If a user who is unable to set up 2FA accidentally enables
Require two-factor authentication for everyone, they are unable to disable it until they set up 2FA.
(or they update the setting in the db:
update matomo_plugin_setting set setting_value=0 where setting_name = 'twoFactorAuthRequired')
I think this setting should only be allowed if at least one superuser has 2FA already set up (or maybe only if the current superuser has 2FA already set up)
Ideally we would get someone to activate 2FA first and then allow enabling it. That might be a bit more work though so we could maybe rather add a message
Enforcing 2FA will require all users to set up 2FA using an authenticator app. This means they need to have a device like a smartphone or computer where they can install an app.
We could have otherwise checked if the current visitor has 2FA set up, and then tried to disable the setting in the UI super easily if 2FA is disabled for the current account, and adjusted the message to say please set up 2FA first; but it's not needed if it takes, say, more than 10 minutes.
I have put up a PR that just expands the text on the setting UI to provide more information about the consequences of turning on require 2fa. https://github.com/matomo-org/matomo/pull/17400
I have some questions about how to determine if the current user has 2fa enabled themselves.
The directory containing plugins/TwoFactorAuth/SystemSettings.php contains Controller.php, Validator.php, and TwoFactorAuthentication.php. The controller contains an instance of validator which contains an instance of twoFa. There are functions available on each level of that structure to determine if the user has 2fa set up. For example
Is there a preferred approach for accessing these methods (or similar) from the context of the system settings? I haven't been able to find an example of a plugin SystemSettings.php loading an instance of an object to allow it to selectively disable a setting on a per-user basis.
Hi @andyjdavis, you'd want to use the TwoFactorAuthentication::isUserUsingTwoFactorAuthentication method. The TwoFactorAuthentication class is injected via DI, which means how you get it varies based on how you're coding. The easiest way to do this is via StaticContainer::get(TwoFactorAuthentication::class), however using StaticContainer is discouraged if there is a simple alternative available (this would be brought up in the review if it were the case). Here are our docs on DI in Matomo: https://developer.matomo.org/guides/dependency-injection.
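As an added illustration of the approach described in this thread (this is example code written for this page, not the merged PR and not Matomo's own SystemSettings.php), the sketch below shows a TwoFactorAuth SystemSettings class that receives TwoFactorAuthentication through constructor injection and uses isUserUsingTwoFactorAuthentication with the current user's login to refuse enabling "require 2FA for everyone" while the superuser saving the setting has no 2FA themselves, which avoids the lockout the issue describes. It assumes the settings class is instantiated by the DI container (so constructor injection works, as the reply above suggests; StaticContainer::get(TwoFactorAuthentication::class) would be the fallback), that FieldConfig's validate callback receives the submitted value, and the setting name and help text quoted earlier in the thread.

```php
<?php
namespace Piwik\Plugins\TwoFactorAuth;

use Piwik\Piwik;
use Piwik\Settings\FieldConfig;
use Piwik\Settings\Setting;
use Piwik\Settings\Plugin\SystemSettings as PluginSystemSettings;

class SystemSettings extends PluginSystemSettings
{
    /** @var Setting */
    public $twoFactorAuthRequired;

    /** @var TwoFactorAuthentication */
    private $twoFa;

    // Assumption: this class is built by the DI container, so the
    // TwoFactorAuthentication service can be injected here instead of
    // being fetched with StaticContainer::get().
    public function __construct(TwoFactorAuthentication $twoFa)
    {
        $this->twoFa = $twoFa;
        parent::__construct();
    }

    protected function init()
    {
        $this->twoFactorAuthRequired = $this->makeSetting(
            'twoFactorAuthRequired',   // setting_name seen in matomo_plugin_setting
            $default = false,
            FieldConfig::TYPE_BOOL,
            function (FieldConfig $field) {
                $field->title = 'Require two-factor authentication for everyone';
                $field->uiControl = FieldConfig::UI_CONTROL_CHECKBOX;
                $field->inlineHelp = 'Enforcing 2FA will require all users to set up 2FA '
                    . 'using an authenticator app. This means they need to have a device '
                    . 'like a smartphone or computer where they can install an app.';

                // Server-side guard: the person turning this on must already use 2FA,
                // otherwise they could lock themselves out of the setting (and of the UI).
                // Assumption: the validate callback is given the submitted value.
                $field->validate = function ($value) {
                    $login = Piwik::getCurrentUserLogin();
                    if ($value && !$this->twoFa->isUserUsingTwoFactorAuthentication($login)) {
                        throw new \Exception(
                            'Please set up two-factor authentication for your own account '
                            . 'before requiring it for everyone.'
                        );
                    }
                };
            }
        );
    }
}
```

Doing the check in validate rather than only hiding the checkbox in the UI means the rule also holds for the API path that saves system settings; the UI text is still useful so the consequence is clear before anyone clicks.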
https://github.com/matomo-org/matomo/pull/17400 has now merged. I believe this issue can be closed.