5. Two-step Validation (with Google Authenticator)
The SonataUserBundle provides an optional layer of security by including support for a two-step validation process.
When the option is enabled, the login process follows this workflow:
- the user enters the login and password
- if the credentials are correct, a code validation form is displayed
- at this point, the user must enter the time-based one-time code shown by the Google Authenticator application on their phone
- each code is only valid for a short time window (about a minute) and is accepted only once, so a captured code cannot be replayed
So if your login and password are compromised, an attacker must also hold your phone.
5.1. Installation

```shell
composer require sonata-project/google-authenticator
```
Edit the configuration file:
```yaml
# config/packages/sonata_user.yaml
sonata_user:
    google_authenticator:
        enabled: true
        server: yourserver.com
        trusted_ip_list:
            - 127.0.0.1
        forced_for_role:
            - ROLE_ADMIN
```
If you also want the trusted_ip_list and forced_for_role configuration nodes to take effect, that is, to automatically set a secret on the user (the secret is the shared key that links the user account to the device that scans the QR code) and to show the QR code in the login form, you need to set the success handler of your firewall to sonata.user.google.authenticator.success_handler, for example:
Note that addresses listed in trusted_ip_list are exempted from the second step, so keep that list to hosts you control (the 127.0.0.1 entry above only matters for requests made from the server itself) and, if the application sits behind a reverse proxy, make sure Symfony's trusted proxies are configured so that the client IP is not taken from a header an attacker can set.
```yaml
# config/packages/security.yaml
security:
    firewalls:
        # Disabling the security for the web debug toolbar, the profiler and Assetic.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        # -> custom firewall for the admin area of the URL
        admin:
            pattern: /admin(.*)
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
                success_handler: sonata.user.google.authenticator.success_handler
```
Then, after a successful login, if the user is required to use 2FA (for example because of forced_for_role) and has no secret yet, a QR code is shown in the login form so that the device can be paired.
Once the User::twoStepVerificationCode property is not null, a second form asking for the code is displayed.
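To make the mechanics of the workflow above concrete (the per-user secret encoded in the QR code, the time-based code computed on the phone, and the server-side check that accepts each code only once), here is an added Python walkthrough. It is illustration written for this page, not SonataUserBundle or google-authenticator library code: the function and class names, the one-step clock-skew window and the in-memory replay store are this example's own choices. It implements the standard Google Authenticator parameters (RFC 6238 TOTP, HMAC-SHA1, 30-second steps, 6 digits) and the otpauth:// URI format that authenticator apps read from a QR code.

```python
"""
Added example (not SonataUserBundle code): the TOTP mechanics behind a
two-step login with Google Authenticator.

- generate_secret / provisioning_uri: the per-user secret and the otpauth://
  URI that the QR code in the login form encodes (pairs user and phone).
- hotp / totp: RFC 4226 / RFC 6238 code generation, what the app computes.
- TotpVerifier: the second login step on the server, with a small clock-skew
  window and a per-user "used steps" store so a captured code cannot be replayed.

The window size and the in-memory store are assumptions of this example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Set
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator's time step
DIGITS = 6          # Google Authenticator's code length


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret; 20 bytes = 160 bits, the RFC 4226 recommendation."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI that the login-form QR code would encode."""
    label = quote(f"{issuer}:{account}", safe="")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret + "=" * (-len(secret) % 8)          # restore base32 padding
    key = base64.b32decode(padded.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


class TotpVerifier:
    """Server side of the second login step (constructed in-memory state)."""

    def __init__(self, window: int = 1) -> None:
        self.window = window                        # tolerate +/- this many steps of skew
        self._used: Dict[str, Set[int]] = {}        # per-user time steps already consumed

    def verify(self, user: str, secret: str, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP_SECONDS
        used = self._used.setdefault(user, set())
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate in used:
                continue                            # already consumed: reject the replay
            # constant-time compare so the check does not leak matching digits
            if hmac.compare_digest(hotp(secret, candidate), code):
                used.add(candidate)
                return True
        return False


if __name__ == "__main__":
    # Demo with a freshly generated secret, as the login flow would do on first login.
    secret = generate_secret()
    print("QR code payload:", provisioning_uri(secret, "admin@yourserver.com", "yourserver.com"))
    code = totp(secret)
    verifier = TotpVerifier()
    print("first use accepted:", verifier.verify("admin", secret, code))
    print("replay accepted:", verifier.verify("admin", secret, code))
```

The RFC 6238 test vectors (secret "12345678901234567890", i.e. base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) can be used to check the generator: at Unix time 59 the 6-digit SHA-1 code is 287082. Running the script shows the same code being accepted once and then refused, which is the property the list above describes as "accepted only once".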