Excerpt from the documentation:

Limitations

After the initial login happened, the user is already fully authenticated to the Symfony security layer. The bundle then prevents access to secured and non-secured content by intercepting any request and showing the two-factor authentication form instead.

If you execute code based on the authentication status, make sure to take the two-factor status into account. This can be done by checking access with isGranted (security voter has to be registered, see configuration).

Warning: Just doing a getUser on security.token_storage (or the old security.context) is not secure. You will get a user object even when two-factor authentication is not complete yet.

Overall, the current implementation causes some issues, which cannot really be solved, as long as two-factor authentication doesn't become part of the actual security layer.

• #13 Two-factor authentication cannot be configured per firewall,
• #60 & #62 Issues caused by the voter, which is there to prevent execution of code. This is necessary because in the current implementation the user already has all priviledges after login, even when two-factor authentication is not completed yet.
• #70 & #71 - The bundle relies on intercepting the first kernel.request event, which causes problems in ESI environments,
• #36 Two-factor authentication form doesn't have it's own route. Instead it is shown as a replacement for the actual content, which causes problems when the current route doesn't accept POST requests.

If you configure a project with RememberMeToken then when user is re-authenticated using the RememberMe cookie - voter's return VoterInterface::ACCESS_DENIED; turn the authentication process into an infinite loop.

It happens because:

1. RememberMe listener authenticates a user
2. On voter returns ACCESS_DENIED
3. Symfony's Symfony\Component\Security\Http\Firewall\ExceptionListener exception handler checks the user is not fully authenticated and performs a redirect (through Symfony\Component\Security\Http\EntryPoint\FormAuthenticationEntryPoint::start()
4. Go to step 2

Temporary solution: disable Voter

Permanent solution: the Voter implementation (and presence at all) should be reconsidered.

I am getting this error when trying to use this library in symfony 3.4 and the library version is 2.14

here is the code //security.yml

security:

providers:
    in_memory:
        memory: ~

firewalls:
    # disables authentication for assets and the profiler, adapt it according to your needs
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    main:
        anonymous: ~
        # activate different ways to authenticate

        # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate
        #http_basic: ~

        # https://symfony.com/doc/current/security/form_login_setup.html
        #form_login: ~
        two_factor:
            auth_form_path: 2fa_login    # The route name you have used in the routes.yaml
            check_path: 2fa_login_check  # The route name you have used in the routes.yaml

            
access_control:
    - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }

and i just add the this code in AppKernel.php // AppKernal.php new Scheb\TwoFactorBundle\SchebTwoFactorBundle(),

Bundle version: 4.0.14 Symfony version: 3.4.35

I installed everyhing and setup email support and when i login it redirects back to my apps home page. The token is set for your bundle and the user is partially logged in (it shows username in the dev bar). I cant get to any secure part of the site. If I visit mysite.com/2fa it will show me the 2fa and i can use it and it all works.

So the only issue is that while logging in it redirects to the wrong place:

    secured_area:
        two_factor:
            auth_form_path: 2fa_login    # The route name you have used in the routes.yaml
            check_path: 2fa_login_check  # The route name you have used in the routes.yaml
        pattern:    ^/
        form_login: ~
        logout: true
        anonymous: ~
        logout_on_user_change: true
        user_checker: adminbundle.userchecker

i am using the default routes you provide.

Bundle version: 4.x Symfony version: any

Description When the login redirects directly to the 2fa form, the provider method prepareAuthentication() and event TwoFactorAuthenticationEvents::REQUIRE are never triggered. This is only executed when the bundle force-redirects to the 2fa form.

For the email provider this means, an authentication code is not generated and no email is sent.

Workaround On login, redirect to a page that requires a fully authenticated user.

If you don't need lazy prepartion of the two-factor providers you can also use the 3.x version of the bundle.

Looks like RequestListener adds some latency, and not onCoreRequest as you'd expect, but just fetching the service from container can add ~25ms to each request.

I tried to track down the dependency graph and it goes like this: scheb_two_factor.security.request_listener -> scheb_two_factor.trusted_filter -> scheb_two_factor.provider_registry -> scheb_two_factor.security.google.provider -> scheb_two_factor.security.google.backup_code_validator -> scheb_two_factor.backup_code_validator -> scheb_two_factor.persister.doctrine.

