
Comments (15)

roelvanhintum commented on September 17, 2024

I've been working to get this fixed. I suspect the way form templates work in Craft 4 has changed. Can someone test dev-craft-4 to verify whether the latest version does work?

edit: After some more testing I got the problem replicated on my own environment, which allowed me to work towards a fix.

from craft-twofactorauthentication.

roelvanhintum commented on September 17, 2024

Nothing has changed regarding this. Which versions of Craft and this plugin are you using? I've had this error myself in the past when I messed up page caching or session storage.


Coennie commented on September 17, 2024

So strange, I can't find the issue.
Working with:
- Craft CMS 4.2.1.1 (Pro)
- craft-twofactorauthentication: 3.0.1

The two-factor login does work with a custom frontend implementation, but not with the default backend part.


roelvanhintum commented on September 17, 2024

@Coennie this can be caused by multiple Craft config settings and hosting configurations. I'm afraid you really have to debug this on your own environment.


Marcuzz commented on September 17, 2024

I am also experiencing the same problem. It seems like it's posting an invalid or already expired CSRF token to the back-end every single time.

I'm using the latest official Craft CMS nginx docker image (craftcms/nginx:8.1-dev) locally, so it seems to be a common issue?


tjanpool commented on September 17, 2024

I probably also encountered this problem. This statement seems correct:
'this can be caused by multiple Craft config settings and hosting configurations.'

This issue was in my case caused by following the instructions and creating
config/two-factor-authentication.php with:

<?php
// Plugin config as posted; the opening PHP tag is needed for Craft to load the file.
return [
    '*' => [
        'verifyBackEnd' => true,
        'forceBackEnd' => true,
    ],
];

I got it working by working with the following error notification in the phperror.log:

yii\base\UnknownPropertyException: Invalid general config setting: forceBackEnd. You can set custom config settings from config/custom.php. in /var/www/html/vendor/craftcms/cms/src/config/GeneralConfig.php:3033

The following seemed to fix it in my case:
Create a config/custom.php with the following content:

<?php
// The "<?php ... '*' =>" prefix of this snippet was eaten by the page's HTML
// rendering; it is restored here so the file is complete.
return [
    '*' => [
        /**
         * Whether 2FA should be enabled for the back-end/control panel.
         */
        'forceBackEnd' => true,
    ],
];

(tjanpool edited this and struck through his solution)


Marcuzz commented on September 17, 2024

That error is not present in my error log at least. I tried your fix as well and it doesn't appear to make any difference unfortunately.

I keep getting a 400 bad request: "Unable to verify your data submission".

[screenshot]

This despite the X-CSRF-Token header being sent in the request headers:

[screenshot]

This used to work prior to installing Craft 4 and plugin version 3.x.x.


tjanpool commented on September 17, 2024

Apparently my solution also doesn't work. The fact that I don't have a two-factor-authentication.php makes it possible to submit a form. So my solution also doesn't help to enforce 2 factor authentication.


tjanpool commented on September 17, 2024

Cool, I did update to dev-craft-4, and it seems to have done something: for now I receive the error feedback 'Unable to verify your data submission.' However, indeed, it was not resolved. Glad you have some material to work towards a solution, though.


roelvanhintum commented on September 17, 2024

@tjanpool Did the post data and post headers contain the csrf token or just one of them?


tjanpool commented on September 17, 2024

I find it hard to say.
The response seems to have changed to the following:

{
  "name": "Forbidden",
  "message": "Login Required",
  "code": 0,
  "error": "Login Required",
  "exception": "yii\web\ForbiddenHttpException",
  "file": "/var/www/html/vendor/yiisoft/yii2/web/User.php",
  "line": 460,
  "status": 403,
  "trace": [{"file": "/var/www/html/vendor/craftcms/cms/src/web/Controller.php", "line": 353, …}, …]
}

:authority: site.craft.loc
:method: POST
:path: /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fsettings%2Fturn-on
:scheme: https
accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8,nl;q=0.7
cache-control: no-cache
content-length: 22
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: __stripe_mid=b06189ff-67f0-47d3-aeca-a70463c70d5d39019f; cookieconsent_status=allow; form_posted_4=1663146848; 1031b8c41dfff97a311a7ac99863bdc5_username=33e15155aa47fec02630c3331fd8b26ac39f198e7034c36b96513ce7da4ef374a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A4%3A%22FIZZ%22%3B%7D; CraftSessionId=ea7fadf4b19592aa12ab453d0a834ecc; CRAFT_CSRF_TOKEN=edacb7f578327312660c393437d33c1695308de6f27eff5251d1790f2c3f06b1a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22hZC5cMKHtmy8Z8yCfXKarxIpgyWW-j4XuTI7bQ0F%22%3B%7D
origin: https://site.craft.loc
pragma: no-cache
referer: https://site.craft.loc/index.php?p=admin/actions/two-factor-authentication/settings/force
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
x-csrf-token: xKqulTJhQ6O182kMm4ukuCc5vzIaawWe3ZrHCn6abo5KG_3pEvtz9qzw7aBRLAjrwZ4QNMGz3ftBYfRTaBNM7rrjkF1T8FrWP0-03nCqQ7A=
x-registered-asset-bundles: ,percipiolondon\passwordpolicy\assetbundles\PasswordPolicy\PasswordPolicyAsset,craft\web\assets\cp\CpAsset,craft\web\assets\tailwindreset\TailwindResetAsset,craft\web\assets\axios\AxiosAsset,craft\web\assets\d3\D3Asset,craft\web\assets\elementresizedetector\ElementResizeDetectorAsset,craft\web\assets\focusvisible\FocusVisibleAsset,craft\web\assets\garnish\GarnishAsset,yii\web\JqueryAsset,craft\web\assets\jquerytouchevents\JqueryTouchEventsAsset,craft\web\assets\velocity\VelocityAsset,craft\web\assets\jqueryui\JqueryUiAsset,craft\web\assets\jquerypayment\JqueryPaymentAsset,craft\web\assets\datepickeri18n\DatepickerI18nAsset,craft\web\assets\picturefill\PicturefillAsset,craft\web\assets\selectize\SelectizeAsset,craft\web\assets\fileupload\FileUploadAsset,craft\web\assets\xregexp\XregexpAsset,craft\web\assets\fabric\FabricAsset,craft\web\assets\iframeresizer\IframeResizerAsset,carlcs\redactorcustomstyles\assets\customcp\CustomCpAsset,born05\twofactorauthentication\web\assets\verify\VerifyAsset
x-registered-js-files: ,https://site.craft.loc/cpresources/c7c93400/tailwind_reset.js?v=1663145514,https://site.craft.loc/cpresources/f0a522cc/axios.js?v=1663145514,https://site.craft.loc/cpresources/d6a10a23/d3.js?v=1663145515,https://site.craft.loc/cpresources/178f07c8/element-resize-detector.js?v=1663145515,https://site.craft.loc/cpresources/ce6f9ff1/focus-visible.js?v=1663145515,https://site.craft.loc/cpresources/126f1820/jquery.js?v=1663145515,https://site.craft.loc/cpresources/44926c8a/jquery.mobile-events.js?v=1663145515,https://site.craft.loc/cpresources/4156b15f/velocity.js?v=1663145515,https://site.craft.loc/cpresources/aefeb589/garnish.js?v=1663145515,https://site.craft.loc/cpresources/18888836/jquery-ui.js?v=1663145515,https://site.craft.loc/cpresources/44c1b3e8/jquery.payment.js?v=1663145515,https://site.craft.loc/cpresources/4aca3a2f/datepicker-nl.js?v=1663145515,https://site.craft.loc/cpresources/789a6936/picturefill.js?v=1663145515,https://site.craft.loc/cpresources/c0dc8e22/selectize.js?v=1663145515,https://site.craft.loc/cpresources/6f35e9d/jquery.fileupload.js?v=1663145515,https://site.craft.loc/cpresources/7322d436/xregexp-all.js?v=1663145515,https://site.craft.loc/cpresources/864c829e/fabric.js?v=1663145515,https://site.craft.loc/cpresources/ddc00394/iframeResizer.js?v=1663145515,https://site.craft.loc/cpresources/cc942c6a/cp.js?v=1663145514,https://site.craft.loc/cpresources/c40ecd47/js/zxcvbn.min.js?v=1662627534,https://site.craft.loc/cpresources/c40ecd47/js/PasswordPolicy.js?v=1662627534,https://site.craft.loc/cpresources/2095b271/verify.js?v=1663594484
x-requested-with: XMLHttpRequest


ddnetters commented on September 17, 2024

Still occurring on dev-craft-4 and ^3.0, running Craft 4.2.7. A valid CSRF token is set as a request header but not in the form request.

The temporary debugging workaround mentioned below will resolve it. Doing so will break the plugin, as it runs into the ->requireLogin() validation failing.

// This is just for debugging, don't use this in production.
// Assumed imports for the snippet as posted:
use craft\web\Controller;
use yii\base\Event;

Event::on(
    Controller::class,
    Controller::EVENT_BEFORE_ACTION,
    function (\yii\base\ActionEvent $event) {
        // Only touch the plugin's login-process action.
        if ($event->action->uniqueId == 'two-factor-authentication/verify/login-process') {
            $request = \Craft::$app->getRequest();
            // Copy the session's CSRF token into the body params so the
            // body-param check passes even though the form did not send it.
            $params = $request->getBodyParams();
            $params['CRAFT_CSRF_TOKEN'] = $request->getCsrfToken();
            $request->setBodyParams($params);
        }
    }
);

@roelvanhintum what were your findings so far?

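The debugging hack in the comment above works by copying the session's CSRF token into the body parameters. To show what the server is actually comparing when it says "Unable to verify your data submission", here is an added example: a simplified, stand-alone reimplementation of Yii2-style masked CSRF tokens in plain PHP. It is not the plugin's or Craft's own code; the class and method names are mine, while the CRAFT_CSRF_TOKEN body parameter and the X-CSRF-Token header are the names that appear in this thread.

```php
<?php
// Added example, not code from craft-twofactorauthentication or Craft/Yii.
// Models the masked-token scheme: a per-session secret is XOR-masked with
// fresh random bytes each time it is rendered, so the header value, a form
// field value and the cookie value all look different yet unmask to the same
// secret. The server accepts the token from the body param or the header.
declare(strict_types=1);

final class CsrfDemo
{
    /** Per-session secret (the value Craft keeps in its CRAFT_CSRF_TOKEN cookie/session). */
    public static function newSessionSecret(): string
    {
        return bin2hex(random_bytes(16)); // 32 printable characters
    }

    /** Mask the secret with random bytes of the same length: base64url(mask . (secret XOR mask)). */
    public static function mask(string $secret): string
    {
        $mask = random_bytes(strlen($secret));
        return self::base64UrlEncode($mask . ($secret ^ $mask));
    }

    /** Reverse the masking; returns '' for malformed input so it can never match a real secret. */
    public static function unmask(string $masked): string
    {
        $decoded = self::base64UrlDecode($masked);
        if ($decoded === '' || strlen($decoded) % 2 !== 0) {
            return '';
        }
        $half = intdiv(strlen($decoded), 2);
        return substr($decoded, $half) ^ substr($decoded, 0, $half);
    }

    /**
     * Server-side check. Like Yii, look at the CRAFT_CSRF_TOKEN body param
     * first and fall back to the X-CSRF-Token header; compare unmasked
     * values in constant time against the session secret.
     */
    public static function validate(array $bodyParams, array $headers, string $sessionSecret): bool
    {
        $supplied = $bodyParams['CRAFT_CSRF_TOKEN'] ?? $headers['X-CSRF-Token'] ?? null;
        if (!is_string($supplied) || $supplied === '') {
            return false;
        }
        $unmasked = self::unmask($supplied);
        return $unmasked !== '' && hash_equals($sessionSecret, $unmasked);
    }

    private static function base64UrlEncode(string $raw): string
    {
        return strtr(base64_encode($raw), '+/', '-_');
    }

    private static function base64UrlDecode(string $encoded): string
    {
        $decoded = base64_decode(strtr($encoded, '-_', '+/'), true);
        return $decoded === false ? '' : $decoded;
    }
}

// Constructed walk-through of the situation described in the thread.
$secret      = CsrfDemo::newSessionSecret(); // this browser's session
$otherSecret = CsrfDemo::newSessionSecret(); // a different (rotated or expired) session

$headerToken = CsrfDemo::mask($secret);      // what a script would send as X-CSRF-Token
$bodyToken   = CsrfDemo::mask($secret);      // what a rendered form field would carry

var_dump($headerToken === $bodyToken);                                                    // false: masked per render
var_dump(CsrfDemo::validate([], ['X-CSRF-Token' => $headerToken], $secret));              // true
var_dump(CsrfDemo::validate(['CRAFT_CSRF_TOKEN' => $bodyToken], [], $secret));            // true
var_dump(CsrfDemo::validate(['CRAFT_CSRF_TOKEN' => CsrfDemo::mask($otherSecret)], [], $secret)); // false: stale session
var_dump(CsrfDemo::validate(['CRAFT_CSRF_TOKEN' => 'garbage'], [], $secret));             // false: malformed
```

The practical reading for someone debugging this: because a valid header token alone passes the check, a 400 despite a correctly sent X-CSRF-Token header means the token unmasks to a secret the server no longer associates with the request, which points at the session or cookie side (session storage, caching, cookie domain or secure flags) rather than at the form itself.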

roelvanhintum commented on September 17, 2024

@ddnetters, I cannot reproduce this at all. I did have issues before with CSRF tokens being handled differently between admin and guest users on the frontend. Does this also occur when you try logging in from an incognito browser window?


ddnetters commented on September 17, 2024

It does, both across browsers and in a private window. I'll try to get a steps-to-reproduce list when I have more time. Meanwhile the aforementioned validation issue can be continued at #68. In as far as it's useful, I'm experiencing the issue with the control panel login flow.


clarknelson commented on September 17, 2024

Shouldn't the admin login be /admin/actions/two-factor-authentication/verify/login instead of index.php?p=admin/actions/two-factor-authentication/verify/login?

