![[DigitalPoint] Security & Passkeys](/community/data/resource_icons/8/8738.jpg?1652367732){kind=icon}
[DigitalPoint] Security & Passkeys 1.1.7
- Thread starter digitalpoint
- Start date
digitalpoint
Well-known member
Are you able to replicate the missing passkey if you try again? It is possible (in theory) to register an empty passkey because part of the process is client-side (JavaScript injects the passkey info into a hidden field in the form). The addon does check if data was presented by the browser, however it only checks if data was presented, it doesn't go so far as to make sure the data is properly base64 encoded. So if the browser API that registers a passkey gives incorrect data for some reason (or a browser extension mucks that data when the form is submitted), you could end up with what you are seeing... an invalid passkey record where it gave data, but that data wasn't in the expected format (base64 encoded). I'm going to make a change to validate that the data the browser gives is actually valid. Doesn't solve the problem about why a browser gave invalid data, but at least the user will know right away rather than blindly accept the data as valid base64.
For the missing cog, do they have Font Awesome installed that is different than the one that comes with XenForo? If they are using Font Awesome with a reduced/subset of icons, it could be missing. However, that same cog icon is used in various places in a default XenForo setup. For example under bookmarks. Do you see the icon properly there?
Assuming the icon is available, the logic to display the cog is fairly straightforward (the logic is in the
It's hard to say exactly what's going on here, but my guess is the normal query that gets TFA providers is missing the LEFT JOIN that also grabs the info about config for the TFA provider for the user looking at it. Not sure if you are able to enable debugging, but the query being run should look like this:
From the formatting of the table, it seems like the tfa record for the user isn't there for whatever reason. One way to test if it's the underlying data missing (a XenForo issue) or the formatting of the table (the addon) is to disable the template modification for
For the missing cog, do they have Font Awesome installed that is different than the one that comes with XenForo? If they are using Font Awesome with a reduced/subset of icons, it could be missing. However, that same cog icon is used in various places in a default XenForo setup. For example under bookmarks. Do you see the icon properly there?
Assuming the icon is available, the logic to display the cog is fairly straightforward (the logic is in the
public:account_two_step_providers template).It's hard to say exactly what's going on here, but my guess is the normal query that gets TFA providers is missing the LEFT JOIN that also grabs the info about config for the TFA provider for the user looking at it. Not sure if you are able to enable debugging, but the query being run should look like this:
SQL:
SELECT `xf_tfa_provider`.*, `xf_user_tfa_UserEntries_1`.*
FROM `xf_tfa_provider`
LEFT JOIN `xf_user_tfa` AS `xf_user_tfa_UserEntries_1` ON (`xf_user_tfa_UserEntries_1`.`provider_id` = `xf_tfa_provider`.`provider_id` AND `xf_user_tfa_UserEntries_1`.`user_id` = '{USER_ID}')
WHERE (`xf_tfa_provider`.`active` = 1)
ORDER BY `xf_tfa_provider`.`priority` ASCFrom the formatting of the table, it seems like the tfa record for the user isn't there for whatever reason. One way to test if it's the underlying data missing (a XenForo issue) or the formatting of the table (the addon) is to disable the template modification for
public:account_security - Makes two-step verification line easier to read/understand.. If there isn't a manage button with the default XenForo table, something outside the addon is going on.
MattW
Well-known member
Yeah, I've tried with 2 different YubiKeys, and also tried in Chrome and Safari on my Macbook.
MattW
Well-known member
Just got this error now when deleted the old key, and tried to add another one again:
Code:
Oops! We ran into some problems.
ErrorException: [E_DEPRECATED] Automatic conversion of false to array is deprecated in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 93
XF::handlePhpError() in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 93
DigitalPoint\Security\Tfa\SecurityKey->verify() in src/addons/DigitalPoint/Security/XF/Pub/Controller/Account.php at line 129
DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd() in src/XF/Mvc/Dispatcher.php at line 352
XF\Mvc\Dispatcher->dispatchClass() in src/XF/Mvc/Dispatcher.php at line 259
XF\Mvc\Dispatcher->dispatchFromMatch() in src/XF/Mvc/Dispatcher.php at line 115
XF\Mvc\Dispatcher->dispatchLoop() in src/XF/Mvc/Dispatcher.php at line 57
XF\Mvc\Dispatcher->run() in src/XF/App.php at line 2353
XF\App->run() in src/XF.php at line 524
XF::runApp() in index.php at line 20digitalpoint
Well-known member
Ya, that's going to happen if you go to deleted a mucked key... might need to delete it by deleting the record for it in the
xf_user_tfa table (provider_id = 'security_key' AND user_id = '{YOUR USER ID}'.Just as a test, are you able to try from a different device (like a phone)? Curious if it's specific to the computer or not.
