Adding 2FA for webtrees attempt #2

[kbwhizz]

Adds ability for user to switch on preference in account which makes a QR code appear. This can be scanned by a Google authenticator app and the secret is saved. At next log in, user must enter the code for the site from the authenticator when they log in. Can be switched off from account too. Incorporated into setup wizard and any add/edit user functions.

[kiwi3685]

Sorry if this is already included, but I couldn't find it.

Just a personal opinion, but I would prefer to have an administrator option to enable (or not) 2FA on my site, before users are offered the option.

[kbwhizz]

Sorry if this is already included, but I couldn't find it.

Just a personal opinion, but I would prefer to have an administrator option to enable (or not) 2FA on my site, before users are offered the option.

It isn't there at present. What screen would that option appear on. Couldn't see anything obvious in control panel.

[kiwi3685]

Perhaps Control panel > Website > Sign-in and registration? Seems the most logical.

[kbwhizz]

Perhaps Control panel > Website > Sign-in and registration? Seems the most logical.

Now added to code and pushed to repo (I hope)

[codecov]

Codecov Report

Attention: Patch coverage is 17.77778% with 37 lines in your changes missing coverage. Please review.

Project coverage is 35.30%. Comparing base (b0f2796) to head (b86a645).
Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
app/User.php	0.00%	23 Missing ⚠️
app/Http/RequestHandlers/LoginAction.php	0.00%	8 Missing ⚠️
...pp/Http/RequestHandlers/SiteRegistrationAction.php	0.00%	2 Missing ⚠️
app/Http/RequestHandlers/RegisterAction.php	0.00%	1 Missing ⚠️
app/Http/RequestHandlers/SetupWizard.php	0.00%	1 Missing ⚠️
app/Schema/Migration0.php	0.00%	1 Missing ⚠️
app/Schema/SeedUserTable.php	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main    #5039      +/-   ##
============================================
- Coverage     35.32%   35.30%   -0.02%     
- Complexity    11405    11414       +9     
============================================
  Files          1179     1179              
  Lines         47859    47902      +43     
============================================
+ Hits          16905    16913       +8     
- Misses        30954    30989      +35     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests
• JS Bundle Analysis - Avoid shipping oversized bundles

[kbwhizz]

I'm afraid I'm completely stuck on the errors phpstan gives on app/User.php

126 Binary operation "." between non-falsy-string and mixed results in an
error.
🪪 binaryOp.invalid
295 Parameter #1 $secret of method
PragmaRX\Google2FA\Google2FA::verifyKey() expects string, mixed
given.
🪪 argument.type

For line 126, I tried making saving $_SERVER['SERVER_NAME'] to a variable and concatenating that, but it still doesn't like it.
For line 295, it looks like the Illuminate database returns a mixed pseudo-type ($secret) but Googl2FA verify wants a string. Any idea how I force it to become a string?

Any tips appreciated.

[kbwhizz]

I'm afraid I'm completely stuck on the errors phpstan gives on app/User.php

126 Binary operation "." between non-falsy-string and mixed results in an error. 🪪 binaryOp.invalid 295 Parameter #1 $secret of method PragmaRX\Google2FA\Google2FA::verifyKey() expects string, mixed given. 🪪 argument.type

For line 126, I tried making saving $_SERVER['SERVER_NAME'] to a variable and concatenating that, but it still doesn't like it. For line 295, it looks like the Illuminate database returns a mixed pseudo-type ($secret) but Googl2FA verify wants a string. Any idea how I force it to become a string?

Any tips appreciated.

Used settype to fix this

[fisharebest]

PHPstan is set on the "max" level, and it is not always possible to fix every issue.

Any tips appreciated.

You've closed the PR, so I can't see your code any more.

Did you mean to do that?