openfactory-ch / whmcs-oath-addon

Google Authenticator (OATH) addon for WHMCS 6+ for admin and client area.

Can't view oath settings view like a customer #8

Closed asd200 closed 7 years ago

asd200 commented 8 years ago

After I logged in like a customer, the link index.php?m=oath simply doesn't work. Any suggestions?

For admins, configuration works fine.

asd200 commented 8 years ago

I guess that it can be some problem with index.php - it redirects me automatically to clientarea.php

I also discovered that in adminarea->client profile->profile I can't check "Two-Factor Authentication" checkbutton

Do you have any suggestions how to fix this?

dionysius commented 7 years ago

Hi, sorry for the late response. What version of WHMCS are you using? We're still using v6.3.1, so if it's a V7 issue, well then I need to update into that soon.

asd200 commented 7 years ago

Hi @dionysius nice to see your response.

I'm also working on WHMCS v6.3.1 and as I said my index.php is redirecting me to clientarea.php

dionysius commented 7 years ago

This seems to be pretty difficult to change. While I admit it would be nice not to depend on index.php, because often you have your own primary page.

To do further stuff in clientarea.php, it requires to be already logged in, which this oath module prevents in the first place (ignore the versions mismatch, the workflow is rarely changed significantly):

https://github.com/tje3d/WHMCS-FULL-DECODED-NULLED/blob/master/clientarea.php#L38

Login forced before anything useful can be done with "action" and other params.

https://github.com/tje3d/WHMCS-FULL-DECODED-NULLED/blob/master/includes/classes/class.clientarea.php#L122

Whatever way it goes within the login process, it exits hard.

One workaround, without changing this code, is not redirecting the URL /index.php?m=oath, so if you use apache with mod rewrite (no warranty for typos):

RewriteCond %{QUERY_STRING} !^m=oath$
RewriteCond %{REQUEST_URI} ^/index\.php$
RewriteRule ^ clientarea.php [R=301,NC,L]

(the idea is to ignore the redirect when m=oath is in the query string)

A real solution would be either

I would really like the last solution also because it's like melted into their existing system. But this requires a complete rewrite and we would directly compete with a paid solution of the creators in an unwanted manner...

any way, I'll investigate deeper into the first two second option.

Edit: first option completely falls, no alternative there.

dionysius commented 7 years ago

The other options are not suitable, there's no other solution than whitelisting the rewrite.
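
An added example (not code from this thread or from the addon): a small Python model of the rewrite workaround above, for checking which requests the m=oath whitelist lets through before deploying it. It assumes the rules sit in the document root and models only the directive features used here; `parse` and `redirect_target` are hypothetical helper names.

```python
import re

# Constructed copy of the workaround from the thread, flag list written without spaces.
RULES = r"""
RewriteCond %{QUERY_STRING} !^m=oath$
RewriteCond %{REQUEST_URI} ^/index\.php$
RewriteRule ^ clientarea.php [R=301,NC,L]
"""

def parse(text):
    """Return (conds, rule): conds are (variable, negated, regex); rule is (pattern, target, flags)."""
    conds, rule = [], None
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "RewriteCond":
            var = parts[1][2:-1]                       # strip "%{" and "}"
            neg = parts[2].startswith("!")
            conds.append((var, neg, re.compile(parts[2][1:] if neg else parts[2])))
        elif parts[0] == "RewriteRule":
            if len(parts) > 4:                         # RewriteRule takes two or three arguments
                raise ValueError("spaces inside the flag list: " + line)
            flags = parts[3].strip("[]").split(",") if len(parts) == 4 else []
            pattern = re.compile(parts[1], re.I if "NC" in flags else 0)
            rule = (pattern, parts[2], flags)
    return conds, rule

def redirect_target(path, query, text=RULES):
    """Return the redirect location for a request, or None if the rule does not fire."""
    conds, (pattern, target, _flags) = parse(text)
    env = {"QUERY_STRING": query, "REQUEST_URI": path}
    if not pattern.search(path):                       # "^" matches every path
        return None
    for var, neg, rx in conds:                         # RewriteConds are ANDed by default
        if bool(rx.search(env[var])) == neg:           # condition not satisfied
            return None
    # Without QSD the original query string is carried over to the target.
    return "/" + target + ("?" + query if query else "")

if __name__ == "__main__":
    for path, query in [("/index.php", "m=oath"), ("/index.php", ""),
                        ("/index.php", "m=oath&foo=1"), ("/cart.php", "")]:
        print(path, repr(query), "->", redirect_target(path, query))
```

The model shows that `index.php?m=oath&foo=1` is still redirected, because the condition is anchored to exactly `m=oath`; any link to the addon page that carries extra parameters needs a looser pattern.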