Version 6 pre-stable
This version of Silverstripe CMS has not yet been given a stable release.

Data store interfaces

Because the MFA architecture is largely designed to be decoupled, we use a StoreInterface implementation to retain data between requests. The default implementation of this interface is SessionStore, which stores data using the Silverstripe CMS Session API provided by silverstripe/framework.

If you need to use a different storage mechanism (e.g. Redis or DynamoDB), you can implement your own StoreInterface and register it with Injector:

SilverStripe\Core\Injector\Injector:
  SilverStripe\MFA\Store\StoreInterface:
    class: App\MFA\RedisStoreInterface

The store should always be treated as a server-side implementation. It's not a good idea to implement a client-side store (e.g. cookies), because the store holds the login request data that is retained between requests.

Adjusting what goes into the store

By default, the entire HTTPRequest object is saved to the store during the multi-factor authentication process. We exclude the Password field from the request by default, but if you need to exclude other fields, you can add an extension, for example:

// app/src/MFA/Extensions/MyLoginHandlerExtension.php
namespace App\MFA\Extensions;

use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Extension;
use SilverStripe\MFA\Store\StoreInterface;

// Apply extension to SilverStripe\MFA\Authenticator\LoginHandler
class MyLoginHandlerExtension extends Extension
{
    // Called before the login request is saved to the store
    protected function onBeforeSaveRequestToStore(HTTPRequest $request, StoreInterface $store): void
    {
        // Remove the field from the request so it is not saved to the store
        $request->offsetUnset('MySecretField');
    }
}
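
A config-driven variant of the extension above, added here as an illustration (it is not code from the Silverstripe MFA module). It goes beyond the single-field case by removing every field named in a list. The class name `ExcludeRequestFieldsExtension`, the config key `mfa_excluded_request_fields` and the field names are assumptions made for this example.

```php
<?php
// app/src/MFA/Extensions/ExcludeRequestFieldsExtension.php
// Added example; the class name, config key and field names are hypothetical.
//
// Apply it and (optionally) extend the list in YAML:
//
//   SilverStripe\MFA\Authenticator\LoginHandler:
//     extensions:
//       - App\MFA\Extensions\ExcludeRequestFieldsExtension
//     mfa_excluded_request_fields:
//       - AnotherSecretField
namespace App\MFA\Extensions;

use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Extension;
use SilverStripe\MFA\Store\StoreInterface;

class ExcludeRequestFieldsExtension extends Extension
{
    /**
     * Request fields that must not be written to the MFA store.
     * Extension config is merged into the owner (LoginHandler) config,
     * so values set in YAML are added to this default list.
     */
    private static array $mfa_excluded_request_fields = [
        'MySecretField',
    ];

    protected function onBeforeSaveRequestToStore(HTTPRequest $request, StoreInterface $store): void
    {
        $excluded = (array) $this->getOwner()->config()->get('mfa_excluded_request_fields');

        foreach (array_unique($excluded) as $field) {
            // Skip entries that are not present in this request (GET or POST)
            if (!is_string($field) || !$request->offsetExists($field)) {
                continue;
            }
            // offsetUnset() removes the field from both GET and POST vars
            $request->offsetUnset($field);
        }
    }
}
```

Only top-level request fields are matched by name here; values nested inside array-style fields are not inspected.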