born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

No option to blacklist the homepage from 2FA #20

Closed dennisadriaans closed 5 years ago

dennisadriaans commented 6 years ago

When you want to disallow access to the homepage, e.g. domain.com/ without a path, users will get redirected to the verification page but can manually go back to the homepage without verification.

roelvanhintum commented 6 years ago

Does blacklisting an empty path work?

'frontEndPathBlacklist' => [
    '*' => [
        '', // Home path
    ],
],
dennisadriaans commented 6 years ago

No, have tried three options:

// Blacklist paths that do need 2FA.
'frontEndPathBlacklist' => [
    '*' => ['/', ' ', ''],
],
roelvanhintum commented 6 years ago

What does pathInfo return if you dump it? We match the value of Craft::$app->getRequest()->getPathInfo(); to the array values of frontEndPathBlacklist.

https://github.com/born05/craft-twofactorauthentication/blob/master/src/services/Request.php#L143
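To make the matching rule described in the comment above concrete, here is an added stand-alone illustration; it is not the plugin's own code and the helper name `isBlacklisted`, the `$siteHandle` parameter and the `'*'` wildcard handling are assumptions made for the example. It takes the path as `Craft::$app->getRequest()->getPathInfo()` returns it (leading and trailing slashes already stripped, so the homepage is the empty string) and checks it against an array shaped like `frontEndPathBlacklist`, which shows why `''` is the entry that describes the homepage while `'/'` and `' '` only match after normalisation:

```php
<?php
// Added illustration (not the plugin's own code): a minimal re-implementation
// of "match getPathInfo() against the frontEndPathBlacklist values", so the
// config values from this thread can be checked without a running Craft site.
//
// Assumptions (hypothetical helper, not the plugin API):
//  - $pathInfo is what Craft::$app->getRequest()->getPathInfo() returns:
//    the request path without leading/trailing slashes, so home is "".
//  - $blacklist has the shape of the 'frontEndPathBlacklist' setting:
//    site handle (or '*' for every site) => list of paths.

declare(strict_types=1);

function isBlacklisted(string $pathInfo, array $blacklist, string $siteHandle = 'default'): bool
{
    // Defensive normalisation: if a caller passes a raw URI such as "/" or
    // "/home/", reduce it to the same form getPathInfo() produces.
    $pathInfo = trim($pathInfo, '/');

    foreach (['*', $siteHandle] as $handle) {
        foreach ($blacklist[$handle] ?? [] as $entry) {
            // Normalise the config entry the same way, so '', '/' and ' ' all
            // describe the homepage instead of three different paths.
            if (trim((string) $entry, "/ \t\n\r") === $pathInfo) {
                return true;
            }
        }
    }

    return false;
}

// The blacklist for matching the homepage only: a single empty-string entry.
$config = [
    'frontEndPathBlacklist' => [
        '*' => [''],
    ],
];

// Constructed sample requests and the expected match result.
$cases = [
    ''          => true,   // homepage: getPathInfo() gives ""
    '/'         => true,   // raw URI form of the homepage, normalised above
    'home'      => false,  // a real page at /home is a different path
    'account/x' => false,
];

foreach ($cases as $path => $expected) {
    $actual = isBlacklisted($path, $config['frontEndPathBlacklist']);
    printf("%-12s => %s\n", var_export($path, true), $actual ? 'match' : 'no match');
    assert($actual === $expected);
}
```

Run it with `php example.php`; the two homepage forms report a match and the other paths do not. The normalisation is the point: without it, only the literal value returned by `getPathInfo()` (an empty string) matches, which is why entries like `'/'` or `' '` on their own did not help in this thread.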

dennisadriaans commented 6 years ago

$pathInfo dumps: string(0) "". $isBlackListed dumps: bool(true)

dennisadriaans commented 6 years ago

Maybe it is the CraftSpecialRequest path.

https://github.com/born05/craft-twofactorauthentication/blob/master/src/services/Request.php#L164

When I redirect path '/' to '/home' and add home to the blacklist it works like expected.

roelvanhintum commented 6 years ago

Should work from 2.0.0-beta.12

dennisadriaans commented 6 years ago

Confirmed

dennisadriaans commented 5 years ago

Seems to be back.

Case: Login as user in the front-end when 2FA is activated. Don't enter an authentication code from your phone. Instead type the homepage url in the address bar.

The browser will redirect the user without the need to enter an authentication code.

roelvanhintum commented 5 years ago

@dennisadriaans I'm getting logged out as supposed to, when login is required on home.

When login is not required on home, I'm allowed to visit, because 2FA only checks when login is required. Visit a page that does require login and the plugin logs you out because verification is missing.

dennisadriaans commented 5 years ago

How do you require login on home?

{% requireLogin %} in template

'verifyFrontEnd' => false,
'forceFrontEnd' => false,
'forceBackEnd' => false,
'allowFrontEnd' => true,

and...

'frontEndPathBlacklist' => [ '*' => ['', '', ' ', '/'], ], in the config right?

dennisadriaans commented 5 years ago

It was conflicting with a custom Craft module.

roelvanhintum commented 5 years ago

@dennisadriaans allowFrontend was incorrectly in the readme, this should be verifyFrontEnd. Make sure verifyFrontEnd is set to true. allowFrontend is not a thing.

roelvanhintum commented 5 years ago

@dennisadriaans to match home the following should be enough as a blacklist:

'frontEndPathBlacklist' => [
    '*' => [''],
],