Second factor ignored with ig_ldap_sso_auth ext
Hey,
actual i'm using ig_ldap_sso_auth ext for LDAP authentification in combination with active directory.
It seems like the second factor is ignored in frontend login when using the LDAP / SSO and google authenticator service.
Do you may know a solution that both services in the authentification chain could be consulted?

Detected with TYPO3 V9.5.18 and Ext:cf_google_authenticator V1.2.2

I did the installation for frontend login purpose according to your manual description. After installation I got this frontend view, see picture 1:

Afterwards if I logged in successfully I already see the protected area, even though I didn't login through 2 factor authentication! See picture 2:

My expectation was, that only after succesfull login with 2 factor authentication I can see the protected area. Have I forgot something in the configuration?

Thanks in advance for your support.

Bug report

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

Once OTP enabled, the corresponding checkbox is never checked when opening the User Settings:

Bug report

I'm creating a pull request with a fix for this shortly.

Prerequisites

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

When going to User settings, the secret and QR will always be displayed.

Steps to reproduce:

1. Go to User settings --> Google Authenticator
2. Enable Google Authenticator and go through the necessary steps.
3. After saving, the QR code and secret field will still be displayed.

Expected results:

The user should be shown a field where a one-time code can be entered to disable Google Authenticator again.

Environment

TYPO3 9.5.19, PHP 7.2

Bug report

Prerequisites

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

If I want to enable two factor auth. I receive an cast exception.

TypeError
Return value of CodeFareith\CfGoogleAuthenticator\Handler\GoogleAuthenticatorSetupHandler::hasUserEnabledAuthenticator() must be of the type boolean, integer returned

Steps to reproduce:

1. Go to Backend User modul
2. Got to Google Authenticator tab
3. Click on Enable Google Authenticator
4. Click on Save
5. See error

Expected results:

User settings saved new state.

Actual results:

exception thrown

Environment

Extension should be compatible with TYPO3 v11 and v12.

Feature request

Description

It would be great to have a version which is compatible with TYPO3 v10.x

Bug report

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

• [x ] I am running the latest version

Description:

1. The German FE translations (de.locallang.xlf) are basically missing.
2. The button text for the enable/disable buttons is hardcoded in the FE template (Templates/Frontend/Setup/Index.html)
3. Flash messages in wrong language

Steps to reproduce:

1. Run extension in a German FE

Expected results:

German translation applied consistently

Actual results:

Missing or wrong translations

Notes:

For our project I have created German translations myself. I can provide those files if you want.
BTW: I think the wording is not very consistent, ie. sometimes the term "one-time password" is used, while other times it's called "verification code"; I think this can be confusing for users.

Flash messages: as mentioned above, I have provided my own German translations in our project. But when I enable/disable 2FA in the FE, the flash message text is always in English ("Your changes have been saved successfully."), even if I'm in the German FE (and a German translation for key "setup.update.success.body" exists). Something seems to go wrong with the language service in the SetupController I guess? (That's why I classified this issue as a bug.)

Bug report

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

The TCA hook checks with hardcoded be_users, this makes it totally unusable for any other table (fe_users when we're talking about out-of-the-box support or custom table in case the signal has been implemented).

I see in README
'Enable Google 2FA (two factor authentication) for both, frontend- and backend accounts.'
... but then I see it:
'Unfortunately, de-/activating 2FA for frontend users is not implemented yet.'
...where is correct?

After install the Extension:

It is not possible to edit a user in "Backend User"-Modul anymore.
-> "Oops, an error occurred! Neither the 'issuer' parameter nor the 'accountName' parameter may contain a colon."

So the Manual stop's at open user and no active of 2FA is possible.

System requirements:

TYPO3 8.7.16 (no composer)
PHP 7.1

Bug report

Prerequisites

• [ x] I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

Enabling google authenticator not working

Steps to reproduce:

1. Go to User settings
2. Click on Enable Google Authenticator
3. Click on Save
4. reopen user settings
5. google authenticator is disabled

Expected results:

two factor is enabled

Actual results:

two factor still disabled

Environment

typo3 9.5.9

GA config tab appears in be_users for for admins and can be used.
My problem is, that it does not show up in user settings. This is needed if non-admin users want to configure the GA login.

I can see that there is a TCA Override in sys_template.php, which does not have any effect.

(TYPO3 8.7.24)

Hello!

I've just installed your extension from EM (TYPO3 8.7.15) and when accessing the backend user module and EDIT one of the users, I get this error message:
Return value of CodeFareith\CfGoogleAuthenticator\Hook\UserSettings::initializeTemplateView() must be an instance of TYPO3\CMS\Fluid\View\StandaloneView, none returned

Also if i add a return $templateView; to method initializeTemplateView, i get no QR Code in the Backend View!

Kind regards,
Christian

Bug report

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

Trying to open the page with the "Google Two-Factor-Authentication Setup" plugin throws an error

Steps to reproduce:

1. open setup page
2. See error

Expected results:

Setup page opens

Actual results:

Error message (shortened): ... must be an instance of CodeFareith\CfGoogleAuthenticator\Controller\Frontend\Context, instance of TYPO3\CMS\Core\Context\Context given ...

Notes:

Adding use TYPO3\CMS\Core\Context\Context;fixes the problem

According to composer.json, this extension should be available off packagist under https://packagist.org/packages/codefareith/cf-google-authenticator

Since this is not published there, it is not possible to install it "easily" with a composer-based TYPO3 installation.

Is it true, that only Admins can enable this Option for Backend users?

If i enable the Plugin in the Backend Group the user only see a blank tab "Google Authenticator". How can i enable the Checkbox in the user Settings for each User/Usergrup?

Thanks.

In my project I am centralizing the management of users into a custom "members" table and I hook into the authentication process (both Backend and Frontend) to check credentials against my custom members table and create/update TYPO3 users dynamically, a bit like when dealing with LDAP authentication.

I would like to add support for 2FA.

Solution

• Extend my own ext_tables.sql to include your 2 database fields
• Override my members TCA with something like:

if (ExtensionManagementUtility::isLoaded('cf_google_authenticator')) {
    \call_user_func(
        function () {
            ExtensionManagementUtility::addTCAcolumns(
                'tx_myext_domain_model_member',
                [
                    'tx_cfgoogleauthenticator_enabled' => [
                        'exclude' => true,
                        'label' => PathUtility::makeLocalLangLinkPath(
                            'be_users.tx_cfgoogleauthenticator_enabled',
                            'locallang_db.xlf'
                        ),
                        'config' => [
                            'type' => 'check'
                        ]
                    ],
                    'tx_cfgoogleauthenticator_secret' => [
                        'exclude' => true,
                        'label' => PathUtility::makeLocalLangLinkPath(
                            'be_users.tx_cfgoogleauthenticator_secret',
                            'locallang_db.xlf'
                        ),
                        'config' => [
                            'type' => 'user',
                            'userFunc' => UserSettings::class . '->createSecretField'
                        ]
                    ]
                ]
            );

            ExtensionManagementUtility::addToAllTCAtypes(
                'tx_myext_domain_model_member',
                'tx_cfgoogleauthenticator_enabled,tx_cfgoogleauthenticator_secret',
                '',
                'after:password' // Add the 2FA after our custom field "password"
            );
        }
    );
}

This effectively shows the 2FA fields. Now, in order to work a bit further and prevent anyone from disabling 2FA for some arbitrary user w/o providing a proper code, we need to extend your method \CodeFareith\CfGoogleAuthenticator\Handler\GoogleAuthenticatorSetupHandler::isUsersTable() so that the custom members table is considered a "users" table as well.

This is something that can easily be done with a hook there.

I already have a working solution so that the "TCA" part of this feature request is ready. However I know that I will need to somehow invoke your authentication code in my own authentication service and thus I suggest that this ticket is really about implementing support from A to Z and I will possibly suggest some (hopefully) minor additional changes to your extension to support this use case.

Bug report

Description:

Saving a BE user record does not update the fields tx_cfgoogleauthenticator_enabled and tx_cfgoogleauthenticator_secret.

Steps to reproduce:

1. Go to Backend users
2. Click on the edit button of a BE user
3. Go to the Google Authenticator tab
4. Check the Enable Google Authenticator
5. Save the record

Expected results:

The Enable Google Authenticator field stays checked

Actual results:

The Enable Google Authenticator field is not checked, the fields tx_cfgoogleauthenticator_enabled and tx_cfgoogleauthenticator_secret in the table be_users are not updated.

Environment

Notes:

If I update directly the fields tx_cfgoogleauthenticator_enabled (1) and tx_cfgoogleauthenticator_secret (with the secret key provided when enabling Enable Google Authenticator) in the table be_users the BE loggin works as expected entering the authentication code, so the issue here is that the database is not updated when saving the record and the authentication code is never required.

