-
Notifications
You must be signed in to change notification settings - Fork 25
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
26 changed files
with
322 additions
and
218 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
docs/en/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
title: Authenticators | ||
--- | ||
|
||
# Authenticators | ||
|
||
[CHILDREN includeFolders] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
11 changes: 9 additions & 2 deletions
11
docs/en/creating-mfa-method-backend.md → ...methods/02_creating-mfa-method-backend.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
title: Creating new MFA methods | ||
--- | ||
|
||
# Creating new MFA methods | ||
|
||
[CHILDREN includeFolders] |
10 changes: 7 additions & 3 deletions
10
docs/en/local-development.md → docs/en/03_local-development.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,22 @@ | ||
--- | ||
title: Configuring encryption providers | ||
--- | ||
|
||
# Configuring encryption providers | ||
|
||
By default this module uses [defuse/php-encryption](https://github.com/defuse/php-encryption) as its encryption adapter | ||
for secret information that must be persisted to a data store, such as a TOTP secret. | ||
|
||
You can add your own implementation if you would like to use something different, by implementing | ||
`EncryptionAdapterInterface` and configuring your service class with Injector. The interface is deliberately simple, | ||
[`EncryptionAdapterInterface`](api:SilverStripe\MFA\Service\EncryptionAdapterInterface) and configuring your service class with Injector. The interface is deliberately simple, | ||
and takes `encrypt()` and `decrypt()` methods with a payload and an encryption key argument. | ||
|
||
```yaml | ||
```yml | ||
SilverStripe\Core\Injector\Injector: | ||
SilverStripe\MFA\Service\EncryptionAdapterInterface: | ||
class: App\MFA\ReallyStrongEncryptionAdapter | ||
``` | ||
**Please note:** this is different from the `PasswordEncryptor` API provided by silverstripe/framework | ||
because we need two-way encryption (as opposed to one-way hashing) for MFA. | ||
> [!NOTE] | ||
> This is different from the `PasswordEncryptor` API provided by silverstripe/framework | ||
> because we need two-way encryption (as opposed to one-way hashing) for MFA. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
--- | ||
title: Data store interfaces | ||
--- | ||
|
||
# Data store interfaces | ||
|
||
Since the MFA architecture is largely designed to be decoupled, we use a [`StoreInterface`](api:SilverStripe\MFA\Store\StoreInterface) implementation to retain | ||
data between requests. The default implementation for this interface is [`SessionStore`](api:SilverStripe\MFA\Store\SessionStore) which stores data using the | ||
Silverstripe CMS [`Session`](api:SilverStripe\Control\Session) API provided by silverstripe/framework. | ||
|
||
If you need to use a different storage mechanism (e.g. Redis, DynamoDB etc) you can implement and configure your | ||
own `StoreInterface`, and register it with Injector: | ||
|
||
```yml | ||
SilverStripe\Core\Injector\Injector: | ||
SilverStripe\MFA\Store\StoreInterface: | ||
class: App\MFA\RedisStoreInterface | ||
``` | ||
> [!NOTE] | ||
> The store should always be treated as a server side implementation. It's not a good idea to implement | ||
> a client store e.g. cookies. | ||
## Adjusting what goes into the store | ||
By default, the entire [`HTTPRequest`](api:SilverStripe\Control\HTTPRequest) object is saved to the store during the multi-factor authentication process. We | ||
exclude the `Password` field from the request by default, but if you need to exclude other fields, you can add an | ||
extension, for example: | ||
|
||
```php | ||
// app/src/MFA/Extensions/MyLoginHandlerExtension.php | ||
namespace App\MFA\Extensions; | ||
use SilverStripe\Control\HTTPRequest; | ||
use SilverStripe\MFA\Store\StoreInterface; | ||
// Apply extension to SilverStripe\MFA\Authenticator\LoginHandler | ||
class MyLoginHandlerExtension extends Extension | ||
{ | ||
public function onBeforeSaveRequestToStore(HTTPRequest $request, StoreInterface $store): void | ||
{ | ||
$request->offsetUnset('MySecretField'); | ||
} | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
--- | ||
title: Security | ||
--- | ||
|
||
# Security | ||
|
||
## Login attempts | ||
|
||
The MFA module makes use of the framework's [`LoginAttempt`](api:SilverStripe\Security\LoginAttempt) API to ensure that a user can only attempt to register | ||
or verify a MFA method a certain number of times. Since it re-uses the core API, it also shares the maximum number | ||
of attempts with login attempts themselves. | ||
|
||
For example: if the maximum number of login attempts ([`Member.lock_out_after_incorrect_logins`](api:SilverStripe\Security\Member->lock_out_after_incorrect_logins)) is 5, and a user | ||
incorrectly enters their password twice, correctly enters it once, then incorrectly enters a TOTP code three times, | ||
they will be registered as locked out for a specified period of time ([`Member.lock_out_delay_mins`](api:SilverStripe\Security\Member->lock_out_delay_mins)). In this case, | ||
the user will be shown a message when trying to verify their TOTP code similar to "Your account is temporarily locked. | ||
Please try again later." | ||
|
||
For more information on this, see [Secure Coding](https://docs.silverstripe.org/en/developer_guides/security/secure_coding/#other-options). | ||
|
||
## Related links | ||
|
||
- [MFA encryption providers](encryption.md) | ||
- [silverstripe/security-extensions documentation](https://github.com/silverstripe/silverstripe-security-extensions) |
Oops, something went wrong.