magento / security-package

Magento Security Extensions
Open Software License 3.0

2FA picture not displaying #225

Closed onepack closed 4 years ago

onepack commented 4 years ago

Preconditions (*)

  1. M2.3.5-p1
  2. PHP 7.3

Steps to reproduce (*)

  1. Enable 2FA - Google authenticator
  2. Clear caches
  3. Log out and log in again.

Expected result (*)

  1. Expected is a QR code to be scanned
  2. Authenticate

Actual result (*)

  1. Result is a broken image icon where the QR should display.
  2. In the browser console I get a 200 for the image.

Request URL: https://domain.com/admin/msp_twofactorauth/google/qr/key/****************59e3c5c915ff26323b9c200619df137b7124ce10/
Request Method: GET
Status Code: 200
Remote Address: 149.210.213.73:443
Referrer Policy: no-referrer-when-downgrade

Still it looks broken:

[Image: Magento_Admin_2fa]

nathanjosiah commented 4 years ago

Hello @onepack, thank you for your submission. 2fa for 2.4.x+ is at the end of a major rewrite and the remainder of the new code will be merged to this new repo in the next few days. That said, I see your url uses the old msp_twofactorauth module, do you want me to transfer this issue to that repo?

onepack commented 4 years ago

So the module is split up in the original msp module and a new repo? The best thing would then be to uninstall the older repo and start using the whole new repo. Right?

nathanjosiah commented 4 years ago

@onepack The msp module repo will accept PRs and can be un-archived ad hoc as needed. Starting with Magento 2.4.0 this repo (security-package) will contain security features (including 2fa) that will ship by default in the magento composer bundled package. You can continue to use the old one until you upgrade to 2.4.

nathanjosiah commented 4 years ago

How did you install your current setup? Via composer?

onepack commented 4 years ago

@nathanjosiah, thank you for your replies, yes. All is done via composer. I will uninstall the current modules as the google is not working now. Any ideas about the release period?

nathanjosiah commented 4 years ago

@onepack 2.4 will release later this year. However, I am unable to reproduce this bug. Steps I took:

With MySQL 5.7.29 and PHP 7.3.17 and a new database m235p1. In a fresh directory I ran

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=2.3.5-p1 m235p1

followed by

bin/magento setup:install \
    --admin-firstname=Nathan \
    --admin-lastname=Smith \
    --admin-email=[redacted] \
    --admin-user=admin \
    --admin-password=[redacted] \
    --base-url=[redacted] \
    --db-host=localhost \
    --db-name=m235p1 \
    --db-user=root \
    --currency=USD \
    --timezone=America/Chicago \
    --language=en_US \
    --use-rewrites=1 \
    --backend-frontname='admin'

And after installation finished I enabled 2fa, enabled google, and forced google as the provider. When I saved I was redirected to the configuration screen and the QR code was shown. Do your magento log files show any errors?

onepack commented 4 years ago

@nathanjosiah, thanks again for getting back to me this fast. I will test on a different installation. On a different dev environment! There is an IP restrict in place on these dev environments. Could this block access to Google for serving the image, or can it be that a webp module is breaking the image as it tries to recreate it in webp format? Anyway, I will test for this this evening and drop the results here.

nathanjosiah commented 4 years ago

@onepack were you able to get this working?

onepack commented 4 years ago

@nathanjosiah I have got it working on the production environment! The issue on dev is not related to the module so I'll close this issue. Thanks!