[DigitalPoint] Security

[DigitalPoint] Security 1.2.0.3

No permission to download
Everything I read says Edge on Android doesn’t yet support passkeys and 1Password sort of supports it for some things but it’s beta.

Are you able to try a different browser that definitely supports it just as a test (for example Chrome)?

There’s nothing I can do on my end to make a certain browser support passkeys faster. It’s simply a web standard that a browser either supports or it doesn’t (like you can’t make a browser support HTTP/3 magically). There is no browser specific code to make WebAuthn/FIDO2 work or change how an individual browser allows for it.
I could try it temporarily but it won't become my primary browser. Edge uses less RAM on PC than Chrome's added bloat. Chrome may be "the standard" but it seems to use like half a gig or more on average. When I'm doing heavy video encoding or rendering processes, I want less ram taken, of course.
 
Not saying you should switch to it, just a test to see if the issue is your browser or your device somehow.

Again, there’s simply nothing I can do to force a specific browser to support Passkeys. It’s code in the browser, so… 🤷🏻‍♂️
 
Not saying you should switch to it, just a test to see if the issue is your browser or your device somehow.

Again, there’s simply nothing I can do to force a specific browser to support Passkeys. It’s code in the browser, so… 🤷🏻‍♂️
Chrome on android? Doesn't show my PW manager at all. Edge does show it though. hmm.

Well, it isn't your addon, and I guess its up to the browser devs to slowly add support for something that is the future haha.
 
I've used passkeys on Edge (desktop and mobile) plenty of times. I only used it last week to authenticate my login to Twitter/X due to it being a new device my end. As I've got a Fido USB Key - I had to use one of those OTG adapters (USB-A > USB-C) to plug it into my phone - but it worked. I'd imagine if you have an NFC enabled usb-key/security key then that would work just as well.

By the way - I use Bitwarden for my password management, but I think it would work just the same without any third-party password management.
 
For those that use Apple devices, Chrome 118 just added support for utilizing passkeys from your iCloud Keychain. What this means is if you use iCloud passkeys for things on your mobile device (including PWA app), you can share the same passkeys with your macOS machines using Chrome.

At this point, macOS and iOS versions of Chrome have the best "across the board" support for passkeys.

1697041572711.png
 
Nice. Only problem for me is that I don't want to use Chrome.
Got 2 Yubikeys here and now I can really use them (iphone 15). Going to test that soon.
 
Nice. Only problem for me is that I don't want to use Chrome.
Got 2 Yubikeys here and now I can really use them (iphone 15). Going to test that soon.
Ya, I still prefer the hardware Yubikeys myself and they work great as well (NFC works on anything iPhone 6 or higher).

I am however considering registering a cloud-based passkey for things. Haven't 100% decided yet, but it would be more convenient if you are traveling or something or just don't have the physical key handy.
 
Anything I should be concerned about here?

  • XF\Db\DuplicateKeyException: Template public:member_self_security_tabs error: MySQL query error [1062]: Duplicate entry 'user_remember-156447' for key 'PRIMARY'
  • src/XF/Db/AbstractStatement.php:230
  • Generated by: XXXXXX
  • Nov 17, 2023 at 7:53 AM

Stack trace​

INSERT INTO xf_dp_user_extra (user_extra_id, type, user_agent, ip, country) VALUES (?, ?, ?, ?, ?)
------------

