born05 / craft-twofactorauthentication

Craft plugin for two-factor or two-step login using Time Based OTP.
MIT License

Bypassing 2FA in front-end #38

Closed iapparatus closed 4 years ago

iapparatus commented 5 years ago

I'm probably missing something but it seems like I'm able to get around 'Verify Code' screen after logging in simply by returning to the url that initiated the login.

Example:
This URL requires login: /protected
After entering credentials I'm redirected to /protected/verify
Returning to /protected lets me see the page

My config file:

<?php
// config/two-factor-authentication.php
return [
    'verifyFrontEnd' => true,
    'forceFrontEnd' => true,
    'forceBackEnd' => false,

    'verifyPath' => '/protected/verify',
    'settingsPath' => '/protected/two-factor-settings',
    'frontEndPathWhitelist' => [
        '*' => [],
    ],
    'frontEndPathBlacklist' => [
        '*' => ['/protected'],
    ],
];

Craft CMS 3.1.34.3, Two-Factor Authentication Plug-In 2.2.0

roelvanhintum commented 5 years ago

@iapparatus sorry for the delay. I'm looking into this today.

roelvanhintum commented 5 years ago

@iapparatus the slash prefixing the path is causing it not to match. Can you try the following?

    'frontEndPathBlacklist' => [
        '*' => ['protected'],
    ],

Same goes for verifyPath and settingsPath.
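The following is an added illustration of the pitfall in this thread, not code from born05/craft-twofactorauthentication. It models the front-end gate as a small path matcher: the request path is compared against the verifyPath, settingsPath, whitelist and blacklist entries, and a blacklist entry written as '/protected' is compared verbatim, so it never equals the slash-less request path 'protected' and the protected page is served without a code. The matching rules (exact, segment-prefix or shell wildcard), the whitelist/blacklist semantics, and the config dictionaries are assumptions made for the example; `match_normalized` shows the defensive variant that strips slashes from the configured patterns as well.

```python
"""Model of the front-end 2FA path gate discussed in this issue.

Added example, not the plugin's own code. The matching rules and the
meaning of the config keys are assumptions made for illustration.
"""
from fnmatch import fnmatchcase

# Constructed copy of the config posted in the issue (entries with a leading slash).
ORIGINAL_CONFIG = {
    "verifyPath": "/protected/verify",
    "settingsPath": "/protected/two-factor-settings",
    "frontEndPathWhitelist": {"*": []},
    "frontEndPathBlacklist": {"*": ["/protected"]},
}

# Same config with the slash-less entries the maintainer recommended.
FIXED_CONFIG = {
    "verifyPath": "protected/verify",
    "settingsPath": "protected/two-factor-settings",
    "frontEndPathWhitelist": {"*": []},
    "frontEndPathBlacklist": {"*": ["protected"]},
}


def request_path(url: str) -> str:
    """Craft-style request path: query string dropped, no leading/trailing slash."""
    return url.split("?", 1)[0].strip("/")


def match_raw(path: str, pattern: str) -> bool:
    """Assumed rule: exact match, match by whole path segment prefix, or shell
    wildcard, with the pattern used exactly as written in the config."""
    return (
        path == pattern
        or path.startswith(pattern + "/")
        or fnmatchcase(path, pattern)
    )


def match_normalized(path: str, pattern: str) -> bool:
    """Hardened rule: normalise the configured pattern the same way the request
    path is normalised, so '/protected' and 'protected' behave identically."""
    return match_raw(path, pattern.strip("/"))


def patterns_for(config: dict, key: str, site: str) -> list:
    """Patterns for a site handle plus the '*' (all sites) entry."""
    patterns = list(config[key].get("*", []))
    if site != "*":
        patterns += config[key].get(site, [])
    return patterns


def needs_verification(url, config, matcher, site="*", verified=False):
    """True when the request must be redirected to the verify page.

    Assumed semantics: whitelist = paths exempt from 2FA, blacklist = paths
    that require it. The verify and settings pages are always exempt,
    otherwise the redirect would loop.
    """
    path = request_path(url)
    if verified:
        return False
    for always_open in (config["verifyPath"], config["settingsPath"]):
        if matcher(path, always_open):
            return False
    if any(matcher(path, p) for p in patterns_for(config, "frontEndPathWhitelist", site)):
        return False
    return any(matcher(path, p) for p in patterns_for(config, "frontEndPathBlacklist", site))


if __name__ == "__main__":
    # Reproduces the report: with '/protected' in the blacklist the page is open.
    print("original config, raw match:", needs_verification("/protected", ORIGINAL_CONFIG, match_raw))
    # Either fix closes it: slash-less config entries, or slash-tolerant matching.
    print("fixed config, raw match:", needs_verification("/protected", FIXED_CONFIG, match_raw))
    print("original config, normalised match:", needs_verification("/protected", ORIGINAL_CONFIG, match_normalized))
```

When you use a path blacklist like this, test it the way the reporter did: log in, land on the verify page, then request the protected URL directly and confirm you are sent back to the verify page rather than served the content.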

iapparatus commented 4 years ago

Thanks, that solved the issue.

tonyclemmey commented 4 years ago

Hello, @roelvanhintum

First-time user here. I am having a similar issue on Craft 2 / Plugin v1.20. When on the verify code screen, I can hit the back button and the home page will load. Is there a code change in recent versions/Craft 3 which could be backported to Craft 2 to ensure no page can load until Verify Code?

roelvanhintum commented 4 years ago

@tonyclemmey the Craft 2 plugin didn't have support for front-end login. For Craft 3 the plugin is rewritten for the most part. You could add your own validation to a custom plugin similar to what we're doing here: https://github.com/born05/craft-twofactorauthentication/blob/craft-2/TwoFactorAuthenticationPlugin.php#L55

You can even use the services from the plugin, so customization would be minimal. It is also discussed in #2 and #8 in case I'm missing something here.