If using lazy services and check FlagManager.isNotAuthenticated() earlier this can be optimized.

I know FlagManager does not know about providers, but maybe it can be tweaked to pull a minimal set of dependencies if FlagManager.isNotAuthenticated() is false.

The default number of digits for Google Authenticator is 6. The service scheb_two_factor.security.google takes number of digits as the first parameter in two_factor_provider_google.xml. The default is 6. Now if one wants to use more than 6 digits, one has to jump through the following hoops:

• Override scheb_two_factor.security.google to set the first constructor parameter to != 6
• Use this patch: https://github.com/sonata-project/GoogleAuthenticator/pull/103
• Modify Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticator::getQRContent() to append the digits parameter (according to https://github.com/google/google-authenticator/wiki/Key-Uri-Format, keep in mind the "not yet implemented" comment is incorrect, Google Authenticator supports the digits parameter nowadays)

Example:

public function getQRContent(TwoFactorInterface $user): string
{
    return parent::getQRContent($user) . '&digits=' . $this->passCodeLength;
}

It would be nice if this could be a configuration setting. What do you think?

Bundle version: 4.18.4 Symfony version: 3.4.49 PHP version: 3.4.0

Description

After login in with username and password I expect to see the 2fa default form. What I get is a user logged in and the url bar showing "my_ domain/login". The page I'm seeing has the main layout so I expeted to get "my_ domain/" in the url bar. I can see the user menu and I can logout.

I checked the troubleshooting guide and it got me here after verifying that I have a TwoFactorToken after the login but answering "no" to the second question.

Additional Context

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        users_in_memory: { memory: null }
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            provider: users_in_memory
            two_factor:
                auth_form_path: 2fa_login   
                check_path: 2fa_login_check 

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

        # This makes the logout route accessible during two-factor authentication. Allows the user to
        # cancel two-factor authentication, if they need to.
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # This ensures that the form can only be accessed when two-factor authentication is in progress.
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }

I dumped the $token and $user objects after login. ROLE_ADMIN is lost after login.

TwoFactorToken {#485 ▼
  -authenticatedToken: UsernamePasswordToken {#520 ▼
    -credentials: "*******"
    -providerKey: "main"
    -user: Users {#523 ▼
      #id: 2
      #name: null
      #lastname: null
      #channelbrandIsolation: false
      #userschannelbrand: PersistentCollection {#550 ▶}
      -googleAuthenticatorSecret: "FBMNU3YOZMUS3VTH5DULOMKAATRAC7M5O4OJ2P5BR6OW4QYP4HMA"
      #username: "*******"
      #usernameCanonical: "********"
      #email: "*************@gmail.com"
      #emailCanonical: "************@gmail.com"
      #enabled: true
      #salt: null
      #password: *******************************************************************"
      #plainPassword: null
      #lastLogin: DateTime @1623091323 {#521 ▶}
      #confirmationToken: null
      #passwordRequestedAt: null
      #groups: ArrayCollection {#517 ▶}
      #roles: array:1 [▼
        0 => "ROLE_ADMIN"
      ]
    }
    -roles: array:2 [▶]
    -authenticated: true
    -attributes: []
  }
  -credentials: null
  -providerKey: "main"
  -attributes: []
  -twoFactorProviders: array:1 [▶]
}

Users {#523 ▼
  #id: 2
  #name: null
  #lastname: null
  #channelbrandIsolation: false
  #userschannelbrand: PersistentCollection {#550 ▶}
  -googleAuthenticatorSecret: "FBMNU3YOZMUS3VTH5DULOMKAATRAC7M5O4OJ2P5BR6OW4QYP4HMA"
  #username: "miguel"
  #usernameCanonical: "******"
  #email: "********@gmail.com"
  #emailCanonical: "*********@gmail.com"
  #enabled: true
  #salt: null
  #password: "*****************************************************"
  #plainPassword: null
  #lastLogin: DateTime @1623091323 {#521 ▶}
  #confirmationToken: null
  #passwordRequestedAt: null
  #groups: ArrayCollection {#517 ▶}
  #roles: array:1 [▼
    0 => "ROLE_ADMIN"
  ]
}

