netzbegruenung / keycloak-mfa-plugins

Keycloak plugins for MFA (enforce MFA, SMS authentication step, native app integration)
Apache License 2.0

Prohibit sending forms multiple times #30

Closed svenseeberg closed 1 year ago

svenseeberg commented 2 years ago

It is possible for users to hit the submit button multiple times when entering a code. This results in an error page for users, because usually for the second request the CSRF token has expired.

We should disable the submit action after it has been triggered once.
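Added example, not part of the original thread or the plugin's code: one way to implement the client-side guard proposed above in JavaScript. The name `guardSingleSubmit`, its parameters, and the choice of the first form on the page are assumptions made for illustration.

```javascript
// Added example: guard a form against repeated submission.
// `guardSingleSubmit`, `win` and `defer` are hypothetical names, not plugin code.
function guardSingleSubmit(form, win, defer) {
  // Disable buttons on the next tick, so the clicked button's own
  // name/value is still included in the first request.
  defer = defer || ((fn) => setTimeout(fn, 0));
  let submitted = false;

  const setButtons = (disabled) => {
    form.querySelectorAll('button[type="submit"], input[type="submit"]')
      .forEach((b) => { b.disabled = disabled; });
  };

  form.addEventListener('submit', (event) => {
    if (submitted) {
      // Second click or Enter key press: drop it before it is sent.
      event.preventDefault();
      return;
    }
    submitted = true;
    defer(() => setButtons(true));
  });

  // A page restored from the back/forward cache keeps its script state,
  // so reset the guard or the form stays locked after "Back".
  if (win) {
    win.addEventListener('pageshow', (event) => {
      if (event.persisted) {
        submitted = false;
        setButtons(false);
      }
    });
  }
  return { isSubmitted: () => submitted };
}

// Browser usage (assumption: the code entry form is the first form on the page).
if (typeof document !== 'undefined' && document.forms.length > 0) {
  guardSingleSubmit(document.forms[0], window);
}
```

The flag, not the disabled button, is what blocks the second request, so a submission triggered with the Enter key is covered as well.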

b90g commented 2 years ago

Please note, this also applies to TOTP.

svenseeberg commented 2 years ago

Okay, in this case we need to investigate if this is a bug with Keycloak in general.

svenseeberg commented 1 year ago

> Please note, this also applies to TOTP.

I could not reproduce this problem for the TOTP form.

b90g commented 1 year ago

Same here, FF/Chromium 104. Sorry for the hassle.

melegiul commented 1 year ago

I cannot reproduce this for the SMS plugin with Firefox 91.13.0esr, either. I see the "invalid page" error with Chrome 104.0.5112.101, but only when I try to log in to wolke and not directly to saml. So does using Firefox as a workaround solve this for you, too?