Kyrne [deleted] me too, no one was making it so I did it myself. If you have problems create a GitHub issue!
Kyrne I just discovered a major security hole that would allow someone to get a recovery code. Please refrain from using this until I update it later today. I will also be adding SFS support at @thunder's request.
Kyrne 1.0.1: Fix a security hole that would allow recovery codes to be viewed publicly. This extension is now safe to use. Just update the extension, no data will be affected.
wignu Have what is probably a dumb question. Hosting multiple domains via Apache on the one machine and only want to use this addon for one site. Should the lines just be added to the conf file for that domain only? I don't have the RewriteEngine on, as I guess that's in the main Apache config?
Kyrne wignu Correct, those lines should only be added to the site that the ext is being used on. If the /login endpoint is left open, someone with minimal knowledge of how Flarum works could bypass two factor.
Kyrne wignu It should be added to your .htaccess. Add it after these lines: <IfModule mod_rewrite.c> RewriteEngine on
wignu @Kyrne Ok, have done that, thanks. The login box has a slight error where the tickbox label isn't showing correctly, am getting: issyrocks12-twofactor.forum.remember_me_label Would suggest an image hasn't uploaded?? Have done the usual migrate and cache:clear.
Kyrne wignu At this point, I'd just wait. I am remaking this extension. It will include texted 2fa codes.
tjrgg Kyrne In your rewrite, do you plan to make the SMS method optional? For security reasons, I don't want my users to be able to use that option. Also, it'd be cool to add a permission or something to require two-factor for certain groups (such as admin/mod).
Kyrne tjrgg I'll make a setting to disable SMS 2 factor or TOTP. This could be done sometime, it won't be in the first update.
tjrgg Kyrne Awesome. Any ETA on when you think the rewritten version will be released? If you have a dev version, I'd be happy to test it out.
Kyrne tjrgg No ETA right now, there are a few internal ReFlar things to work out before it can be released. Any dev version would prevent your users from logging in.