Error for users with 2 way authentication enabled in SC Login module 8.4.6

2 years 11 months ago - 2 years 11 months ago #67238 by markboos
We use the SC Login module (8.4.6) to log in at the frontend of a Joomla (3.9.26) website. Normal users without Joomla 2 way auth can simply log in, but every user with 2 way auth ("Authentication in 2 steps") can't proceed to the 2 way auth code pop-up. The screen simply stays as shown in the attachment; no possibility to enter the 2 way auth code. This occurs since we upgraded to J 3.9.26, in different browsers (tested on Firefox, Chrome and Edge) and on all devices (tested on PC, mobile and tablet). I don't see errors in the Apache log files; in Chrome I see this error:
Request URL:https://www.testsite.nl/modules/mod_sclogin/ajax/otpcheck.php
Status Code: 500 Internal Server Error
Referrer Policy: strict-origin-when-cross-origin

So this looks like some code in otpcheck.php is not conforming to one of our security settings. But we need these settings for the security of the website (protection against cross site scripting) and for GDPR requirements.

If you need more information about this bug please contact me.
Support Specialist
The first thing to check is if otpcheck.php is accessible at all. You can test by simply going to:
yoursite.com/modules/mod_sclogin/ajax/otpcheck.php

If that shows the Forbidden Error in your browser, that means that the file is inaccessible and likely being blocked by your webserver. In that case, you'll need to add the following to your .htaccess file to whitelist the otpcheck.php file:
RewriteRule ^modules\/mod_sclogin\/ajax\/otpcheck\.php - [L]

If that doesn't do the trick, then you'll need to figure out what may be blocking the script from running or let us know what error may be happening in the PHP code itself.

Hopefully, that gets you going, but if not, just let us know and we'll gladly help however we can.

Thanks!
Alex
2 years 11 months ago - 2 years 11 months ago #67241 by markboos
Hi Alex, thanks. Access to the file is OK; it gives back

{"needsOtp":"false","form":""}

It might have to do with a security measure to prevent XSS in our Apache webserver. But I am wondering: the only thing that changed is an update from J 3.9.25 to 3.9.26. Before it worked like a charm, after it broke.
Hi,

I've done some debugging on this, and in my case the error is not caused by scripts being blocked, but is caused by the line in otpcheck.php that attempts to get the path to otp.php.  I believe this function has been deprecated, and although it should have been aliased to its replacement, it's not working on my machine.  I just hardwired it, and it works:  require('../tmpl/otp.php');

I also had to remove the whole section "// Check if TFA is enabled. If not, just return false", as this was always returning false. I checked my database table, and the "folder" field is not populated in the extensions table, and the twofactorauth extension is not in there anyway, so it wasn't working. I came across an updated version in one of the other modules (but can't find it again in a hurry), so it could be copied in from there.
2 years 10 months ago - 2 years 10 months ago #67253 by markboos
I also continued debugging, but then at another front: I switched off all apache security (like preventing xss, sameorigin, and so on) and the TFA of sclogin still doesn't work. The Joomla TFA works well; both front- and backend.

Combined with the information from the post above and my debugging, I think something changed in Joomla 3.9.26 that is needed by the otpcheck.php script.
Support Specialist
Thank you for the detailed debugging information. It does sound like something suspect is happening and that info gives us a good basis to investigate to see if our test site behaves the same way yours does after an update.

If that code change is working for you right now, I'd say keep the workaround in place while we look into this.

-Melissa
Hi, yes the code change is working for me. Can I post my whole otpcheck.php script here so that others can use it, or would you prefer to keep it off the forum?
Support Specialist
2 years 10 months ago - 2 years 10 months ago #67258 by mel
Check out the new release of SCLogin that I just published. We think something underlying changed in Joomla that caused how we were calling our otpcheck to break. The release code change is different than what you have done, so please get the latest build. It uses Joomla's com_ajax system for making calls. That should prevent a lot of access restriction issues that can crop up.

This build resolved the issue on my test system. The change was pretty straightforward so Alex and I were comfortable putting it out without extensive testing. That said, please let us know if you have problems with 2 factor auth with this build.

***********
** Note, for any JFBConnect users that might see this thread - the JFBConnect 8.4.6 build does not include this fix. If you are:
1. Using JFBConnect 8.4.6, please just install the separate SCLogin version 8.4.7 as well.
2. Using the JFBConnect 9 beta branch, let us know if you need the module release with this fix. We've checked it in, but are not pushing the change for the module live since we are working on making our JFBConnect 9 beta the official release in the coming weeks.

-Melissa
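As an added illustration of the two points raised in this thread (checking the extensions table for an enabled two-factor plugin, and serving the OTP check through com_ajax instead of a directly requested PHP file), here is a sketch of a module helper. It is not SCLogin's own code; the module name "sclogin", the class name, and the `otp` layout are assumptions, and only Joomla 3.9 core APIs are used.

```php
<?php
// Added illustration, not SCLogin's code. Assumes Joomla 3.9 core APIs
// (JFactory, JSession, JUserHelper, JModuleHelper, com_ajax) and a
// hypothetical module named "sclogin" with a tmpl/otp.php layout.
defined('_JEXEC') or die;

class ModScloginHelper
{
    // True when at least one two-factor plugin is installed and enabled.
    // Reads #__extensions directly rather than relying on the "folder"
    // check that the thread reports as always returning false.
    public static function isTfaEnabled()
    {
        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select('COUNT(*)')
            ->from($db->quoteName('#__extensions'))
            ->where($db->quoteName('type') . ' = ' . $db->quote('plugin'))
            ->where($db->quoteName('folder') . ' = ' . $db->quote('twofactorauth'))
            ->where($db->quoteName('enabled') . ' = 1');
        $db->setQuery($query);

        return (int) $db->loadResult() > 0;
    }

    // Reached via index.php?option=com_ajax&module=sclogin&method=otpcheck&format=json
    // com_ajax loads modules/mod_sclogin/helper.php and calls <method>Ajax(), so
    // no script under modules/ has to be web-reachable (no .htaccess whitelisting).
    public static function otpcheckAjax()
    {
        $input = JFactory::getApplication()->input;

        // Only accept POST requests carrying a valid Joomla session token.
        if ($input->getMethod() !== 'POST' || !JSession::checkToken('post')) {
            throw new RuntimeException(JText::_('JINVALID_TOKEN'), 403);
        }

        if (!self::isTfaEnabled()) {
            return array('needsOtp' => false, 'form' => '');
        }

        // The OTP step is needed only when a two-factor key is stored for the user.
        $userId = JUserHelper::getUserId($input->post->get('username', '', 'username'));
        if (!$userId || empty(JFactory::getUser($userId)->otpKey)) {
            return array('needsOtp' => false, 'form' => '');
        }

        // Render the form from the module's own layout instead of a hard-coded
        // relative require('../tmpl/otp.php') path.
        ob_start();
        require JModuleHelper::getLayoutPath('mod_sclogin', 'otp');
        return array('needsOtp' => true, 'form' => ob_get_clean());
    }
}
```

Answering needsOtp from the username alone tells a caller which accounts have two-factor enabled; if that matters, return the form only after the password has been verified.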
Thanks! Will test this week on different (Apache) webservers.
2 years 10 months ago - 2 years 10 months ago #67266 by markboos
On 1 webserver it does work, on the other not. The error message has disappeared; I will have to search for where it goes wrong now.