[DigitalPoint] Security & Passkeys

[DigitalPoint] Security & Passkeys 1.1.8

No permission to download
Overview Updates (15) Reviews (6) History Discussion
digitalpoint

digitalpoint

Well-known member
digitalpoint submitted a new resource:

[DigitalPoint] Security - Addon to help users keep their account secure.

Features
  • Support for WebAuthn / FIDO2 security keys as two-step authentication (hardware devices such as YubiKeys are what large tech companies such as Google require their employees to use to keep their accounts secure).
    • Support for multiple keys per user
  • Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
  • Users can...
Click to expand...

Read more about this resource...
 
This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.
 
I've got an error adding a yubi.

Code: 
ErrorException: Fatal Error: During inheritance of JsonSerializable: Uncaught ErrorException: [E_DEPRECATED] Return type of lbuchs\WebAuthn\Binary\ByteBuffer::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:216 Stack trace: #0 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php(13): XF::handlePhpError(8192, '...', '...', 216) #1 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\WebAuthn.php(6): require_once('...') #2 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(480): include('...') #3 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(346): Composer\Autoload\includeFile('...') #4 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(164): Composer\Autoload\ClassLoader->loadClass('...') #5 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(11): DigitalPoint\Security\Repository\WebAuthn->getWebAuthnClass() #6 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Tfa\SecurityKey.php(87): DigitalPoint\Security\Repository\WebAuthn->verifyCreate('...', '...', '...') #7 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\XF\Pub\Controller\Account.php(132): DigitalPoint\Security\Tfa\SecurityKey->verify('...', Object(SV\SignupAbuseBlocking\XF\Entity\User), Array, Object(XF\Http\Request)) #8 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(352): DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd(Object(XF\Mvc\ParameterBag)) #9 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(259): XF\Mvc\Dispatcher->dispatchClass('...', '...', Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #10 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #11 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch)) #12 C:\root\Forums\mysite\src\XF\App.php(2352): XF\Mvc\Dispatcher->run() #13 C:\root\Forums\mysite\src\XF.php(524): XF\App->run() #14 C:\root\Forums\mysite\index.php(20): XF::runApp('...') #15 {main} src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:13

Code: 
Stack trace
#0 [internal function]: XF::handleFatalError()
#1 {main}
Request state
array(4) {
  ["url"] => string(34) "/account/two-step/security_key/add"
  ["referrer"] => string(62) "https://www.mysite.com/account/two-step/security_key/add"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(7) {
    ["_xfToken"] => string(8) "********"
    ["name"] => string(4) "Yubi"
    ["payload"] => string(540) "{"clientDataJSON":"REMOVED","attestationObject":"REMOVED"}"
    ["step"] => string(7) "confirm"
    ["_xfRequestUri"] => string(34) "/account/two-step/security_key/add"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}

I've taken the payload values out as I didn't know if they gave details of my key.
 
z3r010 said:
I've got an error adding a yubi.

Code: 
ErrorException: Fatal Error: During inheritance of JsonSerializable: Uncaught ErrorException: [E_DEPRECATED] Return type of lbuchs\WebAuthn\Binary\ByteBuffer::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:216 Stack trace: #0 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php(13): XF::handlePhpError(8192, '...', '...', 216) #1 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\WebAuthn.php(6): require_once('...') #2 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(480): include('...') #3 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(346): Composer\Autoload\includeFile('...') #4 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(164): Composer\Autoload\ClassLoader->loadClass('...') #5 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(11): DigitalPoint\Security\Repository\WebAuthn->getWebAuthnClass() #6 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Tfa\SecurityKey.php(87): DigitalPoint\Security\Repository\WebAuthn->verifyCreate('...', '...', '...') #7 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\XF\Pub\Controller\Account.php(132): DigitalPoint\Security\Tfa\SecurityKey->verify('...', Object(SV\SignupAbuseBlocking\XF\Entity\User), Array, Object(XF\Http\Request)) #8 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(352): DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd(Object(XF\Mvc\ParameterBag)) #9 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(259): XF\Mvc\Dispatcher->dispatchClass('...', '...', Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #10 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #11 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch)) #12 C:\root\Forums\mysite\src\XF\App.php(2352): XF\Mvc\Dispatcher->run() #13 C:\root\Forums\mysite\src\XF.php(524): XF\App->run() #14 C:\root\Forums\mysite\index.php(20): XF::runApp('...') #15 {main} src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:13

