Closed Coennie closed 1 year ago
Nothing has changed regarding this. Which versions of Craft and this plugin are you using? I've had this error myself in the past when I messed up page caching or session storage.
So strange, I can't find the issue. Working with: Craft CMS 4.2.1.1 (Pro), craft-twofactorauthentication 3.0.1.
The two factor does work with a custom frontend implementation, but not with the default backend part
@Coennie this can be caused by multiple Craft config settings and hosting configurations. I'm afraid you really have to debug this on your own environment.
I am also experiencing the same problem. It seems like it's posting an invalid or already expired CSRF token to the back-end every single time.
I'm using the latest official Craft CMS nginx docker image (craftcms/nginx:8.1-dev) locally, so it seems to be a common issue?
I probably also encountered this problem. This statement seems correct:
'this can be caused by multiple Craft config settings and hosting configurations.'
This issue was in my case caused by following the instructions and creating the config/two-factor-authentication.php with:

```php
return [
    '*' => [
        'verifyBackEnd' => true,
        'forceBackEnd' => true,
    ],
];
```
I got it working by working with the following error notification in the phperror.log:
```
yii\base\UnknownPropertyException: Invalid general config setting: forceBackEnd. You can set custom config settings from config/custom.php. in /var/www/html/vendor/craftcms/cms/src/config/GeneralConfig.php:3033
```
The following seemed to fix it in my case: create a config/custom.php with the following content:

```php
return [
    '*' => [
        /**
         * Whether 2FA should be enabled for the back-end/control panel.
         */
        'forceBackEnd' => true,
    ],
];
```
(tjanpool edited this and did strike through his solution)
That error is not present in my error log at least. I tried your fix as well and it doesn't appear to make any difference unfortunately.
I keep getting a 400 bad request: "Unable to verify your data submission".
This despite the X-CSRF-Token header being sent in the request headers:
This used to work prior to installing Craft 4 and plugin version 3.x.x.
Apparently my solution also doesn't work. The fact that I don't have a two-factor-authentication.php makes it possible to submit a form. So my solution also doesn't help to enforce 2 factor authentication.
I've been working to get this fixed. I suspect the way form templates work in Craft 4 has changed. Can someone test dev-craft-4 to verify whether the latest version does work?
edit: After some more testing I got the problem replicated on my own environment, which allowed me to work towards a fix.
Cool, I did update to dev-craft-4, and it seems to have done something: for now I receive the error feedback 'Unable to verify your data submission.' However, indeed, it was not resolved. However, glad you have some material to work towards a solution.
@tjanpool Did the post data and post headers contain the csrf token or just one of them?
I find it hard to say. The response seems to have changed to the following:
```
{name: "Forbidden", message: "Login Required", code: 0, error: "Login Required", status: 403, …}
code: 0
error: "Login Required"
exception: "yii\web\ForbiddenHttpException"
file: "/var/www/html/vendor/yiisoft/yii2/web/User.php"
line: 460
message: "Login Required"
name: "Forbidden"
status: 403
trace: [{file: "/var/www/html/vendor/craftcms/cms/src/web/Controller.php", line: 353, …}, …]
```

Request headers:

```
:authority: site.craft.loc
:method: POST
:path: /index.php?p=admin%2Factions%2Ftwo-factor-authentication%2Fsettings%2Fturn-on
:scheme: https
accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-GB,en-US;q=0.9,en;q=0.8,nl;q=0.7
cache-control: no-cache
content-length: 22
content-type: application/x-www-form-urlencoded; charset=UTF-8
cookie: __stripe_mid=b06189ff-67f0-47d3-aeca-a70463c70d5d39019f; cookieconsent_status=allow; form_posted_4=1663146848; 1031b8c41dfff97a311a7ac99863bdc5_username=33e15155aa47fec02630c3331fd8b26ac39f198e7034c36b96513ce7da4ef374a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A4%3A%22FIZZ%22%3B%7D; CraftSessionId=ea7fadf4b19592aa12ab453d0a834ecc; CRAFT_CSRF_TOKEN=edacb7f578327312660c393437d33c1695308de6f27eff5251d1790f2c3f06b1a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A40%3A%22hZC5cMKHtmy8Z8yCfXKarxIpgyWW-j4XuTI7bQ0F%22%3B%7D
origin: https://site.craft.loc
pragma: no-cache
referer: https://site.craft.loc/index.php?p=admin/actions/two-factor-authentication/settings/force
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
x-csrf-token: xKqulTJhQ6O182kMm4ukuCc5vzIaawWe3ZrHCn6abo5KG_3pEvtz9qzw7aBRLAjrwZ4QNMGz3ftBYfRTaBNM7rrjkF1T8FrWP0-03nCqQ7A=
x-requested-with: XMLHttpRequest
```
Still occurring on dev-craft-4 and ^3.0, running Craft 4.2.7. A valid CSRF token is set as a request header but not in the form request.
The temporary debugging workaround mentioned below will resolve it. Doing so will break the plugin as it runs into the ->requireLogin() validation failing.
```php
<?php
// This is just for debugging, don't use this in production: it copies the
// current session's CSRF token into the POST body, which defeats the CSRF
// check for this one action.
// Register it from a site module's or plugin's init() method.

use craft\web\Controller;
use yii\base\ActionEvent;
use yii\base\Event;

Event::on(
    Controller::class,
    Controller::EVENT_BEFORE_ACTION,
    function (ActionEvent $event) {
        // Only touch the plugin's 2FA code verification action.
        if ($event->action->uniqueId == 'two-factor-authentication/verify/login-process') {
            $request = \Craft::$app->getRequest();
            $params = $request->getBodyParams();
            // Inject the token as the CRAFT_CSRF_TOKEN body param so that
            // yii's validateCsrfToken() finds it in the form data.
            $params['CRAFT_CSRF_TOKEN'] = $request->getCsrfToken();
            $request->setBodyParams($params);
        }
    }
);
```
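As an added diagnostic (example code written for this page, not the plugin's own and not posted in the thread), the handler below answers the earlier question of whether the token arrives in the header, the body, or both: instead of injecting the token, it logs where yii would find it and whether validation passes for the same action. It assumes the action id used in the workaround above and that it is registered from a site module's init().

```php
<?php
// Added diagnostic example, not part of the plugin: logs where the CSRF token
// arrived for the 2FA login action without weakening CSRF validation.
// Assumes registration from a site module's init(); the action id is the one
// used in the debugging workaround in this thread.

use Craft;
use craft\web\Controller;
use yii\base\ActionEvent;
use yii\base\Event;

Event::on(
    Controller::class,
    Controller::EVENT_BEFORE_ACTION,
    function (ActionEvent $event) {
        if ($event->action->uniqueId !== 'two-factor-authentication/verify/login-process') {
            return;
        }
        $request = Craft::$app->getRequest();

        // yii\web\Request accepts the token either from the X-CSRF-Token
        // header or from the body param named by $request->csrfParam
        // (CRAFT_CSRF_TOKEN by default in Craft).
        $fromHeader = $request->getCsrfTokenFromHeader();
        $fromBody = $request->getBodyParam($request->csrfParam);

        // validateCsrfToken() is the same check yii runs in beforeAction when
        // enableCsrfValidation is on; calling it here has no side effects.
        Craft::info(sprintf(
            '2FA login-process CSRF check: header=%s body=%s valid=%s',
            $fromHeader !== null ? 'present' : 'missing',
            $fromBody !== null ? 'present' : 'missing',
            $request->validateCsrfToken() ? 'yes' : 'no'
        ), 'two-factor-csrf');
    }
);
```

Read the three values from storage/logs: "header=present body=missing valid=no" confirms the symptom described above, while "valid=yes" with a 400 points at something other than the token itself (for example a session or cache misconfiguration).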
@roelvanhintum what were your findings so far?
@ddnetters, I cannot reproduce this at all. I did have issues before with CSRF tokens being handled differently between admin and guest users on the frontend. Does this also occur when you try logging in from an incognito browser window?
It does, both across browsers and in a private window. I'll try to get a steps-to-reproduce list when I have more time. Meanwhile the aforementioned validation issue can be continued at #68. In as far as it's useful, I'm experiencing the issue with the control panel login flow.
Shouldn't the admin login be /admin/actions/two-factor-authentication/verify/login instead of index.php?p=admin/actions/two-factor-authentication/verify/login?
When trying to use the 2fa for the backend I get a 'could not verify your data' after submitting the 2fa code. When looking in the post data I also do not see the csrf token being posted along with the 'authenticationCode' parameter. Did something change? It worked before.
Regards