[DigitalPoint] Security 1.2.0.3

[digitalpoint]

digitalpoint submitted a new resource:

[DigitalPoint] Security - Addon to help users keep their account secure.

Features

• Support for WebAuthn / FIDO2 security keys as two-step authentication (hardware devices such as YubiKeys are what large tech companies such as Google require their employees to use to keep their accounts secure).
  • Support for multiple keys per user
• Option for Days to trust two-step verification. Now you can set it to whatever is appropriate for your site, vs it being hardcoded to 30 days in XenForo.
• Users can...

Read more about this resource...

 

[Lee]

This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.

 

[z3r010]

I've got an error adding a yubi.

ErrorException: Fatal Error: During inheritance of JsonSerializable: Uncaught ErrorException: [E_DEPRECATED] Return type of lbuchs\WebAuthn\Binary\ByteBuffer::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:216 Stack trace: #0 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php(13): XF::handlePhpError(8192, '...', '...', 216) #1 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\WebAuthn.php(6): require_once('...') #2 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(480): include('...') #3 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(346): Composer\Autoload\includeFile('...') #4 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(164): Composer\Autoload\ClassLoader->loadClass('...') #5 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(11): DigitalPoint\Security\Repository\WebAuthn->getWebAuthnClass() #6 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Tfa\SecurityKey.php(87): DigitalPoint\Security\Repository\WebAuthn->verifyCreate('...', '...', '...') #7 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\XF\Pub\Controller\Account.php(132): DigitalPoint\Security\Tfa\SecurityKey->verify('...', Object(SV\SignupAbuseBlocking\XF\Entity\User), Array, Object(XF\Http\Request)) #8 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(352): DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd(Object(XF\Mvc\ParameterBag)) #9 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(259): XF\Mvc\Dispatcher->dispatchClass('...', '...', Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #10 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #11 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch)) #12 C:\root\Forums\mysite\src\XF\App.php(2352): XF\Mvc\Dispatcher->run() #13 C:\root\Forums\mysite\src\XF.php(524): XF\App->run() #14 C:\root\Forums\mysite\index.php(20): XF::runApp('...') #15 {main} src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:13

Stack trace
#0 [internal function]: XF::handleFatalError()
#1 {main}
Request state
array(4) {
  ["url"] => string(34) "/account/two-step/security_key/add"
  ["referrer"] => string(62) "https://www.mysite.com/account/two-step/security_key/add"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(7) {
    ["_xfToken"] => string(8) "********"
    ["name"] => string(4) "Yubi"
    ["payload"] => string(540) "{"clientDataJSON":"REMOVED","attestationObject":"REMOVED"}"
    ["step"] => string(7) "confirm"
    ["_xfRequestUri"] => string(34) "/account/two-step/security_key/add"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}

I've taken the payload values out as I didn't know if they gave details of my key.

 

[digitalpoint]

I've got an error adding a yubi.

ErrorException: Fatal Error: During inheritance of JsonSerializable: Uncaught ErrorException: [E_DEPRECATED] Return type of lbuchs\WebAuthn\Binary\ByteBuffer::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:216 Stack trace: #0 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php(13): XF::handlePhpError(8192, '...', '...', 216) #1 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\WebAuthn.php(6): require_once('...') #2 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(480): include('...') #3 C:\root\Forums\mysite\src\vendor\composer\ClassLoader.php(346): Composer\Autoload\includeFile('...') #4 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(164): Composer\Autoload\ClassLoader->loadClass('...') #5 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Repository\WebAuthn.php(11): DigitalPoint\Security\Repository\WebAuthn->getWebAuthnClass() #6 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\Tfa\SecurityKey.php(87): DigitalPoint\Security\Repository\WebAuthn->verifyCreate('...', '...', '...') #7 C:\root\Forums\mysite\src\addons\DigitalPoint\Security\XF\Pub\Controller\Account.php(132): DigitalPoint\Security\Tfa\SecurityKey->verify('...', Object(SV\SignupAbuseBlocking\XF\Entity\User), Array, Object(XF\Http\Request)) #8 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(352): DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd(Object(XF\Mvc\ParameterBag)) #9 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(259): XF\Mvc\Dispatcher->dispatchClass('...', '...', Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #10 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(115): XF\Mvc\Dispatcher->dispatchFromMatch(Object(XF\Mvc\RouteMatch), Object(SV\SignupAbuseBlocking\XF\Pub\Controller\Account), NULL) #11 C:\root\Forums\mysite\src\XF\Mvc\Dispatcher.php(57): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch)) #12 C:\root\Forums\mysite\src\XF\App.php(2352): XF\Mvc\Dispatcher->run() #13 C:\root\Forums\mysite\src\XF.php(524): XF\App->run() #14 C:\root\Forums\mysite\index.php(20): XF::runApp('...') #15 {main} src\addons\DigitalPoint\Security\vendor\lbuchs\webauthn\src\Binary\ByteBuffer.php:13

