我正在我的 Laravel 8 应用程序中实现双因素身份验证 (2FA)。
每次用户登录时都会应用2FA。但是,我并不觉得每次都需要2FA,我什至觉得它很烦人。作为一种解决方案,我正在考虑仅在用户从新设备连接时应用它。有没有人已经做过或者可以给我一些必要的改变的提示?
问问题
961 次
2 回答
3
我明白了。以下是我遵循的步骤:
在配置文件 fortify.php 我添加了
'pipelines' => [ 'login' => [ App\Actions\Fortify\RedirectIfTwoFactorAuthenticatable::class, Laravel\Fortify\Actions\AttemptToAuthenticate::class, Laravel\Fortify\Actions\PrepareAuthenticatedSession::class, ] ]我已将字段 two_factor_cookies 添加到 User 类中。
我已经定制了 Fortify 的 RedirectIfTwoFactorAuthenticatable 类:
<?php namespace App\Actions\Fortify; use Laravel\Fortify\Actions\RedirectIfTwoFactorAuthenticatable as DefaultRedirectIfTwoFactorAuthenticatable; use Laravel\Fortify\TwoFactorAuthenticatable; class RedirectIfTwoFactorAuthenticatable extends DefaultRedirectIfTwoFactorAuthenticatable { /** * Handle the incoming request. * * @param \Illuminate\Http\Request $request * @param callable $next * @return mixed */ public function handle($request, $next) { $user = $this->validateCredentials($request); if (optional($user)->two_factor_secret && in_array(TwoFactorAuthenticatable::class, class_uses_recursive($user)) && $this->checkIfUserDeviceHasNotCookie($user)) { return $this->twoFactorChallengeResponse($request, $user); } return $next($request); } /** * This checks if the user's device has the cookie stored * in the database. * * @param \App\Models\User\User $user * @return bool */ protected function checkIfUserDeviceHasNotCookie($user) { $two_factor_cookies = json_decode($user->two_factor_cookies); if (!is_array($two_factor_cookies)){ $two_factor_cookies = []; } $two_factor_cookie = \Cookie::get('2fa'); return !in_array($two_factor_cookie,$two_factor_cookies); } }在 FortifyServiceProvider 中,我添加了一个自定义的 TwoFactorLoginResponse。
<?php namespace App\Providers; use App\Actions\Fortify\CreateNewUser; use App\Actions\Fortify\ResetUserPassword; use App\Actions\Fortify\UpdateUserPassword; use App\Actions\Fortify\UpdateUserProfileInformation; use App\Http\Responses\FailedPasswordResetLinkRequestResponse; use App\Http\Responses\FailedPasswordResetResponse; use App\Http\Responses\LockoutResponse; use App\Http\Responses\LoginResponse; use App\Http\Responses\LogoutResponse; use App\Http\Responses\PasswordResetResponse; use App\Http\Responses\RegisterResponse; use App\Http\Responses\SuccessfulPasswordResetLinkRequestResponse; use App\Http\Responses\TwoFactorLoginResponse; use App\Http\Responses\VerifyEmail; use Illuminate\Cache\RateLimiting\Limit; use Illuminate\Http\Request; use Illuminate\Support\Facades\RateLimiter; use Illuminate\Support\ServiceProvider; use Laravel\Fortify\Contracts\FailedPasswordResetLinkRequestResponse as FailedPasswordResetLinkRequestResponseContract; use Laravel\Fortify\Contracts\FailedPasswordResetResponse as FailedPasswordResetResponseContract; use Laravel\Fortify\Contracts\LockoutResponse as LockoutResponseContract; use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract; use Laravel\Fortify\Contracts\LogoutResponse as LogoutResponseContract; use Laravel\Fortify\Contracts\PasswordResetResponse as PasswordResetResponseContract; use Laravel\Fortify\Contracts\RegisterResponse as RegisterResponseContract; use Laravel\Fortify\Contracts\SuccessfulPasswordResetLinkRequestResponse as SuccessfulPasswordResetLinkRequestResponseContract; use Laravel\Fortify\Contracts\TwoFactorLoginResponse as TwoFactorLoginResponseContract; use Laravel\Fortify\Fortify; class FortifyServiceProvider extends ServiceProvider { /** * Register any application services. * * @return void */ public function register() { $this->registerResponseBindings(); } /** * Register the response bindings. * * @return void */ protected function