My routing.yml has:

2fa_login:
    path: /2fa
    defaults:
        # "scheb_two_factor.form_controller" references the controller service provided by the bundle.
        # You don't HAVE to use it, but - except you have very special requirements - it is recommended.
        _controller: "scheb_two_factor.form_controller:form"

In my config.yml:

scheb_two_factor:
    google:
        enabled: true
        server_name: ddd               # Server name used in QR code
        issuer: ddd              # Issuer name used in QR code
        digits: 6                      # Number of digits in authentication code
        window: 1                      # How many codes before/after the current one would be accepted as valid
    security_tokens:
        - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        - Acme\AuthenticationBundle\Token\CustomAuthenticationToken

Bundle version: 4.16.0 and also tried downgrading to 3.29.0 Symfony version: 4.3.3

Description

Followed Troubleshooting guide and reached at step 5 which returns email as one value in array.

config\packages\security.yaml

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
#        in_memory: { memory: ~ }
        fos_userbundle:
            id: fos_user.user_provider.username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: fos_userbundle
            pattern: ^/
            user_checker: fos_user.user_checker
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
            logout:
                handlers: [app_logoutlistener]
            anonymous:    true
            access_denied_handler: App\Security\AccessDeniedHandler
            two_factor:
                provider: fos_userbundle
                auth_form_path: /2fa                  # Path or route name of the two-factor form
                check_path: /2fa_check                # Path or route name of the two-factor code check
                #post_only: false                      # If the check_path should accept the code only as a POST request
                default_target_path: /                # Where to redirect by default after successful authentication
                always_use_default_target_path: false # If it should always redirect to default_target_path
                auth_code_parameter_name: _auth_code  # Name of the parameter for the two-factor authentication code
                trusted_parameter_name: _trusted      # Name of the parameter for the trusted device option
                multi_factor: false                   # If ALL active two-factor methods need to be fulfilled
                                                      # (multi-factor authentication)

            # activate different ways to authenticate

            # http_basic: true
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

            # form_login: true
            # https://symfony.com/doc/current/security/form_login_setup.html

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/api/mobile/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/backend/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/application$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/notification/add, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user/enroll, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/, role: ROLE_USER }
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

config\routes.yaml

filter_sidebar:
    path: /filter_sidebar
    controller: Symfony\Bundle\FrameworkBundle\Controller\TemplateController
    defaults:
        # the path of the template to render
        template:  'filter_sidebar.html.twig'

fos_user:
    resource: "@FOSUserBundle/Resources/config/routing/all.xml"

css_route:
       path: /agenda_dynamic_style
       controller: App\Controller\StyleController::style

2fa_login:
    path: /2fa
    defaults:
        # "scheb_two_factor.form_controller" references the controller service provided by the bundle.
        # You don't HAVE to use it, but - except you have very special requirements - it is recommended.
        _controller: "scheb_two_factor.form_controller:form"

2fa_login_check:
    path: /2fa_check

config\packages\scheb_two_factor.yaml

scheb_two_factor:
    security_tokens:
        - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        # If you're using guard-based authentication, you have to use this one:
        # - Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken
    
    email:
        enabled: true                  # If email authentication should be enabled, default false
        #mailer: app.custom_mailer_service  # Use alternative service to send the authentication code
        #code_generator: app.custom_code_generator_service  # Use alternative service to generate authentication code
        sender_email: "%env(resolve:MAILER_USER)%"   # Sender email address
        sender_name: "%env(resolve:MAILER_USER)%"       # Sender name
        digits: 6                      # Number of digits in authentication code
        template: security/2fa_form.html.twig   # Template used to render the authentication form
    
    trusted_device:
        enabled: false                 # If the trusted device feature should be enabled
        #manager: acme.custom_trusted_device_manager  # Use a custom trusted device manager
        lifetime: 5184000              # Lifetime of the trusted device token
        extend_lifetime: false         # Automatically extend lifetime of the trusted cookie on re-login
        cookie_name: trusted_device    # Name of the trusted device cookie
        cookie_secure: false           # Set the 'Secure' (HTTPS Only) flag on the trusted device cookie
        cookie_same_site: "lax"        # The same-site option of the cookie, can be "lax", "strict" or null
        cookie_domain: ".example.com"  # Domain to use when setting the cookie, fallback to the request domain if not set
        cookie_path: "/"               # Path to use when setting the cookie
    
    backup_codes:
        enabled: false                 # If the backup code feature should be enabled
        #manager: acme.custom_backup_code_manager  # Use a custom backup code manager

