Bug #102081
Updated by Xavier Perseguers 7 months ago
While working on making EXT:cf_google_authenticator compatible with TYPO3 v11 and v12 and trying to use the new "mfa" field from the fe_users table instead of custom ones, I figured out there is no way to instruct the authentication process that MFA has been validated. Edit: in the mean time and since EXT:cf_google_authenticator is not properly maintained anymore, I created a fresh MFA extension EXT:mfa_frontend available off TER. h2. Context - Configure TOTP with some Frontend user. You user (you can do so with: <pre>composer req causal/mfa-frontend "dev-bugfix/102081-core-cannot-provide-totp-in-frontend"</pre> with that fork branch: https://github.com/xperseguers/cf_google_authenticator/tree/feature/native-field-mfa) - Go to the Frontend and try to login with username + password + (valid) TOTP h2. Expected You are authenticated. h2. Actual Exception MfaRequiredException (1613687097) is thrown h2. Cause The session just created does not contain the key 'mfa' set to true. h2. Further info This problem does not exist in the Backend context as the authentication with MFA is done in a 2-step process where username+password is first checked and THEN MFA is required. This is easily possible because the Backend login has a full-screen layout and may easily be replaced by another single-field MFA input form thanks to a Middleware. In a Frontend context however, it is common to ask for all 3 information (username + password + TOTP) in a single custom form tailored to the website's design. This means TOTP/MFA may be checked during the authentication process by some third-party extension like any custom authentication service authenticating with OIDC or LDAP. Problem has been spotted while working on TYPO3 v11, right when MFA support has been added to the Core but only actually implemented for Backend. Since MFA for Frontend cannot be implemented properly with current problem and MFA is very important in term of security, this ticket is marked as a bug fix going back to TYPO3 v11. The submitted patch may naturally be discussed and solution adapted if needed. The patch to apply to the bugfix branch discussed above: <pre> diff --git a/Classes/Service/MfaAuthenticationService.php b/Classes/Service/MfaAuthenticationService.php index d6727f4..ad0066d 100644 --- a/Classes/Service/MfaAuthenticationService.php +++ b/Classes/Service/MfaAuthenticationService.php @@ -50,6 +50,11 @@ class MfaAuthenticationService extends AuthenticationService // Reset failed attempts $mfa['totp']['attempts'] = 0; + // MFA has been validated, we need to instruct TYPO3 it's OK to proceed + $userSession = $this->pObj->getSession(); + $userSession->set('mfa', true); + $userSession->setUseDataForNewSession(true); + $code = static::AUTH_SUCCEED_AND_PROCEED; } else { // Increase failed attempts </pre> => Apply that patch and check with the Core patch that authentication now works properly. is in use there: https://github.com/xperseguers/cf_google_authenticator/commit/87abbef52784f9c08114da154c353492fbc987f7