Also, is the site public? If so, if you want to send me the URL and a test account, I could try to register a passkey and see if whatever is going on is client-side or server-side somehow.
digitalpoint
Well-known member
Here's an updated version that should fix the issue where an invalid Passkey gets registered/saved. If something goes wrong with the registration, the user is presented with a generic message saying, "Passkey could not be registered.", and then it logs the more technical reason why in the XenForo server error log.
This doesn't solve the "why it failed", but it should prevent an invalid Passkey from getting saved to the user TFA record and will (hopefully) give some insight as to the "why" if you look in XenForo's server error log.
Skimming through the possible failure reasons, one thing that seems like it might be reasonably possible is if the server's root certificates are out of date. Part of the Passkey verification flow is verifying the presented root certificate is valid. So if the server has out of date OpenSSL certificates installed, it's going to fail based on it being an unknown/invalid certificate being used to sign the request from the hardware.
This doesn't solve the "why it failed", but it should prevent an invalid Passkey from getting saved to the user TFA record and will (hopefully) give some insight as to the "why" if you look in XenForo's server error log.
Skimming through the possible failure reasons, one thing that seems like it might be reasonably possible is if the server's root certificates are out of date. Part of the Passkey verification flow is verifying the presented root certificate is valid. So if the server has out of date OpenSSL certificates installed, it's going to fail based on it being an unknown/invalid certificate being used to sign the request from the hardware.
Last edited:
MattW
Well-known member
Doesn't work on my iPhone either.
digitalpoint
Well-known member
Ya, if something is going on server-side (like an invalid certificate), it's going to fail with any client. Started a conversation with you so we can sort it out and not clog this thread.
digitalpoint
Well-known member
digitalpoint updated [DigitalPoint] Security & Passkeys with a new update entry:
Catch Passkey onboarding exception
Read the rest of this update entry...
Catch Passkey onboarding exception
I think this may have been the cause for a couple cases where an invalid Passkey record was saved to a user account. Previously, if an exception happened, it blindly accepted the null Passkey record as the new Passkey. If things went as expected (most cases) it wouldn't matter, but not everything always goes as expected.
- Added dataList-row--noHover class so background color doesn't change when the mouse moves over the table of two-step options a user has
- If an exception...
Read the rest of this update entry...
digitalpoint
Well-known member
No idea, sorry… this addon doesn’t do anything with Authy or generated codes. This addon is strictly for Passkeys.
cloudpro
Member
My apologies I thought it replaced the whole 2FA in XF. Sorry for the oversight.
digitalpoint
Well-known member
Nope, just adds an extra option (Passkeys).My apologies I thought it replaced the whole 2FA in XF. Sorry for the oversight.
GameNet
Active member
Hi @digitalpoint
Is there a way to completely disable this
Is there a way to completely disable this
- Users can see/manage the trusted devices for their account (under Account -> Password and security -> Two-step verification).
- Users can see the IP addresses used for their account (under Account -> Password and security).
- Users can see/manage remembered sessions for their account (under Account -> Password and security).
- Admins can see/manage remembered sessions for users (under Sessions tab when editing a user).
digitalpoint
Well-known member
No sorry, those options aren’t things you can enable or disable if the addon is installed.
GameNet
Active member
So just to confirm there is no way to add a option to disable the features above if users don’t wanted to use the features?
digitalpoint
Well-known member
If you are asking if it’s literally impossible to add such a feature, no it’s not impossible from a programming standpoint, but it’s not on the to-do list.
GameNet
Active member
Ok thanks anyway I will probably will had to uninstalled this add-from both of my sites.
