Several times the code makes calls to the log. However as of PHP greater than v7.3.x this will result in errors.
Solution is to have the debug, warn info and error statements all set as a literal 'debug','warn','info','error'
Provide error log: PHP warning: Use of undefined constant warn - assumed 'warn' (this will throw an Error in a future version of PHP)

If you wish to delete the manage URL from the URI, you have to alter both the PHP class and the snippet GAxUserQRCode

Hi,

The 1-time courtesy login is a bit confusing because of the extra popup stating my session expired and i need to login, again.

My guess is this happens because upon giving the QRcode the user is immediatly logged out. Imho that is not necessary.

Include "authentication key" field in manager log-in popup windows.

When MODX is installed in a subdirectory the URL duplicates the subdirectory part:

otpauth://totp/admin::http://localhost/revo231//revo231/working/?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local...

Note the extra /revo231/ in there. I had my "manager" folder renamed to "working" in this installation.

I encountered some issues on emailtpl on lexicon.

I made a quick fix. I copied everything in the emailtpl to default.

Issue

Several calls to $this->log() in googleauthenticator.class.php use unquoted strings for the first argument.

This causes the following PHP Warning to be thrown in PHP >=7.4 when a log is attempted:
PHP warning: Use of undefined constant debug - assumed 'debug' (this will throw an Error in a future version of PHP)

Line Numbers

Proposed Fix

Replace the first argument in each function call with a quoted string.

This would be consistent with the only other function call in the class (Line 47: $this->log('error', 'Invalid encryption key returned by "getOption", validating global setting...'););

When I scan the code with Google Authenticator on iPhone 6+ I get an error message:

The barcode 'otpauth://totp/admin2::http://abc.com/manager/?secret=GX43RANDOM&issuer=MODx Revolution' is not a valid authentication token barcode.

schema required.

Non sudo users with permission to control users should be able to reset & get users secrets.

• Add System setting for such feature.

Change encryption cypher to a stronger one.

TODO: Re-encrypt data in DB during update.

Users retrieve qr-code processor must validate (InCourtesy || 'gax_profile_enabled')

Store QR-code locally.A
Create QR-codes locally instead of depending on Google API!!

I've been testing this extra on MODX 3.0.3

It seems to install OK and works to a point.

However, as far as I can see the QR code is either not generated or not displayed for the user and there is therefore no way to set up the authenticator app.

I'd love to see this extra working on MODX3.

Add option during installation to email users about the new log-in procedure.

Add a text field system setting to allow admin to override the issuer value.

Log important changes to manager-actions.

Include "Authentication key" in manager log-in page in lexicon.

QR codes generated using the following API are no longer working; apparently Google marked the API as deprecated in 2012 and in Jan 2024 started phasing it out.

https://chart.googleapis.com/chart

Suggest migrating to an alternative such as:
https://qrcode.tec-it.com/

When admin open a user profile and click reset secret, all user's extended fields are wiped.

Attention: If you have other data stored in "Extended Fields" do not reset user secret.

This will be fixed in next release ASAP.

As the underlaying process is the same I tested this extra with the Microsoft Authenticator app on Android.
And it works flawlessly.

Tested on:

• Android Device (Samsung S22)
• MODX 2.8.6-pl

Could be useful, if this Extra mentions this compatibility (or even change its name).

I've been using MODX-GoogleAuthenticatorX for a while now and it has been working very well. However, earlier today I had to upgrade MODx to 2.5.6-pl, so I went into settings and disabled the authentication, ran the upgrade (which went fine), logged in and re-enabled the authentication.

I now cant log in at all. I keep getting the "Invalid authentication key." error.

I signed into the database remotely and changed the gax_disabled setting to 1, in the hope of being able to log in but that didn't work either and the Authentication Key field is still visible on the login form and I have verified that the setting is definitely 1.