TASK: Correctly use the secretKeyLength-parameter

Author: Nicolas Heist

Classes/Service/TwoFactorAuthenticationService.php

@@ -25,6 +25,12 @@ class TwoFactorAuthenticationService
      */
     protected $applicationName;
 
+    /**
+     * @var string
+     * @Flow\InjectConfiguration("secretKeyLength")
+     */
+    protected $secretKeyLength;
+
     public function getPasswordCredentialsSource(Account $account): string
     {
         if ($this->hasTwoFactorAuthenticationCredentials($account)) {
@@ -89,7 +95,7 @@ public function createActivationQrCode(Account $account): string
         $google2fa = new Google2Fa();
 
         $existingCredentials = $this->getTwoFactorAuthenticationCredentials($account);
-        $secret = $existingCredentials->pendingSecret ?: $google2fa->generateSecretKey();
+        $secret = $existingCredentials->pendingSecret ?: $google2fa->generateSecretKey($this->getSecretKeyLength());
 
         $updatedCredentials = new TwoFactorAuthenticationCredentialsSource(
             $existingCredentials->credentialsSource,
@@ -139,4 +145,9 @@ protected function hasTwoFactorAuthenticationCredentials(Account $account): bool
         && is_array(json_decode($credentials, true))
         && (json_last_error() == JSON_ERROR_NONE) ? true : false;
     }
+
+    protected function getSecretKeyLength(): int
+    {
+        return $this->secretKeyLength * 8;
+    }
 }

Configuration/Settings.yaml

@@ -1,7 +1,8 @@
 Yeebase:
   TwoFactorAuthentication:
     # Length of the secret key that is created for the validation of secrets
-    secretKeyLengthInByte: 1
+    # The length given here is multiplied with 8 as the key must be at least 8 chars and be a power of 2
+    secretKeyLength: 2
 
     # The application name that should appear in the authenticator app
     applicationName: 'default'
@@ -10,4 +11,4 @@ Yeebase:
     authenticationEntryPoint:
       package: ~
       controller: ~
-      action: 'insertSecret'
+      action: 'insertSecret'