registerResponseBindings() { $this->app->singleton(LoginResponseContract::class, LoginResponse::class); $this->app->singleton(LogoutResponseContract::class, LogoutResponse::class); $this->app->singleton(TwoFactorLoginResponseContract::class, TwoFactorLoginResponse::class); $this->app->singleton(RegisterResponseContract::class, RegisterResponse::class); $this->app->singleton(LockoutResponseContract::class, LockoutResponse::class); $this->app->singleton(SuccessfulPasswordResetLinkRequestResponseContract::class, SuccessfulPasswordResetLinkRequestResponse::class); $this->app->singleton(FailedPasswordResetLinkRequestResponseContract::class, FailedPasswordResetLinkRequestResponse::class); $this->app->singleton(PasswordResetResponseContract::class, PasswordResetResponse::class); $this->app->singleton(FailedPasswordResetResponseContract::class, FailedPasswordResetResponse::class); } /** * Bootstrap any application services. * * @return void */ public function boot() { Fortify::ignoreRoutes(); Fortify::loginView(function () { return view('auth.login'); }); Fortify::twoFactorChallengeView('auth.two-factor-challenge'); Fortify::confirmPasswordView(function (Request $request) { if ($request->ajax()) { return view('auth.confirm-password-form'); } else { return view('auth.confirm-password'); } }); Fortify::requestPasswordResetLinkView(function () { return view('auth.forgot-password'); }); Fortify::resetPasswordView(function ($request) { return view('auth.reset-password', ['request' => $request,'token' => $request->route('token')]); }); Fortify::registerView(function () { return view('auth.register'); }); Fortify::verifyEmailView(function () { return view('auth.verify'); }); Fortify::createUsersUsing(CreateNewUser::class); Fortify::updateUserProfileInformationUsing(UpdateUserProfileInformation::class); Fortify::updateUserPasswordsUsing(UpdateUserPassword::class); Fortify::resetUserPasswordsUsing(ResetUserPassword::class); /*RateLimiter::for('login', function (Request $request) { return Limit::perMinute(5)->by($request->email.$request->ip()); });*/ RateLimiter::for('two-factor', function (Request $request) { return Limit::perMinute(5)->by($request->session()->get('login.id')); }); } }最后,TwoFactorLoginResponse:
<?php namespace App\Http\Responses; use Illuminate\Http\JsonResponse; use Laravel\Fortify\Contracts\TwoFactorLoginResponse as TwoFactorLoginResponseContract; class TwoFactorLoginResponse implements TwoFactorLoginResponseContract { /** * Create an HTTP response that represents the object. * * @param \Illuminate\Http\Request $request * @return \Symfony\Component\HttpFoundation\Response */ public function toResponse($request) { $user = \Auth::user(); $this->storeCookieIfNotInDB($user); $role = $user->role; if ($request->wantsJson()) { return new JsonResponse('', 204); } if ($role == "0") { return redirect()->route('user.home'); } else { return redirect()->route('admin.home'); } } /** * Store the cookie if it is not in the database. * * @param \App\Models\User\User $user * @return void */ protected function storeCookieIfNotInDB($user) { $two_factor_cookies = json_decode($user->two_factor_cookies); if (!is_array($two_factor_cookies)){ $two_factor_cookies = []; } $two_factor_cookie = \Cookie::get('2fa'); if (!in_array($two_factor_cookie,$two_factor_cookies)) { $two_factor_cookie = md5(now()); $two_factor_cookies[] = $two_factor_cookie; if (count($two_factor_cookies) > 3) { array_shift($two_factor_cookies); } $user->two_factor_cookies = json_encode($two_factor_cookies); $user->save(); $lifetime = 60 * 24 * 365; //one year \Cookie::queue('2fa',$two_factor_cookie,$lifetime); } } }
登录后,它将查找 cookie 2fa。如果其内容存储在数据库中,则无需再次输入代码。为了防止无限的 cookie 内容保存在数据库中,您可以添加最大限制(我已将其设置为 3)。
感谢 Maarten Veerman 的初始帮助。
于 2021-04-18T17:03:10.993 回答
2
pipelines.login你可以在你的 fortify 配置文件中创建一个条目。
解决方案是:
- 创建配置条目
- 复制上述文件第 84 行中的管道设置。
- 创建一个自定义
AttemptToAuthenticate类,确保管道配置指向您的新类。 - 使新类扩展默认的强化
AttemptToAuthenticate类。 - 覆盖该
handle函数,在新函数中添加您的逻辑,您可以在其中检查设备上的 cookie。
于 2021-04-16T19:07:36.623 回答