Closed dennisadriaans closed 5 years ago
Does blacklisting an empty path work?
'frontEndPathBlacklist' => [
    '*' => [
        '', // Home path
    ],
],
No, have tried three options:
// Blacklist paths that do need 2FA.
'frontEndPathBlacklist' => [
    '*' => ['/', ' ', ''],
],
What does pathInfo return if you dump it? We match the value of Craft::$app->getRequest()->getPathInfo() to the array values of frontEndPathBlacklist.
https://github.com/born05/craft-twofactorauthentication/blob/master/src/services/Request.php#L143
$pathInfo dumps: string(0) "". $isBlackListed dumps: bool(true)
Maybe it is the CraftSpecialRequest path.
https://github.com/born05/craft-twofactorauthentication/blob/master/src/services/Request.php#L164
When I redirect path '/' to '/home' and add home to the blacklist it works as expected.
Should work from 2.0.0-beta.12
Confirmed
Seems to be back.
Case: Log in as a user in the front-end when 2FA is activated. Don't enter an authentication code from your phone. Instead, type the homepage URL in the address bar.
The browser will redirect the user without the need to enter an authentication code.
@dennisadriaans I'm getting logged out, as I'm supposed to, when login is required on home.
When login is not required on home, I'm allowed to visit, because 2FA only checks when login is required. Visit a page that does require login and the plugin logs you out because verification is missing.
How do you require login on home?
{% requireLogin %} in template
'verifyFrontEnd' => false,
'forceFrontEnd' => false,
'forceBackEnd' => false,
'allowFrontEnd' => true,
and...
'frontEndPathBlacklist' => [ '*' => ['', '', ' ', '/'], ], in the config right?
It was conflicting with a custom Craft module.
@dennisadriaans allowFrontend was incorrectly in the readme, this should be verifyFrontEnd. Make sure verifyFrontEnd is set to true. allowFrontend is not a thing.
@dennisadriaans to match home the following should be enough as a blacklist:
'frontEndPathBlacklist' => [
    '*' => [''],
],
When you want to disallow access to the homepage, e.g. domain.com/ without path, users will get redirected to the verification page but can manually go back to the homepage without verification.