cherubimro/drupal-mfa
Composer 安装命令:
composer require cherubimro/drupal-mfa
包简介
FIDO2/WebAuthn and TOTP multi-factor authentication for Drupal
README 文档
README
A Drupal 9 module providing FIDO2/WebAuthn security key and TOTP authenticator app support for two-factor (2FA) and multi-factor (MFA) authentication.
Features
- WebAuthn/FIDO2 — hardware security keys, platform authenticators, passkeys
- TOTP — authenticator apps (Google Authenticator, andOTP, FreeOTP, Aegis, etc.)
- MFA mode — require both methods when both are configured
- 2FA mode — any single method suffices
- Per-user 2FA toggle with admin policy override (optional/required)
- 2FA gate via event subscriber — users are jailed to the verification page until all required factors are verified
- User self-service key management at
/user/{uid}/security-keys - Admin configuration at
/admin/config/people/webauthn - Clone detection for WebAuthn credentials (sign counter anomaly)
- Drupal 10/11 forward-compatible (
once()API)
Requirements
- Drupal 9.2+ (compatible with 10/11)
- PHP 7.4+
- HTTPS (required by WebAuthn browser API)
Installation
cd modules/webauthn
composer install
Enable the module via Drush or the admin UI:
drush en webauthn
Configuration
- Go to
/admin/config/people/webauthn - Set Relying Party ID — your domain (e.g.
example.com). Must match the domain users access the site from. - Set Relying Party Name — displayed in authenticator prompts
- Choose Policy:
optional— users choose whether to enable 2FArequired— all users must set up at least one 2FA method
- Choose Verification Mode:
any— any single configured method clears the gate (2FA)all— every configured method must be verified (MFA)
Architecture
Login flow
- User submits username/password at
/user/login hook_form_user_login_form_alter()replaces the submit handler- Custom handler checks policy and user 2FA configuration
- If 2FA required: authenticates the user, sets
webauthn_2fa_pendingin session, redirects to/user/webauthn-verify WebAuthn2faSubscriber(priority 30) blocks all routes except verify, AJAX endpoints, and logout while the flag is set- Verification page presents configured methods (WebAuthn, TOTP, or both)
- On successful verification, the session flag is cleared and the user is redirected to their original destination
MFA step tracking
In all mode, complete2fa() tracks completed methods in
webauthn_mfa_completed session array. Each verification returns a partial
response until all configured methods are verified. The JS handles step
transitions and progress indicators.
Services
| Service | Class | Purpose |
|---|---|---|
webauthn.manager |
WebAuthnManager |
FIDO2 ceremony logic, credential DB ops |
webauthn.totp_manager |
TotpManager |
TOTP secret management, QR codes, verification |
webauthn.2fa_subscriber |
WebAuthn2faSubscriber |
Request gate during pending 2FA |
Database
webauthn_credentials— stores WebAuthn credential public keys, metadatausers_data(Drupal core) — stores per-user TOTP secrets and 2FA enabled flag
Libraries
| Library | License | Purpose |
|---|---|---|
| lbuchs/webauthn v2.2 | MIT | FIDO2/WebAuthn ceremony logic |
| spomky-labs/otphp v10.x | MIT | TOTP generation and verification |
| chillerlan/php-qrcode v5.x | MIT / Apache-2.0 | QR code rendering (inline SVG) |
File structure
├── composer.json
├── config/
│ ├── install/webauthn.settings.yml
│ └── schema/webauthn.schema.yml
├── css/webauthn.css
├── js/webauthn.js
├── src/
│ ├── Controller/
│ │ ├── WebAuthnController.php # AJAX endpoints
│ │ └── WebAuthnUserSettingsController.php
│ ├── EventSubscriber/
│ │ └── WebAuthn2faSubscriber.php # 2FA gate
│ ├── Form/
│ │ ├── WebAuthnAdminSettingsForm.php
│ │ └── WebAuthnVerifyForm.php
│ └── Service/
│ ├── TotpManager.php
│ └── WebAuthnManager.php
├── templates/
│ ├── webauthn-user-settings.html.twig
│ └── webauthn-verify.html.twig
├── webauthn.info.yml
├── webauthn.install
├── webauthn.libraries.yml
├── webauthn.links.menu.yml
├── webauthn.links.task.yml
├── webauthn.module
├── webauthn.permissions.yml
├── webauthn.routing.yml
└── webauthn.services.yml
Permissions
administer webauthn— access admin settings pagemanage own security keys— register/delete keys, configure TOTP, toggle 2FA
License
GPL-2.0-or-later
cherubimro/drupal-mfa 适用场景与选型建议
cherubimro/drupal-mfa 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 02 月 23 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「module」 「drupal」 「totp」 「yubikey」 「2fa」 「MFA」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 cherubimro/drupal-mfa 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 cherubimro/drupal-mfa 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 cherubimro/drupal-mfa 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provides an add-on purchasable entity.
Drupal integration module for the Kalastatic prototyping and styleguide tool
Provides a base set of configuration and module dependencies for starting new Drupal projects.
This module extends Drupal Migrate framework.
Google Authenticator 2-factor authentication
统计信息
- 总下载量: 1
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 35
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: GPL-2.0-or-later
- 更新时间: 2026-02-23