[PR #2827] [MERGED] MFA System #6074

Closed
opened 2026-02-05 10:23:55 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/2827
Author: @ssddanbrown
Created: 6/29/2021
Status: Merged
Merged: 8/21/2021
Merged by: @ssddanbrown

Base: master ← Head: mfa


📝 Commits (10+)

  • efb6a6b Started barebones work of MFA system
  • d25cd83 Added TOTP generation view and started verification stage
  • 916a826 Complete base flow for TOTP setup
  • 83c8f73 Covered TOTP setup with testing
  • 529971c Added backup code setup flow
  • 09c2814 Added role based MFA control
  • bb43ace Added MFA setup link on user edit view
  • cfc0c59 Added MFA indicator to user list
  • 7c86c26 Added command to reset user MFA
  • f696aa5 Added the ability to remove an MFA method

📊 Changes

69 files changed (+2292 additions, -274 deletions)

View changed files

📝 app/Actions/ActivityType.php (+3 -0)
📝 app/Api/ApiTokenGuard.php (+12 -1)
📝 app/Auth/Access/EmailConfirmationService.php (+0 -5)
📝 app/Auth/Access/Guards/ExternalBaseSessionGuard.php (+2 -6)
➕ app/Auth/Access/LoginService.php (+160 -0)
➕ app/Auth/Access/Mfa/BackupCodeService.php (+60 -0)
➕ app/Auth/Access/Mfa/MfaSession.php (+61 -0)
➕ app/Auth/Access/Mfa/MfaValue.php (+76 -0)
➕ app/Auth/Access/Mfa/TotpService.php (+71 -0)
➕ app/Auth/Access/Mfa/TotpValidationRule.php (+38 -0)
📝 app/Auth/Access/RegistrationService.php (+0 -1)
📝 app/Auth/Access/Saml2Service.php (+7 -8)
📝 app/Auth/Access/SocialAuthService.php (+8 -9)
📝 app/Auth/Permissions/PermissionsRepo.php (+2 -0)
📝 app/Auth/Role.php (+1 -0)
📝 app/Auth/User.php (+10 -0)
📝 app/Auth/UserRepo.php (+2 -0)
➕ app/Console/Commands/ResetMfa.php (+74 -0)
➕ app/Exceptions/StoppedAuthenticationException.php (+65 -0)
📝 app/Http/Controllers/Auth/ConfirmEmailController.php (+12 -11)

...and 49 more files

📄 Description

TODO

  • [x] TOTP Setup System
  • [x] Backup Codes System
  • [x] Role based enforcement
  • [x] MFA setup link/visibility in user edit page
  • [x] MFA indicator in users list
  • [x] Admin clear MFA command - Should accept user id/email as option.
  • [x] Access time MFA check
  • [x] "Disable Method" button in setup
  • [ ] ~~MFA setup instructions abstracted to own view for easier customization?~~
    • Skip this one for now; better to get feedback as to where needed if there's a use-case.
  • [x] Move new view text to translations.
  • [x] Testing
  • [x] Lib attribution
  • [x] Intended Redirect on Login needs updating; is leading to MFA setup after login when having to set up MFA for the first time.

Notes

  • Encryption is used, will need to start to enforce consistency of the APP_KEY.
  • Likely change to email confirmation system, now validated at login event rather than on every request.
  • Libs
    • TOTP: https://github.com/antonioribeiro/google2fa
    • QR Code: https://github.com/Bacon/BaconQrCode

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

OVERLORD added the pull-request label 2026-02-05 10:23:55 +03:00

Reference: starred/BookStack#6074