#0 src/XF/Db/Mysqli/Statement.php(198): XF\Db\AbstractStatement->getException('MySQL query err...', 1062, '23000')
#1 src/XF/Db/Mysqli/Statement.php(79): XF\Db\Mysqli\Statement->getException('MySQL query err...', 1062, '23000')
#2 src/XF/Db/AbstractAdapter.php(96): XF\Db\Mysqli\Statement->execute()
#3 src/XF/Db/AbstractAdapter.php(220): XF\Db\AbstractAdapter->query('INSERT INTO `x...', Array)
#4 src/XF/Mvc/Entity/Entity.php(1521): XF\Db\AbstractAdapter->insert('xf_dp_user_extr...', Array, false)
#5 src/XF/Mvc/Entity/Entity.php(1253): XF\Mvc\Entity\Entity->_saveToSource()
#6 src/addons/DigitalPoint/Security/Repository/UserExtra.php(21): XF\Mvc\Entity\Entity->save(false)
#7 src/addons/DigitalPoint/Security/XF/Entity/UserRemember.php(61): DigitalPoint\Security\Repository\UserExtra->logExtra(156447, 'user_remember')
#8 src/addons/DigitalPoint/Security/XF/Entity/UserRemember.php(14): DigitalPoint\Security\XF\Entity\UserRemember->logExtra()
#9 src/XF/Template/Templater.php(1194): DigitalPoint\Security\XF\Entity\UserRemember->hasExtra()
#10 internal_data/code_cache/templates/l1/s1/public/member_self_security_tabs.php(45): XF\Template\Templater->method(Object(DigitalPoint\Security\XF\Entity\UserRemember), 'hasExtra', Array)
#11 src/XF/Template/Templater.php(1654): XF\Template\Templater->{closure}(Object(OzzModz\ShowBanned\XF\Template\Templater), Array, NULL)
#12 src/addons/MaZ/AUN/XF/Template/Templater.php(39): XF\Template\Templater->renderTemplate('member_self_sec...', Array, true, NULL)
#13 src/addons/DigitalPoint/Security/Template/Callback/Account.php(26): MaZ\AUN\XF\Template\Templater->renderTemplate('public:member_s...', Array)
#14 src/XF/Template/Templater.php(1698): DigitalPoint\Security\Template\Callback\Account::getTabs('', Array, Object(OzzModz\ShowBanned\XF\Template\Templater))
#15 internal_data/code_cache/templates/l1/s1/public/account_security.php(133): XF\Template\Templater->callback('DigitalPoint\\Se...', 'getTabs', '', Array)
#16 src/XF/Template/Templater.php(1654): XF\Template\Templater->{closure}(Object(OzzModz\ShowBanned\XF\Template\Templater), Array, NULL)
#17 src/addons/MaZ/AUN/XF/Template/Templater.php(39): XF\Template\Templater->renderTemplate('account_securit...', Array, true, NULL)
#18 src/XF/Template/Template.php(24): MaZ\AUN\XF\Template\Templater->renderTemplate('public:account_...', Array)
#19 src/XF/Mvc/Renderer/Html.php(50): XF\Template\Template->render()
#20 src/XF/Mvc/Dispatcher.php(460): XF\Mvc\Renderer\Html->renderView('XF:Account\\Secu...', 'public:account_...', Array)
#21 src/XF/Mvc/Dispatcher.php(442): XF\Mvc\Dispatcher->renderView(Object(XF\Mvc\Renderer\Html), Object(XF\Mvc\Reply\View))
#22 src/XF/Mvc/Dispatcher.php(402): XF\Mvc\Dispatcher->renderReply(Object(XF\Mvc\Renderer\Html), Object(XF\Mvc\Reply\View))
#23 src/XF/Mvc/Dispatcher.php(60): XF\Mvc\Dispatcher->render(Object(XF\Mvc\Reply\View), 'html')
#24 src/XF/App.php(2487): XF\Mvc\Dispatcher->run()
#25 src/XF.php(524): XF\App->run()
#26 index.php(20): XF::runApp('XF\\Pub\\App')
#27 {main}
 
It can be safely ignored. The only way I can see how that error would pop up would be if the normal entity query in XenForo failed for some reason. Specifically that checks to see if the record exists already, and if it doesn't, it creates it. So somehow XenForo's internal relation query didn't find it, but when it went to add it, it was already there.

My guess is it was a hiccup/blip where one particular SQL query failed for some reason, but the rest didn't. It wouldn't be too difficult to hide that error in that scenario, but I assume it's not happening still, and it probably does make sense to log that error so whatever the underlying issue is with the database is known.
 
digitalpoint updated [DigitalPoint] Security & Passkeys with a new update entry:

Minor update

If you use the Days to auto-extend two-step device trust setting, the addon will always set the tfa_trust cookie when the user_remember record is extended (since we can't see the cookie duration on the server-side). Before we were only setting the cookie if the user_tfa_trusted.trusted_until value changed.

This will make it work as expected even if you had something unrelated (like a different addon) altering the user_tfa_trusted.trusted_until value...

Read the rest of this update entry...
 
Just to wrap around my head around the math with auto-extend...

If I set auto-extend to 7 days, with the 2FA trust to 90, is that essentially saying that each day I use the forum, it resets the 2FA trust to 90 days from the current day? (So in essence if I log out, I would have 90 days from that point forward before I'd need to use 2FA again to log in.) I'm thinking this is how it works, but just want to be sure as I am documenting everything for a forum FAQ and want to get it correct. (As these forums skew older and to less computer/phone-savvy members, I find it helpful to break it down for the members so they can understand it easier.)
 
