CakeDC / users

Users Plugin for CakePHP
https://www.cakedc.com

Could not find user data #988

Closed gooseleggs closed 2 years ago

gooseleggs commented 2 years ago

Team

I have a confusing problem. I was running Cake 4.2 with CakeDC/Users 9. I have upgraded to Cake 4.3.5, and CakeDC/Users 11. The problem exists both prior and now. I have enabled 2FA using Google Authenticator. Some users, when they log in, get returned back to the login screen with "Could not find user data". Sometimes it works as expected. What will guarantee to work is the first account added to the users table using bin/cake users addSuperuser. However, other users are random if they work and from where. Sometimes it won't work, then all of a sudden it does.

When I look at the session information, the temporaryUser is in the session before entering the GA code. If I disable the $this->getRequest()->getSession()->delete(AuthenticationService::TWO_FACTOR_VERIFY_SESSION_KEY); line in the login function of LoginTrait.php it works well. So, I think it is redirection related?

However, I have made modifications to the redirection, and it doesn't seem to be any different. If I add another superuser it still exhibits the issue. I am not sure what I can put in here to assist.

src/application.php

$this->addPlugin('CakeDC/Users', ['routes'=>true, 'bootstrap'=>true]);
Configure::write('Users.config', ['users']);

users.php

'AuthenticationComponent' => [
    'load' => true,
    'loginRedirect' => '/admin/database-log/logs?type=requests',
    'requireIdentity' => false
],

routes.php

$routes->connect('/', UsersUrl::actionRouteParams('login'));

Looking at the DB table, there is nothing different between the first user compared to other users apart from the obvious expected details.

When I get the verification page, there is the temporarySession variable in the sessions section of DebugKit. However, when I go and look at what is being stored within the session variable on the disk, it only has the remember_me part. The following is what the cookie looks like when at the verification screen...

Config|a:1:{s:4:"time";i:1646807891;}Flash|a:0:{}CookieAuth|a:1:{s:11:"remember_me";s:1:"1";}

If you have any thoughts as to what could be causing the problem, I am interested to understand.

rochamarcelo commented 2 years ago

Hi @gooseleggs,

Have you checked access logs and cakephp debug and error log files?

Also check if the time is correctly set up on your server; Google authentication (OTP) will not work if not.

gooseleggs commented 2 years ago

Yes - nothing is being written to the logs that is of any use. The time is correct.

What is interesting, is that it seems to be fine on some browsers/machines and not on others. For instance, using FF on a machine works, but Edge on the same machine does not. I don't know why this could be, considering it is the backend (PHP app) that is writing the cookie. Clearing out all cookies and testing, browsers that do not work only create, and continue to use the same cookie, so it is not like the cookie is changing constantly. Adding debug statements into the code, I can see that session variable is created - DebugKit sees it, but the session file on disk does not - it only writes out the 'remember me' variable. For browsers that do work, when you go to the verification page, the session file on disk contains that temporarySession variable.

Not sure where to go next.

rochamarcelo commented 2 years ago

@gooseleggs You could try to extend the controller to override the login action and add logs like \Cake\Log\Log::debug((string)$this->request->getUri());

rochamarcelo commented 2 years ago

@gooseleggs Have you found a solution for this?

gooseleggs commented 2 years ago

Here are the logs between a 'good' logon and a bad login. If I override the controller, and have this..

public function login()
{
    \Cake\Log\Log::debug((string)$this->request->getUri());
}

all browsers log in as expected, however the redirect does not happen, which is OK for testing purposes. If I disable this function (rem it out) then the issue exhibits itself. So, I then captured the logs with it disabled showing the permissions check, and I can see what it looks like doing multiple redirects. The next post deals with the login function in use.

The following is in its default configuration. I have put notes as to where in the authentication process I am at

For a successful login

Browse to website

2022-03-19 09:21:36 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:21:36 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:21:36 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:21:36 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"*","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1

At login page - entering credentials

2022-03-19 09:21:54 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:21:54 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:21:54 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

At verify page - entering TOTP

2022-03-19 09:22:07 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:22:07 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:22:07 debug: For {"prefix":"Admin","plugin":"DatabaseLog","extension":null,"controller":"Logs","action":"index","role":"user"} --> Rule matched {"role":"user","prefix":"Admin","extension":"","plugin":"DatabaseLog","controller":"","action":"","allowed":true} with result = 1
2022-03-19 09:22:07 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:22:07 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

We are in (redirected)

Now for the one that fails

Browse to website

2022-03-19 09:19:41 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:41 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:41 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:19:41 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:42 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1

At Login page - entering credentials

2022-03-19 09:19:58 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:58 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:58 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:19:59 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:19:59 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1

At verify page - entering TOTP code

2022-03-19 09:20:16 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:20:16 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:20:16 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:20:16 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:20:16 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:20:16 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"*","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1

Back at login page - Could not find user data

So, sometimes it likes to bounce me through the login page to end up where I want to go. The difference between the two logs is only the browser that I am using. Same machine.

gooseleggs commented 2 years ago

Doing the same test with the overridden login function being

public function login()
{
    \Cake\Log\Log::debug((string)$this->request->getUri());
    //$this->LoginTrait->login();
}

I get this:

Login from browser that faults

Browse to site:

2022-03-19 09:39:54 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:39:54 debug: https://test.example.com/
2022-03-19 09:39:54 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:39:54 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:39:58 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:39:58 debug: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico
2022-03-19 09:39:59 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:39:59 debug: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico

At login page - entering credentials

2022-03-19 09:40:24 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:24 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:24 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:40:25 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:25 debug: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico
2022-03-19 09:40:25 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:25 debug: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico

At Verify - entering TOTP

2022-03-19 09:40:47 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:47 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:47 debug: https://test.example.com/
2022-03-19 09:40:48 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:40:48 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:40:48 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"Favicon.ico","action":"index","role":"user"} --> Rule matched {"role":"user","prefix":"","extension":"","controller":"","action":"index","allowed":true} with result = 1

At login page - no errors, and I can manually direct to wanted page

2022-03-19 09:41:21 debug: For {"prefix":"Admin","plugin":"DatabaseLog","extension":null,"controller":"Logs","action":"index","role":"user"} --> Rule matched {"role":"user","prefix":"Admin","extension":"","plugin":"DatabaseLog","controller":"","action":"","allowed":true} with result = 1
2022-03-19 09:41:22 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:41:22 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

On the browser where it was successful before

Browse to site

2022-03-19 09:45:48 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:45:48 debug: https://test.example.com/
2022-03-19 09:45:49 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:45:49 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.
2022-03-19 09:45:49 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:45:49 debug: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico

Entering Credentials

2022-03-19 09:45:59 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:00 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:00 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

Entering TOTP code

2022-03-19 09:46:11 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"verify","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:11 debug: For {"prefix":null,"plugin":null,"extension":null,"controller":"MyUsers","action":"login","role":"user"} --> Rule matched {"prefix":false,"plugin":"","controller":"MyUsers","action":["socialLogin","login","logout","socialEmail","verify","register","validateEmail","changePassword","resetPassword","requestResetPassword","resendTokenValidation","linkSocial","u2f","u2fRegister","u2fRegisterFinish","u2fAuthenticate","u2fAuthenticateFinish"],"bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:11 debug: https://test.example.com/
2022-03-19 09:46:12 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:12 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

Back at login screen - authenticated - browse to where redirect should take us

2022-03-19 09:46:29 debug: For {"prefix":"Admin","plugin":"DatabaseLog","extension":null,"controller":"Logs","action":"index","role":"user"} --> Rule matched {"role":"user","prefix":"Admin","extension":"","plugin":"DatabaseLog","controller":"","action":"","allowed":true} with result = 1
2022-03-19 09:46:32 debug: For {"prefix":null,"plugin":"DebugKit","extension":null,"controller":"Requests","action":"view","role":"user"} --> Rule matched {"role":"","plugin":"DebugKit","controller":"","action":"","bypassAuth":true,"allowed":true} with result = 1
2022-03-19 09:46:32 info: Cake Authorization plugin is enabled. If you would like to force DebugKit to ignore it, set DebugKit.ignoreAuthorization Configure option to true.

rochamarcelo commented 2 years ago

@gooseleggs see this URL from your log: https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico. The browser is trying to load the file favicon.ico, and since you don't have that file, the request is passing to CakePHP, resulting in a permission redirect to login.

I see two options

Let me know if you have questions.

gooseleggs commented 2 years ago

Thanks. This did indeed resolve the issue. I was too far into the weeds looking for this answer. Thanks
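
The pattern the maintainer points out in the log, as an added example that is not part of the original thread or of CakeDC/Users: a Python pass over log lines in the format shown above that flags login hits whose redirect parameter names a static asset, and whether they arrived while the 2FA verify step was the last real action seen. The sample lines are constructed (rule JSON shortened), and the extension list and function names are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Extensions treated as static assets (assumption; adjust for your app).
STATIC_EXT = (".ico", ".png", ".jpg", ".gif", ".svg", ".css", ".js", ".map")

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")
# The request description is flat JSON, so the first "}" closes it.
RBAC = re.compile(r"^For (\{.*?\}) --> Rule matched ")


def parse_entry(line):
    """Return (timestamp, kind, value) for permission-check and URI lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    ts, _level, msg = m.groups()
    rbac = RBAC.match(msg)
    if rbac:
        try:
            return ts, "request", json.loads(rbac.group(1))
        except json.JSONDecodeError:
            return None
    if msg.startswith(("http://", "https://")):
        return ts, "uri", msg
    return None  # info lines and anything else are ignored


def asset_redirect(uri):
    """Path of the static asset named in ?redirect=, or None."""
    values = parse_qs(urlsplit(uri).query).get("redirect")
    if not values:
        return None
    path = urlsplit(values[0]).path
    return path if path.lower().endswith(STATIC_EXT) else None


def find_asset_bounces(lines):
    """Login hits caused by a static-asset request falling through to the app."""
    findings = []
    last_step = None  # most recent app action other than "login"
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, kind, value = entry
        if kind == "request":
            # DebugKit toolbar requests are noise for this purpose.
            if value.get("plugin") != "DebugKit" and value.get("action") != "login":
                last_step = value.get("action")
            continue
        asset = asset_redirect(value)
        if asset:
            findings.append(
                {"ts": ts, "asset": asset, "during_2fa": last_step == "verify"}
            )
    return findings


def _rbac(ts, action, plugin=None, controller="MyUsers"):
    """Build one constructed permission-check line in the thread's format."""
    req = {"prefix": None, "plugin": plugin, "extension": None,
           "controller": controller, "action": action, "role": "user"}
    body = json.dumps(req, separators=(",", ":"))
    return f'{ts} debug: For {body} --> Rule matched {{"allowed":true}} with result = 1'


BOUNCE = "https://test.example.com/?redirect=https%3A%2F%2Ftest.example.com%2Ffavicon.ico"
# Constructed sample modelled on the failing-browser log in the thread.
SAMPLE = [
    _rbac("2022-03-19 09:39:54", "login"),
    "2022-03-19 09:39:54 debug: https://test.example.com/",
    _rbac("2022-03-19 09:39:58", "login"),
    f"2022-03-19 09:39:58 debug: {BOUNCE}",
    _rbac("2022-03-19 09:40:24", "verify"),
    _rbac("2022-03-19 09:40:24", "view", plugin="DebugKit", controller="Requests"),
    "2022-03-19 09:40:24 info: Cake Authorization plugin is enabled.",
    _rbac("2022-03-19 09:40:25", "login"),
    f"2022-03-19 09:40:25 debug: {BOUNCE}",
]

if __name__ == "__main__":
    for finding in find_asset_bounces(SAMPLE):
        print(finding)
```

The URI lines exist only when the login action logs the request URI, as in the overridden login() shown earlier in the thread.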