[5.x]: Frontend Login Blocked when using TOTP #14844

Open
ianshea opened this issue Apr 22, 2024 · 3 comments

ianshea commented Apr 22, 2024

What happened?

Description

When trying to set up a public login form, users with TOTP set up are blocked from logging in due to a missing-template error.

Steps to reproduce

  1. Create Craft 5 Pro Site
  2. Create user with TOTP
  3. Create Login form from KB Article
  4. Open a new browser (Incognito) and try to log in as the user using the new form.
  5. Receive Twig Template Error

Expected behavior

Craft allows a way for a user with a TOTP set to login via the Frontend.

Actual behavior

Craft throws an error looking for a CP template that the frontend does not have access to.

Twig Template Loading Error – craft\web\twig\TemplateLoaderException
Unable to find the template “_components/auth/methods/TOTP/form.twig”.

Craft seems to be going through craft\auth\methods\TOTP::getAuthFormHtml if a user has TOTP set up, and there is no way to modify this.

Craft CMS version

Craft Pro 5.0.4

PHP version

8.2.15

Operating system and version

Linux 6.6.16-linuxkit

Database type and version

MariaDB 10.4.32

Image driver and version

Imagick 3.7.0 (ImageMagick 6.9.11-60)

Installed plugins and versions

  • Azure Blob Storage
ianshea added the bug label Apr 22, 2024


i-just commented Apr 23, 2024

Hi, thanks for reaching out! At the moment MFA is only implemented for the Control Panel requests, so it should only be enabled for the users who have access to the Control Panel.
That being said, we are working on a front-end solution!


ieuan commented May 8, 2024

Hi, I've come across this for a site I'm working on.

Adding this Event hook removes the issue with the template load

use Craft;
use craft\events\RegisterComponentTypesEvent;
use craft\services\Auth;
use yii\base\Event;

Event::on(Auth::class, Auth::EVENT_REGISTER_METHODS, function (RegisterComponentTypesEvent $event) {
    if (!Craft::$app->getRequest()->getIsCpRequest()) {
        // remove all MFA method types for front-end (site) requests
        $event->types = [];
    }
});

However if a user logs in to the front end they can then access the control panel (e.g. by entering the url), without the extra MFA step.

we are working on a front-end solution!

Are you able to share what your approach is going to be or a roadmap for front end MFA?

I don't need front end MFA (yet) but would be good to still have the security on the back end if a user logs in.

Many thanks

AugustMiller (Contributor) commented

🚨 This part is worth stressing, for anyone else coming across the thread!

However if a user logs in to the front end they can then access the control panel (e.g. by entering the url), without the extra MFA step.

Whether or not Craft treats a request as a “site request” is unrelated to the authenticating user’s permissions! A user with access to the control panel could very well sign in via a front-end login form and bypass auth checks.

The “correct” way to avoid MFA for front-end users I believe would be to place these users in groups that don't overlap with those that grant CP access or require MFA—either that, or check the authenticating user’s permissions prior to removing MFA methods.
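A hardened variant of the event hook posted earlier in this thread, written here as an added example (not Craft's own code or anything from the project) that follows the second suggestion above: MFA methods are only dropped for a site request when the user being authenticated has no control panel access, so a CP user who signs in through a front-end form still hits the MFA step. It assumes the Auth service exposes the user undergoing authentication via `Craft::$app->getAuth()->getUser()`; `shouldBypassMfaOnSite()` is a helper introduced for this example.

```php
<?php
// Added example, not Craft's code: keep MFA for anyone who could reach the CP.
use Craft;
use craft\elements\User;
use craft\events\RegisterComponentTypesEvent;
use craft\services\Auth;
use yii\base\Event;

Event::on(Auth::class, Auth::EVENT_REGISTER_METHODS, function (RegisterComponentTypesEvent $event) {
    if (Craft::$app->getRequest()->getIsCpRequest()) {
        return; // control panel requests keep every registered MFA method
    }

    // Assumption: the Auth service returns the user currently being authenticated.
    $user = Craft::$app->getAuth()->getUser();

    if (!shouldBypassMfaOnSite($user)) {
        return; // user could reach the CP (or is unknown): leave MFA methods in place
    }

    // Site-only user with no CP access: skip MFA on the front end, as the original hook did.
    $event->types = [];
});

/**
 * Decide whether MFA may be skipped for a front-end login.
 * Fails closed: an unknown user, an admin, or any CP access keeps MFA on.
 */
function shouldBypassMfaOnSite(?User $user): bool
{
    if ($user === null) {
        return false;
    }
    if ($user->admin || $user->can('accessCp')) {
        return false;
    }
    return true;
}
```

Putting the permission check on the authenticating user rather than on the request type is what closes the bypass noted above, since the request being a site request says nothing about what the user may access once signed in.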
