
Force TFA setup - prevents navigating the website.

jkdev requested to merge issue/tfa-3223327:3223327 into 2.x

Adding an event_subscriber which listens to KernelEvents::REQUEST, makes some checks, and if needed redirects the user to the TFA overview page, preventing navigation to other pages in the site.

The checks are:

  • Is TFA enabled?
  • Is the current route applicable for redirect? (we should allow logging out, running cron, css/js/image assets, and setting up the TFA)
  • Is the user logged in? (anonymous users are irrelevant)
  • Is the TFA setting forcing the user to set up TFA?
  • Does TFA have at least one validation plugin enabled?

At this point we should set a warning in messenger: "You must set up TFA".

Further checks:

  • Is this route applicable for a Redirect?
  • If not, should we block the request altogether?
  • Are there situations that we would allow bypassing this behavior?

At this point we should issue the redirect to the TFA overview page.

The order of the checks is not final, and should be sorted by their complexity and latency impact.

Edited by jkdev
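The subscriber described above, written out as an added example (not the merge request's own code). It assumes the Drupal `tfa.settings` keys `enabled`, `required_roles` and `allowed_validation_plugins`, the `tfa.overview` route with a `user` parameter, and that TFA's per-user state lives in `user.data` under `tfa` / `tfa_user_settings` with a `status` flag; the allow-list of route names is likewise an assumption. The checks are ordered cheapest first (config read, anonymous check, route name) so that the user-data lookup only runs when the earlier gates pass.

```php
<?php

namespace Drupal\tfa\EventSubscriber;

// Assumed service registration in tfa.services.yml:
// tfa.force_setup_subscriber:
//   class: Drupal\tfa\EventSubscriber\TfaForceSetupSubscriber
//   arguments: ['@config.factory', '@current_user', '@current_route_match', '@user.data', '@messenger']
//   tags:
//     - { name: event_subscriber }

use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Messenger\MessengerInterface;
use Drupal\Core\Routing\RouteMatchInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Drupal\Core\Url;
use Drupal\user\UserDataInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Redirects users who are required to set up TFA but have not done so yet.
 */
class TfaForceSetupSubscriber implements EventSubscriberInterface {

  use StringTranslationTrait;

  /**
   * Routes that must stay reachable (assumed list), otherwise the user can
   * never log out, finish the setup, or load the assets the setup page needs.
   */
  const ALLOWED_ROUTES = [
    'tfa.overview',
    'tfa.validation.setup',
    'user.logout',
    'system.cron',
    'system.css_asset_controller',
    'system.js_asset_controller',
    'image.style_public',
  ];

  public function __construct(
    protected ConfigFactoryInterface $configFactory,
    protected AccountInterface $currentUser,
    protected RouteMatchInterface $routeMatch,
    protected UserDataInterface $userData,
    protected MessengerInterface $messenger,
  ) {}

  public static function getSubscribedEvents(): array {
    // Priority 30: after Symfony's RouterListener (32) so the route match is
    // populated, but before any controller runs.
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  public function onRequest(RequestEvent $event): void {
    // Sub-requests (e.g. rendered blocks) inherit the decision of the main request.
    if (!$event->isMainRequest()) {
      return;
    }
    $settings = $this->configFactory->get('tfa.settings');
    if (!$settings->get('enabled')) {
      return;
    }
    if ($this->currentUser->isAnonymous()) {
      return;
    }
    $route = $this->routeMatch->getRouteName();
    if ($route === NULL || in_array($route, self::ALLOWED_ROUTES, TRUE)) {
      return;
    }
    // Without a validation plugin there is nothing the user could set up.
    if (empty(array_filter((array) $settings->get('allowed_validation_plugins')))) {
      return;
    }
    // Only roles listed in required_roles (assumed: role id => role id map) are forced.
    $required = array_filter((array) $settings->get('required_roles'));
    if (!array_intersect(array_keys($required), $this->currentUser->getRoles())) {
      return;
    }
    // Assumed storage of per-user TFA state: user.data module 'tfa', key 'tfa_user_settings'.
    $state = $this->userData->get('tfa', $this->currentUser->id(), 'tfa_user_settings');
    if (!empty($state['status'])) {
      return;
    }

    $this->messenger->addWarning($this->t('You must set up TFA before continuing.'));
    // toString(TRUE) keeps cacheability metadata out of the render context,
    // which matters because this runs before any response is being rendered.
    $url = Url::fromRoute('tfa.overview', ['user' => $this->currentUser->id()])
      ->toString(TRUE)
      ->getGeneratedUrl();
    $event->setResponse(new RedirectResponse($url));
  }

}
```

A check worth keeping in mind when wiring this in: the TFA settings form route itself is not on the allow-list above, so an administrator who is subject to `required_roles` but has not enrolled would be redirected away from the form that could relax the requirement; either add that route or make sure the enforcing role is never the only one able to edit the setting.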
