Add support for custom user table

[xperseguers]

In my project I am centralizing the management of users into a custom "members" table and I hook into the authentication process (both Backend and Frontend) to check credentials against my custom members table and create/update TYPO3 users dynamically, a bit like when dealing with LDAP authentication.

I would like to add support for 2FA.

Solution

• Extend my own ext_tables.sql to include your 2 database fields
• Override my members TCA with something like:

if (ExtensionManagementUtility::isLoaded('cf_google_authenticator')) {
    \call_user_func(
        function () {
            ExtensionManagementUtility::addTCAcolumns(
                'tx_myext_domain_model_member',
                [
                    'tx_cfgoogleauthenticator_enabled' => [
                        'exclude' => true,
                        'label' => PathUtility::makeLocalLangLinkPath(
                            'be_users.tx_cfgoogleauthenticator_enabled',
                            'locallang_db.xlf'
                        ),
                        'config' => [
                            'type' => 'check'
                        ]
                    ],
                    'tx_cfgoogleauthenticator_secret' => [
                        'exclude' => true,
                        'label' => PathUtility::makeLocalLangLinkPath(
                            'be_users.tx_cfgoogleauthenticator_secret',
                            'locallang_db.xlf'
                        ),
                        'config' => [
                            'type' => 'user',
                            'userFunc' => UserSettings::class . '->createSecretField'
                        ]
                    ]
                ]
            );

            ExtensionManagementUtility::addToAllTCAtypes(
                'tx_myext_domain_model_member',
                'tx_cfgoogleauthenticator_enabled,tx_cfgoogleauthenticator_secret',
                '',
                'after:password' // Add the 2FA after our custom field "password"
            );
        }
    );
}

This effectively shows the 2FA fields. Now, in order to work a bit further and prevent anyone from disabling 2FA for some arbitrary user w/o providing a proper code, we need to extend your method \CodeFareith\CfGoogleAuthenticator\Handler\GoogleAuthenticatorSetupHandler::isUsersTable() so that the custom members table is considered a "users" table as well.

This is something that can easily be done with a hook there.

I already have a working solution so that the "TCA" part of this feature request is ready. However I know that I will need to somehow invoke your authentication code in my own authentication service and thus I suggest that this ticket is really about implementing support from A to Z and I will possibly suggest some (hopefully) minor additional changes to your extension to support this use case.

[codeFareith]

Thank you very much for your input.
I'll let you know when I'm done with implementation :)

[xperseguers]

Quite a lot has changed internally and my hook does not work anymore, with all the changes, the implementation of this feature is now not as simple anymore :/

[codeFareith]

Hey @xperseguers,

please excuse my delayed response. I just came back from London yesterday ^^"

Just to be sure:
what you're trying to achieve - or what you need - is the possibility to tell the cf_google_authenticator extension to not use "fe_users" and "be_users", but to rely on your custom "users" - or "members" - tables instead.

Not only should the extension be able to recognize your tables as valid user tables, but to also use them when reading and persisting a specific user's authenticator settings and during the OTP verification process.

In other words:
The entire business logic of the extension should be decoupled (or at least decouplable) from the TYPO3 core user management.

Did I get that right so far?