WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

two-factor not logging-in with custom login redir url #531

Closed pgnd closed 1 year ago

pgnd commented 1 year ago

i'm running WP 6.1.1

wp-cli core version
    6.1.1

with

wp-cli plugin list | egrep "registration|two"
    custom-registration-form-builder-with-submission-manager        active  none    5.1.9.7
    registrationmagic-premium       active  none    5.1.9.7
    two-factor      active  none    0.7.3

i redir login

cat functions.php
    ...
    function custom_login(){
        global $pagenow;
        $redirPage = 'https://example.com/alt-login';
        if(
            'wp-login.php'  == $pagenow  &&
            $_GET['action']!= "logout"   &&
            $_GET['action']!= "lostpassword"
        ) {
            wp_redirect($redirPage);
            exit();
        }
    }
    add_action('init','custom_login');
    ...

login/logout works as expected

i enable two-factor for a user

i nav to login page, enter/pass user/password credentials as usual

i'm redir'd to 2fa dialog

Powered by WordPress
Please enter the code generated by your authenticator app.

Authentication Code: 
[XXXXXX]

on auth code entry+submit, i'm just redir'd to the login page

https://example.com/alt-login

and status remains NOT logged in

in my current logs, i see

egrep -ai "validate|2fa" r*.log
    access.log:2001:DB8::1 - - [26/Feb/2023:09:39:42 -0500] "POST /wp-login.php?action=validate_2fa HTTP/2.0" 302 0 "https://example.com/alt-login/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http args: "action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http2 header: ":path: /wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http2 request line: "POST /wp-login.php?action=validate_2fa HTTP/2.0"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http finalize request: -4, "/wp-login.php?action=validate_2fa" a:1, c:2
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http run request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http script var: "action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 fastcgi param: "QUERY_STRING: action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http script var: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 fastcgi param: "REQUEST_URI: /wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http run request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http upstream request: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http output filter "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http copy filter: "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http postpone filter "/wp-login.php?action=validate_2fa" 00007FFC3748AAC0
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http copy filter: 0 "/wp-login.php?action=validate_2fa"
    error.log:2023/02/26 09:39:42 [debug] 4588#4588: *21 http finalize request: 0, "/wp-login.php?action=validate_2fa" a:1, c:1

iiuc, this

"Display on a custom page instead of wp-login.php #222"
https://github.com/WordPress/two-factor/issues/222

touched on the issue, but not clear how to apply fix here ^^

dd32 commented 1 year ago

The problem in this case is your custom custom_login(), as it prevents access to most wp-login.php functionalities. Login only works by pure chance IMHO.

You probably want to change it to this, which won't cover as much as you want, but is the only way you can realistically do this in a way that isn't going to break other plugins.

-if(
-           'wp-login.php'  == $pagenow  &&
-           $_GET['action']!= "logout"   &&
-           $_GET['action']!= "lostpassword"
-       ) {
+ if ( 'wp-login.php'  == $pagenow  && ! isset( $_REQUEST['action'] ) ) {
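
Review bot: the replacement condition intentionally steps aside whenever any `action` value is present, which means wp-login.php stays reachable for every action (logout, lostpassword, and the plugin's own `validate_2fa` POST that the reporter's access.log shows), so this redirect is a convenience for users, not an access control, and a comment above the hook should say so. The removed lines also read `$_GET['action']` unguarded, which emits an undefined-index notice on every plain wp-login.php hit; the `isset()` in the new line fixes that. Two style points: `$_REQUEST` covers POST and cookie data as well as the query string, which fits the intent here but is worth noting, and `'wp-login.php' == $pagenow` would be cleaner as `===`.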
dd32 commented 1 year ago

@pgnd I'm going to close this issue noting the above.

If you can duplicate the issue without your custom login redirection, or can reproduce it with "login form" plugin that's on WordPress.org that we can look into, then feel free to comment and re-open this issue.
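As an added illustration of the rule dd32 suggests (this is not the plugin's code nor the reporter's functions.php, and the hook placement, the `custom_login_should_redirect()` helper name and the `https://example.com/alt-login` target are assumptions), the redirect decision is pulled into a pure function so it can be checked outside WordPress, and the hook only fires for the bare login form:

```php
<?php
/**
 * Added example, not code from the two-factor plugin or from this issue's
 * reporter. Assumed to live in the active theme's functions.php.
 *
 * Rule (per the suggestion in this thread): redirect the bare wp-login.php
 * form to the custom login page, but leave every request that carries an
 * "action" alone, so logout, lostpassword and the plugin's validate_2fa
 * POST all reach wp-login.php untouched.
 */

// Pure decision so the rule can be exercised without WordPress loaded.
function custom_login_should_redirect( string $pagenow, array $request ): bool {
    // Any action at all means another component owns this request.
    return 'wp-login.php' === $pagenow && ! isset( $request['action'] );
}

function custom_login() {
    global $pagenow;
    // $_REQUEST is checked (not just $_GET) so a POSTed action is respected too.
    if ( custom_login_should_redirect( $pagenow, $_REQUEST ) ) {
        // wp_safe_redirect() only follows targets on the site's own host
        // (or hosts allowed via the allowed_redirect_hosts filter).
        wp_safe_redirect( 'https://example.com/alt-login' ); // assumed target
        exit;
    }
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'init', 'custom_login' );
} else {
    // Self-check when run from the CLI outside WordPress: php this-file.php
    // Constructed cases; the last column is the expected decision.
    $cases = [
        [ 'wp-login.php', [],                               true  ],
        [ 'wp-login.php', [ 'action' => 'validate_2fa' ],   false ],
        [ 'wp-login.php', [ 'action' => 'logout' ],         false ],
        [ 'wp-login.php', [ 'action' => 'lostpassword' ],   false ],
        [ 'index.php',    [],                               false ],
    ];
    foreach ( $cases as [ $page, $req, $expected ] ) {
        if ( custom_login_should_redirect( $page, $req ) !== $expected ) {
            fwrite( STDERR, "unexpected decision for $page " . json_encode( $req ) . "\n" );
            exit( 1 );
        }
    }
    echo "all cases passed\n";
}
```

The self-check branch shows why the original allow-list failed: `validate_2fa` was never on it, so the plugin's verification POST was bounced back to the custom page before the code could be checked. `wp_safe_redirect()` is used instead of `wp_redirect()` because the custom page sits on the same host as wp-login.php; if it did not, the redirect would need the `allowed_redirect_hosts` filter or a fallback to `wp_redirect()`.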