stackoom
  简体   繁体   中英

Laravel 5.1 login with mfa token

 原文  2015-10-07 21:08:00       php/ laravel/ login/ authorization/ laravel-5.1

Question

I'm trying to get the a login with mfa to work. I'm using the https://github.com/antonioribeiro/google2fa package.

Basically the user-migration looks like this 

class CreateUsersTable extends Migration {
/**
 * Run the migrations.
 *
 * @return void
 */
public function up() {
    Schema::create('users', function (Blueprint $table) {
        $table->increments('id');
        $table->string('name');
        $table->string('email')->unique();
        $table->string('password', 60);
        $table->rememberToken();
        $table->string('google2fa_secret');
        $table->boolean('useMfa')->default(false);;
        $table->timestamps();
    });
}
...

If the user has not yet activated mfa I create a new secret every time the user opens the profile page. 

    if(!$user->useMfaToken()){
        $google2fa = new Google2FA();
        $user->google2fa_secret = $google2fa->generateSecretKey();
        $user->save();
        $google2fa_url = $google2fa->getQRCodeGoogleUrl(
            'DatenPro.de',
            $user->email,
            $user->google2fa_secret
        );
    }

If the user enters the secret for finalizing the activation of mfa this will be executed: 

public function saveMfa(){
    $user = \Auth::user();
    $secret = \Input::get('secret');
    $google2fa = new Google2FA();
    $valid = $google2fa->verifyKey($user->google2fa_secret, $secret);
    if($valid){
        $user->useMfa = true;
        $user->save();
        return redirect()->back()->withMessage('mfa sucessfully activated');
    }
...

Now I'm working on the login with a mfa-token. I want that the user has the option to enter the token at the login page, if he has already activated it, otherwise if the mfa-Checkbox is deselected the "secret" text-input is hidden. 

Email:    __________
Password: __________
Use Mfa:  [x]
Secret:    __________

Where do I have to put the checks of the mfa token? I have read about it to check it through a middleware and a session-variable, but this seems kind of wrong.

1 answers

solution1
 0 ACCPTED  2015-10-07 21:08:00

Just figured it out before posting.

You can implement a "authenticated"-method in the AuthController. This could look like this: 

public function authenticated($request, $user){        
    if($user->useMfaToken()){
        $secret = \Input::get('secret');
        $google2fa = new Google2FA();
        $validMfaToken = $google2fa->verifyKey($user->google2fa_secret, $secret);
    }else{
        $validMfaToken = true;
    }
    if($validMfaToken){
        return redirect()->intended('dashboard');
    }
    Auth::logout();
    return redirect($this->loginPath)
        ->withInput($request->only('email', 'remember'))
        ->withErrors([
            'secret' => 'mfa token was not corret',
        ]);
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Laravel 5.1 Token Mismatch on Login form POST Social login in laravel 5.1? Laravel 5.1 steam login Laravel 5.1 bcrypt and login laravel 5.1 login not working Facebook Socialite login with Laravel 5.1 Laravel 5.1: Auth::login() not persisting Laravel 5.1 Login Session Message Laravel 5.1 authentication login not working Laravel 5.1 user login not working
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM