[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.1


digitalpoint

Well-known member
digitalpoint submitted a new resource:

[DigitalPoint] Security - Addon to help users keep their account secure.

Features
  • Support for WebAuthn / FIDO2 security keys as two-step authentication (hardware devices such as YubiKeys are what large tech companies such as Google require their employees to use to keep their accounts secure).
    • Support for multiple keys per user
  • Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
  • Users can...

 

Lee

Well-known member
This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.
 

z3r010

Active member
I've got an error adding a yubi.

Code:
ErrorException: Fatal Error: During inheritance of JsonSerializable: Uncaught ErrorException: [E_DEPRECATED] Return type of lbuchs\WebAuthn\Binary\ByteBuffer::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:216
Stack trace:
#0 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php(13): XF::handlePhpError(8192, '...', '...', 216)
#1 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\WebAuthn.php(6): require_once('...')
#2 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(480): include('...')
#3 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(346): Composer\Autoload\includeFile('...')
#4 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(164): Composer\Autoload\ClassLoader->loadClass('...')
#5 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(11): DigitalPoint\Security\Repository\WebAuthn->getWebAuthnClass()
#6 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Tfa\SecurityKey.php(87): DigitalPoint\Security\Repository\WebAuthn->verifyCreate('...', '...', '...')
#7 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\XF\Pub\Controller\Account.php(132): DigitalPoint\Security\Tfa\SecurityKey->verify('...', Object(SV\SignupAbuseBlocking\XF\Entity\User), Array, Object(XF\Http\Request))
#8 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(352): DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd(Object(XF\Mvc\ParameterBag))
#9 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(259): XF\Mvc\Dispatcher->dispatchClass('...', '...', Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL)
#10 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL)
#11 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#12 C:\root\Forums\mysite\src\XF\App.php(2352): XF\Mvc\Dispatcher->run()
#13 C:\root\Forums\mysite\src\XF.php(524): XF\App->run()
#14 C:\root\Forums\mysite\index.php(20): XF::runApp('...')
#15 {main}
src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:13

Code:
Stack trace
#0 [internal function]: XF::handleFatalError()
#1 {main}
Request state
array(4) {
  ["url"] => string(34) "/account/two-step/security_key/add"
  ["referrer"] => string(62) "https://www.mysite.com/account/two-step/security_key/add"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(7) {
    ["_xfToken"] => string(8) "********"
    ["name"] => string(4) "Yubi"
    ["payload"] => string(540) "{"clientDataJSON":"REMOVED","attestationObject":"REMOVED"}"
    ["step"] => string(7) "confirm"
    ["_xfRequestUri"] => string(34) "/account/two-step/security_key/add"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}

I've taken the payload values out as I didn't know if they gave details of my key.
 

digitalpoint

Well-known member
What version of PHP is your server running?
 

digitalpoint

Well-known member
It looks like it's a simple fix for PHP 8.1 that the library developer already fixed but has not pushed down to Composer yet.

In DigitalPoint/Security/vendor/lbuchs\WebAuthn\Binary\ByteBuffer.php, if you change this line:
PHP:
public function jsonSerialize() {

to this:

PHP:
public function jsonSerialize(): string {

It should fix it. If you want to make that change and let me know if anything else pops up beyond that (I don't have a PHP 8.1 setup readily accessible at the moment). Will push out a new version with that fix after you (or someone with 8.1) lets me know if anything else pops up related to 8.1.
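
Added example (not part of the thread or the add-on's code): the trace above shows XF::handlePhpError raising the PHP 8.1 E_DEPRECATED notice as an ErrorException, so a heuristic Python scanner like this one can flag vendored PHP methods that implement a built-in interface without a return type or `#[\ReturnTypeWillChange]` before a PHP upgrade. The sample source is constructed, and the regex matching assumes one class per file and simple parameter lists.

```python
import re

# Tentative return types PHP 8.1 declares on built-in interface methods.
TENTATIVE = {
    "JsonSerializable": {"jsonSerialize": "mixed"},
    "Countable": {"count": "int"},
    "IteratorAggregate": {"getIterator": "Traversable"},
    "ArrayAccess": {"offsetExists": "bool", "offsetGet": "mixed",
                    "offsetSet": "void", "offsetUnset": "void"},
    "Iterator": {"current": "mixed", "key": "mixed", "next": "void",
                 "rewind": "void", "valid": "bool"},
}
IMPLEMENTS = re.compile(r"\bimplements\b([^{]*)\{")
METHOD = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*(:)?")
SUPPRESS = re.compile(r"#\[\\?ReturnTypeWillChange\]")


def find_untyped_methods(php_source):
    """Return [(line_no, method, tentative_type)] for declarations PHP 8.1 flags."""
    expected = {}
    for names in IMPLEMENTS.findall(php_source):
        for name in names.split(","):
            expected.update(TENTATIVE.get(name.strip().split("\\")[-1], {}))
    findings = []
    lines = php_source.splitlines()
    for i, line in enumerate(lines):
        m = METHOD.search(line)
        if not m or m.group(1) not in expected or m.group(2):
            continue  # not an interface method, or it already has a return type
        # The suppression attribute may sit on the same line or the one above.
        if SUPPRESS.search((lines[i - 1] if i else "") + line):
            continue
        findings.append((i + 1, m.group(1), expected[m.group(1)]))
    return findings


# Constructed sample modelled on the declaration quoted in the post above.
BEFORE = r"""<?php
namespace Example\Binary;
class ByteBuffer implements \JsonSerializable {
    public function jsonSerialize() {
        return base64_encode($this->data);
    }
}
"""
AFTER = BEFORE.replace("jsonSerialize() {", "jsonSerialize(): string {")

if __name__ == "__main__":
    print(find_untyped_methods(BEFORE), find_untyped_methods(AFTER))
```

Declaring `: string` satisfies the check because a return type narrower than the tentative `mixed` is compatible with it.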
 

digitalpoint

Well-known member
Went ahead and manually updated the library instead of waiting for developer to push it to Composer, which has the PHP 8.1 fix.
 

VersoBit

Well-known member
Just wanted to flag out to anyone who's installing this addon, that the Security Key page where the button that instructs a user to "Get a YubiKey" uses a referral link: https://go.skimresources.com/?id=56092X1328254&xs=1&url=https%3A%2F%2Fwww.yubico.com%2Fstore%2F&xcust=security_key

Would be nice to be upfront about this on the README of your addon :)
 

VersoBit

Well-known member
Agreed, it’s been updated. Honestly, I forgot about it because it was developed originally for in-house use only. The other option was to make it paid.
No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's - some may have an issue with affiliate links being tossed into their website; Thank you for this massive improvement to security on XF!
 

digitalpoint

Well-known member
No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's
As you should. It amazes me sometimes that people are willing to just blindly push addons (custom code) to their websites without auditing it (not just XenForo... other platforms too like WordPress plugins). Although I suppose if someone has the technical know-how to audit code, they probably would be building the addons themselves in a lot of cases. Kind of the place I'm in... it would be nice if I didn't have to code the stuff I use (let someone else do it), but the time it would take me to audit other people's code (and repeatedly with new updates), I could just write the things myself and as a bonus, make sure it works exactly how I want. :)
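
Added example (not part of the thread or the add-on): one way to automate the outbound-link part of the add-on audit discussed above, listing every URL whose host is off a reviewer's allowlist and unwrapping the destination a redirector carries in its query string. The template path and the allowlist are assumptions; the sample link is the one quoted earlier in the thread.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def load_addon(root, exts=(".html", ".php", ".js", ".xml")):
    """Read every text file of interest under root into {relative_path: text}."""
    files = {}
    for base, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(base, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def audit_links(files, allowed_hosts):
    """Return [(path, host, wrapped_host_or_None)] for URLs off the allowlist."""
    findings = []
    for path, text in sorted(files.items()):
        for url in URL_RE.findall(text):
            parts = urlsplit(url.replace("&amp;", "&"))
            host = (parts.hostname or "").lower()
            if host in allowed_hosts:
                continue
            wrapped = None  # destination hidden in a query parameter, if any
            for values in parse_qs(parts.query).values():
                inner = urlsplit(values[0])
                if inner.scheme in ("http", "https") and inner.hostname:
                    wrapped = inner.hostname.lower()
            findings.append((path, host, wrapped))
    return findings


# Constructed sample: the template path is hypothetical, the link is the one
# quoted in the thread.
SAMPLE = {
    "templates/example_security_key.html":
        '<a href="https://go.skimresources.com/?id=56092X1328254&amp;xs=1'
        '&amp;url=https%3A%2F%2Fwww.yubico.com%2Fstore%2F&amp;xcust=security_key">'
        "Get a YubiKey</a>",
}
ALLOWED = {"www.yubico.com", "xenforo.com"}  # reviewer's own allowlist (assumption)

if __name__ == "__main__":
    print(audit_links(SAMPLE, ALLOWED))
```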
 

CavySpirit

Member
This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.
Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?
 

digitalpoint

Well-known member
Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?
From your phone normally (if you have a modern phone). Your phone can be your authentication hardware if you want.
 

CavySpirit

Member
Right, I wasn't sure what setting in your add-on is triggering that as a second authentication. So, you add the phone as a device, not just the 'verification code.' Probably makes more sense when configuring it directly. :)
 