gantry / gantry5

:rocket: Next Generation Template / Theme Framework
http://gantry.org

[BUG] New Multi-Factor Authentication Fails on Front-end on Joomla 4.2.2 #3078

Open J-Wick4 opened 2 years ago

J-Wick4 commented 2 years ago

Hosting variables are set up the same across each instance.

I've worked on this bug for hours and narrowed it down to this Rocket Template / Gantry 5.

Joomla 4.2+ has introduced the new Multi-Factor Authentication.

When logging into the front of the website, if the user has MFA turned on, they are redirected to:

domain_com/component/users/captive?Itemid=101 to enter their six-digit auth code, then redirect to the landing page after successfully logging in.

This is verified working on a new install with the default Joomla template.

I then installed the Denali template and tested it again with success.

However, when testing this on an upgraded, fully populated instance, the MFA redirect shoots me to the home page and does not display the MFA box to authenticate, trapping me on the site where nothing else can be done until I clear the cookies.

I've checked and matched all the backend settings, replicated the default template from the vanilla install, and ended with the same result.

Multiple client websites exhibit the same results.

The MFA in Joomla 4.2.2 is https://github.com/akeeba/loginguard/wiki

Bug I filed at Joomla https://issues.joomla.org/tracker/joomla-cms/38678

J-Wick4 commented 2 years ago

COMMENT FROM THE DEVELOPER OF JOOMLA'S NEW CORE MULTI-FACTOR AUTHENTICATION

That said, your problem is actually a problem with how Gantry implements their index.php. Their option to hide the component output from the Home page is incompatible with Joomla 4, plain and simple.

This option is a non-standard approach which will not work with any extension, core or third party, on Joomla 4 when they need to display a page without having a menu item set up explicitly for it. As RocketTheme should have known had they actually been responsible software developers and tested Joomla 4 anytime in the last 6 years, i.e. since its Alpha 2 in November 2017, while Joomla 3 never added an Itemid to direct component URLs which do not use a menu item (e.g. index.php?option=com_example&view=something), Joomla 4 always adds the menu item ID of the Home menu item. Since they only simple-mindedly check the Itemid in the URL (instead of making sure it's also the same component, view and task at the very least) they are hiding the component output of all these URLs, breaking core and third party extensions.

Their non-standard, problematic approach breaks among other things Akeeba Backup's legacy front-end backup and JSON API URLs, Admin Tools' custom error page, Akeeba Ticket System's canned replies, Akeeba Engage's comment box on a new page (behind a confirmation link) and comment edit page, even Joomla's login page if you only publish a login module but not a login menu item on your site — just to name a few legitimate use cases of Joomla's ability to work with direct component URLs which do not require a menu item to be set up in the frontend.

This is something RocketTheme needs to fix. The fix is trivial — about 100 characters. Any developer reading this reply knows what to do.
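The following is an added illustration, not Gantry's or Joomla's code, of the routing problem described in the comment above: Joomla 4 tags direct component URLs with the Home menu item's Itemid, so a "hide component output on Home" rule keyed on Itemid alone also suppresses the MFA captive page. The Home menu metadata and the sample requests are constructed; the two functions are hypothetical names.

```php
<?php
// Added example (not Gantry code). Models the check nikosdion describes:
// a naive "hide component output on the Home page" rule that looks only at
// Itemid, beside a stricter rule that also compares component, view and task.
// HOME_MENU is a constructed stand-in for the site's Home menu item.

declare(strict_types=1);

/** Constructed description of the Home menu item (hypothetical values). */
const HOME_MENU = ['id' => 101, 'option' => 'com_content', 'view' => 'featured'];

/** Naive rule: treat every request carrying the Home Itemid as the Home page. */
function hideComponentNaive(array $query): bool
{
    return (int) ($query['Itemid'] ?? 0) === HOME_MENU['id'];
}

/**
 * Stricter rule: the request is only the Home page when the component and
 * view match what the Home menu item points to and no task is being run.
 * A request that carries only the Itemid (SEF home URL) is still Home, since
 * the router would fill option/view in from the menu item.
 */
function hideComponentStrict(array $query): bool
{
    if ((int) ($query['Itemid'] ?? 0) !== HOME_MENU['id']) {
        return false;
    }
    $sameOption = ($query['option'] ?? HOME_MENU['option']) === HOME_MENU['option'];
    $sameView   = ($query['view'] ?? HOME_MENU['view']) === HOME_MENU['view'];
    $noTask     = empty($query['task']);

    return $sameOption && $sameView && $noTask;
}

// Constructed requests: the real Home page, the MFA captive page that Joomla 4
// routes with the Home Itemid (component/users/captive?Itemid=101), and an
// unrelated article under a different menu item.
$requests = [
    'home'        => ['Itemid' => 101],
    'mfa captive' => ['option' => 'com_users', 'view' => 'captive', 'Itemid' => 101],
    'article'     => ['option' => 'com_content', 'view' => 'article', 'id' => 5, 'Itemid' => 102],
];

foreach ($requests as $label => $query) {
    printf(
        "%-12s naive hide=%-5s strict hide=%s\n",
        $label,
        var_export(hideComponentNaive($query), true),
        var_export(hideComponentStrict($query), true)
    );
}
```

Only the naive rule hides the captive page, which is the symptom reported in this issue: the user is bounced to Home without the MFA prompt while the session is already half authenticated.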

trlbldr1 commented 2 years ago

I use Gantry 5.5.15 on several sites with RT Callisto theme on Joomla 4.2.2. Implementation of MFA in J4.2.2 is darn near impossible - ref gantry/gantry5#3078. When will Gantry publish an update to fix the issue described by Nicholas Dionysopoulos?

N8Solutions commented 2 years ago

@SpyderZ I see that you are using PHP v8.1. Have you tried just using PHP v8.0?

And @trlbldr1, what version of PHP are you using?

There are some bugs being found when using PHP 8.1 so it would be helpful to narrow down what is going on if that is the case.

N8Solutions commented 2 years ago

As an additional note for both of you (@SpyderZ and @trlbldr1): I had a plain J4 website fully updated with no extensions installed. I turned on Multi Factor Authentication for my account. I then proceeded to install the Gantry 5 framework and the Callisto template and I was able to login just fine, and quickly I might add, using both PHP v8.0 & v8.1, so I was unable to reproduce the issue you are reporting.

Furthermore, @SpyderZ you wrote above:

domain_com/component/users/captive?Itemid=101 to enter their six-digit auth code, then redirect to the landing page after successfully logging in.

A 6 digit code is part of using TFA (Two Factor Authentication) which is no longer possible with Joomla 4.2. Since these are upgraded websites it makes me wonder if you were using TFA with an authenticator on these sites before upgrading to Joomla 4.2?

In the release notes for Joomla 4.2 here it is mentioned that Multi-Factor Authentication (replaces Two-Factor Authentication) > See here

trlbldr1 commented 2 years ago

PHP 8.0.23, MySQLi 10.3.26-MariaDB, Joomla 4.2.2, RocketTheme template Callisto v1.7.0

J-Wick4 commented 2 years ago

> As an additional note for both of you (@SpyderZ and @trlbldr1): I had a plain J4 website fully updated with no extensions installed. I turned on Multi Factor Authentication for my account. I then proceeded to install the Gantry 5 framework and the Callisto template and I was able to login just fine, and quickly I might add, using both PHP v8.0 & v8.1, so I was unable to reproduce the issue you are reporting.
>
> Furthermore, @SpyderZ you wrote above:
>
> > domain_com/component/users/captive?Itemid=101 to enter their six-digit auth code, then redirect to the landing page after successfully logging in.
>
> A 6 digit code is part of using TFA (Two Factor Authentication) which is no longer possible with Joomla 4.2. Since these are upgraded websites it makes me wonder if you were using TFA with an authenticator on these sites before upgrading to Joomla 4.2?
>
> In the release notes for Joomla 4.2 here it is mentioned that Multi-Factor Authentication (replaces Two-Factor Authentication) > See here

I've tested both 7.4, 8.0, & 8.1 with the same results.

Two-Factor exists in MFA in Joomla 4.2 as "Multi-factor Authentication - Verification Code"

As per the developer of MFA in Joomla 4.2 https://github.com/gantry/gantry5/issues/3078#issuecomment-1249064780

The problem exists in Gantry 5 not updating its ability to handle component IDs.

> Their option to hide the component output from the Home page is incompatible with Joomla 4, plain and simple.

Gantry 5 needs to update its code to be fully compatible with Joomla 4, and apparently, it's very simple.

mahagr commented 2 years ago

There's no code change needed, just drag and drop component content into the home layout and save. Or change it to something else. Or perhaps select the layout you want to use in the MFA configuration?

J-Wick4 commented 2 years ago

> There's no code change needed, just drag and drop component content into the home layout and save. Or change it to something else. Or perhaps select the layout you want to use in the MFA configuration?

Well, then we have a conflict/argument with @nikosdion https://github.com/akeeba/loginguard/issues/134#issuecomment-1249006224

I've been using RocketThemes for years; I have no idea how you'd drag & drop component content into the home layout. Can you explain this?

I created a specific template and assigned it to a hidden menu item, set in the MFA settings, and it didn't work.

I appended it to the Cassiopeia template, but it didn't work unless the template was assigned to the home page, which is not an option, obviously.

I shouldn't have to do any of these steps, it should just work like how it works with the Cassiopeia template that doesn't hide component output automatically, as per the explanation by @nikosdion.

trlbldr1 commented 2 years ago

> There's no code change needed, just drag and drop component content into the home layout and save. Or change it to something else. Or perhaps select the layout you want to use in the MFA configuration?

Sheesh. J-Wick4 is, in my vernacular, "right-on". There's no means available to "drag-and-drop" the MFA content (from a J4 plugin) into a Gantry template form, especially in the Home-Particles form. There's no Gantry particle for MFA.

Someone in the Gantry project needs to update the software to fix the damn issue.

N8Solutions commented 2 years ago

@mahagr My assessment of the issue was incorrect. I have gone through and retested and have been able to verify the issue they are discussing. My previous attempt at reproducing it was incorrect as I was using the new Joomla! W3C Web Authentication (WebAuthn) Login which works fine instead of the Multi-factor Authentication which does not work.

The Multi-factor Authentication plugins do need to be enabled in order to work as they are not enabled by default especially now that W3C Web Authentication (WebAuthn) Login is available. However, on upgraded websites that are using 2FA, this will present a major issue and all of my websites are using 2FA, which will translate to this issue once my clients sites are updated to Joomla 4.

Also, your suggestions:

> There's no code change needed, just drag and drop component content into the home layout and save. Or change it to something else. Or perhaps select the layout you want to use in the MFA configuration?

are not applicable because this is a Joomla core plugin and not a Particle that can be added to a layout. The MFA configuration does not have an option to select a layout as it is not a module that can be added to a page or layout.

After attempting to login, I am brought back to the homepage as @J-Wick4 said, and it looks like you are logged in because you can see menu items that are only supposed to be visible to registered users, like a link to view your "User Profile". However, if you click on anything else that should normally be visible to the public, you are redirected, constantly, to the homepage.

I found that if I clicked on the Menu item for the profile I was prompted to enter the MFA code and was then properly logged into the website.

There is indeed an issue with the Gantry templates and the use of Multi-factor Authentication. This will be very problematic.

If you would like any clarification on the issue please let me know and I can walk you through properly reproducing it.

mahagr commented 2 years ago

It took me a long time to be able to reproduce the issue; I had a hidden login menu item which made MFA work just fine. So the easiest way to get this feature to work is as simple as creating a login menu item. That makes Joomla route the MFA verification to use the correct itemid, which has the proper layout set.

I also double checked adding the component content into the layout of Home Outline and it works perfectly, except that the MFA verification box gets lost as there's too much content (modules and particles) in the home page. It is there, though, and it works just fine. For reference: Go to Gantry component, select Home Outline, drag the green "Page Content" into the layout and save.

What does not work is the override in System > Global Configuration > Users > Multi-factor Authentication > Frontend template style, not sure why.

mahagr commented 2 years ago

Update: You either need to have a Login menu item published to everyone or a Profile menu item for the users. We are still trying to replicate what happens with @N8Solutions.

J-Wick4 commented 2 years ago

> It took me a long time to be able to reproduce the issue; I had a hidden login menu item which made MFA work just fine. So the easiest way to get this feature to work is as simple as creating a login menu item. That makes Joomla route the MFA verification to use the correct itemid, which has the proper layout set.
>
> I also double checked adding the component content into the layout of Home Outline and it works perfectly, except that the MFA verification box gets lost as there's too much content (modules and particles) in the home page. It is there, though, and it works just fine. For reference: Go to Gantry component, select Home Outline, drag the green "Page Content" into the layout and save.
>
> What does not work is the override in System > Global Configuration > Users > Multi-factor Authentication > Frontend template style, not sure why.

I have tested your suggestions and managed to get MFA working. I put the "Page Content" particle in the Top Container of the home page, so it was buried below the fold.

However, if you have the Login/Out menu item setup with "Guest" user access to properly switch between Login and Logout menu items for proper user experience, it produces an error message. [screenshot omitted] You can still enter the code and log in.

Also, as per Joomla, all modules & component output should be suppressed unless otherwise given expressed permissions in the MFA settings.

N8Solutions commented 2 years ago

@J-Wick4 we were able to narrow down the issue to the Gantry 5 Theme Custom Page and the Joomla Login Redirect. Matias is going to work on it but he is recovering from a bad case of covid right now so his ability to work has been hindered.

From going over things with him, the best solution I've come up with so far where everything works as it should, is the following.

Doing this should allow the login process to work just fine without any errors for 2fa until Matias is able to look into the issue further and provide a fix.

Let me know if you have any questions.

regards,

Michael

J-Wick4 commented 2 years ago

@N8Solutions,

Thank you for the suggestions. I could replicate your results; however, if you assign "Guest" to the log-in menu item, it still produces the error message and allows you to enter the access code to proceed.

I was using Community Builder, with a login module within a custom login template. I had to remove Community Builder to get the Joomla core login back. Community Builder is a widely popular package; it needs to be considered for compatibility.

Other non-Gantry templates don't have any issues because they're not hiding the component output IDs breaking Joomla 4 standards. If this is modified, it should resolve all these problems without going beyond the bounds of regular Joomla administration.

RocketTheme users shouldn't have to do complicated backflips to get this operational.

Hopefully, Matias can sort this out properly once he recovers, which I can relate to and understand what he's going through.

J-Wick4 commented 1 year ago

Can we get an update on the progress of this bug? I really need a template that is compatible with the new Joomla MFA for a few clients.

J-Wick4 commented 1 year ago

I need this fixed, or I will have to move to non-Gantry-based templates.

AccessIPD commented 1 year ago

Come on Gantry - what's going on with this bug?

J-Wick4 commented 1 year ago

Yes, I agree. This is taking way too long. We're talking about CORE Joomla functionality which has been clearly outlined by the code's creator of what Gantry needs to do to correct their templates.

N8Solutions commented 1 year ago

@J-Wick4 & @AccessIPD Have you guys tried the v5.5.16 update for Joomla? https://gantry.org/downloads#joomla

@hexplor has disabled the auto update and it hasn't been turned back on yet for some reason. You can read the discussion concerning v5.5.16 here https://github.com/gantry/gantry5/issues/3138#issuecomment-1495565503 I'll have to try and reproduce this again later when I have time.

J-Wick4 commented 1 year ago

I've installed the v5.5.16 update for Joomla on my pre-production site and set up an entirely new staging site from scratch using Joomla 4.3, then installed Gantry and the Orion template; this is what I experienced.

Default Core Template, works no problem. [screenshot: default_core]

Orion Template Breaks MFA [screenshot: rocket_orion]

Again, had to add the "Content" particle to the Home template even to have the MFA box appear. [screenshot: rocket_orion_home]

I disabled URL rewriting to see if that had an effect, and it did not.

I have yet to try the Multi-Factor enroll function for new users.

As it stands, RocketTheme templates are NOT fully compatible with Joomla 4 providing a terrible frontend login experience with MFA enabled. We cannot present this to clients. Where security is important, RocketTheme is out of the question until this is remediated to produce the same experience as the core Joomla template.

Gantry/Rocket/Joomla need to collaborate and squash this bug ASAP.

trlbldr1 commented 1 year ago

I use RocketTheme templates, Gantry 5.5.16, PHP 8.1, and Joomla 4.3. MFA works fine:

- On the Gantry Home outline, I found I needed to set the Page Content particle at the top of the Main Feature container.
- In System | Plugins, I ensured that the Joomla Authentication plugin remained enabled.
- I disabled all Multi-Factor Authentication plugins save for Multi-Factor Authentication - Authentication Code by Email.
- I configured the plugin to Force Enable and set the Code Generation Period before saving (implementing) this function.
- I disabled the System - WebAuthn Passwordless Login plugin; the users on this site don't need it (yet) and disabling it helps prevent confusion on the login screen.
- We use Community Builder to add and manage users; there are no conflicts between CB and MFA.
- Both the Cassiopeia and RocketTheme templates are enabled; the RT template controls the public website display.

Cheers.


J-Wick4 commented 1 year ago

> I use RocketTheme templates, Gantry 5.5.16, PHP 8.1, and Joomla 4.3. MFA works fine: On the Gantry Home outline, I found I needed to set the Page Content particle at the top of the Main Feature container. In System | Plugins, I ensured that the Joomla Authentication plugin remained enabled. I disabled all Multi-Factor Authentication plugins save for Multi-Factor Authentication - Authentication Code by Email. I configured the plugin to Force Enable and set the Code Generation Period before saving (implementing) this function. I disabled the System - WebAuthn Passwordless Login plugin; the users on this site don't need it (yet) and disabling it helps prevent confusion on the login screen. We use Community Builder to add and manage users; there are no conflicts between CB and MFA. Both the Cassiopeia and RocketTheme templates are enabled; the RT template controls the public website display. Cheers.

What does your Multi-Factor Authentication Page look like?

I have the same settings as you. Instead of all the modules disappearing like in the Cassiopeia template, Rocket shows everything along with the 2-FA box, missing the title and some instructions, as I posted my screenshots. This is not a proper user experience. Also, we should have to jump through hoops to set multi-factor up as opposed to the Cassiopeia template.

J-Wick4 commented 1 year ago

Sorry to write this. I'm leaving Gantry 5 and Rocket Templates. This incompetence in supporting native Joomla 4 features is wasting my time. Today, I discovered the password reset function is also experiencing a similar problem on Joomla 4.3.3. This is unacceptable and will undoubtedly frustrate others to move to other template technologies. You are damaging the image and hard work you have built up over the years in making this system.