Two factor authentication plugin problem

Post a reply


This question is a means of preventing automated form submissions by spambots.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:
BBCode is ON
[img] is ON
[url] is ON
Smilies are ON
Topic review
   

If you wish to attach one or more files enter the details below.

Maximum filesize per attachment: 1 MiB.

Expand view Topic review: Two factor authentication plugin problem

Re: Two factor authentication plugin problem

by slid3r » Wed May 12, 2021 8:28 pm

Hi there!

Any thoughts about my last reply?

Re: Two factor authentication plugin problem

by slid3r » Tue May 04, 2021 9:51 am

Hi there, it's me again.

This time it's another problem, but it keeps occuring only with those users who have 2fa enabled. It leads to the website hanging displaying "There has been a critical error on this website". Below is the log from WP e-mail notification. There is also an iThemes Security plugin installed and I guess it's combination with 2fa and your plugin induces the problem (particularly login-interstitial part).

Would appreciate any help.

Code: Select all

Error Details
=============
An error of type E_ERROR was caused in line 246 of the file /home/sites/12b/4/4ed27b4da4/public_html/wp-content/plugins/better-wp-security/core/lib/class-itsec-lib-login-interstitial.php. Error message: Uncaught Error: Call to undefined method stdClass::exists() in /home/sites/12b/4/4ed27b4da4/public_html/wp-content/plugins/better-wp-security/core/lib/class-itsec-lib-login-interstitial.php:246
Stack trace:
#0 /home/sites/12b/4/4ed27b4da4/public_html/wp-includes/class-wp-hook.php(292): ITSEC_Lib_Login_Interstitial->wp_login('gianni@ig-fest....', Object(stdClass))
#1 /home/sites/12b/4/4ed27b4da4/public_html/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters(NULL, Array)
#2 /home/sites/12b/4/4ed27b4da4/public_html/wp-includes/plugin.php(484): WP_Hook->do_action(Array)
#3 /home/sites/12b/4/4ed27b4da4/public_html/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php(606): do_action('wp_login', 'gianni@ig-fest....', Object(stdClass))
#4 /home/sites/12b/4/4ed27b4da4/public_html/wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php(17): WP_w3all_phpbb::verify_phpbb_credentials()
#5 /home/sites/12b/4/4ed27b4da4/public_html/wp-includes/class-wp-hook.php(292): WP_w3all_phpbb::w

Re: Two factor authentication plugin problem

by DjPorkchop73 » Wed Apr 21, 2021 1:33 am

Sorry to barge in here suddenly but I use this one, https://www.simbahosting.co.uk/s3/produ ... ntication/ (free version not paid) and I do not have such an issue.

I believe 1 time emergency codes is paid version as well as the HOTP (event based) feature. I currently use the TOTP (time based - most common algorithm; used by Google Authenticator) and I have no issues at all.

Ok back out I go now. Have a fantastic evening all!

Re: Two factor authentication plugin problem

by slid3r » Sun Apr 18, 2021 5:11 pm

As I said initial solution suits me, but thank you for your thoughts about this matter. I am sure it would be helpful for other users.
Still though, hope that the first fix (with "validate_2fa" condition) will be added to the next update.

Re: Two factor authentication plugin problem

by axew3 » Sat Apr 17, 2021 7:56 pm

Ok, but sorry, i need to return over, and maybe an option (since two not useful otions will be removed on next 2.4.5 plugin admin) can be added about this.
And thinking on it, but not tested, i assume that:
1) the first edit into open /wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
should not be required, but only the one into wp_w3all.php file https://www.axew3.com/w3/forums/viewtop ... 5233#p5233
this should cover any used two factor method, because the subsequent login hook is not executed until second check not completed. AT this time the 2factor plugin login the user and fire wp_login hook, so the phpBB session being released.

2) the user will be anyway able to login into phpBB after pass reset, despite double confirmation still not checked. Or you'll need to allow user's logins only in WP side, to have always the correct result with users that could try to login in phpBB instead. Ways are more than one.
To resolve this would be necessary to setup the user as not active or with a rand pass (that the user will not know, updated to the good one only after) into phpBB, until confirmation not executed.

Re: Two factor authentication plugin problem

by slid3r » Sat Apr 17, 2021 6:55 pm

axew3 wrote: Sat Apr 17, 2021 5:50 pm
add this code:

Code: Select all

  if( isset( $_GET['action'] ) && $_GET['action'] == 'validate_2fa' ){
  	return;
  }
this has been tested using for an user, the 2fa by email first option, do not know if activating others available options, the name of the var change, so that you should change action OR/AND validate_2fa.
Thank you so much, it worked like a charm. Didn't expect such an expedited answer, I appreciate that!

axew3 wrote: Sat Apr 17, 2021 5:50 pm p.s .... ahhh ... but maybe the user will be logged in anyway on forum at first authentication.
axew3 wrote: Sat Apr 17, 2021 6:21 pm as above mentioned, read the previous post, and the flow to work fine with this, also require another thing.
axew3 wrote: Sat Apr 17, 2021 6:21 pm into this:
CODE: SELECT ALL

//$phpBB_user_session_set = WP_w3all_phpbb::phpBB_user_session_set_res($wpu);
This thing didn't work quite well— before I enter 2fa the user is not logged in yet into phpbb, so this part is ok. But after I enter 2fa, I am not logged in anywhere.
Anyway, the case where user is logged into phpbb without 2fa entered is not such critical as the previous one. So I am already happy with the initial answer. Thank you!

Top