born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

CloudFront + force enable 2FA page (login redirect loop) #32

Closed tonymilne closed 5 years ago

tonymilne commented 5 years ago

Unsure why, but when our website is behind AWS CloudFront it causes a redirect loop back to the /admin/login page rather than going to the force enable 2FA page when we have forceBackEnd=true.

When we test locally or direct to the ElasticBeanstalk instance, it all works.

Do you have any insight or advice on what might be causing this or how we might approach debugging it?

roelvanhintum commented 5 years ago

Hi @tonymilne, unfortunately I don't have any experience with CloudFront. I know it's a CDN. Does it cache responses or interfere with sessions?

Can you disable forceBackEnd and login with 2FA enabled for your user? I want to know for sure it's the extra screen that causes the CloudFront redirect loop.

tonymilne commented 5 years ago

Yeah, we created an environment variable to control the forceBackEnd config and have turned it off until we can work out why it's causing us an issue.

Might not be the screen (template) itself, but it might be something that is around the logic of getting to that point - my absolutely wild guess is maybe it is being tripped up here (and being logged out?): https://github.com/born05/craft-twofactorauthentication/blob/fc566b4ae0437cf1c3ded68e738bfd1fbf02f74b/src/services/Request.php#L28

Any thoughts?

tonymilne commented 5 years ago

I also wonder if it has anything to do with the index.php?p= approach, whereas our other URLs are not using that URL/querystring approach.

roelvanhintum commented 5 years ago

@tonymilne, can you log in using 2FA when forceBackEnd is off? Or do you use the login without 2FA?

The URLs the plugin uses should be generated. For our own projects we have omitScriptNameInUrls set for prettier URLs; I'm guessing this is similar to your setup.

The logic you referred to does trigger the logout, but that is intended to prevent users from passing without 2FA (without that piece of logic the plugin would be useless).

The snippet came from an older version of the plugin; are you sure you are using the latest release? At this moment the plugin is at 2.1.1, which is built for Craft 3.1.

roelvanhintum commented 5 years ago

@tonymilne do you still run into this?

roelvanhintum commented 5 years ago

Fixed in 2.2.0