Hello!
I am facing a problem with two factor authentication plugin: https://wordpress.org/plugins/two-factor/
When the user has 2 factor enabled, then when he logs into the wp, he is shown 2fa dialogue to enter the code. But at the same time he is already logged into phpbb. This causes a strange loop — when user enters the authentication code, it won't let him in, and would show the same field again. And what's worse, the user can't enter any other page on the website; whatever page he visits, there is always a 2fa dialogue asking him to enter a code.
Nothing can be done until cookies are deleted or the user logs out from the phpbb. But it doesn't solve the issue that the user can't see anything else on the page. Hope you would help me with that.
Two factor authentication plugin problem
-
- User w
- Posts: 7
- Joined: Fri Apr 16, 2021 2:46 pm
-
- User w
- Posts: 7
- Joined: Fri Apr 16, 2021 2:46 pm
Re: Two factor authentication plugin problem
I just checked with all the other available 2fa plugins, and it's all the same. Is there any possible solution?
- axew3
- w3all User
- Posts: 2883
- Joined: Fri Jan 22, 2016 5:15 pm
- Location: Italy
- Contact:
Re: Two factor authentication plugin problem
Ok, just installed the one you say: https://wordpress.org/plugins/two-factor/
open /wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
just after this code:
Code:
private static function verify_phpbb_credentials(){
global $w3all_config, $wpdb, $w3cookie_domain, $w3all_anti_brute_force_yn, $w3all_bruteblock_phpbbulist, $w3all_phpbb_lang_switch_yn, $useragent, $wp_w3all_forum_folder_wp, $w3all_profile_sync_bp_yn, $w3all_add_into_wp_u_capability;
add this code:
Code:
// Skip the phpBB credentials check while the 2fa form is being validated
if( isset( $_GET['action'] ) && $_GET['action'] == 'validate_2fa' ){
return;
}
This has been tested for a user using the first option, 2fa by email. I do not know whether, when activating the other available options, the name of the var changes, so that you should change action OR/AND validate_2fa.
In case, let me know if something still does not work on your side.
...and more fixes for several problems I've found, and new additions, are coming very soon in 2.4.5, releasing it next week.
p.s .... ahhh ... but maybe the user will be logged in anyway on the forum at first authentication.
So in this case ... let's see, a moment
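A narrower form of the early return from the post above, as an added example (not code from the plugin or from the poster): it skips the phpBB check only when the request is for wp-login.php and the action parameter is exactly the 2fa validation step. The function name `w3example_is_2fa_step`, the allow-list argument, the assumption that the 2fa form is served by wp-login.php, and the sample requests are all made up for illustration; only `validate_2fa` comes from the thread.

```php
<?php
// Added example, not part of the w3all plugin: a stricter version of the
// "validate_2fa" early return discussed in the thread.

/**
 * Decide whether the current request is the second-factor step of a login.
 *
 * @param array  $query       Query-string parameters (normally $_GET).
 * @param string $script_name Script being executed (normally $_SERVER['SCRIPT_NAME']).
 * @param array  $actions     Action names that mean "2fa in progress". Extend this
 *                            if another 2fa plugin or method uses a different name.
 */
function w3example_is_2fa_step( array $query, string $script_name, array $actions = array( 'validate_2fa' ) ): bool {
    // Assumption: the 2fa form is handled by wp-login.php. The same parameter
    // on any other URL should not switch the phpBB session check off.
    if ( basename( $script_name ) !== 'wp-login.php' ) {
        return false;
    }
    // A parameter sent as action[]=... arrives as an array; reject it.
    if ( ! isset( $query['action'] ) || ! is_string( $query['action'] ) ) {
        return false;
    }
    // Strict comparison, so only an exact string match counts.
    return in_array( $query['action'], $actions, true );
}

// Inside verify_phpbb_credentials() the guard would then read:
//   if ( w3example_is_2fa_step( $_GET, $_SERVER['SCRIPT_NAME'] ?? '' ) ) { return; }

// Constructed sample requests (not taken from any real log).
$samples = array(
    array( '/wp-login.php', array( 'action' => 'validate_2fa' ) ),
    array( '/blog/wp-login.php', array( 'action' => 'validate_2fa' ) ),
    array( '/index.php', array( 'action' => 'validate_2fa' ) ),
    array( '/wp-login.php', array( 'action' => array( 'validate_2fa' ) ) ),
    array( '/wp-login.php', array( 'action' => 'lostpassword' ) ),
    array( '/wp-login.php', array() ),
);

foreach ( $samples as list( $script, $query ) ) {
    $decision = w3example_is_2fa_step( $query, $script ) ? 'skip phpBB check' : 'run phpBB check';
    printf( "%-20s %-26s %s\n", $script, http_build_query( $query ), $decision );
}
```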
-
- User w
- Posts: 7
- Joined: Fri Apr 16, 2021 2:46 pm
Re: Two factor authentication plugin problem
Thank you so much, it worked like a charm. Didn't expect such an expedited answer, I appreciate that!
axew3 wrote: ↑Sat Apr 17, 2021 5:50 pm
add this code:
Code:
if( isset( $_GET['action'] ) && $_GET['action'] == 'validate_2fa' ){ return; }
This has been tested for a user using the first option, 2fa by email. I do not know whether, when activating the other available options, the name of the var changes, so that you should change action OR/AND validate_2fa.
This thing didn't work quite well — before I enter 2fa the user is not logged in yet into phpbb, so this part is ok. But after I enter 2fa, I am not logged in anywhere.
Anyway, the case where user is logged into phpbb without 2fa entered is not as critical as the previous one. So I am already happy with the initial answer. Thank you!
- axew3
- w3all User
- Posts: 2883
- Joined: Fri Jan 22, 2016 5:15 pm
- Location: Italy
- Contact:
Re: Two factor authentication plugin problem
Ok, but sorry, I need to return to this, and maybe an option (since two not useful options will be removed in the next 2.4.5 plugin admin) can be added about this.
And thinking on it, but not tested, I assume that:
1) the first edit into /wp-content/plugins/wp-w3all-phpbb-integration/class.wp.w3all-phpbb.php
should not be required, but only the one into the wp_w3all.php file https://www.axew3.com/w3/forums/viewtop ... 5233#p5233
This should cover any two factor method used, because the subsequent login hook is not executed until the second check is completed. At this time the 2factor plugin logs the user in and fires the wp_login hook, so the phpBB session is released.
2) the user will anyway be able to log in to phpBB after a pass reset, despite the double confirmation still not being checked. Or you'll need to allow user logins only on the WP side, to always have the correct result with users that could try to log in to phpBB instead. Ways are more than one.
To resolve this it would be necessary to set up the user as not active or with a rand pass (that the user will not know, updated to the good one only after) in phpBB, until the confirmation is executed.
-
- User w
- Posts: 7
- Joined: Fri Apr 16, 2021 2:46 pm
Re: Two factor authentication plugin problem
As I said, the initial solution suits me, but thank you for your thoughts about this matter. I am sure it would be helpful for other users.
Still though, hope that the first fix (with "validate_2fa" condition) will be added to the next update.