Verified Commit 1adbf4b8 authored by Jan Pavlíček

feat: user without SFA but with MFA must perform MFA; without either, will be redirected to new page

BREAKING CHANGE: PasswordProtectedTransport and SFA behavior is not the same anymore
parent 13ba653b
+6 −0
@@ -239,6 +239,8 @@ In configuration, you just need to add a `custom_attrs` option which contains a
## Password entropy check

Without check, it is assumed that user password fulfill REFEDS SFA. If the check should be performed, set `check_entropy` to `true`. Also set `sfa_alphabet_attr` and `sfa_len_attr` configuration options, which represent names of attributes in `$state`.
It is assumed that MFA always satisfies REFEDS SFA, that it contains TOTP, WebAuthn, or similar user verification. Therefore, there are two scenarios for a user with weak password. User with configured MFA must perform MFA, and user without configured MFA will be redirected to a page with additional information and with configurable button which leads to a password reset.
Use `change_weak_password_urls` to configure redirect button.

`sfa_alphabet` represents number of characters which can be used in password

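Review bot: the new README paragraph leaves two things implicit that an operator needs to know: that with `check_entropy` unset no check runs at all, so a weak password is accepted as satisfying REFEDS SFA unless the option is explicitly set to `true`, and what the "MFA always satisfies REFEDS SFA" assumption rests on (the sentence names TOTP and WebAuthn "or similar", but not which deployed MFA methods are covered). Suggest stating the default explicitly and listing the MFA methods the assumption applies to. Two wording fixes: "user password fulfill REFEDS SFA" should read "the user's password fulfills REFEDS SFA", and "to configure redirect button" should be "to configure the redirect button".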
@@ -251,6 +253,10 @@ Without check, it is assumed that user password fulfill REFEDS SFA. If the check
        'check_entropy' => true,
        'sfa_alphabet_attr' => 'sfa_alphabet',
        'sfa_len_attr' => 'sfa_len'
        'change_weak_password_urls' => [
            'en' => 'https://example.org/en/change_password',
            'cs' => 'https://example.org/cs/zmena_hesla',
        ],
        //...
    ]
]
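Review bot: the configuration example is no longer valid PHP: `'sfa_len_attr' => 'sfa_len'` has no trailing comma before the inserted `'change_weak_password_urls' => [` entry, so anyone copying the snippet gets a parse error. Add the comma. It would also help to document what the redirect does when the user's language has no entry in `change_weak_password_urls` (only `en` and `cs` are shown), e.g. whether `en` is used as the fallback.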
+2 −4
{
  "setup_mfa_text": {
    "en": "To access service, you have to configure multi-factor authentication token.",
    "cs": "K přístupu ke službě nejprve musíte nastavit token pro vícefázové ověření."
    "en": "To access service, you have to configure multi-factor authentication token."
  },
  "manage_tokens_button": {
    "en": "Continue",
    "cs": "Pokračovat"
    "en": "Continue"
  }
}
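Review bot: the English strings read awkwardly: "To access service, you have to configure multi-factor authentication token." should be "To access the service, you have to configure a multi-factor authentication token." Since this hunk drops the `cs` entries from this file, please confirm the same keys exist with the same values in the separate `cs` dictionary (the next hunk shows `setup_mfa_text` and `manage_tokens_button` with identical Czech text, which matches).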
+8 −0
{
  "setup_mfa_text": {
    "cs": "K přístupu ke službě nejprve musíte nastavit token pro vícefázové ověření."
  },
  "manage_tokens_button": {
    "cs": "Pokračovat"
  }
}
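Review bot: "vícefázové ověření" means multi-phase verification; the established Czech term for multi-factor authentication is "vícefaktorové ověření". Consider changing the `cs` value of `setup_mfa_text` so it matches the meaning of the `en` string.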
+8 −0
{
  "change_weak_password_text": {
    "en": "Your password is not strong enough and does not fulfill service requirements according to specification <a href=\"https://refeds.org/profile/sfa\">REFEDS SFA</a>."
  },
  "change_weak_password_button": {
    "en": "Change password"
  }
}
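Review bot: `change_weak_password_text` embeds raw HTML (`<a href=\"https://refeds.org/profile/sfa\">`), so the template that renders it has to output the dictionary value unescaped. Make sure only this static dictionary string is emitted without escaping and that nothing read from `$state` or the request is interpolated into the same unescaped output; otherwise the page becomes an injection point. A small wording fix: "according to specification" should be "according to the specification".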
+8 −0
{
  "change_weak_password_text": {
    "cs": "Vaše heslo není dostatečně silné a nesplňuje požadavky služby podle specifikace <a href=\"https://refeds.org/profile/sfa\">REFEDS SFA</a>."
  },
  "change_weak_password_button": {
    "cs": "Změnit heslo"
  }
}