When viewing a member, at the bottom of their member screen on the backend it says whether they have MFA setup and when their recovery codes were created. However, for any user that has MFA setup, the recovery codes created date always shows as today.
For the above example, the date in the database was 25th May 2024.
How to reproduce
Setup MFA for a user
Manually change the Created date in the database to some time in the past (MFARegisteredMethod > SilverStripe\MFA\BackupCode\Method > Created)
View that user in the Security area
The created date for the recover codes will still be the current date
Possible Solution
There are two things wrong with this section in the admin.
Firstly, there is a typo which is why the date is always the current date.
Line 61 of src/FormField/RegisteredMFAMethodListField.php
'backupCreationDate' => $this->getBackupMethod()
backupCreationDate should be backupCreatedDate, as that is what the frontend code is expecting. This is causing the date to always show the current date.
Secondly, even when that is fixed, the backup method of the currently logged in user is being shown, not the user you are viewing.
Line 78 of src/FormField/RegisteredMFAMethodListField.php shows Security::getCurrentUser() being used whenever getBackupMethod() is called.
Module version(s) affected
5.2.4
Description
When viewing a member, at the bottom of their member screen on the backend it says whether they have MFA setup and when their recovery codes were created. However, for any user that has MFA setup, the recovery codes created date always shows as today.
For the above example, the date in the database was 25th May 2024.
How to reproduce
Possible Solution
There are two things wrong with this section in the admin.
Firstly, there is a typo which is why the date is always the current date.
Line 61 of
src/FormField/RegisteredMFAMethodListField.php'backupCreationDate' => $this->getBackupMethod()backupCreationDateshould bebackupCreatedDate, as that is what the frontend code is expecting. This is causing the date to always show the current date.Secondly, even when that is fixed, the backup method of the currently logged in user is being shown, not the user you are viewing.
Line 78 of
src/FormField/RegisteredMFAMethodListField.phpshowsSecurity::getCurrentUser()being used whenevergetBackupMethod()is called.I have a working solution here: https://github.com/gavynj/silverstripe-mfa/commit/fbc9369b2ce7756a7dfbaf2474e2f1ecb6c7b54b#diff-84c429bec93f6d0c4a4cdd55997e8d496dc14b3cf61d27e0a7aad8325ed12638R61
Additional Context
No response
Validations
silverstripe/installer(with any code examples you've provided)PRs