Merge pull request #13 from drpayyne/auto-2fa

Author: markshust

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [2.0.0] - 2021-11-10
+
+This is a potentially breaking release, as it changes the overall functionality when Magento is in `developer` mode. A new "Disable 2FA in Developer Mode" system configuration has been created, which is a Yes/No toggle. By default, it is set to Yes so that 2FA is automatically disabled when a Magento site is in `developer` mode. When this is set to No, the two other 2FA configuration dropdowns set the configuration for 2FA. When not in `developer` mode, this toggle has no effect.
+
+### Added
+- Add ability to automatically disable 2FA when in developer mode ([#13](https://github.com/markshust/magento2-module-disabletwofactorauth/pull/13)).
+
 ## [1.1.4] - 2021-02-22
 
 ### Fixed

Plugin/BypassTwoFactorAuth.php

@@ -4,6 +4,7 @@
 namespace MarkShust\DisableTwoFactorAuth\Plugin;
 
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\State;
 use Magento\TwoFactorAuth\Model\TfaSession;
 
 /**
@@ -13,26 +14,36 @@
 class BypassTwoFactorAuth
 {
  const XML_PATH_CONFIG_ENABLE = 'twofactorauth/general/enable';
+ const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+ const XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE = 'twofactorauth/general/disable_in_developer_mode';
 
  /** @var ScopeConfigInterface */
  private $scopeConfig;
 
+ /** @var State */
+ private $appState;
+
  /**
  * BypassTwoFactorAuth constructor.
  * @param ScopeConfigInterface $scopeConfig
+ * @param State $appState
  */
  public function __construct(
- ScopeConfigInterface $scopeConfig
+ ScopeConfigInterface $scopeConfig,
+ State $appState
  ) {
  $this->scopeConfig = $scopeConfig;
+ $this->appState = $appState;
  }
 
  /**
  * Enables the bypass of 2FA for admin access.
- * This can be useful within development & integration environments.
+ * This can be useful for within development & integration environments.
  *
  * If 2FA is enabled, return the original result.
- * If 2FA is disabled, always return true so all requests bypass 2FA.
+ * If developer mode is enabled, 2FA is disabled unless "Disable 2FA in developer mode" is set to No.
+ *
+ * Returning true in this function bypasses 2FA.
  *
  * NOTE: Always keep 2FA enabled within production environments for security purposes.
  *
@@ -44,7 +55,15 @@ public function afterIsGranted(
  TfaSession $subject,
  $result
  ): bool {
- return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE)
+ $is2faEnabled = $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE);
+ $isDeveloperMode = $this->appState->getMode() == State::MODE_DEVELOPER;
+ $alwaysDisableInDeveloperMode = $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE);
+
+ if ($isDeveloperMode && $alwaysDisableInDeveloperMode) {
+ $is2faEnabled = false;
+ }
+
+ return $is2faEnabled
  ? $result
  : true;
  }

Plugin/BypassTwoFactorAuthForApiTokenGeneration.php

@@ -5,6 +5,7 @@
 
 use Closure;
 use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\App\State;
 use Magento\Framework\Exception\AuthenticationException;
 use Magento\Framework\Exception\InputException;
 use Magento\Framework\Exception\LocalizedException;
@@ -17,30 +18,39 @@
  */
 class BypassTwoFactorAuthForApiTokenGeneration
 {
- const XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION = 'twofactorauth/general/enable_for_api_token_generation';
+ /** @var AdminTokenServiceInterface */
+ private $adminTokenService;
 
  /** @var ScopeConfigInterface */
  private $scopeConfig;
 
- /** @var AdminTokenServiceInterface */
- private $adminTokenService;
+ /** @var State */
+ private $appState;
 
  /**
  * BypassTwoFactorAuthForApiTokenGeneration constructor.
  * @param AdminTokenServiceInterface $adminTokenService
  * @param ScopeConfigInterface $scopeConfig
+ * @param State $appState
  */
  public function __construct(
  AdminTokenServiceInterface $adminTokenService,
- ScopeConfigInterface $scopeConfig
+ ScopeConfigInterface $scopeConfig,
+ State $appState
  ) {
  $this->scopeConfig = $scopeConfig;
  $this->adminTokenService = $adminTokenService;
+ $this->appState = $appState;
  }
 
  /**
  * Enables the bypass of 2FA for API token generation.
- * This can be useful for third-party vendors during module development.
+ * This can be useful for within development & integration environments.
+ *
+ * If 2FA is enabled, return the original result.
+ * If developer mode is enabled, 2FA is disabled unless "Disable 2FA in developer mode" is set to No.
+ *
+ * Calling createAdminAccessToken within this function bypasses 2FA.
  *
  * NOTE: Always keep 2FA enabled within production environments for security purposes.
  *
@@ -59,7 +69,19 @@ public function aroundCreateAdminAccessToken(
  $username,
  $password
  ): string {
- return $this->scopeConfig->isSetFlag(self::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION)
+ $is2faEnabled = $this->scopeConfig->isSetFlag(
+ BypassTwoFactorAuth::XML_PATH_CONFIG_ENABLE_FOR_API_TOKEN_GENERATION
+ );
+ $isDeveloperMode = $this->appState->getMode() == State::MODE_DEVELOPER;
+ $alwaysDisableInDeveloperMode = $this->scopeConfig->isSetFlag(
+ BypassTwoFactorAuth::XML_PATH_CONFIG_DISABLE_IN_DEVELOPER_MODE
+ );
+
+ if ($isDeveloperMode && $alwaysDisableInDeveloperMode) {
+ $is2faEnabled = false;
+ }
+
+ return $is2faEnabled
  ? $proceed($username, $password)
  : $this->adminTokenService->createAdminAccessToken($username, $password);
  }

README.md

@@ -22,12 +22,14 @@ With the release of Magento 2.4, two-factor authentication (also known as 2FA) b
 ability to disable it in either the admin or console. However, there are situations which may require 2FA to be disabled
 or temporarily turned off, such as within development or testing environments.
 