No… it would only start auto-extending on visits after day 83. So a visit between day 83 and 90 would extend it by 7 days from the visit date (giving them another 7 days to visit before they need to reauth).

Up to you, but 7 days seems like a pretty short window between visits to be (mostly) logged out. Also not sure end users care all that much about the internal logic of it… like is anyone going to read it and visit more often because they don’t want to have to re-auth? I haven’t looked, but I’d bet no major site gives that much detail about how their sessions work on the backend. 🤷🏻‍♂️
 
Up to you, but 7 days seems like a pretty short window between visits to be (mostly) logged out.
Mine is set higher--that was just an example off the top of my (empty) head. 😉

Also not sure end users care all that much about the internal logic of it… like is anyone going to read it and visit more often because they don’t want to have to re-auth?
I'm only leaning towards something more generic, like letting them know if they log in once every X number of days, they won't have to worry about 2FA expiring. I do want to explain it to staff a little more, though, just so they are aware of how it works in case issues arise.
 
Appears 8.2 compat is broken with this plugin

Code:
ErrorException: [E_DEPRECATED] Automatic conversion of false to array is deprecated in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 98
XF::handlePhpError() in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 98
DigitalPoint\Security\Tfa\SecurityKey->verify() in src/addons/DigitalPoint/Security/XF/Pub/Controller/Account.php at line 129
DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd() in src/XF/Mvc/Dispatcher.php at line 352
XF\Mvc\Dispatcher->dispatchClass() in src/XF/Mvc/Dispatcher.php at line 258
XF\Mvc\Dispatcher->dispatchFromMatch() in src/XF/Mvc/Dispatcher.php at line 115
XF\Mvc\Dispatcher->dispatchLoop() in src/XF/Mvc/Dispatcher.php at line 57
XF\Mvc\Dispatcher->run() in src/XF/App.php at line 2487
XF\App->run() in src/XF.php at line 524
XF::runApp() in index.php at line 20

I will try to fix later, but knowing my luck its probably more than one deprecated bit of code

EDIT: lol... took me 10 minutes at staring at the verifyCreate method to realize its a skill issue on my end (forgot to set proper board url on my dev env)
 
Last edited:
Appears 8.2 compat is broken with this plugin

Code:
ErrorException: [E_DEPRECATED] Automatic conversion of false to array is deprecated in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 98
XF::handlePhpError() in src/addons/DigitalPoint/Security/Tfa/SecurityKey.php at line 98
DigitalPoint\Security\Tfa\SecurityKey->verify() in src/addons/DigitalPoint/Security/XF/Pub/Controller/Account.php at line 129
DigitalPoint\Security\XF\Pub\Controller\Account->actionTwoStepAdd() in src/XF/Mvc/Dispatcher.php at line 352
XF\Mvc\Dispatcher->dispatchClass() in src/XF/Mvc/Dispatcher.php at line 258
XF\Mvc\Dispatcher->dispatchFromMatch() in src/XF/Mvc/Dispatcher.php at line 115
XF\Mvc\Dispatcher->dispatchLoop() in src/XF/Mvc/Dispatcher.php at line 57
XF\Mvc\Dispatcher->run() in src/XF/App.php at line 2487
XF\App->run() in src/XF.php at line 524
XF::runApp() in index.php at line 20

I will try to fix later, but knowing my luck its probably more than one deprecated bit of code

EDIT: lol... took me 10 minutes at staring at the verifyCreate method to realize its a skill issue on my end (forgot to set proper board url on my dev env)
Not sure why, but my line numbers aren't lining up with yours, so hard to really follow what might be the issue.

I take it that somehow it's sorted out for you though after having a board URL (a URL is definitely required given PassKeys/security keys are bound to a specific hostname)?
 
Not sure why, but my line numbers aren't lining up with yours, so hard to really follow what might be the issue.

I take it that somehow it's sorted out for you though after having a board URL (a URL is definitely required given PassKeys/security keys are bound to a specific hostname)?
Yep, after fixing the domain the issue went away completely. Only other thing was my saved sessions also migrated from prod to dev which caused some template error weirdness, but clearing my sessions promptly fixed that.

My guess is the webauthn lib is causing the weirdness in relation to different stack traces. Appreciate this plugin very much though!
 
Back
Top Bottom