This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord. Thank you!

2-Factor Authentication (2FA - Done)
#31
So, is the login not supposed to deny access if the auth code is false when a user has 2-factor enabled on their account?

As it doesn't do it, it'll still allow the user in as long as they have the correct password.
  Reply
#32
Hey Troxin,

Jamie and I were just chatting in Discord about having the variable set to false, and use true to update it (if it is right) that way it will always deny unless verification passes.

Thoughts?

B.
  Reply
#33
I'm not sure what you guys are talking about with allowing users in (It doesn't). The modified login.php makes sure the user can't get in. The API is just for setting 2FA up the first time.
  Reply
#34
Default value in sql for twoEnabled is 0. That means 2FA is disabled for the account. If user logs in and enables 2FA with a correct auth code from their phone, twoEnabled switches to 1 via ajax and api. The next time the user logs in, if he doesn't supply correct code in login form, login.php will set $login to false and not allow login.
  Reply
#35
Hi Troxin,

My thoughts are that something unexpected could occur, and users may be able to bypass the 2FA check since twoPassed is defaulted to true as you define it as true, and only change it to false if the check fails.

My recommendation is change this to false by default, and update to true only if the check passes.

That way you cover bases of something unexpected and users being able to gain access when they shouldn't.

This is all theoretical, but I think rejecting for all reasons and accepting for one versus the opposite is more secure and safer.

B.
  Reply
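The default-deny pattern recommended in #35, combined with the twoEnabled 0/1 flow described in #34, as an added example that is not the thread's code, the hastebin paste, or UserSpice's own login.php. The user row shape, the 'secret' column, the $verifyCode stand-in for the 2FA library call, and the expected code value are all assumptions made for this illustration.

```php
<?php
// Added example (not UserSpice code): fail-open vs fail-closed 2FA gate.
// Assumed row shape: ['twoEnabled' => 0|1, 'secret' => '...']. twoEnabled is
// the column named in the thread; 'secret' is assumed. $verifyCode stands in
// for the 2FA library: true for a valid code, false for a bad one, and it may
// throw on an unexpected condition (missing code, clock/network error, etc.).

declare(strict_types=1);

/**
 * The pattern #35 warns about: $twoPassed starts true and is cleared only
 * when the check explicitly reports failure. Any path that skips the failing
 * branch (an exception, a non-false return, a branch that never runs) leaves
 * it true and the password alone is enough to log in.
 */
function loginFailOpen(array $user, bool $passwordOk, ?string $code, callable $verifyCode): bool
{
    $login = $passwordOk;
    $twoPassed = true; // default-allow
    if ((int)$user['twoEnabled'] === 1) {
        try {
            if ($verifyCode($user['secret'], (string)$code) === false) {
                $twoPassed = false;
            }
        } catch (Throwable $e) {
            // error swallowed: $twoPassed is still true
        }
    }
    return $login && $twoPassed;
}

/**
 * The recommended pattern: $twoPassed starts false and becomes true only when
 * verification returns exactly true. Every other outcome, including an error
 * inside the check itself, denies the login.
 */
function loginFailClosed(array $user, bool $passwordOk, ?string $code, callable $verifyCode): bool
{
    if (!$passwordOk) {
        return false;
    }
    if ((int)$user['twoEnabled'] !== 1) {
        return true; // 2FA not enabled for this account (twoEnabled = 0)
    }
    $twoPassed = false; // default-deny
    try {
        $twoPassed = ($verifyCode($user['secret'], (string)$code) === true);
    } catch (Throwable $e) {
        $twoPassed = false; // a failure to check is a failed check
    }
    return $twoPassed;
}

// Constructed stand-in for the library call. An empty code is treated as an
// error here to model the "something unexpected" case from #35.
$verifyCode = function (string $secret, string $code): bool {
    if ($code === '') {
        throw new RuntimeException('no code supplied');
    }
    return hash_equals('123456', $code); // constructed expected code
};

// Constructed accounts: one with 2FA enabled, one without.
$userWith2fa    = ['twoEnabled' => 1, 'secret' => 'constructed-secret'];
$userWithout2fa = ['twoEnabled' => 0, 'secret' => ''];

$cases = [
    '2FA on, correct code' => [$userWith2fa, '123456'],
    '2FA on, wrong code'   => [$userWith2fa, '000000'],
    '2FA on, missing code' => [$userWith2fa, ''],
    '2FA off, no code'     => [$userWithout2fa, ''],
];
foreach ($cases as $label => [$user, $code]) {
    printf("%-22s fail-open: %-5s  fail-closed: %s\n",
        $label,
        loginFailOpen($user, true, $code, $verifyCode) ? 'ALLOW' : 'deny',
        loginFailClosed($user, true, $code, $verifyCode) ? 'ALLOW' : 'deny');
}
```

Run with `php` on the command line. The two versions agree on the correct code, the wrong code, and the account with twoEnabled = 0; they differ on the missing-code case, where the stand-in verifier throws: the fail-open version never reaches the line that clears $twoPassed and lets the user in on the password alone, while the fail-closed version denies because $twoPassed was never set to true. That difference is exactly the argument in #35 for rejecting by default and accepting only on a confirmed pass.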
#36
I think that library only returns true if it gets a good response but not a bad point.
  Reply
#37
That would look like this: https://hastebin.com/obivodopec.php
  Reply
#38
Yup! You got it! I think that is the safest way tbh! I will give this a shot on my proj here in a little bit.
  Reply
#39
Let me know what you guys come up with. This is really interesting.
  Reply
#40
The code I've posted works. I'm using it in production.
  Reply