2FA appearing when logging in but is easily bypassed anyway #1442
Now, I see that the 2FA is turned on by default in a fresh install in the Admin Panel settings. Isn't this something to set up manually first of all? If you want to suggest this as a more secure way to log into the admin panel, you would probably find another way to suggest it, such as presenting a dialog on the initial install suggesting to turn on 2FA and to review 2FA settings. I turned it off for now, especially because I am not sure why it is bypassed so easily anyway. But I am just looking at this from the point of someone who just tries Grav to decide whether it is the right choice for them. This seems confusing even for those who already started using Grav.
I can confirm this issue. 2FA asked for a code when logging into admin right after the 1.8.0 update, even though it was never set up and was actually deactivated in the configuration file and in the user account file. My workaround: I just clicked "continue". Then an error occurs ("wrong code" or so), but then the normal login form shows up, where you can log in as always. Then I did not see this error anymore. @dbfin I guess someone who tries Grav for the first time will love it anyway :-) But I also think this issue needs investigation.
@danzinger Yes, especially if that someone is like me. I was looking for a new CMS to move from GetSimple, as it is not that actively developed anymore (it seems), and it is lacking some flexibility, so I had to do a lot by hacking the PHP code. So, my criteria for a new CMS were: open source, flat-file, light and fast, easy to install and use, multilevel URL support (this is one thing I had to hack in GetSimple), easy GitHub integration, preferably markdown support and a ready-to-go set of plugins for things such as LaTeX support, Google Analytics, etc. And guess what... And after I discovered there are also themes such as Learn2, and how easily you can extend them... Man, you say!
Hmm... I got this same scenario "once" during testing in one of my setups, but couldn't replicate it on a fresh install, nor on any of my other installs. My issue went away, but I'm not 100% sure what causes it or what fixed it. Are you guys still experiencing it? If so, does it go away if you "clear cookies"?
It's weird. I am unfortunately unable to reproduce this bug either. It seems to be a "one-time issue" caused by the recent update. I try to remember what caused the bug: I had some Grav installs fully updated (admin at 1.7.4 & respective dependencies). I logged into the backend and saw that updates were available. I updated the installation via the backend, not GPM. I remember that the update was not as straightforward as usual, as there were some "fetch failed" messages. I remember that I wanted to investigate if the update failed or so. I tried via GPM and it said "everything up-to-date". So I wanted to log into the backend again, and then I experienced this bug. I think this issue is quite hard to reproduce and the workaround is actually very easy and only needed one time. So I don't think it's worth the effort to work long on this bug. Especially if it does not happen on a clean install.
I made a quick fix which prevents the 2FA form from showing up, but shows the logout button instead. I will still need to figure out how to prevent it altogether. The issue is that the user now has two-step authentication, which needed a new variable "authorized". This isn't set right after the update. This causes admin to display the wrong page.
@danzinger Yes, this is the first thing I tried: I reproduced it on a fresh install. @ALL This is weird. I decided to list here the steps on a fresh install to reproduce. I just retried all the steps (described below) that caused the behavior on a fresh install before, and cannot reproduce it now. Here are the steps that worked before to reproduce on a fresh install.
At this moment before, you would be presented with the 2FA error and code field. Now, it seems, the login name and password fields are shown.
We have some fixes that should sort this for anyone that runs into it, but it seems it's a temporary 'session-based' issue that, once sorted, will not reappear.
OK, the FIX didn't work properly, have a new fix... should be released in Grav 1.4.5 soon.
Could you please elaborate a bit more on what you think is the problem, and what did not work and should. I could not reproduce it the second time with my steps, so with some explanation it might be easier to double-check it works as intended. I am not even sure how it is intended to work. Thanks for addressing the issue.
It was a compatibility issue with the older version of the User class.
This is now sorted in the latest release.
Thanks!
Just updated to Grav 1.4.4 and the Admin Panel 1.8.0, Login 2.7.0.
After that, when reloading the admin panel it showed the dialog to enter the 2FA code, which never appeared before, and which I do not remember setting up.
So, I did a fresh install, added the Admin Panel plugin, reloaded the page, and it asked me to enter the new user as usual. I did, and the admin panel showed up. I made a few changes in the first tab of the Configuration, which have nothing to do with 2FA, saved them, it showed that the changes were saved, and then presented a red error, "Fetching Error" or something like that. This is normal, at least this always happened before with previous versions on a new install after changing some parameters in that tab initially. All you usually need to do is to re-login.
However, now, on this fresh install, after the fetching error and reloading the page it showed that same 2FA code dialog. Again, this is a new install without any changes related to 2FA.
Now, the weirder thing is that I simply left all the 0's as they are in that dialog, and simply clicked the Login button. It showed me an error that 2FA failed and to please re-enter the code, but instead of the field with the code to enter, it showed the regular Login and Password fields. The error about 2FA disappeared in a few seconds, and basically only the regular login screen was present. I entered the login name and password as usual, and the admin panel showed up.
Not sure what this is all about, why 2FA appears on a fresh install, and why it is so easily bypassed.
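The thread gives two pieces of the picture: the maintainer's note that the two-step login introduced a new session variable "authorized" that upgraded sessions did not have, and the reporter's observation that submitting the zeroed code fell back to the ordinary credential form. The model below is an added illustration written for this page, not Grav's own code: it shows a two-step login whose page decision looks only at session flags (so a pre-upgrade session with `authenticated` but no `authorized` is sent to the second-factor form even when no second factor exists), beside a decision that consults the account's 2FA configuration first, plus a second-factor check that discards the whole session on failure so the user restarts at the credential form. All names (`next_step_legacy`, `next_step`, `submit_password`, `submit_code`, the `User` fields) and the sample account are constructed for the example; the TOTP routine follows RFC 6238 so the example can be checked against its published test vector.

```python
"""Two-step admin login model (constructed example, not Grav code):
password step first, then an optional TOTP second factor."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


@dataclass
class User:
    username: str
    password_hash: bytes                    # sha256 keeps the model short; real code uses bcrypt/argon2
    twofa_secret: Optional[bytes] = None    # None: no second factor configured for this account


def hash_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


Session = Dict[str, bool]


def next_step_legacy(session: Session) -> str:
    """Decision based on session flags alone. A session created before the
    'authorized' flag existed carries 'authenticated' but no 'authorized', so
    every upgraded session is sent to the second-factor form, 2FA configured or not."""
    if not session.get("authenticated"):
        return "login"
    if not session.get("authorized"):
        return "twofa"
    return "admin"


def next_step(session: Session, user: User) -> str:
    """Decision that consults the account's 2FA configuration, not just the session."""
    if not session.get("authenticated"):
        return "login"
    if user.twofa_secret is None:
        return "admin"  # nothing to prompt for; upgraded sessions land here too
    if not session.get("authorized"):
        return "twofa"
    return "admin"


def submit_password(session: Session, user: User, password: str) -> bool:
    """First step: a correct password sets 'authenticated' only, never 'authorized'."""
    ok = hmac.compare_digest(user.password_hash, hash_password(password))
    if ok:
        session["authenticated"] = True
        session["authorized"] = False
    return ok


def submit_code(session: Session, user: User, code: str, now: int) -> bool:
    """Second step: a valid code marks the session authorized; any failure clears
    the whole session, so the next request starts again at the credential form."""
    valid = bool(
        session.get("authenticated")
        and user.twofa_secret is not None
        and hmac.compare_digest(totp(user.twofa_secret, now), code)
    )
    if valid:
        session["authorized"] = True
        return True
    session.clear()
    return False


def demo() -> tuple:
    """Replay the reported situation: an account without 2FA and a pre-upgrade session."""
    account = User("admin", hash_password("correct horse"))   # constructed, no 2FA
    upgraded_session = {"authenticated": True}                 # no 'authorized' key yet
    return next_step_legacy(upgraded_session), next_step(upgraded_session, account)


if __name__ == "__main__":
    print(demo())   # ('twofa', 'admin'): the legacy decision prompts, the fixed one does not
```

The point of the fixed decision is that the second-factor page is never derived from the absence of a flag; it is derived from whether the account actually has a secret enrolled. Clearing the session on a failed code is what produced the "falls back to the login form" behaviour the reporter saw, and that part is correct: a failed second factor should cost the attacker the first factor too.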