Updates per code review for #4

Author: markshust

CHANGELOG.md

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [1.1.0] - 2020-01-12
+
+### Added
+- Support to disable 2FA for API token generation ([#1](https://github.com/markshust/magento2-module-disabletwofactorauth/issues/1)).
+
+### Updated
+- Updated docblocks and other minor formatting issues.
+- Updated REAMDE to make it more explicit not to disable 2FA within production environments.
+
 ## [1.0.0] - 2020-08-10
 
 ### Added

Plugin/BypassTwoFactorAuth.php

@@ -6,29 +6,46 @@
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\TwoFactorAuth\Model\TfaSession;
 
+/**
+ * Class BypassTwoFactorAuth
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
 class BypassTwoFactorAuth
 {
+ const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';
+
  /** @var ScopeConfigInterface */
- private $scopeConfig;
+ private ScopeConfigInterface $scopeConfig;
 
+ /**
+ * BypassTwoFactorAuth constructor.
+ * @param ScopeConfigInterface $scopeConfig
+ */
  public function __construct(
  ScopeConfigInterface $scopeConfig
  ) {
  $this->scopeConfig = $scopeConfig;
  }
 
  /**
- * If the TwoFactorAuth module Enable setting is set to false, always return true here so all requests bypass 2FA.
- * Otherwise, return the original result.
+ * Enables the bypass of 2FA for admin access.
+ * This can be useful within development & integration environments.
+ *
+ * If 2FA is enabled, return the original result.
+ * If 2FA is disabled, always return true so all requests bypass 2FA.
+ *
+ * NOTE: Always keep 2FA enabled within production environments for security purposes.
  *
  * @param TfaSession $subject
  * @param $result
  * @return bool
  */
- public function afterIsGranted(TfaSession $subject, $result): bool
- {
- return !$this->scopeConfig->isSetFlag('twofactorauth/general/enable')
- ? true
- : $result;
+ public function afterIsGranted(
+ TfaSession $subject,
+ $result
+ ): bool {
+ return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE)
+ ? $result
+ : true;
  }
 }

Plugin/BypassTwoFactorAuthForApiTokenGeneration.php

@@ -0,0 +1,66 @@
+<?php
+declare(strict_types=1);
+
+namespace MarkShust\DisableTwoFactorAuth\Plugin;
+
+use Closure;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Exception\AuthenticationException;
+use Magento\Framework\Exception\InputException;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Integration\Api\AdminTokenServiceInterface;
+use Magento\TwoFactorAuth\Model\AdminAccessTokenService;
+
+/**
+ * Class BypassWebApiTwoFactorAuth
+ * @package MarkShust\DisableTwoFactorAuth\Plugin
+ */
+class BypassTwoFactorAuthForApiTokenGeneration
+{
+ const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+
+ /** @var ScopeConfigInterface */
+ private ScopeConfigInterface $scopeConfig;
+
+ /** @var AdminTokenServiceInterface */
+ private AdminTokenServiceInterface $adminTokenService;
+
+ /**
+ * BypassTwoFactorAuthForApiTokenGeneration constructor.
+ * @param AdminTokenServiceInterface $adminTokenService
+ * @param ScopeConfigInterface $scopeConfig
+ */
+ public function __construct(
+ AdminTokenServiceInterface $adminTokenService,
+ ScopeConfigInterface $scopeConfig
+ ) {
+ $this->scopeConfig = $scopeConfig;
+ $this->adminTokenService = $adminTokenService;
+ }
+
+ /**
+ * Enables the bypass of 2FA for API token generation.
+ * This can be useful for third-party vendors during module development.
+ *
+ * NOTE: Always keep 2FA enabled within production environments for security purposes.
+ *
+ * @param AdminAccessTokenService $subject
+ * @param Closure $proceed
+ * @param $username
+ * @param $password
+ * @return string
+ * @throws AuthenticationException
+ * @throws InputException
+ * @throws LocalizedException
+ */
+ public function aroundCreateAdminAccessToken(
+ AdminAccessTokenService $subject,
+ Closure $proceed,
+ $username,
+ $password
+ ): string {
+ return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION)
+ ? $proceed($username, $password)
+ : $this->adminTokenService->createAdminAccessToken($username, $password);
+ }
+}

Plugin/BypassWebApiTwoFactorAuth.php

@@ -42,14 +42,25 @@ bin/magento setup:upgrade
 This module keeps 2FA enabled by default. This is to prevent any unexpected side effects or security loopholes from
 being introduced during automated installation processes.
 
-After installing the module, one can disable 2FA by going to **Admin > Stores > Settings > Configuration >
-Security > 2FA**, and setting *Enable 2FA* to **No**.
+### Disable 2FA
 
-This setting can also be toggled to a 1 or 0 to respectively enable or disable 2FA from the command-line console:
+Enables the bypass of 2FA for admin access. This can be useful within development & integration environments.
 
-```
-bin/magento config:set twofactorauth/general/enable 0
-```
+Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/enable 0`
+
+*NOTE: Always keep 2FA enabled within production environments for security purposes.*
+
+### Disable 2FA for API Token Generation
+
+Enables the bypass of 2FA for API token generation. This can be useful for third-party vendors during module development.
+
+Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/enable_for_api_token_generation 0`
+
+*NOTE: Always keep 2FA enabled within production environments for security purposes.*
 
 ## License
 

README.md

@@ -6,7 +6,7 @@
  "magento/framework": ">=103"
  },
  "type": "magento2-module",
- "version": "1.0.0",
+ "version": "1.1.0",
  "license": [
  "MIT"
  ],

composer.json

@@ -1,16 +1,15 @@
 <?xml version="1.0"?>
-<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
  <system>
  <section id="twofactorauth">
  <group id="general">
- <field id="enable" translate="label" type="select" sortOrder="1" showInDefault="1" canRestore="1">
+ <field id="enable" translate="label" type="select" sortOrder="100" showInDefault="1" canRestore="1">
  <label>Enable 2FA</label>
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  <comment>Warning: Enabling 2FA will immediately prompt admin user for OTP code.</comment>
  </field>
- <field id="enable_api" translate="label" type="select" sortOrder="100" showInDefault="1" canRestore="1">
- <label>Enable 2FA for token service</label>
+ <field id="enable_for_api_token_generation" translate="label" type="select" sortOrder="200" showInDefault="1" canRestore="1">
+ <label>Enable 2FA for API Token Generation</label>
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  </field>
  <field id="force_providers">

etc/adminhtml/system.xml

@@ -1,11 +1,10 @@
 <?xml version="1.0"?>
-<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
  <default>
  <twofactorauth>
  <general>
  <enable>1</enable>
- <enable_api>1</enable_api>
+ <enable_for_api_token_generation>1</enable_for_api_token_generation>
  </general>
  </twofactorauth>
  </default>

etc/config.xml

@@ -4,6 +4,6 @@
  <plugin name="bypassTwoFactorAuth" type="MarkShust\DisableTwoFactorAuth\Plugin\BypassTwoFactorAuth"/>
  </type>
  <type name="Magento\TwoFactorAuth\Model\AdminAccessTokenService">
- <plugin name="bypassWebApiTwoFactorAuth" type="MarkShust\DisableTwoFactorAuth\Plugin\BypassWebApiTwoFactorAuth"/>
+ <plugin name="bypassTwoFactorAuthForApiTokenGeneration" type="MarkShust\DisableTwoFactorAuth\Plugin\BypassTwoFactorAuthForApiTokenGeneration"/>
  </type>
 </config>