netcarver
Everything posted by netcarver

  1. Single Site, Developer and Agency Licenses are available via our LemonSqueezy Store >>> Please get in contact after purchasing, citing your license key & forum username, so we can add you to our support area. <<<

     This is a module pack by Nifty Solutions for Processwire CMF/CMS version 3.0.149 or later (running on PHP 7.2+) that extends the core features for password recovery making them more flexible and easy to use.

     Features
     • Can send just the verification code in emails (removing the clickable link), and immediately show the reset verification page. This forces the reset to be completed in the same session it was started from.
     • Allow the password reset to be initiated in one session and completed in another. You no longer have to complete the reset from the same browser and tab. There are options to allow you to still require reset completion from the same IP address.
     • Prevention of incorrect data entry in the reset initiation step; users are warned if they enter an email in a username field.
     • Optional customisation of the verification code. Can make manual and/or mouse-based copy-and-paste from the email easier.
     • Optional auto-completion of the verification code field in the password reset step. This makes things easier for users as they don't have to copy-and-paste from their email client. Be warned, however, that this can facilitate automated reset attempts.
     • Control how long reset links are valid for (sometimes an hour is much too long) and update the text of outgoing emails and reset screens to report the new value.
     • Optionally allowing automatic user login following a successful password reset. This is not recommended but is supported. This option is never available to Superusers or users with 2-factor authentication requirements on their accounts. You can additionally limit this to users with specific roles.
     • Allows the reset process to require input of the user's Time-based one-time (TOTP) value - if they have TOTP set up on their account. You can also mandate the entry of a valid TOTP in order to complete a password reset. The TOTP field extends ProcessForgotPassword and operates with or without NiftyPasswordsPlus.
     • Works by extending the core ProcessForgotPassword module so it works on the Admin login page and your custom LoginRegisterPro pages.
     • You'll also get access to NiftyHashedTokens in your template and module files - a HMAC-Hashed key-to-value store, providing tamper-detection of the key and controlling how many times it may be accessed in a given period along with IP address checking.

     Pre-Requisites
     This requires PHP 7.2 or better and a recent copy of Processwire with the ProcessForgotPassword and InputfieldSelect modules installed.

     Installation
     After purchase you will have access to the latest version of the pack as a single zip file.
     If this is your first Nifty installation: simply unzip the file in a temporary location and transfer the resulting Nifty folder into the site/modules directory of your site. Then refresh the modules in Processwire and install the NiftyPasswordsPlus module.
     If you already have other Nifty products installed: unzip the file in a temporary location and look in the Nifty folder you unpacked. Copy any new subdirectories from there into your existing site/modules/Nifty directory. Log in to Processwire, refresh your modules and install NiftyPasswordsPlus.
     You will need to acknowledge the disclaimer, enabling the module in order to proceed.

     Refunds
     We offer a no-questions-asked refund policy in the first 14 days from the date and time of your purchase.

     Settings
     Step 1:
     Step 2: Gives options changing how the reset link works. Verification code customisation options: This can lead to much simpler codes in the reset emails...
     Step 3: If you install FieldtypeUserTOTPValue as well, you also have additional options to require TOTP 2FA for reset.
     Step 4: Additional settings:

     FieldtypeUserTOTPValue allows you to add TOTP as a confirm field in ProcessForgotPassword: Which then requires the user doing the reset to enter their TOTP 2FA code (if set on their account) in order to reset their password: If the user does not have TOTP set up on their account, they just leave this blank. If they do have TOTP set up, they need to enter the current value.

     If you are using this along with NiftyPasswordsPlus, then you can additionally enforce role-based requirements for entry of a correct TOTP value in order for password reset to work. It does this by hooking FieldtypeUserTOTPValue's RequireTfa() method. You can do the same from your site/ready.php file to add any additional checks you'd like for your particular site.

     We currently only support TOTP 2FA as it is simple, avoids sending another email (in case email is compromised) and the bar to user adoption is quite low.

     Finally, we have NiftyHashedTokens:
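As an added illustration of the NiftyHashedTokens concept described in this post (a constructed example, not Nifty Solutions' code): a key-to-value store whose keys carry an HMAC tag, with a read budget per validity window and optional binding to the issuing IP address. The `keyid.tag` token format, the expiry semantics and the class name are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Any, Optional

# Constructed illustration of an HMAC-tagged key-to-value store: tampering with
# the key is detected, a key may be read only a limited number of times within
# its validity window, and a read may be bound to the IP address the key was
# issued to. Not the product's code; token format and expiry are assumptions.
class HashedTokenStore:
    def __init__(self, secret: bytes, max_reads: int = 3, window_s: int = 3600):
        self._secret = secret
        self._max_reads = max_reads
        self._window_s = window_s
        self._items: dict = {}  # key_id -> {value, ip, issued, reads}

    def _tag(self, key_id: str) -> str:
        # HMAC over the key id; only the holder of `secret` can mint a valid tag.
        return hmac.new(self._secret, key_id.encode(), hashlib.sha256).hexdigest()

    def put(self, value: Any, ip: Optional[str] = None, now: Optional[float] = None) -> str:
        """Store value; return the opaque token 'key_id.tag' to hand to the user."""
        key_id = secrets.token_urlsafe(16)  # url-safe alphabet, never contains '.'
        self._items[key_id] = {
            "value": value, "ip": ip, "reads": 0,
            "issued": time.time() if now is None else now,
        }
        return f"{key_id}.{self._tag(key_id)}"

    def get(self, token: str, ip: Optional[str] = None, now: Optional[float] = None) -> Any:
        """Return the value, or None if the token is tampered, unknown, expired,
        over its read budget, or presented from an IP other than the bound one."""
        now = time.time() if now is None else now
        key_id, _, tag = token.partition(".")
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag.encode(), self._tag(key_id).encode()):
            return None
        item = self._items.get(key_id)
        if item is None or now - item["issued"] > self._window_s:
            return None
        if item["ip"] is not None and item["ip"] != ip:
            return None
        if item["reads"] >= self._max_reads:
            return None
        item["reads"] += 1
        return item["value"]
```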
  2. Looks great - thank you for putting this together. Looking forward to reading through these.
  3. Thanks for the link @pwired
  4. Folks, Pete and I have a solution for the most commonly encountered password reset/login feature requests encountered across various large-scale membership sites we've worked on, including feedback from a site with ~40k users. We are polishing it up at the moment and will announce more in the next couple of days.
  5. @ryan Now I'm worried that you have some kind of psychic x-men power or something! Seriously though, that's great news and shows I should actually read the code for the new version of the function before I type up a reply here.
  6. @ryan looks like a nice set of improvements, thank you. With regard to the new location() method, I can understand the move away from the second parameter in the existing redirect() call as it is a little confusing. Although this isn't in the spirit of the move to simplify, if I wanted to do a 303 redirect would I have to manually set the location header using sendHeader() and then return a 303 via sendStatusHeader()? I wonder if the existing redirect() call could be changed to accept either the existing bool or an int for the second parameter? In the case of an int, maybe one of the 300 (301/302/303/307/308) codes could explicitly be passed and used as the return code. That would certainly make its use more explicit and more intuitive than the existing none/true/false as the second parameter. Regardless, excellent work as usual.
  7. I'm sure this should be pretty easy on PW - but is it possible to delete a user when they logout? Essentially, I have a bunch of ephemeral users I use for testing, once I log out as that user, I want them to disappear from PW. I've tried hooking before/after Session::logoutSuccess, and also just processing the ?logout=1 directly in a template file. Not feeling particularly bright at the moment.
  8. Hi @Markus (Blue Tomato) Don't know, but here are a few things to get started on. Is production running the same version of PW or one prior to that commit? Does production connect to MySQL on localhost or via a second IP address? Ditto for your dev box. If dev box is connecting to MySQL using "localhost" in your config.php file DB settings, try switching it to "127.0.0.1". Any errors/exceptions in the PW log files or web server log files on your dev box?
  9. As an option maybe?
  10. Going to package and release as a Textformatter in the modules directory @bernhard or @JoshoB?
  11. Interesting video from MinutePhysics on Youtube. And here's the website for the log-log graph.
  12. Just to confirm, the folks at Folding@Home are using the cluster to search for drugs that might be of use in preventing SARS-CoV2 from initiating infection. So by donating your CPU compute resources you will immediately be helping in research that could save a lot of lives. You can read more about their current efforts here. If you have GPU power that is idle some of the time, you can also have Folding@Home work packets run on that, though I think the SARS-CoV2 research is currently only running on CPUs. There's still plenty for GPUs to work on though. More about the project on Wikipedia.
  13. Hello All, In the middle of this pandemic, I came across a citizen-science site that I think we should all consider helping out. It's called folding@home and aims to produce the largest distributed medical research computer cluster in the world, in order to solve protein folding problems, that should help develop treatments (or cures) for multiple medical conditions we all face. If you, or your company, have any spare internet connected resources, please consider joining the cluster - it's fairly easy to set up the client and connect. I'm running this on my linux laptop and hope to keep doing so. It's quite CPU intensive so you get to choose the level of resource usage it can have. For example, to control my CPU temperature, I've limited it to just a single thread on an i7. Please support if you can.
  14. The best educational videos on covid-19 I have yet seen:
  15. You are right; whilst it is possible to get a vhost/.htaccess-based A+ on security headers while keeping the admin interface fully operational, it is a pain and leaves the apache config files in a bit of a mess. Getting the admin interface sorted in the vhosts file prompted this post over in dev-talk that might also help someone out if they go down that route. What you've posted seems to be a fairly nice approach to the issue - thanks!
  16. Sounds like your test_image field is configured to return an array of results - hence access via the first accessor fixing things for you.
  17. Thanks, try the latest version.
  18. Just a heads up, I hope this might save someone some time in the future.

      TL;DR: It's taken me hours to work out that Apache version 2.4 <If> statements are broken when trying to do regular expression matches against the %REQUEST_URI variable. Try matching against the variable called %THE_REQUEST instead - but be careful with your regex.

      Background: I've been trying to add more relaxed CSP headers for the admin portion of one of my PW sites because my default, strict, CSP headers stop some admin features from working properly. After diving in to Apache2 regexes and conditionals, I thought I had the answer with this...

          <If "%{REQUEST_URI} !~ m#^/admin/?#i">
              # CSP headers for external visitors.
              Header set Content-Security-Policy "<strict policy for public site>"
          </If>
          <Else>
              # CSP headers for admin visitors.
              Header set Content-Security-Policy "<lax policy for admin>"
          </Else>

      ...but I couldn't make it work. After experimenting for several hours I found that the regex shown above does work if you limit it to a single-character match; which is essentially useless for determining if we are in the admin interface. However, you can achieve a useful match with the following...

          <If "%{THE_REQUEST} !~ m# /admin/?#i">
              ...
          </If>
          <Else>
              ...
          </Else>

      ...which checks against the entire HTTP request line made to the server. This block can go in your vhosts file or in the site's .htaccess file.

      Here's the Apache documentation: https://httpd.apache.org/docs/current/expr.html and it seems I'm not alone in having this issue: https://serverfault.com/questions/940953/apache-if-statement-not-working?noredirect=1&lq=1 although neither of these links had workable solutions for me.
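An added example (not part of the post above) of why the "be careful with your regex" warning matters: the post's loose pattern ` /admin/?` matches any request line containing ` /admin`, so sibling paths such as `/admin-tools/` would also receive the lax admin CSP. Python's `re` stands in for Apache's PCRE here; the tightened pattern, the sample request lines and the function names are my assumptions.

```python
import re

# Loose pattern taken from the post: " /admin" anywhere in the request line,
# so "/admin-tools/" and "/administrator/" are also classed as admin traffic.
LOOSE_ADMIN = re.compile(r" /admin/?", re.IGNORECASE)

# Tightened pattern (an assumption, not from the post): anchored to the method
# and requiring "/admin" to be followed by "/", "?" or the space before "HTTP/".
STRICT_ADMIN = re.compile(r"^[A-Z]+ /admin(?:/|\?|\s)", re.IGNORECASE)

def csp_for(request_line: str, pattern=STRICT_ADMIN) -> str:
    """Mirror the <If>/<Else> logic: the lax policy only for admin requests."""
    return "lax-admin" if pattern.search(request_line) else "strict-public"

# Constructed request lines in the form Apache exposes via %{THE_REQUEST}.
SAMPLE_REQUESTS = [
    "GET /admin/ HTTP/1.1",
    "GET /admin HTTP/1.1",
    "POST /admin/page/edit/?id=1 HTTP/1.1",
    "GET /admin-tools/ HTTP/1.1",
    "GET /administrator/index.php HTTP/1.1",
    "GET /blog/admin-tips/ HTTP/1.1",
    "GET /?next=/admin/ HTTP/1.1",
]

def disagreements(requests=SAMPLE_REQUESTS):
    """Return the request lines the loose and strict patterns classify differently."""
    return [r for r in requests
            if csp_for(r, LOOSE_ADMIN) != csp_for(r, STRICT_ADMIN)]
```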
  19. @jajaja With both Digital Ocean and Contabo you get a bare VPS that you have to set up and manage yourself - both of these VPS offerings are capable of running Processwire if you are capable of administering the VPS. Costs are comparable between the two services (I've used both), but Digital Ocean has a much better administration interface, whilst Contabo offer a much better spec of VPS server for about the same price. Feel free to get in contact via Private Message here on the forums if you want any more details. If you are not used to administering your own VPS, then there are managed solutions that might work better for you - but they will cost more. HTH
  20. Hi @Ilyas I'm kind of curious as to your use case for this request. Could you explain a bit more about the reason for wanting to password-protect the login page? Is this something that could be achieved another way - for example by moving the admin login to a less well known location?
  21. @entschleunigung and/or @Vivian Please create an issue on the processwire-issues repository on Github for this, as it needs to be looked at. @entschleunigung If you don't have a github account, just sign up for a free account, then follow the numbered steps on this page to add the issue to the issues repository. Thank you for your co-operation!
  22. Hmm, this reminds me of something from Jeff Starr over at Perishable Press. His stuff usually works very well. Perhaps you made some other inadvertent edit to the htaccess file? Did you do a graceful reload on Apache when you made the edits? If you do find the error to be somewhere else, and do decide to add the track/trace protection, you might want to make it case insensitive and add some other verbs in there too. Something like this...

          RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
          RewriteRule .* - [F]

      Which is just a snippet from Jeff's 6G Firewall. Or just use his entire script at the top of your htaccess file. There's also the beta version of his 7G Firewall available which I am using on a couple of sites.
  23. Just noticed this post on the issues-repo that might happen to fix the above as it contains a space -> "+" mapping. Untested, might be worth a shot.
  24. @Robin S That looks like a better fit for this scenario.
  25. Try posting the same URL but with the '%20's replaced with a '+'. Have you - or the hoster - added any rules to the htaccess file, or enabled any security modules?