@Findus23 opened this Issue on March 17th 2021 Member

reported in https://forum.matomo.org/t/problem-with-the-two-factor-authentication-setting/41128

If a user who is unable to set up 2FA accidentally enables Require two-factor authentication for everyone, they are unable to disable it until they set up 2FA.
(or they update the setting directly in the database:

-- default table prefix is matomo_; adjust if your install uses another
update matomo_plugin_setting
set setting_value = 0
where setting_name = 'twoFactorAuthRequired';

)

I think this setting should only be allowed if at least one superuser has 2FA already set up (or maybe only if the current superuser has 2FA already set up)

@tsteur commented on March 18th 2021 Member

Ideally we would get someone to activate 2FA first and then allow enabling it. That might be a bit more work, though, so we could maybe rather add a message: "Enforcing 2FA will require all users to set up 2FA using an authenticator app. This means they need to have a device like a smartphone or computer where they can install an app."

We could otherwise check if the current visitor has 2FA set up and then try whether we can disable the setting in the UI super easily if 2FA is disabled for the current account, and adjust the message to say "please set up 2FA first", but it's not needed if it takes, say, more than 10 minutes.

@andyjdavis commented on March 28th 2021 Contributor

I have put up a PR that just expands the text on the setting UI to provide more information about the consequences of turning on Require 2FA: https://github.com/matomo-org/matomo/pull/17400

I have some questions about how to determine if the current user has 2FA enabled themselves.

The directory containing plugins/TwoFactorAuth/SystemSettings.php also contains Controller.php, Validator.php, and TwoFactorAuthentication.php. The controller contains an instance of the validator, which contains an instance of twoFa. There are functions available at each level of that structure to determine if the user has 2FA set up. For example:
Validator::check2FaEnabled()
Validator::checkVerified2FA()

Is there a preferred approach for accessing these methods (or similar) from the context of the system settings? I haven't been able to find an example of a plugin SystemSettings.php loading an instance of an object to allow it to selectively disable a setting on a per-user basis.

@diosmosis commented on March 28th 2021 Member

Hi @andyjdavis, you'd want to use the TwoFactorAuthentication::isUserUsingTwoFactorAuthentication method. The TwoFactorAuthentication class is injected via DI, which means how you get it varies based on how you're coding. The easiest way to do this is via StaticContainer: StaticContainer::get(TwoFactorAuthentication::class), however using StaticContainer is discouraged if there is a simple alternative available (this would be brought up in the review if it were the case). Here are our docs on DI in Matomo: https://developer.matomo.org/guides/dependency-injection.

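The following is an added example, not code from this thread or from Matomo itself. It shows one way to wire the check diosmosis describes into the Require-2FA setting so that a superuser can only switch it on if their own account already uses 2FA, while switching it off is always allowed (which is exactly the lock-out the reporter hit). The setting name 'twoFactorAuthRequired', the method TwoFactorAuthentication::isUserUsingTwoFactorAuthentication and the StaticContainer::get(TwoFactorAuthentication::class) lookup come from the thread; makeSetting(), FieldConfig::$validate, FieldConfig::TYPE_BOOL, Piwik::getCurrentUserLogin() and the translation keys are taken from Matomo's plugin-settings API as I know it and are assumptions as far as this page is concerned.

```php
<?php
// Added example: not Matomo's own code. Allows the Require-2FA setting to be
// switched ON only by a superuser who already uses 2FA; switching it OFF is
// always allowed, so nobody can lock themselves out.
//
// Assumed (Matomo plugin-settings API, not confirmed by this thread):
//   $this->makeSetting(), FieldConfig::$validate, FieldConfig::TYPE_BOOL,
//   Piwik::getCurrentUserLogin(), Piwik::translate() and its keys.
// Confirmed by the thread:
//   setting name 'twoFactorAuthRequired',
//   TwoFactorAuthentication::isUserUsingTwoFactorAuthentication(),
//   StaticContainer::get(TwoFactorAuthentication::class).

namespace Piwik\Plugins\TwoFactorAuth;

use Piwik\Container\StaticContainer;
use Piwik\Piwik;
use Piwik\Settings\FieldConfig;
use Piwik\Settings\Setting;

class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
{
    /** @var Setting */
    public $twoFactorAuthRequired;

    protected function init()
    {
        $this->twoFactorAuthRequired = $this->makeSetting(
            'twoFactorAuthRequired',
            $default = false,
            FieldConfig::TYPE_BOOL,
            function (FieldConfig $field) {
                $field->title     = Piwik::translate('TwoFactorAuth_RequireTwoFA');
                $field->uiControl = FieldConfig::UI_CONTROL_CHECKBOX;
                // Plain text here; the real plugin uses a translation key.
                $field->inlineHelp = 'Enforcing 2FA requires every user to set up an '
                                   . 'authenticator app. Set up 2FA for your own '
                                   . 'account before you can enable this.';

                // Runs when the value is saved. Turning the setting OFF is
                // always accepted; turning it ON needs 2FA on the saving account.
                $field->validate = function ($value) {
                    if (!$this->toBool($value)) {
                        return;
                    }
                    if (!$this->currentUserUsesTwoFa()) {
                        throw new \Exception(
                            'Set up two-factor authentication for your own account '
                            . 'before requiring it for everyone.'
                        );
                    }
                };
            }
        );
    }

    /**
     * Values can arrive as bool or as strings like "1"/"0"/"true" depending
     * on the caller, so normalise before comparing.
     */
    private function toBool($value)
    {
        return (bool) filter_var($value, FILTER_VALIDATE_BOOLEAN);
    }

    /**
     * StaticContainer is the "easiest" route diosmosis mentions. If the
     * container builds this class, constructor injection of
     * TwoFactorAuthentication is the preferred alternative.
     */
    private function currentUserUsesTwoFa()
    {
        /** @var TwoFactorAuthentication $twoFa */
        $twoFa = StaticContainer::get(TwoFactorAuthentication::class);

        return $twoFa->isUserUsingTwoFactorAuthentication(Piwik::getCurrentUserLogin());
    }
}
```

The validate callback is the right hook rather than hiding the setting outright: a superuser without 2FA must still be able to turn the requirement off, which is the situation the forum report describes. Note this only checks the account doing the saving; tsteur's stricter idea (require at least one superuser with 2FA before enabling) would need an extra query over all superusers instead of the single isUserUsingTwoFactorAuthentication() call.
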
@andyjdavis commented on April 13th 2021 Contributor

https://github.com/matomo-org/matomo/pull/17400 has now merged. I believe this issue can be closed.

@diosmosis commented on April 13th 2021 Member

Fixed by #17400

This Issue was closed on April 13th 2021