Two-factor authentication #13000

Status: merged, Dec 9, 2023 (111 commits)

Commits
192a765
MFA flow WIP
i-just Feb 27, 2023
8b6ff5c
MFA authentication component WIP
i-just Mar 1, 2023
f9221d3
GA OPT continued, EmailCode added
i-just Mar 1, 2023
8946b1e
started hooking up alternative options
i-just Mar 1, 2023
0db29e5
alternative mfa options hookup cont.
i-just Mar 2, 2023
216c2a5
started setting up user edit form
i-just Mar 2, 2023
daf3d36
rename all things
i-just Mar 2, 2023
7221624
separated js, tweaks
i-just Mar 2, 2023
434be1f
tweaks
i-just Mar 2, 2023
ed937e8
mfa option to mfa type
i-just Mar 2, 2023
37a75b7
save the user requireMfa property
i-just Mar 3, 2023
45ff8b7
added configurable mfa type
i-just Mar 6, 2023
27078ed
tweaks and translations
i-just Mar 8, 2023
aeb2525
compiled assets
i-just Mar 8, 2023
ed8663a
Squashed commit of the following:
i-just Mar 9, 2023
27f1d50
started on FE login adjustments
i-just Mar 9, 2023
3e66646
alternative mfa without JS
i-just Mar 13, 2023
7e2a429
don't rely on session data only
i-just Mar 13, 2023
5dbfc91
showing errors + tweaks
i-just Mar 13, 2023
b0a0319
verification email sent message
i-just Mar 13, 2023
d1f4e27
compiled assets
i-just Mar 14, 2023
29beea6
beginning of the webauthn
i-just Mar 14, 2023
ca2343f
webauthn registration cont.
i-just Mar 15, 2023
65bfd6c
handling errors and statuses
i-just Mar 15, 2023
ac96910
managing security keys
i-just Mar 15, 2023
6812d53
prep for login via webauthn
i-just Mar 17, 2023
fbd4bbf
webauthn login hooked up
i-just Mar 17, 2023
ae0ed0c
tweaks
i-just Mar 20, 2023
004a4fa
user settings for mfa
i-just Mar 20, 2023
2e6605b
global user settings continued
i-just Mar 20, 2023
87f0257
cleanup
i-just Mar 20, 2023
61ce656
auth manager changes
i-just Mar 22, 2023
1cc5931
built assets
i-just Mar 22, 2023
c71ae80
Merge branch 'develop' into feature/dev-13-mfa-v2
i-just Mar 28, 2023
e926071
removed todo comments
i-just Mar 28, 2023
f849b4e
styles adjustment
i-just Apr 4, 2023
17e0517
todo tweaks
i-just Apr 4, 2023
805ce81
Merge branch 'develop' into feature/dev-13-mfa-v2
i-just Apr 5, 2023
7dae917
submit setup form in slideout on 'enter'
i-just Apr 5, 2023
6b75c00
Merge branch '4.5' into feature/dev-13-mfa-v2
brandonkelly Apr 25, 2023
7be952f
Fixed pre-update SQL error
brandonkelly Apr 25, 2023
a9ab114
Merge branch '4.5' into feature/dev-13-mfa-v2
brandonkelly Apr 26, 2023
d8e61c2
started mfa to auth
i-just Apr 26, 2023
3e0bdca
further rename assets bundle
i-just Apr 26, 2023
d4bd4ce
more mfa to 2fa renaming
i-just Apr 26, 2023
6f55263
finish mfa to 2fa renaming
i-just Apr 27, 2023
7c9a06f
remove email code 2fa type
i-just Apr 27, 2023
06cbdc1
Merge remote-tracking branch 'origin/4.5' into feature/dev-13-mfa-v2
i-just Apr 27, 2023
786f8a8
webauthn as a 2fa method (WIP)
i-just Apr 27, 2023
3b1df7e
webauthn as 2fa method finished
i-just Apr 28, 2023
b0cb94f
removed console.log
i-just Apr 28, 2023
65aaf03
remove has2fa user param
i-just May 2, 2023
cba5847
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just May 3, 2023
9db0c27
tweaks
i-just May 3, 2023
f9821f3
recovery codes WIP
i-just May 3, 2023
2727fb4
download recovery codes
i-just May 4, 2023
f9e1bbd
js amends
i-just May 4, 2023
f7e9436
missed string translations
i-just May 4, 2023
eb7fbf6
usernameless webauth (WIP)
i-just May 5, 2023
5b872f6
alternative 2fa methods amends
i-just May 10, 2023
95292f3
login and setup styling amends
i-just May 10, 2023
70abc1a
check if browser supports platform authenticators
i-just May 10, 2023
674233d
aaand a bug fix
i-just May 10, 2023
6ab9881
elevate session with passkey (WIP)
i-just May 11, 2023
3e2f89b
webauthn js tweaks
i-just May 12, 2023
8906eeb
only use usernameless for login, not elevating session and auth manager
i-just May 12, 2023
cbfde49
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just May 12, 2023
ce8c4e7
only show passkey option if user has security keys set up
i-just May 12, 2023
c93f0df
improved error handling
i-just May 12, 2023
287cdd9
is 2fa required bugfix - don't count webauthn
i-just May 16, 2023
f6d8184
default passkey name
i-just May 16, 2023
665b2ac
if platform auth not available hide passkey option
i-just May 16, 2023
c3cfc7b
@since tag updates
i-just May 16, 2023
40012cd
bug fixes & compiled assets
i-just May 16, 2023
3c1006e
add security key - double-click prevention
i-just May 16, 2023
a411fca
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just May 22, 2023
be383be
tweaks
i-just May 22, 2023
fb499c2
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just May 25, 2023
aa8a5d1
accessibility adjustments
i-just May 25, 2023
66eaeac
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just Sep 27, 2023
446a254
Merge branch '5.0' into feature/dev-13-mfa-v2
i-just Oct 17, 2023
8c08b6d
bring back autofocus
i-just Oct 17, 2023
248e37c
tweaks
i-just Oct 17, 2023
8b56da2
more tweaks
i-just Oct 17, 2023
bd2926b
namespace changes & cleanup
i-just Oct 17, 2023
4312590
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Oct 18, 2023
c111382
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 15, 2023
abd7fad
_accountfields → _profile-fields
brandonkelly Nov 15, 2023
472716b
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 16, 2023
c8c391d
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 17, 2023
394564e
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 19, 2023
065e361
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 21, 2023
88abb03
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 21, 2023
abeffcb
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 21, 2023
8652107
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 22, 2023
bd17df5
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 27, 2023
9a42e8e
Merge branch '5.0' into feature/dev-13-mfa-v2
brandonkelly Nov 28, 2023
d75367d
Changed some code
brandonkelly Dec 7, 2023
2153493
Drop the Require 2FA setting for now
brandonkelly Dec 7, 2023
d8c7295
Fix 'undefined' error
brandonkelly Dec 7, 2023
e7fc838
Abort passkey setup if the name prompt is cancelled
brandonkelly Dec 7, 2023
29a6310
Codes
brandonkelly Dec 7, 2023
8bd50b4
Bring back “Require Two-Step Verification” user setting
brandonkelly Dec 7, 2023
cc39a23
.first
brandonkelly Dec 7, 2023
384faf1
Show user validation errors
brandonkelly Dec 8, 2023
394cf40
Always require user emails, but only validate uniqueness for active/p…
brandonkelly Dec 8, 2023
863cf36
Users service cleanup + show validation flash errors for activation r…
brandonkelly Dec 9, 2023
90e371c
Make it possible to view unsaved + unpublished draft users
brandonkelly Dec 9, 2023
c445292
Fixed Admin setting
brandonkelly Dec 9, 2023
f6fb203
Cleanup
brandonkelly Dec 9, 2023
32ef81e
Release notes
brandonkelly Dec 9, 2023
48 changes: 45 additions & 3 deletions CHANGELOG-WIP.md
@@ -9,20 +9,32 @@
- Entry edit pages now include quick links to other sections’ index sources.
- Asset edit pages now include quick links to other volumes’ index sources.
- Entry conditions can now have a “Matrix field” rule. ([#13794](https://github.com/craftcms/cms/discussions/13794))
- User addresses can now be displayed as an embedded element index.
- Selected elements within relational fields now include a context menu with “View in a new tab”, “Edit”, and “Remove” options.
- Selected elements within relational fields now include a dedicated drag handle.
- Selected assets within Assets fields no longer open the file preview modal when their thumbnail is clicked on. The “Preview file” quick action, or the <kbd>Shift</kbd> + <kbd>Spacebar</kbd> keyboard shortcut, can be used instead.
- Improved the styling of element chips.
- Improved checkbox-style deselection behavior for control panel items, to account for double-clicks.
- Table views are no longer available for element indexes on mobile.

### User Management
- Added two-step verification support, with built-in “Authenticator App” (TOTP) and “Recovery Codes” methods. Additional methods can be provided by plugins.
- Added a “Require Two-Step Verification” system setting, which can be set to “All users”, “Admins”, and individual user groups.
- Added passkey support (authentication via fingerprint or facial recognition).
- User account settings are now split into “Profile”, “Addresses”, and “Permissions” pages, plus “Password & Verification” and “Passkeys” pages when editing one’s own account.
- Users’ “Username”, “Full Name”, “Photo”, and “Email” native fields can now be managed via the user field layout, and now show up alongside custom fields within user slideouts.
- Users with more than 50 addresses will now display them as a paginated element index.
- New users are now created in an unpublished draft state, so adding a user photo, addresses, and permissions can each be done before the user is fully saved.
- The login page now includes a “Sign in with a passkey” button.
- The login modal and elevated session modal have been redesigned to be consistent with the login page.
- User sessions are now treated as elevated immediately after login, per the `elevatedSessionDuration` config setting.

### Accessibility
- Improved source item navigation for screen readers. ([#12054](https://github.com/craftcms/cms/pull/12054))
- Content tab menus are now implemented as disclosure menus. ([#12963](https://github.com/craftcms/cms/pull/12963))
- Element selection modals now show checkboxes for selectable elements.
- Elements within relational fields are no longer focusable at the container level.
- Relational fields now use the proper list semantics.
- Improved the accessibility of the login page, login modal, and elevated session modal.

### Administration
- Field layouts can now designate an Assets field as the source for elements’ thumbnails. ([#12484](https://github.com/craftcms/cms/discussions/12484), [#12706](https://github.com/craftcms/cms/discussions/12706))
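Review bot: the “Require Two-Step Verification” entry (a system setting with “All users”, “Admins” and per-group options) does not match the commit trail on this PR, which has “Drop the Require 2FA setting for now” followed by “Bring back ‘Require Two-Step Verification’ user setting”; confirm which of the two actually shipped and word the entry to match, because administrators will read this line to decide whether 2FA can be enforced centrally. Two smaller points in the same block: “passkey support (authentication via fingerprint or facial recognition)” describes only platform authenticators, while the commits “managing security keys” and “check if browser supports platform authenticators” show roaming security keys are handled as well, so “authentication via a platform or roaming WebAuthn authenticator (fingerprint, face, or a hardware security key)” would be more accurate; and “User sessions are now treated as elevated immediately after login, per the `elevatedSessionDuration` config setting” widens the window in which sensitive actions need no re-authentication, so state the behaviour explicitly (elevated for `elevatedSessionDuration` after login, re-verification required afterwards) rather than leaving it at “per”.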
@@ -67,6 +79,12 @@
- The `assets/move-asset` and `assets/move-folder` actions no longer include `success` keys in responses. ([#12159](https://github.com/craftcms/cms/pull/12159))
- The `assets/upload` controller action now includes `errors` object in failure responses. ([#12159](https://github.com/craftcms/cms/pull/12159))
- Element action triggers’ `validateSelection()` and `activate()` methods are now passed an `elementIndex` argument, with a reference to the trigger’s corresponding element index.
- Added `craft\auth\methods\AuthMethodInterface`.
- Added `craft\auth\methods\BaseAuthMethod`.
- Added `craft\auth\methods\RecoveryCodes`.
- Added `craft\auth\methods\TOTP`.
- Added `craft\auth\passkeys\CredentialRepository`.
- Added `craft\base\ApplicationTrait::getAuth()`.
- Added `craft\base\Element::EVENT_DEFINE_ACTION_MENU_ITEMS`.
- Added `craft\base\Element::EVENT_DEFINE_INLINE_ATTRIBUTE_INPUT_HTML`.
- Added `craft\base\Element::crumbs()`.
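Review bot: the “Additional methods can be provided by plugins” promise in the User Management section has no matching entry here telling plugin authors how a method built on `craft\auth\methods\BaseAuthMethod` / `AuthMethodInterface` gets registered (the `craft\services\Auth` service added further down is the obvious place); add the registration event or method name to this list so the extension point is discoverable from the changelog rather than from reading `craft\services\Auth`.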
@@ -123,6 +141,7 @@
- Added `craft\elements\NestedElementManager`.
- Added `craft\elements\Tag::gqlTypeName()`.
- Added `craft\elements\User::GQL_TYPE_NAME`.
- Added `craft\elements\User::authenticateWithPasskey()`.
- Added `craft\elements\conditions\ElementConditionInterface::getFieldLayouts()`.
- Added `craft\elements\conditions\entries\MatrixFieldConditionRule`.
- Added `craft\elements\db\EagerLoadInfo`.
@@ -148,6 +167,11 @@
- Added `craft\fieldlayoutelements\BaseField::thumbHtml()`.
- Added `craft\fieldlayoutelements\BaseField::thumbable()`.
- Added `craft\fieldlayoutelements\CustomField::$handle`.
- Added `craft\fieldlayoutelements\TextField::inputAttributes()`.
- Added `craft\fieldlayoutelements\users\EmailField`.
- Added `craft\fieldlayoutelements\users\FullNameField`.
- Added `craft\fieldlayoutelements\users\PhotoField`.
- Added `craft\fieldlayoutelements\users\UsernameField`.
- Added `craft\fields\Addresses`.
- Added `craft\fields\Matrix::EVENT_DEFINE_ENTRY_TYPES`.
- Added `craft\fields\Matrix::getEntryTypes()`.
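Review bot: moving “Username”, “Full Name”, “Photo” and “Email” into the user field layout (`UsernameField`, `EmailField`, `FullNameField`, `PhotoField`) makes those native fields something an admin can drop from the layout; since the commit “Always require user emails, but only validate uniqueness for active/p…” indicates email stays mandatory regardless, say in this entry which native fields remain required when they are not placed in the layout, so that login, verification and passkey flows that identify a user by username or email are not silently broken by a layout edit.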
@@ -189,6 +213,7 @@
- Added `craft\models\Section::getCpEditUrl()`.
- Added `craft\models\Volume::getSubpath()`.
- Added `craft\models\Volume::setSubpath()`.
- Added `craft\services\Auth`.
- Added `craft\services\Entries::refreshEntryTypes()`.
- Added `craft\services\Fields::$fieldContext`, which replaces `craft\services\Content::$fieldContext`.
- Added `craft\services\Fields::getAllLayouts()`.
@@ -251,10 +276,14 @@
- `craft\elements\Entry::getSection()` can now return `null`, for nested entries.
- `craft\elements\User::getAddresses()` now returns a collection.
- `craft\enums\LicenseKeyStatus` is now an enum.
- `craft\events\AuthenticateUserEvent::$password` can now be null, if the user is being authenticated with a passkey.
- `craft\fields\BaseOptionsField::$multi` and `$optgroups` properties are now static.
- `craft\fields\Matrix::$propagationMethod` now has a type of `craft\enums\PropagationMethod`.
- `craft\gql\mutations\Entry::createSaveMutations()` now accepts a `$section` argument.
- `craft\helpers\Cp::fieldHtml()` now supports a `labelExtra` config value.
- `craft\helpers\Db::parseParam()`, `parseDateParam()`, `parseMoneyParam()`, and `parseNumericParam()` now return `null` instead of an empty string if no condition should be applied.
- `craft\helpers\Html::normalizeTagAttributes()` now supports a `removeClass` key.
- `craft\helpers\Html::tag()` and `beginTag()` now ensure that the passed-in attributes are normalized.
- `craft\helpers\StringHelper::toString()` now supports backed enums.
- `craft\i18n\I18N::getPrimarySiteLocale()` is now deprecated. `craft\models\Site::getLocale()` should be used instead.
- `craft\i18n\I18N::getPrimarySiteLocaleId()` is now deprecated. `craft\models\Site::$language` should be used instead.
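Review bot: the “`craft\events\AuthenticateUserEvent::$password` can now be null” entry is a breaking change for every existing handler of that event (custom password policies, failed-login logging, credential-stuffing throttles) that assumes a string; the entry should say what `null` means (the credential was already verified by a passkey assertion, not an empty password) and that handlers must neither reject `null` as a missing password nor attempt to re-check it. Separately, the `Html::normalizeTagAttributes()` and `Html::tag()` lines added in this hunk are the same two lines removed from the next one, i.e. a reorder into alphabetical position rather than a new change; fine, but a one-line commit note would stop it being read as a behaviour change.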
@@ -265,8 +294,15 @@
- `craft\services\Elements::duplicateElement()` no longer has a `$trackDuplication` argument.
- `craft\services\Plugins::getPluginLicenseKeyStatus()` now returns a `craft\enums\LicenseKeyStatus` case.
- `craft\services\ProjectConfig::saveModifiedConfigData()` no longer has a `$writeExternalConfig` argument, and no longer writes out updated project config YAML files.
- `craft\helpers\Html::tag()` and `beginTag()` now ensure that the passed-in attributes are normalized.
- `craft\helpers\Html::normalizeTagAttributes()` now supports a `removeClass` key.
- `craft\services\Users::activateUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::deactivateUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::removeCredentials()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::shunMessageForUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::suspendUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::unlockUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::unshunMessageForUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::unsuspendUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- `craft\services\Users::verifyEmailForUser()` now has a `void` return type, and throws an `InvalidElementException` in case of failure.
- Deprecated the `_elements/element.twig` control panel template. `elementChip()` or `elementCard()` should be used instead.
- Deprecated the `cp.elements.element` control panel template hook.
- Deprecated `craft\events\DefineElementInnerHtmlEvent`.
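Review bot: `removeCredentials()`, `suspendUser()`, `unlockUser()` and the other `craft\services\Users` methods listed here now return `void` and throw `InvalidElementException` instead of returning `false`, so the old `if (!Craft::$app->users->suspendUser($user)) { … }` pattern misbehaves twice over: on success the method returns `null`, so the failure branch runs, and on failure the exception propagates past the check entirely. This deserves an explicit breaking-change callout, especially for the suspend, lock and remove-credentials paths that incident responders and account-takeover tooling call from plugins and console commands.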
@@ -308,6 +344,7 @@
- Removed `craft\events\BlockTypesEvent`.
- Removed `craft\events\FieldGroupEvent`.
- Removed `craft\events\RegisterUserActionsEvent`.
- Removed `craft\fieldlayoutelements\users\AddressesField`.
- Removed `craft\fields\Matrix::EVENT_SET_FIELD_BLOCK_TYPES`.
- Removed `craft\fields\Matrix::PROPAGATION_METHOD_ALL`. `craft\enums\PropagationMethod::All` should be used instead.
- Removed `craft\fields\Matrix::PROPAGATION_METHOD_CUSTOM`. `craft\enums\PropagationMethod::Custom` should be used instead.
@@ -379,6 +416,7 @@
- Removed `craft\web\CpScreenResponseBehavior::$contextMenuHtml`. `$contextMenuItems` should be used instead.
- Removed `craft\web\CpScreenResponseBehavior::contextMenuHtml()`. `contextMenuItems()` should be used instead.
- Removed `craft\web\CpScreenResponseBehavior::contextMenuTemplate()`. `contextMenuItems()` should be used instead.
- Removed `craft\web\User::startElevatedSession()`. `login()` should be used instead.
- Added `Craft.BaseElementSelectInput::defineElementActions()`.
- Added `Craft.CP::setSiteCrumbMenuItemStatus()`.
- Added `Craft.CP::showSiteCrumbMenuItem()`.
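Review bot: “Removed `craft\web\User::startElevatedSession()`. `login()` should be used instead” replaces a re-verification call with the full login path; the entry should spell out what `login()` does for a user who is already signed in (whether the session and identity cookie are regenerated, whether `AuthenticateUserEvent` fires again, and how this interacts with sessions now being treated as elevated immediately after login), because plugins used `startElevatedSession()` precisely to demand fresh proof of identity before a sensitive action without disturbing the existing session.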
@@ -394,7 +432,11 @@
### System
- Craft now requires PHP 8.2 or later.
- Craft now requires the Symfony Filesystem component directly.
- Craft now requires `bacon/bacon-qr-code`.
- Craft now requires `composer/semver` directly.
- Craft now requires `pragmarx/google2fa`.
- Craft now requires `pragmarx/recovery`.
- Craft now requires `web-auth/webauthn-lib`.
- Craft no longer requires `composer/composer`.
- New database tables now default to the `utf8mb4` charset, and the `utf8mb4_0900_ai_ci` or `utf8mb4_unicode_ci` collation, on MySQL. Existing installs should run `db/convert-charset` after upgrading, to ensure all tables have consistent charsets and collations. ([#11823](https://github.com/craftcms/cms/discussions/11823))
- The `defaultTemplateExtensions` config setting now lists `twig` before `html` by default. ([#11809](https://github.com/craftcms/cms/discussions/11809))
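Review bot: four new third-party dependencies now sit on the authentication path (`pragmarx/google2fa` for TOTP, `pragmarx/recovery` for recovery codes, `web-auth/webauthn-lib` for passkeys and security keys, `bacon/bacon-qr-code` for the enrollment QR code) but the entries only say “Craft now requires”; note which login method each one serves, so that operators doing a supply-chain review or responding to an upstream advisory can map a library to the affected feature without reading the source.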
4 changes: 4 additions & 0 deletions composer.json
@@ -34,6 +34,7 @@
"ext-pcre": "*",
"ext-pdo": "*",
"ext-zip": "*",
"bacon/bacon-qr-code": "^2.0",
"commerceguys/addressing": "^1.2",
"composer/semver": "^3.3.2",
"craftcms/plugin-installer": "~1.6.0",
@@ -47,6 +48,8 @@
"moneyphp/money": "^4.0",
"monolog/monolog": "^2.3",
"pixelandtonic/imagine": "~1.3.3.1",
"pragmarx/google2fa": "^8.0",
"pragmarx/recovery": "^0.2.1",
"samdark/yii2-psr-log-target": "^1.1.3",
"seld/cli-prompt": "^1.0.4",
"symfony/filesystem": "^6.3",
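Review bot: `pragmarx/recovery` is constrained to `^0.2.1`, a pre-1.0 range that under Composer's caret semantics will not move to 0.3.x, so a security fix shipped under a new minor would need a manual bump; consider a wider constraint or an explicit pin with dependency monitoring for a library that generates account-recovery secrets. While here, confirm in review that the codes it produces are stored hashed (as passwords are) and invalidated on first use, since the commit list only says they can be downloaded.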
@@ -56,6 +59,7 @@
"theiconic/name-parser": "^1.2",
"twig/twig": "~3.4.3",
"voku/stringy": "^6.4.0",
"web-auth/webauthn-lib": "^3.3",
"webonyx/graphql-php": "~14.11.5",
"yiisoft/yii2": "~2.0.48.1",
"yiisoft/yii2-debug": "~2.1.22.0",
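Review bot: `web-auth/webauthn-lib` is constrained to `^3.3`; before merging, confirm that the 3.x line is still receiving security fixes and that a newer major was not skipped unintentionally, since this is the library that validates attestation and assertion signatures for the new passkey login and is the one dependency here whose upgrade cadence matters most.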