SudoModeVerifyEvent
New in version 12.4.32 / 13.4.13
This event was introduced by the fix for security advisory TYPO3-CORE-SA-2025-013 to address challenges with single sign-on (SSO) providers.
The PSR-14 event \TYPO3\CMS\Backend\Security\SudoMode\Event\SudoModeVerifyEvent is triggered before a password submitted in the sudo-mode verification dialog is verified for backend user accounts.
This step-up authentication mechanism, introduced as part of the fix for TYPO3-CORE-SA-2025-013, may pose challenges when using remote single sign-on (SSO) systems because they do not support a dedicated verification step.
This event allows developers to change the verification logic of step-up authentication, by conditionally allowing or denying verification based on custom logic — for example, by identifying users authenticated via an SSO system.
See also
- SudoModeRequiredEvent is triggered before showing the sudo-mode verification dialog.
Example: Use an event listener to modify the verification of the password in sudo mode
The following demonstrates using the event to check the submitted password against a static expected hash.
Warning
This example has been simplified for clarity. Always use secure password handling with salted hashing in production. Never hard-code a password hash as shown below.
services:
  _defaults:
    autowire: true
    autoconfigure: true
    public: false

  Vendor\MyExtension\EventListener\SkipSudoModeDialog:
    tags:
      - name: event.listener
        identifier: 'ext-myextension/skip-sudo-mode-dialog'

  Vendor\MyExtension\EventListener\StaticPasswordVerification:
    tags:
      - name: event.listener
        identifier: 'ext-myextension/static-password-verification'
<?php

declare(strict_types=1);

// Namespace matches the service registered in the Services.yaml above
namespace Vendor\MyExtension\EventListener;

use TYPO3\CMS\Backend\Security\SudoMode\Event\SudoModeVerifyEvent;

final class StaticPasswordVerification
{
    public function __invoke(SudoModeVerifyEvent $event): void
    {
        // Unsalted SHA-256 of the submitted password (proof-of-concept only)
        $calculatedHash = hash('sha256', $event->getPassword());
        // static hash of `dontdothis` - just used as proof-of-concept
        // side-note: in production, make use of strong salted password hashes
        $expectedHash = '3382f2e21a5471b52a85bc32ab59ab2c467f6e3cb112aef295323874f423994c';
        // hash_equals() compares in constant time; the event is marked
        // verified only on an exact match
        if (hash_equals($expectedHash, $calculatedHash)) {
            $event->setVerified(true);
        }
    }
}
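The salted-hash handling that the warning above asks for, as an added example that is not part of the TYPO3 documentation or core. The class name `SaltedPasswordVerification` and the environment variable `MYEXT_SUDO_MODE_HASH` are assumptions; the variable is expected to hold the output of PHP's `password_hash()`.

```php
<?php

declare(strict_types=1);

namespace Vendor\MyExtension\EventListener;

use TYPO3\CMS\Backend\Security\SudoMode\Event\SudoModeVerifyEvent;

/**
 * Added example (not TYPO3 core code): verifies the sudo-mode password
 * against a salted hash that is kept outside the code base.
 */
final class SaltedPasswordVerification
{
    // Hypothetical environment variable holding a password_hash() result,
    // for example one created with PASSWORD_DEFAULT or PASSWORD_ARGON2ID.
    private const HASH_ENV = 'MYEXT_SUDO_MODE_HASH';

    public function __invoke(SudoModeVerifyEvent $event): void
    {
        $expectedHash = getenv(self::HASH_ENV);

        // Fail closed: a missing, empty or unrecognised hash means this
        // listener never marks the event as verified.
        if (!is_string($expectedHash)
            || $expectedHash === ''
            || password_get_info($expectedHash)['algoName'] === 'unknown'
        ) {
            return;
        }

        // password_verify() reads the algorithm, cost and salt from the
        // stored hash and performs the comparison in constant time.
        if (password_verify($event->getPassword(), $expectedHash)) {
            $event->setVerified(true);
        }
    }
}
```

The listener is registered with an `event.listener` tag in the same way as the services shown above. On a failed check it leaves the event untouched rather than calling `setVerified(false)`.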
See also: SkipSudoModeDialog example.