  1. @bee8bit the TFA class is kinda a secret outside of that API page XD I think I am the only 3rd party dev to use the TFA class also. Annoyingly there is a TFA category on the modules directory, but I can't add my module to said category. So there is a link somewhere in ProcessWire that takes you to http://modules.processwire.com/categories/tfa/ where you only see Ryan's own modules. It's a shame that the TFA module has so much potential but it feels kinda like something that was developed then hidden away from devs and users.
  2. @bee8bit Surprised to see that the login function doesn't implement TFA. I am going on a whim and saying Ryan left it open to prevent breaking existing modules that are not built to support TFA, but it does seem like a bit of a security issue if you can disable TFA by enabling a custom login form plugin. It should deny the login when it can't do TFA.
  3. @bee8bit There are ways to call it from the API https://processwire.com/api/ref/tfa/ I have no idea how your custom login form works but I assume you're going to need to do some modifications. It will need to check that TFA is active, build the form and process the TFA request. Or if it's something another user has created maybe just pester them a lot to update their module to support the TFA class that has been out for like a year already.
  4. @bee8bit Interesting. Any logs at all? If you're getting nothing at all then that sounds to me like ProcessWire is not seeing that TFA is enabled. Does it say TFA is enabled under the user's profile? What version of ProcessWire are you using too?
  5. @netcarver day 2 of existence actually, was just a late night idea I decided to go with. There is actually a message that says it was successful and also counts when you do more than 1 key, but I should make it clearer. I will look into that. The managing/naming is not going to be possible though as the settings actually vanish once you save the page. This is just how the Tfa class works as far as I can tell, but maybe I am wrong. There is not much documentation on the Tfa class besides the API and the 2x examples from Ryan. The buttons got added for the initial tests. The Use button does have a purpose: if for some reason it doesn't automatically prompt or you accidentally exit the prompt you can use that button to restart the security key process without logging back in again. The submit button is indeed useless though. Originally it was a click the use button then click the submit button but now the JS behind it is more sophisticated and starts the auth process and submits the form on success so I can remove the submit button. But I think the use button could be handy to keep.
  6. @netcarver Glad to hear it works for you 🙂 It is such a hacky module. I don't think the Tfa class was coded with security keys in mind 😄 but so far so good. Let me know if you discover any bugs/issues using it. I know of at least one bug that you shouldn't come across too often (if you log in to an account with Tfa but don't use the key and then try to log in with a 2nd account it will fail as it will still have a different challenge set for the session. It self-fixes when you try a 2nd time. I can't think of an easy solution to this problem though as it was done that way on purpose to get around the buildAuthForm function being called twice and resulting in a bad challenge on every attempt).
  7. Right! Multiple key support is now included. You can put about 19 in before you run out of space (20480 characters, each key uses about 1040). If someone has 19 keys I will be very surprised. I have bumped the version to 1.0.1 as a result. I ain't a big versioning guy but this is a minor change from the user's perspective. You can just click the add button more than once now. Just be sure to only click the save button once you have added all your keys. I have tried it with the 3x keys I have and it works fine. More than 3? Not sure, can't test that yet. If you click save before you add all your keys then you will only get the ones you added and have to disable/re-enable Tfa to add them all again. This is a limitation of the Tfa class sadly.
  8. @netcarver Edited my last reply. I figured it out. Was me being played by the strange design of forms on ProcessWire. It was being converted into a text field for the POST section and the default maxlength for a text field is 2048. Doh. Now working on multiple key support. Fingers crossed with this.
  9. I have just pushed a commit that cleans up the code a bit. The registered keys are now saved in one field. Again in theory this can support multiple keys... but the bulk of the code is not there as I failed to find a workaround to the 2048 truncation. Each key uses like 1040 characters. I could put each key in its own field but that means I have to reconstruct the array and have more complicated JS instead of just concatenating. I am not a huge ProcessWire module developer so someone with more experience feel free to chime in. I tried adding ->attr('maxlength', 4096) and ->maxlength(4096) and it does increase the maxlength of the field on the HTML side but the processing side is still truncating to 2048 characters even though I can't see where it's doing that. The only field that has a hardcoded 2048 limit is the Text field. Both hidden/textarea still truncate though even though I can't find the code anywhere that does this. I think it might be a POST request limit?? But surely that would fire a HTTP error instead of getting truncated. I feel dumb XD Under getUserSettingsInputFields I have to set the maxlength under the if POST section otherwise it will truncate it there. Such a weird design. Tripped me up before. But now I can continue trying to do multiple keys 😄
  10. Right, been trying to get multiple keys working. I have figured out how to do it I think? But I am hitting the dumb 2048 length limit on the field. If I add the maxlength attribute it still gets truncated to 2048 characters (possible bug?). So the only way I can do this is a very janky method of multiple fields and having to recreate arrays and stuff. What I need is to save one huge JSON array into a field as a string but I have found no info on increasing the max size on any field via the API. Well I can but it seems to be truncated somewhere else 😞 but looking inside tfa.php I can't see where it's being cut down in size. Real downer to be honest. I am going to say that multiple keys is as a result not possible unless someone can enlighten me on how to correctly expand the maxlength on a field without the sanitizer just going hard-headed in and destroying everything. It seems that InputFieldHidden has no sanitizer or maxlength but it still gets truncated so it's something deeper. I don't know enough about how ProcessWire handles forms on the admin side to know where to look for where this stupid 2048 limitation is being applied.
  11. Yes that would be ideal. I could also just save JSON into a string field to lower the dependencies on other modules. I had not thought about doing this actually. Food for thought... I will experiment tomorrow I think. I wanted to get a proof of concept working to start with as I had coded a ton of it then realised the settings get locked out once you enable Tfa and then found out that only the Tfa_code field is sent to the validate function. Had to get creative with some session variables to get it working but now it works somewhat I feel like I can improve/expand.
  12. I will look at maybe adding support for 2x keys into this module? I might get away with 8x fields being used 😄 The only way I can imagine it working though is if you enrolled all your keys one after the other on the initial setup. If you can reuse the same challenge for registration then it's worth experimenting. Ideally I would have access to a database table and can add infinite amount of keys without fear of having to essentially just cram all this data into text fields. And it would have made a lot of my debugging work easier as a lot of it was trying to wedge it around the ProcessWire hooks/Tfa module. I felt like using the $sql API was a bit too jank though even for my subpar coding skills (not to mention much less secure as I am sure ProcessWire does a ton of validation behind the scenes). As for a Yubikey specific module, that shouldn't be too hard. In fact probably easier. But I have not got a compatible YubiKey. I only have a cheap FIDO key and a Yubikey Security key (FIDO/FIDO2 not OTP/OATH/PIV/etc). I have bought a Yubikey 4 cheaply used just to experiment with the OTP idea (not going to spend £50 on a USB dongle for the latest 5th gen) but that has not arrived yet.
  13. @netcarver No worries. I will probably look into making a 2nd module which uses the Yubikey specific OTP methods to get around the localhost/FQDN and SSL requirements (though I can't see why anyone would desire a site that has no domain and no SSL) but also means you can create a backup security key. This U2F module can only address a single security key. I am not sure how I would add support for multiple as each key needs 4x fields and not to mention a lot of challenges back and forth. But a single security key is better than TOTP or other forms of TFA.
  14. You have to use either localhost or a FQDN. You also need to use SSL. These are just restrictions on the FIDO/U2F protocols that I should have mentioned on the project page. I should also probably put some better error checking in on the admin panel side. The login page side does have error messages but they're vague. This exact error occurs when you're not using SSL. The U2F-API JavaScript library does not seem to have any error handling for that scenario. I should add it on the ProcessWire side so you're not in the blind with the cryptic error message. This is really just the 1.0.0 version, the first version that works essentially. Just need to iron out any bugs and improve the UX.
  15. That is not what I intended. Will fix that ASAP. It should be installable via the ProcessWire admin area just with the class name (once approved). @netcarver there is a Zip file under the releases tab on GitHub that includes the dependencies that were not included due to my noobness with git (did not know much about submodules to be honest, they just appeared like it as I git cloned the dependencies).
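
Added example (not part of the posts above and not the module's own code): a preflight for the restrictions described in the post about localhost/FQDN and SSL, so the page can show a readable message before any U2F call instead of the cryptic error. The function name `u2fPreflight` and the sample origins are hypothetical, and the two restrictions are treated as independent checks.

```javascript
// Hypothetical helper: returns a list of readable problems that would stop a
// FIDO/U2F ceremony on this origin. An empty list means the checks passed.
// In a browser, pass window.location.
function u2fPreflight(loc) {
  const problems = [];
  // Normalise: lower-case and drop a trailing root dot ("example.com.").
  const host = String(loc.hostname || '').toLowerCase().replace(/\.$/, '');

  // Restriction 1 from the post: the page must be served over SSL.
  if (loc.protocol !== 'https:') {
    problems.push('Security keys need HTTPS; this page was loaded over ' + loc.protocol);
  }

  // Restriction 2 from the post: the host must be localhost or a FQDN.
  // IP literals are rejected explicitly, since "192.168.1.20" would
  // otherwise look like four valid DNS labels.
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const isIPv6 = host.startsWith('[') || host.includes(':');
  const labelOk = (l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(l);
  const labels = host.split('.');
  const isFqdn = !isIPv4 && !isIPv6 && labels.length >= 2 && labels.every(labelOk);
  if (host !== 'localhost' && !isFqdn) {
    problems.push('Security keys need localhost or a fully qualified domain name, not "' + host + '"');
  }
  return problems;
}

// Constructed sample origins, not taken from the thread.
const samples = [
  { protocol: 'https:', hostname: 'cms.example.com' },
  { protocol: 'http:', hostname: 'cms.example.com' },
  { protocol: 'https:', hostname: '192.168.1.20' },
  { protocol: 'http:', hostname: 'devbox' },
];
for (const s of samples) {
  const found = u2fPreflight(s);
  console.log(s.protocol + '//' + s.hostname, found.length ? found : 'ok');
}
```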
