joomla / joomla-cms

Home of the Joomla! Content Management System
https://www.joomla.org
GNU General Public License v2.0

[4.x] Issue on frontend login with MFA enabled #40428

Open dautrich opened 1 year ago

dautrich commented 1 year ago

Steps to reproduce the issue

  1. Create a user with MFA via TOTP enabled
  2. Login to the frontend with username and password
  3. Watch the next screen, where you have to enter your verification code

Expected result

You will not see an alert message "You have been logged in" at this point. This message should appear after you have successfully entered your verification code, on the next screen.

Actual result

You see an alert message "You have been logged in", although the login process is not finished yet.

System information (as much as possible)

systeminfo-2023-04-19T21 08 46+02 00.txt

Additional comments

I didn't test with other MFA methods (i.e. WebAuthn), but I suspect that the bug shows up as well.

richard67 commented 1 year ago

For the same reason, the "Log Out" button on the page to enter the verification code is confusing, too.

dautrich commented 1 year ago

@richard67 The button might better be labeled "Cancel", in case you decide not to log in.

In fact, you seem to be logged in already at this moment. On a real site, I can see the following:


In the menu at the top of the page, all menu items (apart from "Startseite") have access level "Registered". The alert message has been dropped by a language override.

richard67 commented 1 year ago

Well, we also could use "f…ck, I can't find my smartphone with the authenticator app right now", but that is a bit long, so "Cancel" is fine :-)

dautrich commented 1 year ago

In my opinion, one should not see any content with an access level of "Registered" before the login process (including MFA) is completed. If I am right, the main menu should not appear in the form for 2FA, because the menu alone might disclose confidential information. Even submenus are visible:


richard67 commented 1 year ago

@dautrich Silly question: Can this issue also be reproduced with 4.2.9, or does it really need 4.3.0?

brianteeman commented 1 year ago

That is why there are settings for which modules are available.


dautrich commented 1 year ago

@richard67

question: Can this issue also be reproduced with a 4.2.9, or does it really need the 4.3.0?

Yes, it is the same in 4.2.9.

sandewt commented 1 year ago

Suggestion: most simple (temporary) solution is, or in case MFA is enabled.


dautrich commented 1 year ago

@brianteeman Thank you for your hint regarding the configuration option "Allowed frontend module positions"! I didn't know about this option until now. I just purchased Luca Marzo's book "Joomla! 4 Masterclass" to get myself informed about the new Joomla features, but I haven't finished reading it yet.

In the case of my website, your hint doesn't really help. I use the template SKYLAR from Joomla51, aka Ciaran Walsh. The top menu doesn't sit in a module position by default, but is handled by the template, obviously using the Bootstrap class 'hornav'. I'll wait and see what happens with this bug report. Hopefully a solution will solve the issue with SKYLAR as well. If not, I will open an issue in Ciaran's forum.


sandewt commented 1 year ago

@dautrich If you find the message (logon / logout) annoying, you can always make a language override.

dautrich commented 1 year ago

@sandewt

@dautrich If you find the message (logon / logout) annoying, you can always make a language override.

Thank you for the hint! I know about that. And I've already done it for one of my sites.

brianteeman commented 1 year ago

I'll wait and see what happens with this bug report. Hopefully a solution will solve the issue with SKYLAR as well. If not, I will open an issue in Ciaran's forum.

It will not be possible to change the code in the core to resolve your specific issue, as it is with the template and not within any of the core code.

This should be closed as there is nothing in the core to be changed.

dautrich commented 1 year ago

@brianteeman I don't think that the issue should be closed. When you have a look at the original bug report, you see Cassiopeia, and the bug report is about the logged-in message being issued before the second part of the login, the 2FA, has been successfully done. The issue in connection with Ciaran's template may have the same reason: the logged-in event is triggered too early.

sandewt commented 1 year ago

For example, it is possible to show a menu. Then it is useful to know that you are logged in.


brianteeman commented 1 year ago

@brianteeman I don't think that the issue should be closed. When you have a look at the original bug report, you see Cassiopeia, and the bug report is about the logged-in message being issued before the second part of the login, the 2FA, has been successfully done.

Sorry, I was responding to the subsequent posts about the hornav and not the original one about the message.

For me the problem is that this "logged in message" should never have been merged, as it is not compatible with second factor authentication.

J-Wick4 commented 1 year ago

I agree with @brianteeman. Until you pass the MFA and are indeed logged into the system, posting a message you are logged in is misleading and confusing. Also, do we need to be told we are logged in? The only message I see as helpful is in the case of a wrong password or failed MFA attempt by giving a guidance message to try again, reset the password, etc.

richard67 commented 1 year ago

Well, the message is the symptom but not the problem. The problem is indeed that we are already logged in before we have passed MFA.
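The design the thread converges on, as an added example that is not Joomla core code: the session carries an explicit "MFA pending" stage, and both the access-level check for "Registered" content and the "You have been logged in" alert key off the fully logged-in stage only. Class and method names here are hypothetical.

```php
<?php
// Added example, not Joomla core code: a minimal model of a two-stage login
// in which a session that passed the password check but not yet the second
// factor is treated as a guest by access-level checks. Names are hypothetical.
declare(strict_types=1);

final class LoginSession
{
    public const GUEST       = 'guest';
    public const MFA_PENDING = 'mfa_pending'; // password ok, verification code not yet entered
    public const LOGGED_IN   = 'logged_in';

    private string $stage = self::GUEST;
    private array $messages = []; // alerts queued for the next page
    public function passwordVerified(bool $mfaEnabled): void
    {
        if (!$mfaEnabled) { $this->complete(); return; } // no second factor: login is done
        $this->stage = self::MFA_PENDING;                  // otherwise the login is only half done
    }

    public function mfaVerified(): void
    {
        if ($this->stage === self::MFA_PENDING) { $this->complete(); }
    }

    public function cancel(): void // the "Cancel" button discussed in the thread
    {
        $this->stage = self::GUEST;
        $this->messages = [];
    }

    /** Access check for 'Public' or 'Registered' content: a pending MFA session sees only Public. */
    public function canView(string $accessLevel): bool
    {
        return $accessLevel === 'Public' || $this->stage === self::LOGGED_IN;
    }
    public function messages(): array { return $this->messages; }
    private function complete(): void
    {
        $this->stage = self::LOGGED_IN;
        $this->messages[] = 'You have been logged in'; // fires only when the login is really finished
    }
}
// Constructed walk-through: a TOTP user between the password screen and the code screen.
$s = new LoginSession();
$s->passwordVerified(true);
var_dump($s->canView('Registered'), $s->messages()); // Registered menu items hidden, no alert yet
$s->mfaVerified();
var_dump($s->canView('Registered'), $s->messages()); // now visible, alert queued
```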