Testing MAP login is often something that gets missed or isn't carried out fully enough before being released to production. It's difficult for a number of understandable reasons, but should definitely be carried out as part of normal regression testing.
During development we need:
- the ability to log into the MAP (Magento Admin Panel)
During testing we need:
- to test logging in with new Admin accounts, with MFA disabled
- to test logging in with new Admin accounts, with MFA enabled
- to test logging in with existing Admin accounts, with MFA disabled
- to test logging in with existing Admin accounts, with MFA enabled
The Setup
Before we can achieve all the points above we need a number of things available. All of these are listed below. If you are using MDOQ managed Magento hosting, most of the actions can be carried out through the web UI; if you aren't, we have also detailed the steps required via the CLI.
- We need the markshust/magento2-module-disabletwofactorauth module installed. This module allows us to disable / enable Magento's MFA in config, which removes the need for code changes between development and production.
If you're on MDOQ this can be installed like so:
If you're not on MDOQ or prefer using the CLI, this can be installed with:
composer require markshust/magento2-module-disabletwofactorauth \
&& php bin/magento module:enable MarkShust_DisableTwoFactorAuth \
&& php bin/magento setup:upgrade \
&& php bin/magento deploy:mode:set production \
&& php bin/magento cache:flush
This then needs to be released to production.
- On your staging or development environment (instance) we need the ability to add a MAP account to use during development (removing the need for developers to have access to accounts on production).
On MDOQ you can do this by adding an Admin user in the post roll-up actions.
If you're not on MDOQ you can do this with the following command:
php bin/magento admin:user:create \
--admin-user=dev \
--admin-password=Password123! \
--admin-email=dev@mdoq.io \
--admin-firstname=Developer \
--admin-lastname=Account
- When starting/creating your development environment/instance we need to disable MFA by default.
If you're on MDOQ you can do this with environment changes. The value is:
insert into core_config_data (scope, scope_id, path, value) values ('default', 0, 'twofactorauth/general/enable', 0) on duplicate key update value = 0;
If you're not on MDOQ you can do this with the following command:
php bin/magento config:set twofactorauth/general/enable 0 && \
php bin/magento cache:flush
- Import a recent sanitized DB backup from production.
If you're on MDOQ this can be achieved simply by running a sanitized backup.
If you're not on MDOQ this would require you to dump the database and remove customer and order data from it.
Meeting The Requirements
Now that you have all that set up, we can meet the original requirements defined above.
Ability to log into the MAP
During development we are now able to log into the MAP using the username and password defined above. This is beneficial as it means the developer does not need to have an account on production.
Test logging in with new Admin accounts, with MFA disabled
With the setup from above this can be easily tested just by using the admin user account we added.
Test logging in with new Admin accounts, with MFA enabled
Again, we have already created a new admin account. We just need to enable MFA temporarily. To do this we can run:
php bin/magento config:set twofactorauth/general/enable 1 && \
php bin/magento cache:flush
then once we are done testing we can just run:
php bin/magento config:set twofactorauth/general/enable 0 && \
php bin/magento cache:flush
Test logging in with existing Admin accounts, with MFA disabled
This requires a recent sanitized backup to be imported on the environment; with MFA disabled we should then be able to log into the development/testing instance using the same credentials we have on production.
(This could be a user account for a specific person within the business, with a very limited set of permissions)
An alternative would be to reset an existing user's password, which can be done using the admin:user:create CLI command (specifying identical arguments, except for the password). However, this does mean the admin user has been re-saved, which might hide or resolve issues with the account.
Test logging in with existing Admin accounts, with MFA enabled
Again, this requires the same setup as above; however, you just need to enable MFA before logging in:
php bin/magento config:set twofactorauth/general/enable 1 && \
php bin/magento cache:flush
and then disable it again when you're done:
php bin/magento config:set twofactorauth/general/enable 0 && \
php bin/magento cache:flush
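The enable/test/disable sequence above is easy to get wrong by hand: a failing test leaves MFA in whatever state it was in. The script below is an added example (not from the original post or the MDOQ/MarkShust projects) that wraps those same config:set and cache:flush steps so MFA is forced on only for the duration of one test command and the previous value is restored afterwards, and adds a release gate that fails when the flag is not 1. It assumes the markshust/magento2-module-disabletwofactorauth module is installed, uses Magento's real config:show command to read the flag, and treats MAGENTO as an assumed variable naming the CLI.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the enable/disable
# steps above so MFA is only switched on for the duration of one test
# command and the previous value is restored even when the test fails.
# Assumes the markshust/magento2-module-disabletwofactorauth module is
# installed so twofactorauth/general/enable is honoured. MAGENTO is an
# assumed variable naming the Magento CLI; override it to point at a stub.
set -eu

MAGENTO=${MAGENTO:-"php bin/magento"}
MFA_PATH=twofactorauth/general/enable

# Current value of the MFA flag. A missing path (config:show exits non-zero)
# is reported as "1" (enabled) so callers never assume MFA is off by accident.
mfa_get() {
    val=$($MAGENTO config:show "$MFA_PATH" 2>/dev/null || true)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '1\n'; fi
}

# Set the flag to 0 or 1 and flush the cache, as in the post; reject other values.
mfa_set() {
    case "$1" in
        0|1) ;;
        *) echo "mfa_set: expected 0 or 1, got '$1'" >&2; return 2 ;;
    esac
    $MAGENTO config:set "$MFA_PATH" "$1" >/dev/null
    $MAGENTO cache:flush >/dev/null
}

# with_mfa <0|1> <command...>: run the command with MFA forced to the given
# state, then put back whatever was set before; return the command's status.
with_mfa() {
    want=$1; shift
    prev=$(mfa_get)
    mfa_set "$want"
    rc=0
    "$@" || rc=$?
    mfa_set "$prev"
    return $rc
}

# Release gate: succeeds only when MFA is enabled on the instance queried.
assert_mfa_enabled() {
    [ "$(mfa_get)" = "1" ]
}

# Usage on a real instance (run-admin-login-tests.sh is a hypothetical test script):
#   with_mfa 1 ./run-admin-login-tests.sh
# Usage as a pre-release check on production:
#   assert_mfa_enabled || { echo "MFA is disabled!" >&2; exit 1; }
```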