psy

Members
  • Posts: 744
  • Days Won: 12

Everything posted by psy

  1. psy

    LoginPassKey

    @Pavel Radvan more... If that doesn't work, then it points to a Windows Hello config issue. I've made the module as broad as possible, to allow hybrid platform logins. There is no Windows OS for mobile, and while the doco indicates that WebAuthn SHOULD work on Windows Hello, to quote a Reddit article, "Webauthn is not nearly as confusing on other platforms."
  2. psy

    LoginPassKey

    Thanks @Pavel Radvan I think I know what the problem may be. When you get a chance to test, please:

      • Grab the latest version of the module from GitHub - all the files
      • Open your browser dev tools to the console tab on the admin login page
      • Go through the process again

    The console tab (and under the login form) should display a message about what happened. I suspect it's saying "Sorry, your browser does not support this feature" because of the way Windows Hello handles passkeys. If this is the case, in LoginPassKey.js, comment out the following:

        // check browser support
        if (!window.fetch || !navigator.credentials || !navigator.credentials.create) {
            $data = { fn: 'end', next: 'end', errno: 1 }
            return await connectPost(data,url).then( (res) => { if (res.end) return res } )
        }

    Please try again and let me know. Appreciate your help 🙂
  3. psy

    LoginPassKey

    Hi @Pavel Radvan I'm using the module successfully on a number of sites. Today I launched a new site ported from my dev server. The PassKey was for admin only. After logging in with email, then deleting the old passkey (Access->PassKeys) and changing the Host Name in the LoginPassKey module config, logging out and logging in again, I was invited to register a new passkey. It registered and saved to the db. I logged out and successfully logged in with the PassKey. Truly curious to know why it's not working for you. What devices are you using? In my case it's a MacBook Pro and the PassKey is saved in Apple KeyChain, ie the key is saved on my MacBook and because Apple KeyChain federates, I can log in with my Face ID on my iPhone.
  4. psy

    LoginPassKey

    That's great! The popup shows you've already passed some tests:

      • Your device supports WebAuthn
      • Your user role is permitted to use WebAuthn
      • There is no matching registration in the database and you're being invited to register

    Couple of things to check:

      • Were there any errors in the log?
      • I forgot to include, delete the lpk-api template after deleting the page when manually uninstalling (will edit the post). Please check that the template for the lpk-api page is called lpk-api, and not for example lpk-api-1
      • Are you using SSL? This is a requirement for WebAuthn
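An added example, not part of these posts or of the LoginPassKey module: a diagnostic version of the browser-support check quoted in the post above, which reports which prerequisite is missing, including the secure-context (SSL) requirement mentioned here. The function names, reason strings and sample objects are assumptions constructed for illustration.

```javascript
// Added example (not LoginPassKey code). Reason strings are hypothetical names.
// Each entry: [reason reported when the check fails, check on a window-like object].
const PASSKEY_CHECKS = [
  // WebAuthn is only exposed in secure contexts (HTTPS or localhost).
  ['insecure-context', (w) => w.isSecureContext === true],
  ['no-fetch', (w) => typeof w.fetch === 'function'],
  ['no-credentials-api', (w) => Boolean(w.navigator && w.navigator.credentials)],
  ['no-credentials-create', (w) => typeof w.navigator.credentials.create === 'function'],
  ['no-credentials-get', (w) => typeof w.navigator.credentials.get === 'function'],
  ['no-publickeycredential', (w) => typeof w.PublicKeyCredential === 'function'],
];

// Returns the first failed prerequisite so the console message can say
// what is missing rather than a generic "browser does not support".
function passkeySupport(w) {
  for (const [reason, check] of PASSKEY_CHECKS) {
    if (!check(w)) return { supported: false, reason };
  }
  return { supported: true, reason: null };
}

// Resolves true/false when the browser can tell whether a built-in
// authenticator (Windows Hello, Touch ID, ...) is usable, null if unknown.
async function platformAuthenticatorAvailable(w) {
  const pkc = w.PublicKeyCredential;
  if (typeof pkc !== 'function' ||
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return null;
  }
  try {
    return await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  } catch (err) {
    return null;
  }
}

// Constructed window-like objects for illustration, not captured from browsers.
const creds = { create() {}, get() {} };
const SAMPLE_ENVS = {
  httpPage: { isSecureContext: false, fetch() {}, navigator: {} },
  noWebAuthn: { isSecureContext: true, fetch() {}, navigator: { credentials: creds } },
  modern: {
    isSecureContext: true, fetch() {}, navigator: { credentials: creds },
    PublicKeyCredential: Object.assign(function PublicKeyCredential() {}, {
      isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
    }),
  },
};
```

In a browser, call `passkeySupport(window)` before offering the passkey prompt and log the returned `reason` to the console.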
  5. psy

    LoginPassKey

    Hi Yes, please. If you get the error again, it's because the module didn't install correctly last time and so wasn't uninstalled properly. To fix:

      • Delete or rename the folder in site/modules to .LoginPassKey and reload the page to get you back into the admin area
      • Go to Modules and Refresh
      • You should get a warning LoginPassKey and ProcessLoginPassKey exist in the database but the files could not be found
      • For each, click the Edit link and check the box to remove the entries from the modules database table

    Places to look for leftover bits in the admin area:

      - /pages/LoginPassKey API - delete this page
      - /setup/templates - delete the lpk-api template
      - /admin/access/passkeys - delete this page
      - empty the trash to ensure they're gone for good

    You should now have a clean site to reinstall. PS: you can use this process to clean up any modules that failed to uninstall correctly.
  6. psy

    LoginPassKey

    Question... When using LoginPassKey on the frontend, eg with LoginRegisterPro, if the passkey isn't recognised, the user is prompted to use their password. I deliberately hid this message for admin logins in keeping with Ryan's choice to not notify what went wrong. Would it be helpful for passkey admin login attempts to be warned "Failed to verify your passkey. Please use your password to log in."? After installing and configuring the module, the admin must log out, then re-login using their password as the passkey isn't yet registered. On logging in with their password, and if their device supports it, the admin is asked to register their passkey. Subsequent logins with passkey will work.
  7. psy

    LoginPassKey

    I'm looking into it now. By the way, the error '1170 BLOB/TEXT' is puzzling too. The 'credential_id' column is not indexed. The only key in the table is the user_id with a fixed length. Here are the two functions that seem to be the culprits:

        public function getTableName() : string {
            return wire('sanitizer')->pageName($this->className());
            // could probably be changed to: return $this->className(['lowercase']);
        }

        protected function _createTable() {
            $sql = "DROP TABLE IF EXISTS `" . $this->getTableName() ."`;" .
                "CREATE TABLE `" . $this->getTableName() . "`(".
                "id INT(10) NOT NULL AUTO_INCREMENT, " .
                "user_id INT(10) UNSIGNED NOT NULL, " .
                "credential_id TEXT NOT NULL UNIQUE, " .
                "public_key TEXT NOT NULL UNIQUE, " .
                "created TIMESTAMP NOT NULL default CURRENT_TIMESTAMP, " .
                "PRIMARY KEY (id), " .
                "INDEX user_id_index (user_id) " .
                ") CHARSET=utf8";
            $db = $this->getDatabase();
            return $db->exec($sql);
        }

    One thing to try is to remove 'UNIQUE' from the 'credential_id' and 'public_key' columns. Maybe MySQL has trouble ensuring BLOB/TEXT fields are unique? Uninstall and reinstall. Please let me know if you spot any obvious mistake. 🙂 Will get back to you asap.

    The 'UNIQUE' constraint on the 'credential_id' and 'public_key' columns is definitely an issue with later versions of MySQL. Updated on GitHub.
  8. psy

    LoginPassKey

    Thanks again Pavel, appreciate you taking the time to help sort out the issue.
  9. psy

    LoginPassKey

    The table name should be 'loginpasskey', not 'pw.loginpasskey'. This may be the clue
  10. psy

    LoginPassKey

    Thanks @Pavel Radvan This needs more investigation. The install should have thrown an error if the table wasn't created. Do you have access to PHPMyAdmin (or TracyDebugger's Adminer) to confirm the database table does not exist?
  11. psy

    LoginPassKey

    Hi @Pavel Radvan Thanks for bringing this to my attention. This error relates to text strings. The strictness of PHP 8.4.5 may be triggering the issue as it works on PHP versions below this. I've updated the module in GitHub and it should now be OK for 8.4.5. It appears the db table failed to create. Again, it may be related to later versions, in this case MySQL. Please uninstall and replace the LoginPassKey.module file with the latest GitHub version at https://github.com/clipmagic/LoginPassKey/blob/main/LoginPassKey.module, then re-install. Let me know the result.
  12. psy

    Doh moment

    So annoying when the web host updates the PHP version and you start getting a strange error in the logs. Google search revealed a [solved] answer in the PW forums that YOU posted 3yrs ago 🤦‍♀️ In case anyone else is getting the same error:

        class='TypeError', code='0', message='count(): Argument #1 ($value) must be of type Countable|array, string given', location='/wire/core/PagesLoader.php', line='972'

    Here's the solution: The line number may vary according to your PW version.
  13. psy

    LoginPassKey

    Thanks Ivan 🙂 Have just released version 0.0.3 which 🤞 is good to go. Available at https://github.com/clipmagic/LoginPassKey/tree/main

    This latest version also adds support for AppApi as well as passkey login for admin and LoginRegisterPro. Will definitely add some screenshots/videos. In the meantime... Logging into admin: Logging in with LoginRegisterPro on the frontend: and when a user passkey login fails:
  14. There are several ways to truncate text.

      1. In CSS, see https://developer.mozilla.org/en-US/docs/Web/CSS/text-overflow
      2. In PHP, https://www.php.net/manual/en/function.substr.php
      3. In ProcessWire, https://processwire.com/api/ref/sanitizer/truncate/

    Number 3 is my choice
  15. Got completely stuck on some coding issues. As a last resort I started a conversation with ChatGPT (free version). I had 2 problems. Problem #1 took me & ChatGPT a while to solve but we got there in the end. Now working on Problem #2. Not yet solved but ChatGPT has given me some ideas. Here's how we ended up tonight: Not only did ChatGPT give me some great ideas, it was more polite, encouraging and patient than most people I know. 😂
  16. Learn more in the README.md on the GitHub page at https://github.com/clipmagic/LoginPassKey

    Version 0.0.2Beta released on GitHub. This version

      • is more stable
      • delivers tighter security
      • supports LoginRegisterPro

    Stay tuned 🙂
  17. Hi Bernhard, it's a super feature for most applications but it doesn't work with http requests. The FE TracyDebugger bar script gets tagged onto the end of the request and results in a JSON error. It was Adrian's suggestion to monitor guest dumps in another window that saved me. I tested your hook in /site/ready.php and it worked a treat! I then went back to TracyDebugger to see how Adrian handled it and found the answer. The method wasn't ready. Lifted Adrian's code from TD and adjusted it to suit my needs, ie in TracyDebugger init():

        // log requests for Request Logger
        $this->wire()->addHookAfter('ProcessWire::ready', function($event) {
            if(!method_exists($event->page, 'render')) {
                $event->page->addHookAfter('render', $this, 'logRequests');
            }
        });
        $this->wire()->addHookAfter('Page::logRequests', $this, 'logRequests');

    Learning from the masters all the time 🙂
  18. I think that's the problem. The hook is in the module init() but as the user is a guest, the autoloaded module isn't ready, even with the After ProcessWire::ready hook. The way I read the docs, autoloaded modules should be ready at this point. I'm obviously missing something. I tried a bd() call but the user isn't logged in. Will check again from an incognito window with the Tracy Debugger guest dumps in a window in which I'm logged in. Cheers to @adrian for this tip 🙂
  19. Thanks @bernhard I was aiming to load some scripts and add some html programmatically via my module to the admin login screen. I saw your post about injecting module js via $config->scripts but I think it assumes the user is already logged in and all autoload modules are ready. I couldn't get it to fire on the admin login screen, even with an after ProcessWire::ready hook, as a guest user. If I can't achieve it programmatically via the module api, I can add the instructions to manually add the code to admin.php before the require($config->paths->core . "admin.php"); as per your suggestion
  20. I've tried all sorts of hooks, before & after in my module and checked out how other modules do stuff, including TracyDebugger, which inserts scripts very early in the process. Tracy is the only hook I've found that inserts scripts before the user logs in. I've tried

      • "ProcessWire::ready"
      • "Page::render"
      • "AdminTheme::getExtraMarkup"

    My hooks never fire. I do not want to create a new AdminTheme or have to manually change any admin template files. What I'm trying to achieve is that a Guest who lands on the admin login page sees some extra rendered HTML. Any suggestions?

    Found the answer by studying the code in TracyDebugger on how to load methods that aren't ready in an autoload module and with Bernhard's suggested hook. See below posts for more info.
  21. Hi @adrian thanks again for your guidance and patience. It was a configuration issue. Tracy has so many options it can be difficult to know what works. I mistakenly only had Tracy enabled for the Frontend so your instructions didn't make sense at first. Achieved what I need by:

      • Enabling Tracy for the backend on a browser window in which I was logged in as 'admin'
      • From that browser window, enabling 'Guest dumps'
      • Loading the PW page as a guest in an incognito window and submitting the https request
      • Reverting to the Tracy browser window, refreshing it and viewing the Guest dumps

    May seem obvious to those who know. 🤦‍♀️
  22. Adam Blunt's https://processwire.com/modules/tfa-web-authn/ is amazing! My hat goes off to him for getting it to work. Sadly, his use of the lubuch library and the fact that he changed some of the core library code to work with PW, caused me to scratch it due to conflicts. Anyhoo, have moved on and getting closer to a front-end user passkey login without the lubuch code and no more corrupted sessions. One thing I'd like to know is how to use Tracy on the front end (guest or superuser) with https requests? Whenever I have TD enabled on the frontend as a guest, the request fails as it includes the Tracy FE javascript. Is this a TD configuration thing?
  23. Oh man, why didn't that show up in all my searches 🤦‍♀️ Will definitely investigate. I'm well down the path with lubuch now - may still have to scratch it - and have solved the issue with sessions simply by bypassing them during the registration process. It may come back to bite me later. Please do let me know if you recall the issue with corrupted sessions. Thanks again 🙂
  24. Hi @adrian and thank you for the prompt reply. I agree, it's not Tracy. Tracy is simply reporting the problem. Yes, I'm trying to integrate the https://github.com/lbuchs/WebAuthn. It obviously needs a lot of custom code to 'ProcessWire' it. The 'challenge' is proving to be the challenge - pun intended! I'd also googled the incomplete object problem and could find nothing specific to ByteBuffer. Touch wood, I've not encountered the admin issue with the session ByteBuffer today. Other issues for sure. There's a lot of conversation between the server and browser that has to be 100% to get the certificate created. The weirdest thing is that the first time the session byte buffer is accessed, it's reported correctly. Subsequent bd()'s show that it's corrupted. The front end page submits to an api (page) that has a switch statement based on the page urlSegment 1 (route). (image deleted) The demo site at https://webauthn.lubu.ch/_test/client.html doesn't have these issues and it's all based on sessions, get variables, html & js being processed by PHP. 🤷‍♀️ and not a question for you unless you have any ideas on what's going on.
  25. Hi @adrian Love TD and can't do without it. Unfortunately I found a conflict with a module I'm developing. The module calls on a library that uses a particular class type for a challenge. My module is frontend only, autoload="template!=admin" and the FE works with TD using the native PHP $_SESSION. I had http errors using PW's $session. However, when I go to the admin, PW crashes spectacularly with: Disabling TD (putting a dot before the module name) is the only solution to access the admin area, but creates other problems. TD is still installed but inaccessible. Have tried namespacing the $session var, ie $session->setFor("myspace", "challenge", "my data") but it makes no difference. Turning off $config->debug resulted in a slightly less alarming Error 500. Any ideas on how to fix? Or maybe this is a question for @ryan as it's the admin core that's spitting the error?