-This module adds the missing toggle to turn 2FA on or off from the admin. It does this by hooking into the core code in
+This module automatically disables 2FA while in developer mode (since version 2.0.0), and adds the missing toggle to turn 2FA on or off from the admin for other environments. It does this by hooking into the core code in
 a very seamless manner, just as would be done if this toggle existed in the core code. Installing this module should not
-open up any security holes, as it just works off of a simple config toggle which if not present, falls back to default
-functionality. 
+open any security holes, as it just works off of a simple config toggle which, if not present, falls back to the default
+functionality.
+
+You can also toggle 2FA back on while in developer mode, if you need to test your code functionality while 2FA is enabled.
 
-![Demo](https://raw.githubusercontent.com/markshust/magento2-module-disabletwofactorauth/master/docs/demo.png)
+![Demo](https://raw.githubusercontent.com/markshust/magento2-module-disabletwofactorauth/master/docs/demo-2021-11-10.png)
 
 ## Installation
 
@@ -39,28 +41,36 @@ bin/magento setup:upgrade
 
 ## Usage
 
-This module keeps 2FA enabled by default. This is to prevent any unexpected side effects or security loopholes from
+This module automatically disables 2FA in developer mode (since version 2.0.0). In any other deployment mode, 2FA is kept enabled by default. This is to prevent any unexpected side effects or security loopholes from
 being introduced during automated installation processes.
 
 ### Disable 2FA
 
-Enables the bypass of 2FA for admin access. This can be useful within development & integration environments.
-
-Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**.
+It may still be desirable to disable 2FA in non-production environments, such as within testing or internal staging environments. For these cases, 2FA is not automatically disabled. However, there are toggles to override the default Magento settings to disable 2FA within these environments.
 
-CLI: `bin/magento config:set twofactorauth/general/enable 0`
+You can also bypass 2FA for API token generation. This can be useful for third-party vendors during module development.
 
 *NOTE: Always keep 2FA enabled within production environments for security purposes.*
 
-### Disable 2FA for API Token Generation
+#### 2FA
+
+To disable 2FA, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/enable 0`
 
-Enables the bypass of 2FA for API token generation. This can be useful for third-party vendors during module development.
+#### 2FA for API Token Generation
 
-Visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**.
+To disable 2FA for API Token Generation, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Enable 2FA for API Token Generation* to **No**.
 
 CLI: `bin/magento config:set twofactorauth/general/enable_for_api_token_generation 0`
 
-*NOTE: Always keep 2FA enabled within production environments for security purposes.*
+### Enable 2FA in developer mode
+
+This module automatically disables 2FA while developer mode is enabled, but there may be situations when you need 2FA enabled during development. Rather than needing to disable this module, you can just disable this configuration setting in the admin.
+
+To enable 2FA while in developer mode, visit **Admin > Stores > Settings > Configuration > Security > 2FA** and set *Disable 2FA in Developer Mode* to **No**.
+
+CLI: `bin/magento config:set twofactorauth/general/disable_in_developer_mode 0`
 
 ## License
 

composer.json

@@ -6,7 +6,7 @@
  "magento/framework": ">=103"
  },
  "type": "magento2-module",
- "version": "1.1.4",
+ "version": "2.0.0",
  "license": [
  "MIT"
  ],

docs/demo-2021-11-10.png

@@ -3,15 +3,20 @@
  <system>
  <section id="twofactorauth">
  <group id="general">
- <field id="enable" translate="label" type="select" sortOrder="100" showInDefault="1" canRestore="1">
+ <field id="enable" translate="label" type="select" sortOrder="900" showInDefault="1" canRestore="1">
  <label>Enable 2FA</label>
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  <comment>Warning: Enabling 2FA will immediately prompt admin user for OTP code.</comment>
  </field>
- <field id="enable_for_api_token_generation" translate="label" type="select" sortOrder="200" showInDefault="1" canRestore="1">
+ <field id="enable_for_api_token_generation" translate="label" type="select" sortOrder="910" showInDefault="1" canRestore="1">
  <label>Enable 2FA for API Token Generation</label>
  <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
  </field>
+ <field id="disable_in_developer_mode" translate="label" type="select" sortOrder="920" showInDefault="1" canRestore="1">
+ <label>Disable 2FA in Developer Mode</label>
+ <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+ <comment>Set to No to use the above settings, otherwise 2FA is disabled in developer mode.</comment>
+ </field>
  <field id="force_providers">
  <depends>
  <field id="enable">1</field>

docs/demo.png

@@ -5,6 +5,7 @@
  <general>
  <enable>1</enable>
  <enable_for_api_token_generation>1</enable_for_api_token_generation>
+ <disable_in_developer_mode>1</disable_in_developer_mode>
  </general>
  </twofactorauth>
  </default>