Sudo mode in TYPO3 backend modules
When accessing modules in the Admin Tools via backend user interface, currently logged in backend users have to confirm their user password again in order to get access to the modules in this section.
As an alternative, it is also possible to use the install tool password. This is done in order to mitigate unintended modifications that might occur as result of for example possible cross-site scripting vulnerabilities in the system.
Authentication in for sudo mode in extensions using the auth service
Albeit default local authentication mechanisms are working well, there are
side effects for 3rd party extensions that make use of these auth
service
chains as well - such as multi-factor authentication or single sign-on handling.
As an alternative, it is possible to confirm actions using the Install Tool password, instead of confirming with user's password (which might be handled with separate remote services).
Services that extend authentication with custom additional factors (2FA/MFA)
are advised to intercept only valid login requests instead of all auth
invocations.
<?php
namespace MyVendor\MyExtension\Authentication;
use TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;
class MyAuthenticationService extends AbstractAuthenticationService
{
public function authUser(array $user)
{
// only handle actual login requests
if (($this->login['status'] ?? '') !== 'login') {
// skip this service, hand over to next in chain
return 100;
}
// ...
// usual processing for valid login requests
// ...
return 0;
}
}
Custom backend modules requiring the sudo mode
New in version 12.4
With TYPO3 v12.4 sudo mode has been changed to a generic configuration for backend routes (and implicitly modules).
In general, the configuration for a particular route or module looks like this:
+ 'sudoMode' => [
+ 'group' => 'individual-group-name',
+ 'lifetime' => AccessLifetime::veryShort,
+ ],
group
(optional): if given, grants access to other objects of the samegroup
without having to verify sudo mode again for a the given lifetime. Example: Admin Tool modules Maintainance and Settings are configured with the samesystem
group - having access to one (after sudo mode verification) grants access to the other automatically.Maintainer lifetime
: enum value of\TYPO3\
, defining the lifetime of a sudo mode verification, afterwards users have to go through the process again - cases areCMS\ Backend\ Security\ Sudo Mode\ Access\ Access Lifetime very
(5 minutes),Short short
(10 minutes),medium
(15 minutes),long
(30 minutes),very
(60 minutes)Long
For backend routes declared via Configuration/
, the
relevant configuration would look like this:
<?php
use MyVendor\MyExtension\Handlers\MyHandler;
use TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime;
return [
'my-route' => [
'path' => '/my/route',
'target' => MyHandler::class . '::process',
'sudoMode' => [
'group' => 'mySudoModeGroup',
'lifetime' => AccessLifetime::S,
],
],
];
For backend modules declared via Configuration/
, the
relevant configuration would look like this:
<?php
use TYPO3\CMS\Backend\Security\SudoMode\Access\AccessLifetime;
return [
'tools_ExtensionmanagerExtensionmanager' => [
// ...
'routeOptions' => [
'sudoMode' => [
'group' => 'systemMaintainer',
'lifetime' => AccessLifetime::M,
],
],
],
];
Process in a nutshell
All simplified classnames below are located in the namespace
\TYPO3\
).
The low-level request orchestration happens in the middleware
\TYPO3\
,
markup rendering and payload processing in controller
\TYPO3\
.
- A backend route is processed, that requires sudo mode for route URI
/my/
inroute \TYPO3\
.CMS\ Backend\ Http\ Route Dispatcher - Using
Access
andFactory Access
, theStorage \Route
tries to find a valid and not expiredDispatcher Access
item for the specificGrant Route
aspect in the current backend user session data.Access Subject ('/ my/ route') - In case no
Access
can be determined, a newGrant Access
is created for the specificClaim Route
instance and temporarily persisted in the current user session data - the claim also contains the originally requested route asAccess Subject Server
(a simplified representation of aRequest Instruction \Server
).Request Interface - Next, the user is redirected to the user interface for providing either their own password, or the global install tool password as alternative.
- Given, the password was correct, the
Access
is "converted" to anClaim Access
, which is only valid for the specific subject (URIGrant /my/
) and for a limited lifetime.route