Comments (15)
I've been working to get this fixed. I suspect the way form templates work in Craft 4 has changed. Can someone test dev-craft-4 to verify if the latest version does work?
edit: After some more testing I got the problem replicated on my own environment, which allowed me to work towards a fix.
from craft-twofactorauthentication.
Nothing has changed regarding this. Which versions of Craft and this plugin are you using? I've had this error myself in the past when I messed up page caching or session storage.
So strange, I can't find the issue.
Working with:
Craft: Craft CMS 4.2.1.1 (Pro)
craft-twofactorauthentication: 3.0.1
The two factor does work with a custom frontend implementation, but not with the default backend part.
@Coennie this can be caused by multiple Craft config settings and hosting configurations. I'm afraid you really have to debug this on your own environment.
I am also experiencing the same problem. It seems like it's posting an invalid or already expired CSRF token to the back-end every single time.
I'm using the latest official Craft CMS nginx docker image (craftcms/nginx:8.1-dev) locally, so it seems to be a common issue?
I probably also encountered this problem. This statement seems correct:
'this can be caused by multiple Craft config settings and hosting configurations.'
This issue was in my case caused by following the instructions and creating the config/two-factor-authentication.php with:
    return [
        '*' => [
            'verifyBackEnd' => true,
            'forceBackEnd' => true,
        ],
    ];
The following seemed to fix it in my case:
Create a config/custom.php with the following content:
    [
        /**
         * Whether 2FA should be enabled for the back-end/control panel.
         */
        'forceBackEnd' => true,
    ],
];
(tjanpool edited this and did strike through his solution)
That error is not present in my error log at least. I tried your fix as well and it doesn't appear to make any difference unfortunately.
I keep getting a 400 bad request: "Unable to verify your data submission".
This despite the X-CSRF-Token header being sent in the request headers:
This used to work prior to installing Craft 4 and plugin version 3.x.x.
Apparently my solution also doesn't work. The fact that I don't have a two-factor-authentication.php makes it possible to submit a form. So my solution also doesn't help to enforce 2 factor authentication.
Cool, I did update to the dev-craft-4, and it seems to have done something: for now I receive the error feedback 'Unable to verify your data submission.' However, indeed, it was not resolved. However, glad you have some material to work towards a solution.
@tjanpool Did the post data and post headers contain the csrf token or just one of them?
I find it hard to say.
The response seems to have changed to the following:
    {
      name: "Forbidden",
      message: "Login Required",
      code: 0,
      error: "Login Required",
      status: 403,
      exception: "yii\web\ForbiddenHttpException",
      file: "/var/www/html/vendor/yiisoft/yii2/web/User.php",
      line: 460,
      trace: [{file: "/var/www/html/vendor/craftcms/cms/src/web/Controller.php", line: 353,…},…]
    }
:authority: site.craft.loc
:method: POST
:path: /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fsettings%2Fturn-on
:scheme: https
accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8,nl;q=0.7
cache-control: no-cache
content-length: 22
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: __stripe_mid=b06189ff-67f0-47d3-aeca-a70463c70d5d39019f; cookieconsent_status=allow; form_posted_4=1663146848; 1031b8c41dfff97a311a7ac99863bdc5_username=33e15155aa47fec02630c3331fd8b26ac39f198e7034c36b96513ce7da4ef374a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A4%3A%22FIZZ%22%3B%7D; CraftSessionId=ea7fadf4b19592aa12ab453d0a834ecc; CRAFT_CSRF_TOKEN=edacb7f578327312660c393437d33c1695308de6f27eff5251d1790f2c3f06b1a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22hZC5cMKHtmy8Z8yCfXKarxIpgyWW-j4XuTI7bQ0F%22%3B%7D
origin: https://site.craft.loc
pragma: no-cache
referer: https://site.craft.loc/index.php?p=admin/actions/two-factor-authentication/settings/force
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
x-csrf-token: xKqulTJhQ6O182kMm4ukuCc5vzIaawWe3ZrHCn6abo5KG_3pEvtz9qzw7aBRLAjrwZ4QNMGz3ftBYfRTaBNM7rrjkF1T8FrWP0-03nCqQ7A=
