creode / magic-login

A Magic Link plugin which sits on top of the existing user sign in and registration process.

Unable to verify your data submission. #29

Closed michaeldavidtodd closed 3 months ago

michaeldavidtodd commented 9 months ago

I've tried installing this locally in my existing project, locally in a fresh Craft 4 install, and in production. I'm getting the same results everywhere when testing the registration page. I've made no modifications. Just using out-of-the-box.

```
HTTP 400 – Bad Request – yii\web\BadRequestHttpException

Unable to verify your data submission.

  1. in /var/www/html/vendor/yiisoft/yii2/web/Controller.php
```

```php
}

/**
 * {@inheritdoc}
 */
public function beforeAction($action)
{
    if (parent::beforeAction($action)) {
        if ($this->enableCsrfValidation && Yii::$app->getErrorHandler()->exception === null && !$this->request->validateCsrfToken()) {
            throw new BadRequestHttpException(Yii::t('yii', 'Unable to verify your data submission.'));
        }

        return true;
    }

    return false;
}

/**
```
michaeldavidtodd commented 9 months ago

I closed this because I got it working. But just realized the login form works. It's the register form that does not.

Also, something else concerning with the registration error. When I have the form included in another template and get the bad request error, going back to the previous page automatically logs me in. I'm prefilling the email address based on the entry I'm logging in to edit. So essentially, if someone has the URL to someone else's entry, they could exploit this bug to get logged in and access their data. The email also isn't being sent.

creode-dev commented 7 months ago

Hi @michaeldavidtodd ,

Thanks for logging this and flagging the issue. I've just taken a look by spinning up a brand new Craft 4 website. I installed the plugin and ran through the setup process using DDEV as recommended by Craft.

I installed the plugin and set the domain up along with a pro license of Craft and a trial version of the plugin. This plugin uses the default Mail configuration inside the admin panel. Could you check this is set up correctly?

I'm not seeing the same issues as what you described above. The 400 error message is a Yii2/Craft check around a CSRF token and happens for every controller action defined within Craft. Are you overwriting the registration template for magic login but haven't included the CSRF input within your form? `{{ csrfInput() }}`.

Another thing to note is that if you are logged in to the admin panel, you will be logged in already via magic login. This is because we just use Craft's existing user system to check and handle the login/registration process. The registration controller checks if you are already logged in before sending the email; if you are, it redirects you to the default page defined in your configuration for login without taking any further action.

If you can share any code examples which might assist further in our investigation, please let me know.

Thanks
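For readers overriding the registration template, here is what a minimal Craft front-end form that survives the CSRF check looks like. This is an added example, not a template from the plugin or from either commenter; the plugin's controller action route is not given on this page, so `PLACEHOLDER/register` and the post-submit path are placeholders to replace with the values from the plugin's documentation.

```twig
{# Added example (not the plugin's own template). A custom registration
   form must carry Craft's CSRF token, otherwise every POST is rejected by
   the beforeAction() check quoted in the issue with
   "HTTP 400 – Unable to verify your data submission." #}
<form method="post" accept-charset="UTF-8">
  {# Required: emits the hidden CRAFT_CSRF_TOKEN field that
     validateCsrfToken() compares against the token in the session/cookie #}
  {{ csrfInput() }}

  {# Which controller action handles this submission.
     PLACEHOLDER/register is an assumed route; use the plugin's real one. #}
  {{ actionInput('PLACEHOLDER/register') }}

  {# Post-submit destination. redirectInput() stores a hashed value, so the
     redirect target cannot be rewritten by editing the form in the browser.
     'magic-login/sent' is an assumed path for this example. #}
  {{ redirectInput('magic-login/sent') }}

  <label for="email">Email</label>
  <input type="email" id="email" name="email" required>

  <button type="submit">Send magic link</button>
</form>
```

Two checks worth running before assuming a plugin bug: view the rendered page source and confirm a hidden `CRAFT_CSRF_TOKEN` input is present inside the form, and confirm `enableCsrfProtection` has not been set to `false` in `config/general.php` (the default is `true`, and disabling it to silence the 400 removes the protection for every front-end form in the site rather than fixing the template).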

michaeldavidtodd commented 3 months ago

Closed this bc one way or the other, the issue was resolved. Probably something I was doing wrong in my setup. Sorry I left this open for months! Been using Magic Login for a while and really appreciating it!