https://github.com/opencart/opencart/discussions/14182
Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig
If an intruder has access to your email account, you're in big trouble anyway.
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
paulfeakins wrote: Thu Oct 17, 2024 9:44 pm
If an intruder has access to your email account, you're in big trouble anyway.

It does happen, or credentials are re-used; this protects your store and is very common.
Code:
pragmarx/google2fa
bacon/bacon-qr-code
Code:
defuse/php-encryption
Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature
So without an extra mobile device on hand, your approach won't work for desktop users?
khnaz35 wrote: Fri Oct 18, 2024 2:04 pm
This is a good and solid starting point. When you use it, I would most likely also use
Code:
pragmarx/google2fa
bacon/bacon-qr-code
Code:
defuse/php-encryption

What are you suggesting to encrypt?
You just use your phone, no need for an extra one; the whole idea is that it takes a second device (a mobile) to log in to the admin.
That's common practice by many (if not all) banking apps.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
There are 2FA applications and web browser extensions for desktops. Of course if it's not tied to some sort of security key it won't be as good as using a second device.
ADD Creative wrote: Fri Oct 18, 2024 7:33 pm
There are 2FA applications and web browser extensions for desktops. Of course if it's not tied to some sort of security key it won't be as good as using a second device.

I'd actually thought there might be. I think by nature they have to be tied to a secret key, so it's more about whether that secret key can be accessed; maybe it would be less secure just by the fact that it's less likely to have two devices compromised at the same time than one.
Something like this, just an idea:
Code:
// Load required libraries (composer autoload of pragmarx/google2fa, bacon/bacon-qr-code, defuse/php-encryption)
require $_SERVER['DOCUMENT_ROOT'] . '/../totp/vendor/autoload.php';

$google2fa = new \PragmaRX\Google2FA\Google2FA();

// Key object for defuse/php-encryption: Crypto::encrypt()/decrypt() take a Key, not a raw string.
// Create the key once with Key::createNewRandomKey()->saveToAsciiSafeString() and keep it out of the DB.
$key = \Defuse\Crypto\Key::loadFromAsciiSafeString('your-encryption-key-here');

// Generate TOTP secret (base32; shown to the user once, via the QR code)
$secret = $google2fa->generateSecretKey();

// Encrypt the secret before storing it
$encryptedSecret = \Defuse\Crypto\Crypto::encrypt($secret, $key);

// Use the store host (HTTP_SERVER minus its first dot-separated part) as the issuer label
$title = explode('.', HTTP_SERVER);
array_shift($title);
$title = implode('.', $title);

// otpauth:// URL that authenticator apps import from the QR code
$qrCodeData = $google2fa->getQRCodeUrl(
    $title,
    (string)$this->user->getId(),
    $secret
);

// Generate QR code as PNG (Imagick backend) and embed it base64-encoded in the admin page
$renderer = new \BaconQrCode\Renderer\ImageRenderer(
    new \BaconQrCode\Renderer\RendererStyle\RendererStyle(300),
    new \BaconQrCode\Renderer\Image\ImagickImageBackEnd()
);
$writer = new \BaconQrCode\Writer($renderer);
$data['qr_image'] = base64_encode($writer->writeString($qrCodeData));
$data['qr_secret'] = $encryptedSecret; // Store only the encrypted secret, never the plaintext

...

// Decrypt the stored secret; a wrong key or a tampered row throws, so treat that as a failed login
try {
    $secret = \Defuse\Crypto\Crypto::decrypt($login_info['secret'], $key);
} catch (\Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException $e) {
    $secret = null;
}

// Validate TOTP code (verifyKey() tolerates a small clock-drift window by default)
if ($secret === null || !isset($this->request->post['code']) || !$google2fa->verifyKey($secret, $this->request->post['code'])) {
    $json['error'] = $this->language->get('error_code');
}
How about in a .htaccess file (for Apache-based hosting):
Code:
SetEnv TOTP_ENCRYPTION_KEY "super_secure_random_generated_key"
Code:
env TOTP_ENCRYPTION_KEY="super_secure_random_generated_key";
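As an added example (not code from the thread or from OpenCart), this shows how the application side would consume a TOTP_ENCRYPTION_KEY set the way the post above describes: the key is created once in the format defuse/php-encryption expects, loaded from the environment and never written to the database, and a ciphertext copied out of a dumped table is useless without it. The autoload path, the function names and the sample secret are assumptions.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: composer autoload location

use Defuse\Crypto\Crypto;
use Defuse\Crypto\Key;
use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException;

/**
 * One-time setup: run once and put the printed string into TOTP_ENCRYPTION_KEY
 * (SetEnv / env directive as in the thread). It must not be stored in the DB,
 * otherwise a database dump yields both the ciphertexts and the key.
 */
function generateKeyString(): string
{
    return Key::createNewRandomKey()->saveToAsciiSafeString();
}

/** Load the key from the environment and fail closed when it is missing. */
function loadKeyFromEnv(string $name = 'TOTP_ENCRYPTION_KEY'): Key
{
    $ascii = getenv($name);
    if ($ascii === false || $ascii === '') {
        throw new RuntimeException("$name is not set; refusing to handle TOTP secrets");
    }
    return Key::loadFromAsciiSafeString($ascii);
}

function encryptTotpSecret(string $secret, Key $key): string
{
    return Crypto::encrypt($secret, $key);
}

/** null covers both "wrong key" and "tampered row"; the caller just fails the login. */
function decryptTotpSecret(string $ciphertext, Key $key): ?string
{
    try {
        return Crypto::decrypt($ciphertext, $key);
    } catch (WrongKeyOrModifiedCiphertextException $e) {
        return null;
    }
}

// Demo only: stands in for SetEnv so the script runs stand-alone.
putenv('TOTP_ENCRYPTION_KEY=' . generateKeyString());
$key = loadKeyFromEnv();
$ct  = encryptTotpSecret('JBSWY3DPEHPK3PXP', $key); // constructed sample base32 secret
assert(decryptTotpSecret($ct, $key) === 'JBSWY3DPEHPK3PXP');
assert(decryptTotpSecret($ct, Key::createNewRandomKey()) === null); // dumped row, no key
```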
But if they have DB access, does it really matter if they can log in to the admin or not? Protecting the admin is just about protecting the DB, really; there's not much else that can be wrecked there.
Or am I missing something?
No, TOTP secrets are not designed to directly protect the database. They are intended to protect access to the system, which in turn could allow an attacker to indirectly manipulate the database via the admin interface.
If an attacker already has database access, TOTP secrets (encrypted or not) will not protect the data stored in the database. The value of TOTP at that point is diminished because the attacker can already view or alter data directly without needing admin panel access.
If your infrastructure is set up in such a way that attackers can potentially gain access to the database but not to your application environment, encryption might add a layer of defense. However, this isn't the most common scenario, especially in a standard deployment where compromising the database is often part of a broader system compromise.