

twofactorauth's Issues

Form displaying previous credentials

The first time I log in, the form is completely empty; the user name and password fields are blank.
When I close the browser (Chrome running on Arch Linux), reopen it and try to log in again, it displays the username and password values previously used. Is there a way to avoid showing the previous credentials?
Regards

Bypass: /nginx/auth.php always authenticates in debug

When the debug.log is activated in /nginx/auth.php by uncommenting the debug code in that file, and php.ini has display_errors turned on, every sub-request to this file will authenticate regardless of whether the user is actually authorized and logged in.

The culprit is the line
fwrite ($debugHandle,$key.": ".$value."\n");

This throws an "Array to string conversion" error when it hits the $_SERVER keys 'argv' and 'argc', which are arrays. Once the error is thrown, the script output is started, so you cannot successfully start a session or send the 401 response header.

It is impossible to guarantee that these keys themselves do not contain arrays. If you wish to print them to the log, then you must walk through $value recursively, checking is_array($value) in each new recursion.

I didn't care about printing deep argv/c to my debug log, so placing the following before the line fixed the issue for me:
if (is_array($value))
{
    $vs = array();

    // Flatten one level only; nested arrays are skipped rather than recursed into
    foreach ($value AS $k => $v)
    {
        if (is_array($v))
        {
            continue;
        }

        $vs[] = '[' . $k . "] => '" . $v . "'";
    }

    $value = implode(",\n", $vs);
}

For others it might be important and for that you would need to actually make a recursive function.
Although fixing bugs is always better, alternatively you may wish to force PHP's display_errors off at the top of nginx/auth.php so that other unexpected bugs don't bypass authentication either.
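Added example (not code from the twofactorauth project): a recursive formatter that handles nested $_SERVER values such as argv, combined with display_errors forced off so a stray warning can never start output before session_start() or the 401 header. The sample array, the formatDebugValue name and the php://memory handle are constructed for this illustration.

```php
<?php
// Added example, not part of the twofactorauth project: a log-safe replacement
// for the fwrite() debug line that recurses into arrays such as $_SERVER['argv'].

// Never let a warning reach the response body: once output has started,
// session_start() and the 401 header both fail, which is the bypass above.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Render any value as one string; nested arrays become {[k] => v, ...}. */
function formatDebugValue($value, int $depth = 0): string
{
    if (!is_array($value)) {
        return (is_scalar($value) || $value === null)
            ? var_export($value, true)
            : '<' . gettype($value) . '>';
    }
    if ($depth > 5) {                       // guard against pathological nesting
        return '<array truncated>';
    }
    $parts = [];
    foreach ($value as $k => $v) {
        $parts[] = '[' . $k . '] => ' . formatDebugValue($v, $depth + 1);
    }
    return '{' . implode(', ', $parts) . '}';
}

// Constructed sample shaped like the $_SERVER keys that triggered the error.
$sample = [
    'REQUEST_URI' => '/protected/page',
    'argv'        => ['auth.php', ['nested' => 'ok']],
    'argc'        => 2,
];

$debugHandle = fopen('php://memory', 'w+');   // stand-in for the real debug log
foreach ($sample as $key => $value) {
    fwrite($debugHandle, $key . ': ' . formatDebugValue($value) . "\n");
}
rewind($debugHandle);
echo stream_get_contents($debugHandle);
```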

Unable to create or login on initialisation

Hi,

Thanks for the 2FA app. I have installed the app under my nginx server's folder, configured for php-fpm etc. When I run the https://mysite.com.xyz/TwoFactorAuth for the first time, it takes me directly to the login page, asking for credentials, there is no option to add the first admin user.

The system either assumes I have a user database or is ignoring the initial creation step.

Any thoughts?

Session cookie not bound to the correct domain

I have a setup, where a single vhosted TwoFactorAuth is serving multiple vhost servers. In this case the cookies must be bound to the protected vhost instead of the TwoFactorAuth vhost.

Looks like this line in login.php :

$domain = ($_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['SERVER_NAME'] : false;

is checking for the correct Host request header but then is using the SERVER_NAME instead, which seems wrong. I guess the more correct code would be:

$domain = (isset($_SERVER['HTTP_HOST']) && $_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['HTTP_HOST'] : false;

Improve Protection Against Keyloggers

Something I have been thinking about:

Let's say we login using our TFA code on one computer. If the time limit hasn't passed yet, is it possible to login on a second computer using the same TFA code?

If it is, this is a security problem. TFA should be a one-time code. If it is not, a keylogger will be able to capture our information and the attacker can login even though we are already logged in. Keyloggers are one of the things TFA is supposed to block.

To remedy:

  • We should store the TFA code that is used for successful login until the timeout.
  • When a user logs in, make sure they aren't using any of the TFA codes that are marked as used already.
  • After the timeout, clear old TFA codes from the 'used' table.

Perhaps add a config option to turn it off for debugging or if the admin doesn't care.

The current implementation (and many others I see on the web) is also vulnerable to screen readers. Standard practice is to *** the password field, but why don't we do this for the TFA field too?
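Added example, not the project's code, of the three steps proposed above: a small UsedCodeStore class (hypothetical name) that records a TOTP code once it has authenticated a user, rejects a second login with that code while it is still valid, and purges it after the window. The 30-second step, the one-step drift tolerance and the fixed timestamps are assumptions for the walkthrough.

```php
<?php
// Added example, not part of the twofactorauth project: refuse a TOTP code that
// already produced a successful login until its validity window has passed.
class UsedCodeStore                          // hypothetical name
{
    /** user => [code => expiry timestamp] */
    private array $used = [];
    private int $stepSeconds;                // assumed TOTP time step (30 s)
    private int $windowSteps;                // assumed clock-drift tolerance in steps

    public function __construct(int $stepSeconds = 30, int $windowSteps = 1)
    {
        $this->stepSeconds = $stepSeconds;
        $this->windowSteps = $windowSteps;
    }

    /** Step 3 of the issue: drop codes whose window has elapsed. */
    public function purge(int $now): void
    {
        foreach ($this->used as $user => $codes) {
            foreach ($codes as $code => $expires) {
                if ($expires <= $now) {
                    unset($this->used[$user][$code]);
                }
            }
        }
    }

    /**
     * Steps 1 and 2: call only AFTER the TOTP itself has verified, so an
     * attacker's wrong guesses are never recorded. Returns false on a replay.
     */
    public function consume(string $user, string $code, int $now): bool
    {
        $this->purge($now);
        if (isset($this->used[$user][$code])) {
            return false;                    // same code reused inside its window
        }
        // Keep the code as long as the verifier could still accept it:
        // the current step plus the drift window on either side.
        $this->used[$user][$code] = $now + $this->stepSeconds * ($this->windowSteps + 2);
        return true;
    }
}

// Constructed walkthrough with a fixed clock instead of time().
$store = new UsedCodeStore();
$t = 1700000000;
foreach ([$t, $t + 10, $t + 120] as $now) {
    printf("+%ds: %s\n", $now - $t, $store->consume('alice', '123456', $now) ? 'accepted' : 'replay rejected');
}
```

The second attempt, ten seconds after the first, is rejected as a replay; the third, after the window has elapsed, is accepted again because the stored entry was purged.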

install issue

Using nginx and getting this after filling out the install page; maybe I'm missing something?

Warning: SQLite3::exec(): no such table: USERS in /usr/local/www/portal/twofactorauth/install/install.php on line 76

Fatal error: Call to undefined function hash() in /usr/local/www/portal/twofactorauth/lib/dbManager.php on line 32

"Cannot open user database file" when installing

I was not able to correctly install this on PHP7 without making this modification to dbManager.php.
I was getting errors such as "[ERROR] Cannot open user database file" or "[ERROR] Unknown user".

What if someone has to login again after a POST?

So consider this scenario:

  • Someone logs in via TFA.
  • Someone fills in a form that will submit over POST to x.php.
  • Their TFA session expires.
  • They submit the form.
  • They are redirected to the TFA login.php script.
As it is currently, I think all the form fields get lost. It would be nice to preserve them and submit them to the target script after they login again.

What are your thoughts on the challenges of doing this?

I think we might have to try to rewrite to the login script in nginx rather than redirecting, which might require some changes to the current nginx.conf instructions, and for the login script in this case, have a separate "thank you for logging in" screen that fixes the referrer back to the original and submits the data via JavaScript.

Successful verification, failed to jump

Hi, awesome author.

I have tried to configure TwoFactorAuth on windows many times. Its user authentication and OTP authentication functions are normally available, but after authentication, I jump to the APP website of my Nginx proxy.


Main website: http://localhost:80/
OTP verification website: http://localhost:81/
APP service website: http://localhost:81/

Operating system version: Windows 10 x64
Nginx version: nginx-1.19.1
php version: php-7.4.8-nts-Win32-vc15-x64

My Config:
test-config.zip

C:\nginx-1.19.1\conf\nginx.conf

worker_processes  1;

error_log  logs/error.log  info;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    # Main
    server {
        listen       80;
        server_name     localhost;

        location / {
            root   html;
            index  index.html index.htm;
            auth_request /twofactorauth/nginx/auth.php;
            proxy_pass http://localhost:81;
        }
        location = /twofactorauth/nginx/auth.php {
            auth_request off; 
            proxy_pass http://localhost:81/twofactorauth/nginx/auth.php; # This is the TOTP Server
            proxy_set_header X-Original-URI $request_uri;
        }
        location /twofactorauth/login/ {
            auth_request off; 
            proxy_pass http://localhost:81/twofactorauth/login/;
        }
        location /twofactorauth/db/ {
            deny all;
        } 
        # This ensures that if the TOTP server returns 401 we redirect to login
        error_page 401 = @error401;
        location @error401 {
            auth_request off; 
            return 302 $scheme://localhost/twofactorauth/login/login.php?from=$uri;
        }
    }
    
    # TwoFactorauth & KodExplorer
    server {
        listen       81;
        server_name  localhost;
        location / {
            root   html;
            index  index.php index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

At present I have successfully used another OTP verification program. It is fairly crude, so I still look forward to being able to use your work.
simpleotp
https://github.com/yu2n/simpleotp

Thank you for reading.
