EXISTING_USER
= 120
ERROR_AUTH_METHOD_INVALID
public
mixed
ERROR_AUTH_METHOD_INVALID
= 30
ERROR_INVALID_EMAIL
public
mixed
ERROR_INVALID_EMAIL
= 110
ERROR_IP_LOCKED_OUT
public
mixed
ERROR_IP_LOCKED_OUT
= 98
ERROR_LDAP_CONNECTION
public
mixed
ERROR_LDAP_CONNECTION
= 130
ERROR_LDAP_MODE
public
mixed
ERROR_LDAP_MODE
= 135
ERROR_LDAP_NO_BIND
public
mixed
ERROR_LDAP_NO_BIND
= 160
ERROR_LDAP_NO_EMAIL
public
mixed
ERROR_LDAP_NO_EMAIL
= 140
ERROR_LDAP_NO_FULLNAME
public
mixed
ERROR_LDAP_NO_FULLNAME
= 150
ERROR_LDAP_NO_SEARCH_RESULT
public
mixed
ERROR_LDAP_NO_SEARCH_RESULT
= 170
ERROR_NONE
These constants reflect the error codes to be used by the identity, they are copied from LSUserIdentity and CBaseUserIdentity for easier access.
public
mixed
ERROR_NONE
= 0
ERROR_NOT_ADDED
public
mixed
ERROR_NOT_ADDED
= 5
ERROR_PASSWORD_INVALID
public
mixed
ERROR_PASSWORD_INVALID
= 20
ERROR_UNKNOWN_HANDLER
public
mixed
ERROR_UNKNOWN_HANDLER
= 99
ERROR_UNKNOWN_IDENTITY
public
mixed
ERROR_UNKNOWN_IDENTITY
= 100
ERROR_USERNAME_INVALID
public
mixed
ERROR_USERNAME_INVALID
= 10
LDAP_INVALID_PASSWORD_TEXT
public
mixed
LDAP_INVALID_PASSWORD_TEXT
= "INVALID_PASSWORD-LDAP_USER"
Properties
$allowedPublicMethods
public
mixed
$allowedPublicMethods
= ['userindex', 'index']
Tags
$_password
protected
mixed
$_password
= null
$_username
protected
mixed
$_username
= null
$description
protected
static mixed
$description
= 'Add two-factor authentication to your admin login'
$name
protected
static mixed
$name
= 'TwoFactorAdminLogin'
$settings
protected
mixed
$settings
= array('force2fa' => array('type' => 'select', 'label' => 'Prompt to activate 2FA on login', 'default' => '0', 'options' => ['0 ' => 'No', '1' => 'Only prompt, no enforcement', '2' => 'Always enforce 2FA activation'], 'help' => 'Upon login, users who have not enabled two-factor authentication (2FA) will be prompted to set it up.'), 'separatorTotp' => array('type' => 'separator', 'title' => 'TOTP Settings'), 'issuer' => array('type' => 'string', 'label' => 'Issuer', 'default' => 'LimeSurvey Survey Software', 'help' => 'This will be displayed in the 2FA app as issuer name.'), 'digits' => array('type' => 'string', 'label' => 'Code length', 'default' => '6', 'help' => 'The number of digits the resulting codes will be. Leave it at 6 for best compatibility.'), 'period' => array('type' => 'string', 'label' => 'Time period', 'default' => '30', 'help' => 'The number of seconds a code will be valid. Please leave it at 30 for best compatibility.'), 'leeway' => array('type' => 'string', 'label' => 'Discrepancy', 'default' => '5', 'help' => 'What amount of discrepancy in seconds is allowed for the client.'), 'algorithm' => array('type' => 'select', 'label' => 'Algorithm', 'default' => 'sha1', 'options' => ['sha1' => 'SHA1 (Default)', 'sha256 ' => 'SHA256', 'md5' => 'MD5'], 'help' => 'Please keep in mind, that most tools only work with SHA1 hashing.'), 'SecretLength' => array('type' => 'int', 'label' => 'Secret length', 'default' => '', 'htmlOptions' => ['min' => 128, 'placeholder' => 128], 'help' => 'Length of the secret in bits. Minimum and default are 128.'), 'separatorYubi' => array('type' => 'separator', 'title' => 'YubiKey Settings'), 'yubiClientId' => array('type' => 'string', 'label' => 'YubiCloud - Client ID', 'default' => '', 'help' => 'Your YubiCloud Client ID.'), 'yubiSecretKey' => array('type' => 'password', 'label' => 'YubiCloud - Secret Key', 'default' => '', 'help' => 'Optional - if set (recommended), the YubiCloud responses authenticity will be verified. Get it from the <a href="https://upgrade.yubico.com/getapikey/">Yubico API key signup</a>.'))
$storage
protected
mixed
$storage
= 'DbStorage'
$o2FA
private
mixed
$o2FA
= \null
Methods
afterLoginFormSubmit()
Set username and password by post request
public
afterLoginFormSubmit() : null
Return values
nullafterSuccessfulLogin()
If force 2FA login is enabled, redirect to the 2FA page
public
afterSuccessfulLogin() : void
beforeActivate()
Register new table and populate it.
public
beforeActivate() : void
beforeAdminMenuRender()
Add menue to the top bar
public
beforeAdminMenuRender() : void
beforeDeactivate()
Delete the created tables again
public
beforeDeactivate() : void
deleteKeyForUserId()
Deletes a users secret, effectively ending the 2FA login mechanism for that user CLI version.
