humanmade / altis-security

Security Module for Altis
https://www.altis-dxp.com/resources/docs/security/

Asset URLs not registered properly in subdomain sites #219

Open kadamwhite opened 1 year ago

kadamwhite commented 1 year ago

Steps to reproduce:

  1. For a multisite network e.g. something.altis.cloud, define a subsite at something.altis.cloud/some/path
  2. Force 2FA on that environment
  3. Observe that no scripts or styles load on the "choose your 2FA provider" form when trying to log in

I expected a functional 2FA form. Instead, we see 404s for all the two-factor plugin scripts and styles, because they get registered as

https://subdomain.site.altis.cloud/sub/directory/vendor/humanmade/two-factor/assets/js/force-2fa.js

instead of

https://subdomain.site.altis.cloud/vendor/humanmade/two-factor/assets/js/force-2fa.js

The two-factor plugin (both our fork and the upstream copy) uses plugins_url( '...blah.js', __FILE__ ) to deduce the URL for the asset. That resolves to full/site/path/vendor... instead of /vendor... when used in an Altis site where the plugin is installed to vendor/humanmade/two-factor.

Acceptance criteria:

kadamwhite commented 1 year ago

Filed upstream in 2FA plugin at https://github.com/WordPress/two-factor/issues/489