Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Adam last won the day on August 29 2019

Adam had the most liked content!

About Adam

  • Birthday 08/21/1999

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location

Recent Profile Visitors

3,506 profile views

Adam's Achievements

Jr. Member

Jr. Member (3/6)



  1. @howdytom You can not revoke a single key I am afraid. The reason is in ProcessWire (at least when I coded this, might of changed since then) TFA modules was a setup then your locked from configuration changes. So under the user settings once you enable the TFA it will only let you remove it instead of edit it. Thats out of my control but might of changed since I made this. Will look into it as I know its not great design how it is. As for gaining access if something goes wrong I am pretty sure the best way to regain access would be through the database. As even if you remove the module ProcessWire will still see the user as having TFA enabled. I have not tested this myself I did some googling and found nothing about regaining access after TFA goes wrong bit strange to have no way to recover yourself. When I get time I will look at adding some sort of confirmation messages that show more clearly that a new key has been added. As for a summary/description that should be doable but behind the scenes all the data for all the keys is being saved in one huge text field which is already imposing a limit of keys to about 10 if I recall correctly? (janky I know but at the time the was zero documentation on making custom TFA modules I was the first developer besides Ryan to make a TFA module)
  2. @netcarver Just published 1.0.3 it has a simple version check which should allow it to work on all versions 3.0.109 and up now πŸ™‚ Have not tested it on a version below 3.0.165 however nor have I tested on a version below 3.0.130 which is when some changes to the getVersion function was made (but should not effect it how I have implemented it) Let me know if that works for you now
  3. @netcarver Thanks for the heads up. will work on an update. need to find out which version of Processwire they redid the Tfa stuff so I can do such a check. Really annoying change for me to be honest. No idea why the devs behind Processwire changed something in the Tfa to give it an init(). I guess older versions lacked an init() function and so my module cant call the parent function if it does not exist 😐 Seemed to work fine without it but I am sure the was a very logical reason behind the changes
  4. @netcarver @androbey Just pushed out 1.0.2 on Github. was a very simple fix actually but took a while for me to figure it out doh might take a while to show the new version on the modules site but will try and update that now too
  5. @androbey Just tested it on a fresh install. it is indeed broken 😞 I assume some update has changed how the admin stuff works? I will try and fix it over the weekend for you guys
  6. @androbey I think @netcarver is right you have to save then add your keys. This module could really do with an overhaul to be honest but it's a proof of concept that works well enough. as for localhost that will never work unless you have self signed SSL setup. U2F/FIDO require SSL to work. If you are still having issues just shoot another reply and I will spin up a new ProcessWire instance and test it. might have been broken with an update to ProcessWire
  7. @bee8bit the TFA class is kinda a secret outside of that API page XD I think I am the only 3rd party dev to use the TFA class also. Annoyingly the is a TFA category on the modules directory. but I cant add my module to said category. so the is a link somewhere in processwire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. its a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users
  8. @bee8bit Surprised to see that the login function dont implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA. but does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. it should deny the login when it cant do TFA
  9. @bee8bit The are ways to call it from the API https://processwire.com/api/ref/tfa/ I have no idea how your custom login form works but I assume your going to need to do some modifications. it will need to check that TFA is active, build the form and process the TFA request. Or if its something another user has created maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already
  10. @bee8bit Interesting. Any logs at all? if your getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the users profile? What version of ProcessWire are you using too
  11. @netcarver day 2 of existence actually was just a late night idea I decided to go with. The is actually a message that says it was successful and also counts when you do more than 1 key. but I should make it clearer I will look into that. the managing/naming is not going to be possible though as the settings actually vanish once you save the page. This is just how the Tfa class works as far as I can tell. but maybe I am wrong. the is not much documentation on the Tfa class besides the API and the 2x examples from ryan the buttons got added for the initial tests. the Use button does have a purpose. if for some reason it don't automaticity prompt or you accidentally exit the prompt you can use that button to restart the security key process without logging back in again. the submit button is indeed useless though. Originally it was a click the use button then click the submit button but now the JS behind it is more sophisticated and starts the auth process and submits the form on success so I can remove the submit button. but I think the use button could be handy to keep.
  12. @netcarver Glad to here it works for you πŸ™‚ it is such a hacky module. I don't think the Tfa class was coded with security keys in mind πŸ˜„ but so far so good. let me know if you discover any bugs/issues using it. I know of at least one bug that you shouldn't come across too often (if you login to an account with Tfa but don't use the key and then try to login with a 2nd account it will fail as it will still have a different challenge set for the session. it self-fixes when you try a 2nd time, I cant think of an easy solution to this problem though as it was done that way on purpose to get around the buildAuthForm function being called twice and resulting in a bad challenge on every attempt)
  13. Right! Multiple Key support is now included. you can put about 19 in before you run out of space (20480 characters, each key uses about 1040) if someone has 19 keys I will be very surprised. I have bumped the version to 1.0.1 as a result. I ain't a big versioning guy but this is a minor change from the users perspective. you can just click the add button more than once now. Just be sure to only click the save button once you have added all yours keys. I have tried it with the 3x keys I have and it works fine. More than 3? not sure cant test that yet. if you click save before you add all your keys then you will only get the ones you added and have to disable/re-enable Tfa to add them all again. This is a limitation of the Tfa class sadly.
  14. @netcarver Edited my last reply. I figured it out. Was me being played by the strange design of forms on ProcessWire. It was being converted into a text field for the POST section and the default maxlength for a text field is 2048. doh Now working on multiple key support. fingers crossed with this
  15. I have just pushed a commit that cleans up the code a bit. the registered keys are now saved in one field. Again in theory this can support multiple keys... but the bulk of the code is not there as I failed to find a work around to the 2048 truncation. Each key uses like 1040 characters. I could put each key in its own field but that means I have to reconstruct the array and have more complicated JS instead of just concatenating. I am not a huge Processwire module developer so someone with more experience feel free to chime in. I tried adding ->attr('maxlength', 4096) and ->maxlength(4096) and it does increase the maxlength of the field on the HTML side but the processing side is still truncating to 2048 characters even though I cant see where its doing that. the only field that has a hardcoded 2048 limit is the Text field. both hidden/textarea still truncate though even though I cant find the code anywhere that does this. I think it might be a POST request limit?? but surely that would fire a HTTP error instead of getting truncated I feel dumb XD under getUserSettingsInputFields I have to set the maxlength under the if POST section otherwise it will truncate it there. Such a weird design. tripped me up before. but now I can continue trying to do multiple keys πŸ˜„
  • Create New...