Bug report

Prerequisites

Please answer the following questions for yourself before submitting an issue.

• [x ] I am running the latest version
• [x ] I checked the documentation and found no answer
• [x ] I checked to make sure that this issue has not already been filed

Description:

Cannot activate Google Authenticator for my own backend user account

Steps to reproduce:

Go to your backend user settings by clicking "settings" at the top, above "logout"

Expected results:

Every user should be able to activate google authenticator. I cannot do it for 100 people with my admin account.

Actual results:

The tab "Google Authenticator" is shown, but it's empty.

Environment

Typo3 8.7.32

Screenshot(s)

Describe the bug
If there is a other extension which also use the use statement
use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
Typo3 will cause a error after the ext_localconf.php files are concat together.

To Reproduce
Steps to reproduce the behavior:

1. Install eg. cal extension
2. enable both extension in extension manager
3. clear the cache, reload
4. See error

Fatal error: Cannot use TYPO3\CMS\Core\Utility\ExtensionManagementUtility as ExtensionManagementUtility because the name is already in use in /var/cache/code/cache_core/ext_localconf_05e147782991a22d15dff84c7d4bfbf58f60a911.php on line 3587

Feature request

Description

Frontend User may be related to some other business domain model object as I'm actually using (having a "member" DMO which is mapped to a Backend or a Frontend user from TYPO3 depending on the context).

When the setup controller is being used, thus in the context of a Frontend User, a signal would allow any further processing.

Type of change

• New feature (non-breaking change which adds functionality)

Bug report

Prerequisites

• [x ] I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

cache produce error.
strict_types should be removed from ext_localconf.php

Fatal error: strict_types declaration must be the very first statement in the script in /var/www/html/var/cache/code/cache_core/ext_localconf_9f9d6f92c02010d691198254786d5dfe61eff9c1.php on line 1847

If you try to save the 2FA settings via the frontend while not logged into the backend, the following exception will be thrown:

TypeError
Return value of CodeFareith\CfGoogleAuthenticator\Controller\Frontend\SetupController::getLanguageService() must be an instance of TYPO3\CMS\Core\Localization\LanguageService, null returned

Bug report

Prerequisites

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Description:

I'm getting a bunch of deprecation notices whenever I try to add/edit a be_user and I can't enable the checkbox provided by this extension.

TYPO3 Deprecation Notice
Core: Error handler (BE): TYPO3 Deprecation Notice: CodeFareith\CfGoogleAuthenticator\Traits\GeneralUtilityObjectManager will be removed in v1.2.0. in /var/www/html/web/typo3conf/ext/cf_google_authenticator/Classes/Traits/GeneralUtilityObjectManager.php line 39

Also after checking the 2fauth checkbox and saving, TYPO3 backend reloads and the checkbox is unchecked again. I can't properly enable it. Tried including your typoscript template, DB compare but no success.

Steps to reproduce:

1. Go to 'backend users'
2. Click on 'add or edit'
3. Go to the authenticator checkbox and try enabling & saving the user
4. See unchecked checkbox & deprecation notices

Expected results:

A checked checkbox that stays checked and activates the 2f auth behavior for the given user.

Actual results:

Unchecked checkbox after checking and saving.

Environment

TYPO3 v8.27

Screenshot(s)

If the models FrontendUser and/or BackendUser are extended by a third-party extension, one of the two errors may occur when submitting the 2FA setup forms:

1. the error message "The given one-time password is invalid or has expired" appears
2. a type mismatch exception is thrown

After installing you extension i can't login with accounts without 2FA.

After searching a bit, it seems, that you responseCode in the Service are not correct.
AUTH_FAIL_AND_PROCEED should be 100 according to the documentation.

Maybe you can check it. Sorry, if it is wrong and my fault, just trying to help ;)

For the authUser() method, you will want to take care about the return values. If your service should be the final authority for authentication, it should not only have a high priority, but also return values which stop the service chain (i.e. a negative value for failed authentication, 200 or more for a successful one). On the other hand, if your service is an alternative authentication, but should fall back on TYPO3 CMS if unavailable, you will want to return 100 on failure, so that the default service can take over.
https://docs.typo3.org/typo3cms/CoreApiReference/latest/ApiOverview/Authentication/Index.html#developing-an-authentication-service