yrccondor / wp-webauthn

🔒 WP-WebAuthn allows you to safely login to your WordPress site without password.
https://wordpress.org/plugins/wp-webauthn
GNU General Public License v3.0

Upgrade 1.3.4 and failed to login #78

Open linkerlin opened 1 month ago

linkerlin commented 1 month ago

reinstall and delete and register and failed

yrccondor commented 1 month ago

Hi linkerlin could you please provide plugin logs?

linkerlin commented 1 month ago

> Hi linkerlin could you please provide plugin logs?

[2024-10-07 17:30:28][a0408f] ajax_auth: Start
[2024-10-07 17:30:28][a0408f] ajax_auth: type => "auth", user => "admin"
[2024-10-07 17:30:28][a0408f] ajax_auth: allowedCredentials => [{"type":"public-key","id":"nYnm_NbZXouJWwAypngjogI1qxw9aWhWdfJmdGmi5mI"},{"type":"public-key","id":"90oEgnsefhd280iYxVXsRrJ1G_c"},{"type":"public-key","id":"fKq28vSRnS60GVzYlQySouf3atk28yVUuvPPaR3GfNE"}]
[2024-10-07 17:30:28][a0408f] ajax_auth: user_verification => "false"
[2024-10-07 17:30:28][a0408f] ajax_auth: Challenge sent
[2024-10-07 17:30:41][da870c] ajax_auth_response: Client response received
[2024-10-07 17:30:41][da870c] ajax_auth_response: (ERROR)Wrong parameters, exit
[2024-10-07 17:31:57][371ac1] ajax_auth: Start
[2024-10-07 17:31:57][371ac1] ajax_auth: type => "test", user => "admin", usernameless => "false"
[2024-10-07 17:31:57][371ac1] ajax_auth: allowedCredentials => [{"type":"public-key","id":"nYnm_NbZXouJWwAypngjogI1qxw9aWhWdfJmdGmi5mI"},{"type":"public-key","id":"90oEgnsefhd280iYxVXsRrJ1G_c"},{"type":"public-key","id":"fKq28vSRnS60GVzYlQySouf3atk28yVUuvPPaR3GfNE"}]
[2024-10-07 17:31:57][371ac1] ajax_auth: user_verification => "false"
[2024-10-07 17:31:57][371ac1] ajax_auth: Challenge sent
[2024-10-07 17:32:12][a9cb91] ajax_auth_response: Client response received
[2024-10-07 17:32:12][a9cb91] ajax_auth_response: (ERROR)Wrong parameters, exit
[2024-10-07 17:32:21][852cde] ajax_modify_authenticator: Start
[2024-10-07 17:32:21][852cde] ajax_modify_authenticator: user => "admin"
[2024-10-07 17:32:21][852cde] ajax_modify_authenticator: Remove "iPhone"
[2024-10-07 17:32:21][852cde] ajax_modify_authenticator: Done
[2024-10-07 17:32:36][721282] ajax_create: Start
[2024-10-07 17:32:36][721282] ajax_create: name => "iOS", type => "none", usernameless => "true"
[2024-10-07 17:32:37][721282] ajax_create: user => "admin"
[2024-10-07 17:32:37][721282] ajax_create: excludeCredentials => [{"type":"public-key","id":"nYnm_NbZXouJWwAypngjogI1qxw9aWhWdfJmdGmi5mI"},{"type":"public-key","id":"fKq28vSRnS60GVzYlQySouf3atk28yVUuvPPaR3GfNE"}]
[2024-10-07 17:32:37][721282] ajax_create: user_verification => "false"
[2024-10-07 17:32:37][721282] ajax_create: Usernameless set, user_verification => "true"
[2024-10-07 17:32:37][721282] ajax_create: Challenge sent
[2024-10-07 17:32:46][eb589b] ajax_create_response: Client response received
[2024-10-07 17:32:46][eb589b] ajax_create_response: name => "iOS", type => "none", usernameless => "true"
[2024-10-07 17:32:46][eb589b] ajax_create_response: data => {"id":"h4yi_-YhKEZEgngobMOBtJKU5UEOd50yjcYzSwKz3Oc","type":"public-key","rawId":"h4yi/+YhKEZEgngobMOBtJKU5UEOd50yjcYzSwKz3Oc=","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiaWRYTlBYSDVGVEdzYzRSdWhFYThySXhaX0ItYWplMUlOZmRodFFzbDlSTSIsIm9yaWdpbiI6Imh0dHBzOi8vamlleWlidS5uZXQiLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ==","attestationObject":"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"}}
[2024-10-07 17:32:46][eb589b] ajax_create_response: (ERROR)unserialize(): Argument #1 ($data) must be of type string, array given
[2024-10-07 17:32:46][eb589b] Traceback: 1) /var/www/html/wp-admin/admin-ajax.php(192): do_action() 2) /var/www/html/wp-includes/plugin.php(517): WP_Hook->do_action() 3) /var/www/html/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters() 4) /var/www/html/wp-includes/class-wp-hook.php(324): wwa_ajax_create_response() 5) /var/www/html/wp-content/plugins/wp-webauthn/wwa-ajax.php(423): wwa_get_temp_val()
[2024-10-07 17:32:46][eb589b] ajax_create_response: (ERROR)Unknown error, exit
[2024-10-07 17:36:57][d929b2] ajax_auth: Start
[2024-10-07 17:36:57][d929b2] ajax_auth: type => "auth", user => "admin"
[2024-10-07 17:36:57][d929b2] ajax_auth: allowedCredentials => [{"type":"public-key","id":"nYnm_NbZXouJWwAypngjogI1qxw9aWhWdfJmdGmi5mI"},{"type":"public-key","id":"fKq28vSRnS60GVzYlQySouf3atk28yVUuvPPaR3GfNE"}]
[2024-10-07 17:36:57][d929b2] ajax_auth: user_verification => "false"
[2024-10-07 17:36:57][d929b2] ajax_auth: Challenge sent
[2024-10-07 17:37:01][44a96c] ajax_auth_response: Client response received
[2024-10-07 17:37:01][44a96c] ajax_auth_response: (ERROR)Wrong parameters, exit
[2024-10-07 17:39:21][711c34] ajax_modify_authenticator: Start
[2024-10-07 17:39:21][711c34] ajax_modify_authenticator: user => "admin"
[2024-10-07 17:39:21][711c34] ajax_modify_authenticator: Remove "HUAWEI"
[2024-10-07 17:39:22][711c34] ajax_modify_authenticator: Done
[2024-10-07 17:39:29][7a5229] ajax_modify_authenticator: Start
[2024-10-07 17:39:29][7a5229] ajax_modify_authenticator: user => "admin"
[2024-10-07 17:39:29][7a5229] ajax_modify_authenticator: Remove "OMEN16"
[2024-10-07 17:39:29][7a5229] ajax_modify_authenticator: Done
[2024-10-07 17:43:06][8f39ce] ajax_create: Start
[2024-10-07 17:43:06][8f39ce] ajax_create: name => "HUAWEI", type => "none", usernameless => "true"
[2024-10-07 17:43:07][8f39ce] ajax_create: user => "admin"
[2024-10-07 17:43:07][8f39ce] ajax_create: excludeCredentials => []
[2024-10-07 17:43:07][8f39ce] ajax_create: user_verification => "false"
[2024-10-07 17:43:07][8f39ce] ajax_create: Usernameless set, user_verification => "true"
[2024-10-07 17:43:07][8f39ce] ajax_create: Challenge sent
[2024-10-07 17:43:13][0f42bd] ajax_create_response: Client response received
[2024-10-07 17:43:13][0f42bd] ajax_create_response: name => "HUAWEI", type => "none", usernameless => "true"
[2024-10-07 17:43:13][0f42bd] ajax_create_response: data => {"id":"Q7FyB0-eNhqj1AgrYlpTLirVrasS_Wi28HWBBglgWVk","type":"public-key","rawId":"Q7FyB0+eNhqj1AgrYlpTLirVrasS/Wi28HWBBglgWVk=","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiMnJTaFQ4dlB2R0JfUkFpUDFCTmZ1dDNldkVkYnpjVlFGY1hVR05PbkdWOCIsIm9yaWdpbiI6Imh0dHBzOi8vamlleWlidS5uZXQiLCJjcm9zc09yaWdpbiI6ZmFsc2V9","attestationObject":"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"}}
[2024-10-07 17:43:13][0f42bd] ajax_create_response: (ERROR)unserialize(): Argument #1 ($data) must be of type string, array given
[2024-10-07 17:43:13][0f42bd] Traceback: 1) /var/www/html/wp-admin/admin-ajax.php(192): do_action() 2) /var/www/html/wp-includes/plugin.php(517): WP_Hook->do_action() 3) /var/www/html/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters() 4) /var/www/html/wp-includes/class-wp-hook.php(324): wwa_ajax_create_response() 5) /var/www/html/wp-content/plugins/wp-webauthn/wwa-ajax.php(423): wwa_get_temp_val()
[2024-10-07 17:43:13][0f42bd] ajax_create_response: (ERROR)Unknown error, exit
[2024-10-07 17:51:39][6b3b9b] ajax_create: Start
[2024-10-07 17:51:39][6b3b9b] ajax_create: name => "iOS", type => "none", usernameless => "true"
[2024-10-07 17:51:39][6b3b9b] ajax_create: user => "admin"
[2024-10-07 17:51:39][6b3b9b] ajax_create: excludeCredentials => []
[2024-10-07 17:51:39][6b3b9b] ajax_create: user_verification => "false"
[2024-10-07 17:51:39][6b3b9b] ajax_create: Usernameless set, user_verification => "true"
[2024-10-07 17:51:39][6b3b9b] ajax_create: Challenge sent
[2024-10-07 17:52:08][3cf7d0] ajax_create_response: Client response received
[2024-10-07 17:52:08][3cf7d0] ajax_create_response: name => "iOS", type => "none", usernameless => "true"
[2024-10-07 17:52:08][3cf7d0] ajax_create_response: data => {"id":"OYiuisl8cG9tIgIJwn1HH_4fLjo","type":"public-key","rawId":"OYiuisl8cG9tIgIJwn1HH/4fLjo=","response":{"clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiQnRIWGlFZFlJT0JPYTZXVTR2eEFsUWpycmZUWHdyLW5taHNScmc3NUZWNCIsIm9yaWdpbiI6Imh0dHBzOi8vamlleWlidS5uZXQiLCJjcm9zc09yaWdpbiI6ZmFsc2V9","attestationObject":"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYc7mZuDFLBhcyaPVQ9f59sXZs2KUE4Xgx0ayOGM9dUY1dAAAAAAAAAAAAAAAAAAAAAAAAAAAAFDmIrorJfHBvbSICCcJ9Rx/+Hy46pQECAyYgASFYIO22KfgVae8161OqVkpNwEhXvjhYmPjM543xYQkEdu9IIlggep5J4hwbyTeGa0iD+enOypUpwV+JEuTXy/MWGOf2OD4="}}
[2024-10-07 17:52:08][3cf7d0] ajax_create_response: (ERROR)unserialize(): Argument #1 ($data) must be of type string, array given
[2024-10-07 17:52:08][3cf7d0] Traceback: 1) /var/www/html/wp-admin/admin-ajax.php(192): do_action() 2) /var/www/html/wp-includes/plugin.php(517): WP_Hook->do_action() 3) /var/www/html/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters() 4) /var/www/html/wp-includes/class-wp-hook.php(324): wwa_ajax_create_response() 5) /var/www/html/wp-content/plugins/wp-webauthn/wwa-ajax.php(423): wwa_get_temp_val()
[2024-10-07 17:52:08][3cf7d0] ajax_create_response: (ERROR)Unknown error, exit

linkerlin commented 1 month ago

PHP 8.1.2

yrccondor commented 1 month ago

I have to say this is super weird. I tested the same operation on both PHP 7.4 and 8.2 but I could not reproduce this issue. In theory this error should never happen (the argument provided for that unserialize() call should 100% be a string), and code related to the issue was not changed in the 1.3.4 update (actually it's been there and not changed since 2021), so I suspect that this issue may not be related to our recent updates.

Could you please tell me the version of WordPress you are using? While I'm looking into this issue, if it's okay could you please try to disable some other plugins?

linkerlin commented 1 month ago

> I have to say this is super weird. I tested the same operation on both PHP 7.4 and 8.2 but I could not reproduce this issue. In theory this error should never happen (the argument provided for that unserialize() call should 100% be a string), and code related to the issue was not changed in the 1.3.4 update (actually it's been there and not changed since 2021), so I suspect that this issue may not be related to our recent updates.
>
> Could you please tell me the version of WordPress you are using? While I'm looking into this issue, if it's okay could you please try to disable some other plugins?

WordPress Ver. 6.6.2

linkerlin commented 1 month ago

I have tested the newest version of wp-webauthn. When I disable some plugins, it's OK again. The plugin Docket Cache is NOT compliant with wp-webauthn.

yrccondor commented 1 month ago

Ah, that makes sense. I believe this plugin somehow changed the behavior of WordPress cache system APIs and thus breaks wp-webauthn. I'll look into this plugin and try to make things work.
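
A triage sketch for logs in the format posted above, added here as an example (it is not part of the thread or the plugin's code): it groups entries by request id and reports, for each failed request, whether the error came before or after the client payload was logged. The sample entries are constructed, and the function names and the `stage` / `php_type_error` fields are this example's own.

```python
import base64
import json
import re

# Entry format seen in the log above: [timestamp][request id] handler: message
ENTRY = re.compile(r"^\[([^\]]+)\]\[([0-9a-f]{6})\] ([^:]+): (.*)$")

def decode_client_data(b64):
    """Decode a logged clientDataJSON value (base64 or base64url, padded or not)."""
    return json.loads(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))

def triage(lines):
    """Group entries by request id; summarise each request that logged an error."""
    requests = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a plugin log entry
        _ts, rid, handler, msg = m.groups()
        req = requests.setdefault(rid, {"id": rid, "handler": None, "errors": [], "client": None})
        if handler != "Traceback":
            req["handler"] = handler
        if msg.startswith("(ERROR)"):
            req["errors"].append(msg[len("(ERROR)"):])
        elif msg.startswith("data => "):
            try:
                data = json.loads(msg[len("data => "):])
                req["client"] = decode_client_data(data["response"]["clientDataJSON"])
            except (ValueError, KeyError, TypeError):
                pass  # truncated or redacted payload: keep the errors, skip decoding
    report = [r for r in requests.values() if r["errors"]]
    for r in report:
        r["stage"] = "after client data" if r["client"] else "before client data"
        r["php_type_error"] = any("must be of type" in e for e in r["errors"])
    return report

def constructed_sample():
    """Constructed entries in the same format; values are made up, not from the issue."""
    cdj = base64.b64encode(json.dumps(
        {"type": "webauthn.create", "origin": "https://example.test"}).encode()).decode()
    data = json.dumps({"id": "AAAA", "response": {"clientDataJSON": cdj}})
    return [
        "[2024-01-01 00:00:00][aaaaaa] ajax_create: Challenge sent",
        "[2024-01-01 00:00:05][bbbbbb] ajax_create_response: data => " + data,
        "[2024-01-01 00:00:05][bbbbbb] ajax_create_response: (ERROR)unserialize(): Argument #1 ($data) must be of type string, array given",
        "[2024-01-01 00:00:05][bbbbbb] Traceback: 1) /placeholder.php(1): placeholder()",
        "[2024-01-01 00:00:05][bbbbbb] ajax_create_response: (ERROR)Unknown error, exit",
        "[2024-01-01 00:00:09][cccccc] ajax_auth_response: (ERROR)Wrong parameters, exit",
    ]
```

A request that fails at the `after client data` stage with `php_type_error` set already had a well-formed client payload logged, so the error was raised later in server-side handling.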