x-registered-asset-bundles: ,percipiolondon\passwordpolicy\assetbundles\PasswordPolicy\PasswordPolicyAsset,craft\web\assets\cp\CpAsset,craft\web\assets\tailwindreset\TailwindResetAsset,craft\web\assets\axios\AxiosAsset,craft\web\assets\d3\D3Asset,craft\web\assets\elementresizedetector\ElementResizeDetectorAsset,craft\web\assets\focusvisible\FocusVisibleAsset,craft\web\assets\garnish\GarnishAsset,yii\web\JqueryAsset,craft\web\assets\jquerytouchevents\JqueryTouchEventsAsset,craft\web\assets\velocity\VelocityAsset,craft\web\assets\jqueryui\JqueryUiAsset,craft\web\assets\jquerypayment\JqueryPaymentAsset,craft\web\assets\datepickeri18n\DatepickerI18nAsset,craft\web\assets\picturefill\PicturefillAsset,craft\web\assets\selectize\SelectizeAsset,craft\web\assets\fileupload\FileUploadAsset,craft\web\assets\xregexp\XregexpAsset,craft\web\assets\fabric\FabricAsset,craft\web\assets\iframeresizer\IframeResizerAsset,carlcs\redactorcustomstyles\assets\customcp\CustomCpAsset,born05\twofactorauthentication\web\assets\verify\VerifyAsset
x-registered-js-files: ,https://site.craft.loc/cpresources/c7c93400/tailwind_reset.js?v=1663145514,https://site.craft.loc/cpresources/f0a522cc/axios.js?v=1663145514,https://site.craft.loc/cpresources/d6a10a23/d3.js?v=1663145515,https://site.craft.loc/cpresources/178f07c8/element-resize-detector.js?v=1663145515,https://site.craft.loc/cpresources/ce6f9ff1/focus-visible.js?v=1663145515,https://site.craft.loc/cpresources/126f1820/jquery.js?v=1663145515,https://site.craft.loc/cpresources/44926c8a/jquery.mobile-events.js?v=1663145515,https://site.craft.loc/cpresources/4156b15f/velocity.js?v=1663145515,https://site.craft.loc/cpresources/aefeb589/garnish.js?v=1663145515,https://site.craft.loc/cpresources/18888836/jquery-ui.js?v=1663145515,https://site.craft.loc/cpresources/44c1b3e8/jquery.payment.js?v=1663145515,https://site.craft.loc/cpresources/4aca3a2f/datepicker-nl.js?v=1663145515,https://site.craft.loc/cpresources/789a6936/picturefill.js?v=1663145515,https://site.craft.loc/cpresources/c0dc8e22/selectize.js?v=1663145515,https://site.craft.loc/cpresources/6f35e9d/jquery.fileupload.js?v=1663145515,https://site.craft.loc/cpresources/7322d436/xregexp-all.js?v=1663145515,https://site.craft.loc/cpresources/864c829e/fabric.js?v=1663145515,https://site.craft.loc/cpresources/ddc00394/iframeResizer.js?v=1663145515,https://site.craft.loc/cpresources/cc942c6a/cp.js?v=1663145514,https://site.craft.loc/cpresources/c40ecd47/js/zxcvbn.min.js?v=1662627534,https://site.craft.loc/cpresources/c40ecd47/js/PasswordPolicy.js?v=1662627534,https://site.craft.loc/cpresources/2095b271/verify.js?v=1663594484
x-requested-with: XMLHttpRequest
Still occurring on dev-craft-4 and ^3.0, running Craft 4.2.7. A valid CSRF token is set as a request header but not in the form request.
The temporary debugging workaround mentioned below will resolve it. Doing so will break the plugin as it runs into the ->requireLogin() validation failing.
    // This is just for debugging, don't use this in production.
    // The original snippet did not show its use statements; these are the ones it needs.
    // Register it early, e.g. from a custom module's init(), so it runs before the action.
    use craft\web\Controller;
    use yii\base\ActionEvent;
    use yii\base\Event;

    Event::on(
        Controller::class,
        Controller::EVENT_BEFORE_ACTION,
        function(ActionEvent $event) {
            if ($event->action->uniqueId == 'two-factor-authentication/verify/login-process') {
                // Copy the session's CSRF token into the body params so the
                // body-param check passes even though the form did not send it.
                $request = \Craft::$app->getRequest();
                $params = $request->getBodyParams();
                $params['CRAFT_CSRF_TOKEN'] = $request->getCsrfToken();
                $request->setBodyParams($params);
            }
        }
    );
@roelvanhintum what were your findings so far?
@ddnetters, I cannot reproduce this at all. I did have issues before with CSRF tokens being handled differently between admin and guest users on the frontend. Does this also occur when you try logging in from an incognito browser window?
It does, both across browsers and in a private window. I'll try to get a steps-to-reproduce list when I have more time. Meanwhile the aforementioned validation issue can be continued at #68. In as far as it's useful, I'm experiencing the issue with the control panel login flow.
Shouldn't the admin login be /admin/actions/two-factor-authentication/verify/login instead of index.php?p=admin/actions/two-factor-authentication/verify/login?