Description

Implements #19014

• Decouples the 2FA and QR Code libraries in order to permanently add a 2FA ("Google Authenticator") dependency, so that baseline security is guaranteed - no matter how PMA was installed (i.e. How to Active Two-Factor Auth on phpmyadmin #16779, No QR code appearing in settings #17567, among others).
• Introduces a backup-code functionality, so that users who have lost their authenticator can regain access. (WIP)
• The QR Code dependency becomes optional and can even be moved to the frontend Javascript and be used for other purposes, as it has only very little use in the backend (no requirements for image generating PHP extensions anymore).
• Removes an outdated, possibly abandoned dependency in the process.

Open questions

Authenticator

• Extract into an interface to ease switching 3rd party libraries? (With that said, I'd extract all 3rd party functionality in the subclasses of PhpMyAdmin\Plugins\TwoFactorPlugin into interfaces, so that they remain untouched in case a library changes)
• Offer global options for secret length and number of allowed adjacent codes (grace period), and maybe time offset?
• Backup code functionality (currently WIP without function aside of being displayed in the setup screen):
  • I'm not exactly sure what whould be the best course of action in case a backup code was used. Just redirect to the setup screen, so that the user can scan/enter the secret once again? Provide a new secret? Unknown third thing??
  • I'm unsure how to faciliate a redirect in that case, and I might a little help/pointing into the right direction here.
  • Does PMA have functionality to rate limit certain endpoints (to avoid the 2FA endpoint being brute forced), or do we just use a good ol' internal counter (via settings)?

Suggested library: chillerlan/php-authenticator

QR Code

• Leave in backend?
  • if kept:
    • Extract into an interface to ease switching 3rd party libraries and allow enhanced configuration and/or user defined classes?
      • Add an option for a user-defined class, provide one by default, with an optional composer dependency.
    • Maybe move the "missing qrcode library" message to the setup page, so that a user knows why no QR Code is shown.
  • if not:
    • Figure out possible issues frontend QR Codes could cause (e.g. mobile compatibility: SVG, HTML Canvas, performance, package size).
    • Explore other possible uses, e.g. display of queries and field values (up to ~3kb).

Suggestes libraries: chillerlan/php-qrcode, chillerlan/js-qrcode

I'm going to submit this as a draft for now as there are several open questions that need to be discussed.

Before submitting the pull request, please review the following checklist:

• Make sure you have read our CONTRIBUTING.md document.
• Make sure you are making a pull request against the correct branch. For example, for bug fixes in a released version use the corresponding QA branch and for new features use the master branch. If you have a doubt, you can ask as a comment in the bug report or on the mailing list.
• Every commit has proper Signed-off-by line as described in our DCO. This ensures that the work you're submitting is your own creation. (see Clearing up the 2FA confusion #19014 (comment))
• Every commit has a descriptive commit message.
• Every commit is needed on its own, if you have just minor fixes to previous commits, you can squash them.
• Any new functionality is covered by tests.