Bug #103932

open

getRecoveryCodes mfa fallback provider is always loaded in Frontend mode

Added by Rasmus Sallling 21 days ago.

Status: New
Priority: Should have
Assignee: -
Category: Authentication
Start date: 2024-05-27
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.3
Tags:
Complexity: medium
Is Regression: Yes
Sprint Focus:

Description

I've been looking into the performance of TYPO3v12 and spotted some behavior of the MFA logic that seems dubious.

The MFA logic seems to currently only be supported in Backend mode, but because the logic is implemented in AbstractUserAuthentication and not in BackendUserAuthentication.php, some of the MFA logic is actually run for both backend and frontend. The "checkAuthentication" function calls "evaluateMfaRequirements" in both frontend and backend.
Aside from probably being unnecessary at this point, it also has moderate response time consequences. ~11ms are used to load the RecoveryCodesProvider class for every single request in our setup, and I believe that is with completely default MFA settings. It looks like more or less all this time is spent in DependencyInjection. I'm not completely sure why this isn't cached in the DI cache, but it doesn't seem to be.

I would have sent a patch, but I'm unsure of how to approach this issue. I see a few options:

1: Only call "evaluateMfaRequirements" in the backend context. Since TYPO3 officially doesn't support it in Frontend, this would seem reasonable, but I guess it could break some usage scenarios. Also silly, if there are features on the way to support it in frontend.
2: Add an option to disable it in frontend.
3: Change the dependency injection, so that the needed providers (RecoveryCodesProvider and others) are cached in the DI cache.

This seems to have been introduced in TYPO3v12 at some point.