Code: 
Stack trace
#0 [internal function]: XF::handleFatalError()
#1 {main}
Request state
array(4) {
  ["url"] => string(34) "/account/two-step/security_key/add"
  ["referrer"] => string(62) "https://www.mysite.com/account/two-step/security_key/add"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(7) {
    ["_xfToken"] => string(8) "********"
    ["name"] => string(4) "Yubi"
    ["payload"] => string(540) "{"clientDataJSON":"REMOVED","attestationObject":"REMOVED"}"
    ["step"] => string(7) "confirm"
    ["_xfRequestUri"] => string(34) "/account/two-step/security_key/add"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}

I've taken the payload values out as I didn't know if they gave details of my key.
Click to expand...
What version of PHP is your server running?
 
It looks like it's a simple fix for PHP 8.1 that the library developer already fixed but have not pushed down to composer yet.

In DigitalPoint/Security/vendor/lbuchs\WebAuthn\Binary\ByteBuffer.php, if you change this line:
PHP: 
public function jsonSerialize() {

to this:

PHP: 
public function jsonSerialize(): string {

It should fix it. If you want to make that change and let me know if anything else pops up beyond that (I don't have a PHP 8.1 setup readily accessible at the moment). Will push out a new version with that fix after you (or someone with 8.1) lets me know if anything else pops up related to 8.1.
 
Went ahead and manually updated the library instead of waiting for developer to push it to Composer, which has the PHP 8.1 fix.
 
Just wanted to flag out to anyone whos installing this addon, that the Security Key page where the button that instructs a user to "Get a YubiKey" uses a referral link: https://go.skimresources.com/?id=56092X1328254&xs=1&url=https%3A%2F%2Fwww.yubico.com%2Fstore%2F&xcust=security_key

Would be nice to be upfront about this on the README of your addon :)
 
digitalpoint said:
Agreed, it’s been updated. Honestly, I forgot about it because it was developed originally for in-house use only. The other option was to make it paid.
Click to expand...
No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's - some may have an issue with affiliate links being tossed into their website; Thank you for this massive improvement to security on XF!
 
VersoBit said:
No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's
Click to expand...
As you should. It amazes me sometimes that people are willing to just blindly push addons (custom code) to their websites without auditing it (not just XenForo... other platforms too like WordPress plugins). Although I suppose if someone has the technical know-how to audit code, they probably would be building the addons themselves in a lot of cases. Kind of the place I'm in... it would be nice if I didn't have to code the stuff I use (let someone else do it), but the time it would take me to audit other people's code (and repeatedly with new updates), I could just write the things myself and as a bonus, make sure it works exactly how I want. :)
 
Lee said:
This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.
Click to expand...
Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?
 
CavySpirit said:
Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?
Click to expand...
From your phone normally (if you have a modern phone). Your phone can be your authentication hardware if you want.
 
Right, I wasn't sure what setting in your add-on is triggering that as a second authentication. So, you add the phone as a device, not just the 'verification code.' Probably makes more sense when configuring it directly. :)
 
You must log in or register to reply here.

Similar threads

D
[DigitalPoint] Security & Passkeys - Polish translation
Replies
1
Views
451
dave3
D
N
[DigitalPoint] Security & Passkeys - FRENCH translation
Replies
4
Views
505
Nicolas FR
N
digitalpoint
[DigitalPoint] PWA
6 7 8
Replies
140
Views
9K
digitalpoint
digitalpoint
Ozzy47
[OzzModz] Security Lock Old Accounts
2 3
Replies
58
Views
3K
Ozzy47
Ozzy47
XDinc
[XTR] Manage Two-step Verification Providers
Replies
1
Views
572
alfaNova
alfaNova
Top Bottom