Build Two Factor Authentication
Hello
I am using AppGini 5.81 and I am looking for any help to build Two Factor Authentication.
Any ideas are welcome.
Thank you
Re: Build Two Factor Authentication
I have tried this Google Authenticator plugin developed by a past Appgini subscriber in previous versions of AppGini (not on Version 5.81 yet - but I can't see any reason why it won't still work OK?):
https://github.com/massyn/appgini-tools ... ticator.md
It does work well! Google Authentication is selectable and not enforced on all users. Provides a QR code too. The only limitations I can recall are that it doesn't allow you to disable TFA once enabled (should be fixable with a bit of editing) and I don't remember it providing any manual override codes in case no Google device is handy.
It does require some editing of core AppGini files, but the changes are very minimal and easy to track.
Re: Build Two Factor Authentication
Hmmm? Just checked the GoogleAuthenticatorClass.php link in that GitHub link above and I see it is now dead?
Not sure why it's no longer available and obviously I can't vouch for the code but here is a copy of the original attached if anybody is interested in giving it a go/edit:
Re: Build Two Factor Authentication
As a matter of interest, I just tested Google Authenticator as per GitHub instructions on V5.81.
Still works, although one change is necessary in incCommon.php due to the hardening of password hashes in recently released versions (post V5.73).
Instead of replacing with this (final instruction):
Code:
if(sqlValue("select count(1) from membership_users where lcase(memberID)='$username' and passMD5='$password' and isApproved=1 and isBanned=0")==1 && ($ga->TOTPauthenticate(db_link(),$username))){
You need to find this (around line 1050):
Code:
$redir = 'index.php';
if($_POST['signIn'] != ''){
    if($_POST['username'] != '' && $_POST['password'] != ''){
        $username = makeSafe(strtolower($_POST['username']));
        $hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");
        $password = $_POST['password'];
And replace it with this:
Code:
$redir = 'index.php';
if($_POST['signIn'] != ''){
    // sanitise the username before it reaches any query, including the TOTP lookup
    $username = makeSafe(strtolower($_POST['username']));
    if($_POST['username'] != '' && $_POST['password'] != '' && ($ga->TOTPauthenticate(db_link(), $username))){
        $hash = sqlValue("select passMD5 from membership_users where lcase(memberID)='{$username}' and isApproved=1 and isBanned=0");
        $password = $_POST['password'];
Seems to work well. While I can't see that it would, I'm not sure if all this creates any other security issues though...?
Re: Build Two Factor Authentication
Hello
Thank you for support and sharing, I will give a try.
Best regards,
Re: Build Two Factor Authentication
Hi peebee,
very nice. Thank you for posting (and for putting the GoogleAuthenticatorClass.php up again).
I want to suggest little improvements:
a) in setup_googleauth.php we find
Code:
echo $ga->TOTPsetupPage($memberinfo['username'],'AppGini'); // need to find a way to retrieve the site name and put it in here.
Replace this with
Code:
echo $ga->TOTPsetupPage($memberinfo['username'],$host); // need to find a way to retrieve the site name and put it in here.
and your GA code will at least have the domain from the application. I have posted a request on how to get the application name ( viewtopic.php?f=2&p=11477#p11477 ). Once this is answered we can easily change $host in that code again.
b) The problem you describe here
can be worked around like this:
Replace the code (once again) in incCommon.php (attention: incCommon.php is regenerated when you generate your application, so all changes to it will be lost and you will need to reapply them). Look for
Code:
function logInMember() {
    $redir = 'index.php';
    if($_POST['signIn'] != '') {
        if($_POST['username'] != '' && $_POST['password'] != '') {
replace with
Code:
function logInMember() {
    $redir = 'index.php';
    if($_POST['signIn'] != '') {
        //start https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md
        //old: if($_POST['username'] != '' && $_POST['password'] != '') {
        //new: if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor === 1)) {
        $curr_dir = dirname(__FILE__);
        require_once "$curr_dir/hooks/GoogleAuthenticatorClass.php";
        $ga = new framework_GoogleAuthenticator();
        $username = makeSafe(strtolower($_POST['username']));
        // a user is enrolled when totp_secrets holds a row for them
        $sqlTwoFactor = "SELECT Count(uid) AS c FROM totp_secrets WHERE uid = '" . $username . "';";
        $testTwoFactorUser = sqlValue($sqlTwoFactor);
        $TwoFactor = 0;
        if ($testTwoFactorUser == 1) {
            // enrolled: the TOTP code must verify
            if ($ga->TOTPauthenticate(db_link(), $username)) {
                $TwoFactor = 1;
            }
        } else {
            // not enrolled: password alone is enough
            $TwoFactor = 1;
        }
        if($_POST['username'] != '' && $_POST['password'] != '' && ($TwoFactor === 1)) {
        //end https://github.com/massyn/appgini-tools/blob/master/google-authenticator.md
What this change does: If the user has defined two-factor for himself, he needs to use it. If it has not been defined, he does not need to use it. For this the table totp_secrets is checked, from which we can easily delete entries ... Now make it easy to remove two-factor auth for/from users:
Create a new table in AppGini (after running the GoogleAuthenticator once) as seen in the image. Give the admin access to all entries (only view and delete in the generated AppGini application). This way the entries can be deleted from the table quite easily and thus two-factor authentication is disabled for that user (again). You can allow mass delete and disable detail view (both circled).
SQL for this table:
Code:
CREATE TABLE `totp_secrets` (
  `uid` varchar(50) NOT NULL,
  `secret` varchar(30) DEFAULT NULL,
  `datetime` datetime DEFAULT NULL,
  `ip_address` varchar(30) DEFAULT NULL,
  PRIMARY KEY (`uid`),
  UNIQUE KEY `uid_unique` (`uid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Olaf
Some postings I was involved in, you might find useful:
Multi Path Upload (MPU) / dynamic upload folder; SingleEdit - Prevent concurrent edits on records; Field Permissions; Column-Value-Based-Permissions; Custom (error) message; Audit Log; Backup your database; Two Factor Authentication; Block brute force (failed) logins; Add 2nd SAVE CHANGES button
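The gate in the post above calls TOTPauthenticate() before AppGini's own password check has run, and what the code is compared against, and how, is hidden inside the class. Two things a practitioner would want to see spelled out: the order of checks (password first, so the TOTP step is never an oracle for accounts whose password is still unknown) and refusal of a code that was already used once. Giving admins "view" on totp_secrets also shows them every user's secret in clear; "delete" alone is enough to reset a user. The following is an added example and not code from AppGini, the plugin or Olaf: a self-contained RFC 6238 verifier with a one-step drift window, constant-time comparison and replay refusal, plus a login decision function in the shape the modified logInMember() needs. It assumes the secret is stored base32-encoded (as totp_secrets.secret holds it) and a hypothetical per-user "last counter used" value that the table above does not have; the self-check uses the public RFC 6238 test seed.

```php
<?php
// Added example, not code from AppGini or the plugin: RFC 6238 TOTP verification
// and the order of checks a login gate should use. Assumptions: secrets are stored
// base32-encoded (as in totp_secrets.secret), SHA-1, 6 digits, 30-second step,
// and a hypothetical per-user "last counter used" value for replay protection.

function base32_decode_rfc4648(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

function totp_code(string $rawSecret, int $counter, int $digits = 6): string {
    // RFC 4226 HOTP: HMAC-SHA1 over the 64-bit big-endian counter, dynamic truncation.
    $hmac   = hash_hmac('sha1', pack('J', $counter), $rawSecret, true);
    $offset = ord($hmac[19]) & 0x0F;
    $bin = ((ord($hmac[$offset]) & 0x7F) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         |  ord($hmac[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the time-step counter that matched, or null. The caller stores the
// returned counter; any code at or below the stored counter is refused, so a
// code captured during one login cannot be replayed within the drift window.
function totp_verify(string $b32secret, string $submitted, int $now, int $lastCounterUsed, int $window = 1): ?int {
    if (!preg_match('/^[0-9]{6}$/', $submitted)) {
        return null;
    }
    $raw     = base32_decode_rfc4648($b32secret);
    $counter = intdiv($now, 30);
    for ($d = -$window; $d <= $window; $d++) {
        $c = $counter + $d;
        if ($c <= $lastCounterUsed) {
            continue;
        }
        if (hash_equals(totp_code($raw, $c), $submitted)) {
            return $c;
        }
    }
    return null;
}

// Login gate. $passwordOk is the outcome of AppGini's own hash check, done first so
// the TOTP step is never reachable for an account whose password is unknown;
// $enrolledSecret is the user's totp_secrets row or null when not enrolled.
// Both failure paths return the same reason so enrolment status is not leaked.
function login_decision(bool $passwordOk, ?string $enrolledSecret, ?string $code, int $now, int $lastCounterUsed): array {
    if (!$passwordOk) {
        return ['ok' => false, 'reason' => 'bad credentials'];
    }
    if ($enrolledSecret === null) {
        return ['ok' => true, 'counter' => $lastCounterUsed];   // not enrolled: password alone
    }
    $matched = totp_verify($enrolledSecret, (string)$code, $now, $lastCounterUsed);
    if ($matched === null) {
        return ['ok' => false, 'reason' => 'bad credentials'];
    }
    return ['ok' => true, 'counter' => $matched];              // persist this counter
}

// Self-check against RFC 6238 Appendix B: seed "12345678901234567890" (base32
// below), time 59 -> counter 1 -> SHA-1 TOTP 287082.
$seed = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
if (totp_code(base32_decode_rfc4648($seed), 1) !== '287082') {
    throw new RuntimeException('TOTP self-test failed');
}
// First use of the code at t=59 is accepted; presenting the same code again is not.
$first  = login_decision(true, $seed, '287082', 59, 0);
$replay = login_decision(true, $seed, '287082', 75, $first['counter']);
if (!$first['ok'] || $replay['ok']) {
    throw new RuntimeException('replay check failed');
}
echo "TOTP verifier OK\n";
```

To use this shape inside logInMember(), run AppGini's password comparison first, look up the user's totp_secrets row only on success, and write the returned counter back to the user's row before starting the session; the constant "bad credentials" result, with the same response time, is what keeps the login form from telling an attacker which accounts have 2FA.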
Re: Build Two Factor Authentication
Hi,
I decided to make it a little easier to implement and use: Now the user can remove the two factor authentication of him/herself in the same form (you still need to adjust incCommon.php):
Download
Olaf
Re: Build Two Factor Authentication
Hi,
added one more line to allow access to the page only for logged in users.
Also added some (simple) docs: From my former posting and the github page in a single txt file.
Download:
Olaf
Re: Build Two Factor Authentication
Thanks for putting in the effort Olaf, much appreciated. I haven't tried your version yet but I'll give it a go as soon as time permits.
Re: Build Two Factor Authentication
Hi,
thanks. I have added localization (translation) to the twofactor-auth and added the possibility to have the actual app title as GA title.
Download
Olaf
Re: Build Two Factor Authentication
Has anybody managed to securely implement this Google 2FA or any other TOTP/2FA for that matter into latest AppGini V22.11?
The new resources/lib/Authentication.php (since Appgini V5.98) is making things much more difficult and I'm not having any success.
I'm happy to assist with a reasonable $contribution for time to anyone able to assist with a working model if that helps.
Re: Build Two Factor Authentication
Hi,
peebee wrote: 2022-02-01 04:47
Has anybody managed to securely implement this Google 2FA or any other TOTP/2FA for that matter into latest AppGini V22.11?
The new resources/lib/Authentication.php (since Appgini V5.98) is making things much more difficult and I'm not having any success.
I'm happy to assist with a reasonable $contribution for time to anyone able to assist with a working model if that helps.
first of all, I'm not a programmer, so my changes should definitely be reviewed carefully. However, they can probably serve as a good starting point for people who know more about this. Here’s what I’ve changed compared to the original approach:
The QR code is no longer generated locally but via an interface (I kept encountering error messages with the local generation). Therefore, I fundamentally modified the setup_googleauth.php file to achieve this. Additionally, I significantly updated the how-to guide since the authentication process now works differently in AG.
Feel free to download my first version from GitHub, and I’d be happy to receive constructive feedback for improvements.
https://github.com/meickert/appgini-googleauthenticator
Best regards,
Marcus
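One caveat on fetching the QR image from an external interface, as Marcus's version does: the otpauth:// URI encoded in that image contains the shared secret, so every secret handed to a third-party QR service is also known to that service. The following is an added example, not code from Marcus's repository or the plugin: it creates the secret and the Key URI locally, with the app title in the issuer field (the place Olaf's point a) is trying to fill), so that only the rendering of the image remains to be done by a server-side QR library. The issuer and account name are constructed placeholders.

```php
<?php
// Added example, not the plugin's or Marcus's code: generate a TOTP enrolment
// secret and the otpauth:// Key URI an authenticator app reads from the QR code.
// The URI carries the shared secret, so the QR image should be rendered on the
// application server, never by a third-party web service.

function base32_encode_rfc4648(string $bytes): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $bits .= str_pad(decbin(ord($bytes[$i])), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i < strlen($bits); $i += 5) {
        $chunk = str_pad(substr($bits, $i, 5), 5, '0', STR_PAD_RIGHT);
        $out .= $alphabet[bindec($chunk)];
    }
    return $out;   // unpadded; authenticator apps accept secrets without '='
}

function new_totp_secret(int $bytes = 20): string {
    // 160-bit secret from the CSPRNG, the length RFC 4226 recommends for HMAC-SHA1.
    return base32_encode_rfc4648(random_bytes($bytes));
}

function otpauth_uri(string $issuer, string $account, string $b32secret): string {
    // Key URI format: label is "issuer:account"; issuer is repeated as a parameter.
    $label = rawurlencode($issuer) . ':' . rawurlencode($account);
    $query = http_build_query([
        'secret'    => $b32secret,
        'issuer'    => $issuer,
        'algorithm' => 'SHA1',
        'digits'    => 6,
        'period'    => 30,
    ], '', '&', PHP_QUERY_RFC3986);
    return 'otpauth://totp/' . $label . '?' . $query;
}

// Constructed enrolment for a placeholder account; the issuer is whatever the
// application title is (the thread's $host / app-title question).
$secret = new_totp_secret();
$uri    = otpauth_uri('My AppGini App', 'alice', $secret);

// Render $uri as a QR image with a server-side library and show it once.
// Store $secret in totp_secrets only after the user submits one valid code,
// otherwise a half-finished enrolment locks the user out.
echo $uri, PHP_EOL;
```

Keeping the secret on the server is the whole point of the second factor; if the QR rendering has to happen in the browser, send the URI over the authenticated HTTPS session and draw it client-side rather than pointing an <img> at an external service.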
Re: Build Two Factor Authentication
Hi Marcus,
thanks for sharing.
Olaf