    # The service which is used to persist data in the user object. By default Doctrine is used. If your entity is
    # managed by something else (e.g. an API), you have to implement a custom persister
    #persister: acme.custom_persister

    # If your Doctrine user object is managed by a model manager, which is not the default one, you have to
    # set this option. Name of entity manager or null, which uses the default one.
    model_manager_name: ~

    # A list of IP addresses or netmasks, which will not trigger two-factor authentication.
    # Supports IPv4, IPv6 and IP subnet masks.
    ip_whitelist:
        #- 127.0.0.1 # One IPv4
        #- 192.168.0.0/16 # IPv4 subnet
        #- 2001:0db8:85a3:0000:0000:8a2e:0370:7334 # One IPv6
        #- 2001:db8:abcd:0012::0/64 # IPv6 subnet

    # If you want to have your own implementation to retrieve the whitelisted IPs.
    # The configuration option "ip_whitelist" becomes meaningless in such a case.
    #ip_whitelist_provider: acme.custom_ip_whitelist_provider

    # If you want to exchange/extend the TwoFactorToken class, which is used by the bundle, you can have a factory
    # service providing your own implementation.
    #two_factor_token_factory: acme.custom_two_factor_token_factory

src\Entity\User.php

<?php

namespace App\Entity;

use Doctrine\Common\Collections\ArrayCollection;
use Doctrine\Common\Collections\Collection;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Assert;
use Doctrine\ORM\Mapping\AttributeOverrides;
use Doctrine\ORM\Mapping\AttributeOverride;
use FOS\UserBundle\Model\User as BaseUser;
...
use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface;

class User extends BaseUser implements TwoFactorInterface
{
     /**
     * @ORM\Column(type="integer", nullable=true)
     */
    private $authCode;

...
    public function isEmailAuthEnabled(): bool
    {
        return true; // This can be a persisted field to switch email code authentication on/off
    }

    public function getEmailAuthRecipient(): string
    {
        return $this->email;
    }

    public function getEmailAuthCode(): string
    {
        return $this->authCode;
    }

    public function setEmailAuthCode(string $authCode): void
    {
        $this->authCode = $authCode;
    }

Additional Context

Using FOSUserBundle for authentication. Using Doctrine2 behavioral extension for soft-delete (just for the info, because another extension, audit logger extension, I once used had event subscriber priority related issue, could that be the case?).

Bundle version: 4.7.0 Symfony version: 4.3.4

Description After updating from 4.6.0 to 4.7.0 I get never ending redirects after submitting the verify code. Any idea what it could be?

Hey there Scheb, after a few days I decided I should make an issue here to ask for some clarifications. I consider the steps for the integration of your package to not be so clear when it comes to Symfony 4.

What I have done so far:

1. Added the appropriate variables to my User entity (with getters and setters).
2. Used Symfony Flex for the scheb_two_factor configuration files.
3. Since I want to use google authenticator (I did setup google in my configuration file 'enabled: true').
4. Went to my security file and added the path ^/2fa;

Now... I have already updated my user registration process in order for them to have a secret key generated and I also generated the QR codes in the backend (even though I am going to use React as a frontend engine).

What I am missing is this:

1. How do I use your twig template in a controller?
2. How do I get to check the code the user gets from google authenticator?

When I go to localhost:8000/2fa I get the following error: "A Token was not found in the TokenStorage".

I am kind of a newbie to Symfony and backend overall and I am either missing steps or the documentation is not very beginner friendly. I intend to make a tutorial for beginners once I get it up and running with React (since there are no tutorials regarding this).

Thank you for your time (I would also love to talk with you in private chat if you want to).