public
deleteKeyForUserId(PluginEvent $oEvent, mixed $iUserId) : string
Returns a String
Parameters
- $oEvent : PluginEvent
- $iUserId : mixed
Return values
stringdeleteKeyForUserName()
Deletes a users secret, effectively ending the 2FA login mechanism for that user CLI version.
public
deleteKeyForUserName(PluginEvent $oEvent, mixed $sUserName) : string
Returns a String
Parameters
- $oEvent : PluginEvent
- $sUserName : mixed
Return values
stringdirect()
Event direct happen Usage : index --target=value [--function=] [--option=]
public
direct() : void
directCallConfirmKey()
Checks a submitted authentication code and stores the underlaying secret key into the Database.
public
directCallConfirmKey(PluginEvent $oEvent, CHttpRequest $oRequest) : bool
Returns a JSON document
Parameters
- $oEvent : PluginEvent
- $oRequest : CHttpRequest
Return values
booldirectCallCreateNewKey()
Renders modal content for creating a new 2FA key for a user.
public
directCallCreateNewKey(PluginEvent $oEvent, CHttpRequest $oRequest) : string
Generates a secret (respecting the SecretLength setting, minimum 128 bits), builds a QR code data URI for the secret, and returns the rendered partial HTML. If the caller lacks permission to create keys for the target user, renders an error partial.
Parameters
- $oEvent : PluginEvent
-
The plugin event that triggered this call.
- $oRequest : CHttpRequest
-
The current HTTP request.
Return values
string —Rendered HTML of the modal content or an error partial.
directCallDeleteKey()
Deletes a users secret, effectively ending the 2FA login mechanism for that user.
public
directCallDeleteKey(PluginEvent $oEvent, CHttpRequest $oRequest) : bool
Returns a JSON document
Parameters
- $oEvent : PluginEvent
- $oRequest : CHttpRequest
Return values
boolgetAuthMethodName()
Returns the authentication method's name
public
static getAuthMethodName() : string
Return values
stringindex()
Renders a list of users including their 2FA settings To be called by fullpagewrapper
public
index() : string
Return values
stringinit()
public
init() : mixed
newDirectRequest()
Listen to direct requests Necessary for the getMetadata function
public
newDirectRequest() : void
newLoginForm()
Add Two-Factor field to login page.
public
newLoginForm() : void
newUserSession()
Control if login is successful by checking the transmitted 2FA-token value
public
newUserSession() : void
remoteControlLogin()
Set username and password by event
public
remoteControlLogin() : null
Return values
nullsetAuthFailure()
Set authentication result to failure.
public
setAuthFailure([int|null $code = self::ERROR_UNKNOWN_IDENTITY ][, string|null $message = '' ][, PluginEvent|null $event = null ]) : AuthPluginBase
Parameters
- $code : int|null = self::ERROR_UNKNOWN_IDENTITY
-
Any of the constants defined in this class
- $message : string|null = ''
-
An optional message to return about the failure
- $event : PluginEvent|null = null
Return values
AuthPluginBasesetAuthPlugin()
Set this plugin to handle the authentication
public
setAuthPlugin([PluginEvent|null $event = null ]) : AuthPluginBase
Parameters
- $event : PluginEvent|null = null
Return values
AuthPluginBasesetAuthSuccess()
Set authentication result to success for the given user object.
public
setAuthSuccess(User $user[, PluginEvent|null $event = null ]) : AuthPluginBase
Parameters
- $user : User
- $event : PluginEvent|null = null
Return values
AuthPluginBaseuserindex()
Renders the user configuration page To be called by fullpagewrapper
public
userindex() : string
Return values
stringcreateJSONResponse()
Generates a printed JSON-Response
protected
createJSONResponse(bool $success, string $message[, array<string|int, mixed> $data = [] ]) : bool
Parameters
- $success : bool
- $message : string
- $data : array<string|int, mixed> = []
Return values
bool —$success
getPassword()
Get the password (if set)
protected
getPassword() : string|null
Return values
string|nullgetUserName()
Get the username (if set)
protected
getUserName() : string|null
Return values
string|nullpageScripts()
Applies the necessary page scripts to the page through CClientScript derivate
protected
pageScripts() : void
setPassword()
Set the password to use for authentication
protected
setPassword(string $password) : AuthPluginBase
Parameters
- $password : string
Return values
AuthPluginBasesetUsername()
Set the username to use for authentication
protected
setUsername(string $username) : AuthPluginBase
Parameters
- $username : string
-
The username
Return values
AuthPluginBaseconfirmKey()
Checks a 2FA OTP authentication code against the stored secret
private
confirmKey(TFAUserKey $tfaModel, string $authenticationCode) : bool
Parameters
- $tfaModel : TFAUserKey
- $authenticationCode : string
Return values
bool —true on authentication code matching stored secret key
get2FAObject()
Creates or returns a 2FA-library object Using Rob Janssen TwoFactorAuth - Library https://github.com/RobThree/TwoFactorAuth
private
get2FAObject() : TwoFactorAuth
Return values
TwoFactorAuthgetYubikeyOtpHelper()
Returns a TFAYubikeyOtpHelper instance for the given YubiKey OTP code.
private
getYubikeyOtpHelper(string $otpCode) : TFAYubikeyOtpHelper
Parameters
- $otpCode : string
-
the YubiKey OTP code
Return values
TFAYubikeyOtpHelper —the YubiKey OTP helper
setupTotp()
private
setupTotp(mixed $tfaUserKey, mixed $confirmationKey) : mixed
Parameters
- $tfaUserKey : mixed
- $confirmationKey : mixed
setupYubi()
private
setupYubi(mixed $tfaUserKey, mixed $yubiOtp) : mixed
Parameters
- $tfaUserKey : mixed
- $yubiOtp : mixed