Automatically disable 2FA in developer mode, with optional toggle to fall back.

Author: markshust

Plugin/BypassTwoFactorAuth.php

@@ -14,7 +14,8 @@
 class BypassTwoFactorAuth
 {
  const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';
- const XML_PATH_CONFIG_DISABLE_DEV_2FA = 'twofactorauth/general/disable_developer_auth';
+ const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+ const XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE = 'twofactorauth/general/disable_in_developer_mode';
 
  /** @var ScopeConfigInterface */
  private $scopeConfig;
@@ -37,11 +38,12 @@ public function __construct(
 
  /**
  * Enables the bypass of 2FA for admin access.
- * This can be useful within development & integration environments.
+ * This can be useful for within development & integration environments.
  *
  * If 2FA is enabled, return the original result.
- * If 2FA is disabled, always return true so all requests bypass 2FA.
- * If 2FA is disabled only for developer mode, return true when in developer mode to bypass 2FA.
+ * If developer mode is enabled, 2FA is disabled unless "Disable 2FA in developer mode" is set to No.
+ *
+ * Returning true in this function bypasses 2FA.
  *
  * NOTE: Always keep 2FA enabled within production environments for security purposes.
  *
@@ -53,17 +55,16 @@ public function afterIsGranted(
  TfaSession $subject,
  $result
  ): bool {
- // 2FA is always disabled.
- if (!$this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE)) {
- return true;
- }
+ $is2faEnabled = $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE);
+ $isDeveloperMode = $this->appState->getMode() == State::MODE_DEVELOPER;
+ $alwaysDisableInDeveloperMode = $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE);
 
- // 2FA is disabled only for developer mode.
- if ($this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_DISABLE_DEV_2FA)
- && $this->appState->getMode() == State::MODE_DEVELOPER) {
- return true;
+ if ($isDeveloperMode && $alwaysDisableInDeveloperMode) {
+ $is2faEnabled = false;
  }
 
- return $result;
+ return $is2faEnabled
+ ? $result
+ : true;
  }
 }

Plugin/BypassTwoFactorAuthForApiTokenGeneration.php

@@ -5,6 +5,7 @@
 
 use Closure;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\State;
 use Magento\Framework\Exception\AuthenticationException;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\LocalizedException;
@@ -17,30 +18,39 @@
  */
 class BypassTwoFactorAuthForApiTokenGeneration
 {
- const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+ /** @var AdminTokenServiceInterface */
+ private $adminTokenService;
 
  /** @var ScopeConfigInterface */
  private $scopeConfig;
 
- /** @var AdminTokenServiceInterface */
- private $adminTokenService;
+ /** @var State */
+ private $appState;
 
  /**
  * BypassTwoFactorAuthForApiTokenGeneration constructor.
  * @param AdminTokenServiceInterface $adminTokenService
  * @param ScopeConfigInterface $scopeConfig
+ * @param State $appState
  */
  public function __construct(
  AdminTokenServiceInterface $adminTokenService,
- ScopeConfigInterface $scopeConfig
+ ScopeConfigInterface $scopeConfig,
+ State $appState
  ) {
  $this->scopeConfig = $scopeConfig;
  $this->adminTokenService = $adminTokenService;
+ $this->appState = $appState;
  }
 
  /**
  * Enables the bypass of 2FA for API token generation.
- * This can be useful for third-party vendors during module development.
+ * This can be useful for within development & integration environments.
+ *
+ * If 2FA is enabled, return the original result.
+ * If developer mode is enabled, 2FA is disabled unless "Disable 2FA in developer mode" is set to No.
+ *
+ * Calling createAdminAccessToken within this function bypasses 2FA.
  *
  * NOTE: Always keep 2FA enabled within production environments for security purposes.
  *
@@ -59,7 +69,19 @@ public function aroundCreateAdminAccessToken(
  $username,
  $password
  ): string {
- return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION)
+ $is2faEnabled = $this->scopeConfig->isSetFlag(
+ BypassTwoFactorAuth::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION
+ );
+ $isDeveloperMode = $this->appState->getMode() == State::MODE_DEVELOPER;
+ $alwaysDisableInDeveloperMode = $this->scopeConfig->isSetFlag(
+ BypassTwoFactorAuth::XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE
+ );
+
+ if ($isDeveloperMode && $alwaysDisableInDeveloperMode) {
+ $is2faEnabled = false;
+ }
+
+ return $is2faEnabled
  ? $proceed($username, $password)
  : $this->adminTokenService->createAdminAccessToken($username, $password);
  }

etc/adminhtml/system.xml

@@ -8,18 +8,15 @@
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  <comment>Warning: Enabling 2FA will immediately prompt admin user for OTP code.</comment>
  </field>
- <field id="disable_developer_auth" translate="label" type="select" sortOrder="150" showInDefault="1" canRestore="1">
- <label>Disable Developer Mode 2FA</label>
- <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
- <comment>Disable 2FA only when Magento is in developer mode.</comment>
- <depends>
- <field id="enable">1</field>
- </depends>
- </field>
  <field id="enable_for_api_token_generation" translate="label" type="select" sortOrder="200" showInDefault="1" canRestore="1">
  <label>Enable 2FA for API Token Generation</label>
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  </field>
+ <field id="disable_in_developer_mode" translate="label" type="select" sortOrder="150" showInDefault="1" canRestore="1">
+ <label>Disable 2FA in Developer Mode</label>
+ <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+ <comment>When set to No the above settings are used, otherwise 2FA is disabled in developer mode.</comment>
+ </field>
  <field id="force_providers">
  <depends>
  <field id="enable">1</field>

etc/config.xml

@@ -5,6 +5,7 @@
  <general>
  <enable>1</enable>
  <enable_for_api_token_generation>1</enable_for_api_token_generation>
+ <disable_in_developer_mode>1</disable_in_developer_mode>
  </general>
  </twofactorauth>
  </default>