nexcess / magento-sentry-two-factor-authentication


Google Authenticator QR code - 'Continue' button not working #14

Open aricwatson opened 8 years ago

aricwatson commented 8 years ago

Reported via email.

May be related to https://github.com/nexcess/magento-sentry-two-factor-authentication/issues/10

The QR code for Google Authenticator does not work after pressing the 'Continue' button on the live server.

Console error: Uncaught TypeError: Cannot read property 'submit' of undefined    onclick @ (index):48

My Magento version is 1.7.0.2. On my local server it worked perfectly.

subscriberumail commented 7 years ago

There is an error in the browser console: Refused to execute script from 'https://myservername.com/js/index.php/x.js?f=prototype/prototype.js,pr…s,mage/adminhtml/events.js,mage/adminhtml/form.js,scriptaculous/effects.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. This is because the MIME type does not correspond to (X-Content-Type-Options: nosniff). I read this: http://stackoverflow.com/questions/24528211/refused-to-execute-script-from-because-its-mime-type-application-json-is

They said (it seems to me) that we need to comment out with # one line in the store's .htaccess file:

Header set X-Content-Type-Options: nosniff

SOLUTION IS: Remove this header to prevent the browser from performing the MIME check.

If we do these actions: make the change in .htaccess, clean the Magento cache, AND clean the cookies in the browser (it's important), then prototype JS is not blocked, the CONTINUE button will work and the module will work. Question is: can the authors patch your code so that the header above can stay enabled in the .htaccess file?

Here are the logs (but just make the change yourself in your .htaccess file: Header set X-Content-Type-Options: nosniff, and you will see the BUG):

2016-12-20T08:39:14+00:00 EMERG (0): googleAction start
2016-12-20T08:39:15+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:39:15+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - not active, try again
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - redirect to https://localhost/index.php/admin/twofactor/google/key/42723b3081872b7735f1216acaf29125/
2016-12-20T08:40:55+00:00 EMERG (0): googleAction start
2016-12-20T08:40:55+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:40:55+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - not active, try again
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - redirect to https://localhost/index.php/admin/twofactor/google/key/42723b3081872b7735f1216acaf29125/
2016-12-20T09:00:14+00:00 EMERG (0): googleAction start
2016-12-20T09:00:14+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:00:14+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:01:42+00:00 EMERG (0): verifyAction start
2016-12-20T09:01:42+00:00 EMERG (0): TFA Verify attempt for admin account d from IP 127.0.0.1
2016-12-20T09:01:42+00:00 EMERG (0): verifyAction - start Google validate
2016-12-20T09:01:42+00:00 EMERG (0): verifyGoogle - new google secret saved for admin account d from IP 127.0.0.1
2016-12-20T09:01:42+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:01:42+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:01:47+00:00 EMERG (0): googleAction start
2016-12-20T09:01:48+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:01:48+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T10:40:12+00:00 EMERG (0): check_twofactor_active - tfa state none
2016-12-20T10:40:18+00:00 EMERG (0): check_twofactor_active - tfa state none
2016-12-20T10:40:36+00:00 EMERG (0): authenticate_after - get2faState is not active
2016-12-20T10:40:36+00:00 EMERG (0): authenticate_after - redirect to https://localhost/index.php/admin/twofactor/google/key/1ad82bf0c598ab6ffbf696a9a5b533b7/
2016-12-20T10:40:45+00:00 EMERG (0): googleAction start
2016-12-20T10:40:46+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T10:40:46+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active

miguelbalparda commented 7 years ago

Why are you pulling your js files with https://myservername.com/js/index.php/x.js?f=prototype/prototype.js ? It seems to be a module, what happens if you disable it and use this module?

subscriberumail commented 7 years ago

This js call was added by exactly your module, here at line 58: /app/design/adminhtml/default/default/template/he_twofactor/google/auth.phtml. Maybe you can change line 48 to remove xhtml1-strict.dtd (so that strict MIME type checking is disabled), or do something else to patch the issue? I will wait for your answer on what to do.

miguelbalparda commented 7 years ago

Sorry, too early in the morning :) This is the first time this issue is reported, let me check this and get back to you.

subscriberumail commented 7 years ago

Have you checked the bug?

miguelbalparda commented 7 years ago

Still working on it. What have you tried so far to fix this? Feel free to submit a PR with your fixes while we work on this.

subscriberumail commented 7 years ago

Now I commented out with # one line in the store's .htaccess file:

Header set X-Content-Type-Options: nosniff

joshkersey commented 7 years ago

I can confirm the same issue as reported here when using the devel branch. I don't have the nosniff header in my .htaccess to comment it out. I will add that I also see the following two errors:

captcha.js:25 Uncaught ReferenceError: Class is not defined at captcha.js:25

(index):56 Uncaught ReferenceError: varienForm is not defined at (index):56

joshkersey commented 7 years ago

Was able to resolve this by changing js/index.php at line 45 to be true instead of false:

// allow web server set content type automatically
$contentType = false;

After making this update the script is working correctly and I'm able to access the admin using Magento 1.9.3.0 and the devel branch of this project.
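The two workarounds in this thread differ in what they leave behind: dropping `Header set X-Content-Type-Options: nosniff` from `.htaccess` turns off a browser defense for every response the store serves, while setting `$contentType = true` in `js/index.php` makes the combined script come back with a JavaScript content type so the header can stay. The following added example (my own code, not part of this thread or of the nexcess module) models the check a nosniff-enforcing browser applies to a `<script>` response, using the JavaScript MIME type list from the WHATWG MIME Sniffing standard, and runs it over three constructed header blocks that stand in for the broken combiner reply, the header-removed reply and the fixed combiner reply. The header blocks are constructed samples, not captured from any server.

```python
"""Model of the browser-side X-Content-Type-Options: nosniff check for
script responses. Added example; not code from the nexcess module."""
from typing import Dict, Tuple

# JavaScript MIME types that a nosniff-enforcing browser accepts for a
# <script> request (WHATWG MIME Sniffing standard, "JavaScript MIME type").
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Constructed sample responses (not captured from a real server).
# 1) Combiner answers with text/html while nosniff is set: the thread's bug.
BROKEN_COMBINER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
"""
# 2) nosniff removed from .htaccess: the browser sniffs and the script runs,
#    but every other response loses the protection too.
HEADER_REMOVED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
"""
# 3) Combiner sends a real script type: the header can stay enabled.
FIXED_COMBINER = """HTTP/1.1 200 OK
Content-Type: application/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response header block into a lower-cased name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def mime_essence(content_type: str) -> str:
    """Return 'type/subtype' from a Content-Type value, dropping parameters."""
    return content_type.split(";", 1)[0].strip().lower()


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """Fetch honours the header only when its first value is the token 'nosniff'."""
    value = headers.get("x-content-type-options", "")
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def script_blocked_by_nosniff(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a browser would refuse to execute this response as a script.

    Returns (blocked, reason). Without nosniff the browser may sniff the body,
    so the script executes regardless of the declared type.
    """
    if not nosniff_enabled(headers):
        return False, "no nosniff header: browser may sniff, script executes"
    essence = mime_essence(headers.get("content-type", ""))
    if essence in JAVASCRIPT_MIME_TYPES:
        return False, f"nosniff with JavaScript type {essence}: script executes"
    return True, f"nosniff with non-script type {essence or '(none)'}: blocked"


def audit(samples: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """For each named sample return (blocked, nosniff_still_enabled).

    The second flag shows which fix keeps the defense in place.
    """
    result = {}
    for name, raw in samples.items():
        headers = parse_headers(raw)
        blocked, _ = script_blocked_by_nosniff(headers)
        result[name] = (blocked, nosniff_enabled(headers))
    return result


if __name__ == "__main__":
    samples = {"broken": BROKEN_COMBINER, "header_removed": HEADER_REMOVED,
               "fixed": FIXED_COMBINER}
    for name, raw in samples.items():
        blocked, reason = script_blocked_by_nosniff(parse_headers(raw))
        print(f"{name:15s} blocked={blocked!s:5s} {reason}")
```

Run as a script it prints one verdict per sample; only the `fixed` sample both executes and keeps nosniff enabled, which is the state the `js/index.php` change (or the module-side fix in #20) leaves the store in. The reason strings returned by `script_blocked_by_nosniff` match the browser's "Refused to execute script ... MIME type ('text/html') is not executable" message in substance, so the same function can be pointed at headers captured from a real store to confirm which asset responses are at fault before touching `.htaccess`.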

EricSeastrand commented 7 years ago

The change in #20 should remedy the issue without having to modify that core file, but it hasn't yet been merged into the devel branch. The index.php file you modified may be overwritten by a future core update.

You may want to try installing the version from #20.