Stack trace
#0 [internal function]: XF::handleFatalError()
#1 {main}
Request state
array(4) {
  ["url"] => string(34) "/account/two-step/security_key/add"
  ["referrer"] => string(62) "https://www.mysite.com/account/two-step/security_key/add"
  ["_GET"] => array(0) {
  }
  ["_POST"] => array(7) {
    ["_xfToken"] => string(8) "********"
    ["name"] => string(4) "Yubi"
    ["payload"] => string(540) "{"clientDataJSON":"REMOVED","attestationObject":"REMOVED"}"
    ["step"] => string(7) "confirm"
    ["_xfRequestUri"] => string(34) "/account/two-step/security_key/add"
    ["_xfWithData"] => string(1) "1"
    ["_xfResponseType"] => string(4) "json"
  }
}

I've taken the payload values out as I didn't know if they gave details of my key.

What version of PHP is your server running?

 

[digitalpoint]

It looks like it's a simple fix for PHP 8.1 that the library developer already fixed but have not pushed down to composer yet.

In DigitalPoint/Security/vendor/lbuchs\WebAuthn\Binary\ByteBuffer.php, if you change this line:

public function jsonSerialize() {

to this:

public function jsonSerialize(): string {

It should fix it. If you want to make that change and let me know if anything else pops up beyond that (I don't have a PHP 8.1 setup readily accessible at the moment). Will push out a new version with that fix after you (or someone with 8.1) lets me know if anything else pops up related to 8.1.

 

[z3r010]

What version of PHP is your server running?

It was 8.1.5, I've not got time to test today, so I'll try tomorrow if nobody else does first.

 

[digitalpoint]

digitalpoint updated [DigitalPoint] Security with a new update entry:

Fix for PHP 8.1

• Update for PHP 8.1
• Enforce requirement that server has OpenSSL PHP extension installed

Read the rest of this update entry...

 

[digitalpoint]

Went ahead and manually updated the library instead of waiting for developer to push it to Composer, which has the PHP 8.1 fix.

 

[z3r010]

It's working fine now, thanks.

 

[VersoBit]

Just wanted to flag out to anyone whos installing this addon, that the Security Key page where the button that instructs a user to "Get a YubiKey" uses a referral link: https://go.skimresources.com/?id=56092X1328254&xs=1&url=https%3A%2F%2Fwww.yubico.com%2Fstore%2F&xcust=security_key

Would be nice to be upfront about this on the README of your addon

 

[Allan]

A free add-on, it's great ! (and rare now)

Thank you

 

[digitalpoint]

Would be nice to be upfront about this on the README of your addon

Agreed, it’s been updated. Honestly, I forgot about it because it was developed originally for in-house use only. The other option was to make it paid.

 

[VersoBit]

Agreed, it’s been updated. Honestly, I forgot about it because it was developed originally for in-house use only. The other option was to make it paid.

No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's - some may have an issue with affiliate links being tossed into their website; Thank you for this massive improvement to security on XF!

 

[digitalpoint]

No worries! Just wanted to bring it up as we comb through every addon before we push it to our prod's

As you should. It amazes me sometimes that people are willing to just blindly push addons (custom code) to their websites without auditing it (not just XenForo... other platforms too like WordPress plugins). Although I suppose if someone has the technical know-how to audit code, they probably would be building the addons themselves in a lot of cases. Kind of the place I'm in... it would be nice if I didn't have to code the stuff I use (let someone else do it), but the time it would take me to audit other people's code (and repeatedly with new updates), I could just write the things myself and as a bonus, make sure it works exactly how I want.

 

[sub_ubi]

I'm shocked this is free. Thank you

 

[digitalpoint]

digitalpoint updated [DigitalPoint] Security with a new update entry:

Phrase update when using custom days to trust TFA

There are no functional changes, just phrasing. If you override the default 30 days to trust a TFA device, the phrase presented to the user when they are choosing to trust their device is fixed to show the right number of days.

Read the rest of this update entry...

 

[digitalpoint]

digitalpoint updated [DigitalPoint] Security with a new update entry:

Removal of Duotone icons

No functional changes, just the removal of Font Awesome Duotone icon usage

Read the rest of this update entry...

 

[CavySpirit]

This is an outstanding addon that we have been using for a while without issue. Highly recommended - the ability to use facial recognition as a two step verification method is on its own worth its weight in gold.

Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?

 

[digitalpoint]

Reading through the overview of this great-sounding add-on. My site isn't live yet and not ready to try it out, but where does the facial-recognition aspect come in?

From your phone normally (if you have a modern phone). Your phone can be your authentication hardware if you want.

 

[CavySpirit]

Right, I wasn't sure what setting in your add-on is triggering that as a second authentication. So, you add the phone as a device, not just the 'verification code.' Probably makes more sense when configuring it directly.