nikosdion - 29 Mar 2022

Steps to reproduce the issue

  • Install Joomla 4.1.0

  • Create a secondary user, let's call it joomlalala

  • Log into the site with joomlalala

  • Edit your user profile and set up WebAuthn

  • Log out of the site

  • Log into the backend of the site with your primary Super User account

  • Update to Joomla 4.1.1

  • Go to the frontend of the site

  • Log into the site with joomlalala using WebAuthn

  • Log out of the site

  • Try to log back into the site with user joomlalala using a password

Expected result

You are logged into the site

Actual result

You are NOT logged into the site

System information (as much as possible)

Completely irrelevant.

Additional comments

You are blindly setting the user's authProvider field to whatever the login method's type is, without checking if it corresponds to an existing plugin in the authentication group or is a placeholder, like what's CORRECTLY used by WebAuthn to differentiate passwordless from password logins.

You are then using that to lock the user to that non-existent authentication plugin, which means that the user can no longer log in. They can only log in with WebAuthn. If the site operator edits the database and disables the WebAuthn plugin (or simply deletes the plugins/system/webauthn folder in a desperate attempt to figure out what the hell is going on) they are LOCKED. OUT. OF. THEIR. SITE.

The same thing happens if the user is first logged into the site after the upgrade with the Remember Me (cookie authentication) plugin. In this case it's even worse because you are now completely locked out of the site. If you are the sole Super User, congratulations, you are completely dead in the water.

I will open a separate issue for Joomla 3.
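A minimal model of the lock-in this report describes, added here as an illustration; it is not part of the issue and not Joomla's code. The plugin names, the enabled/disabled flags and the `passwordless` marker assumed to be reported by the WebAuthn login are constructed values.

```python
# Added example (not Joomla's code): a model of pinning a user to the
# reported login type, in the flawed form and a validated form.
from dataclasses import dataclass

# Constructed: plugins in the 'authentication' group and whether each is enabled.
AUTH_PLUGINS = {"joomla": True, "ldap": False}


@dataclass
class User:
    username: str
    auth_provider: str = ""  # empty means "not pinned to any plugin"


def flawed_record(user: User, login_type: str) -> None:
    """Behaviour as reported: store whatever type the login method sends,
    even a marker that names no authentication plugin."""
    user.auth_provider = login_type


def hardened_record(user: User, login_type: str) -> None:
    """Pin the user only to a real, enabled authentication plugin.
    A marker such as 'passwordless' (constructed) leaves the field untouched."""
    if AUTH_PLUGINS.get(login_type, False):
        user.auth_provider = login_type


def password_login_allowed(user: User, plugin: str) -> bool:
    """Gate for the password login path, which runs through an authentication
    plugin: the plugin must exist and be enabled, and the user must not be
    pinned to a different provider."""
    if not AUTH_PLUGINS.get(plugin, False):
        return False
    return user.auth_provider in ("", plugin)


def reproduce(record) -> bool:
    """Replay the report's steps: a WebAuthn login first, then a password
    login through the core 'joomla' plugin. Returns True if the latter succeeds."""
    user = User("joomlalala")
    record(user, "passwordless")  # WebAuthn login reports its (constructed) marker
    return password_login_allowed(user, "joomla")


if __name__ == "__main__":
    print("flawed:", reproduce(flawed_record))      # False: user is locked out
    print("hardened:", reproduce(hardened_record))  # True: password login still works
```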

nikosdion - open - 29 Mar 2022
joomla-cms-bot - change - 29 Mar 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 29 Mar 2022
SniperSister - comment - 29 Mar 2022

Confirmed, see #37415

richard67 - close - 29 Mar 2022
richard67 - comment - 29 Mar 2022

Closing as having a pull request. Please test #37415 . Thanks in advance.

richard67 - change - 29 Mar 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-03-29 21:07:44
Closed_By: richard67
nikosdion - comment - 29 Mar 2022

I disagree that anything is fixed by that PR. You guys have broken Joomla in a fundamental way.

richard67 - comment - 29 Mar 2022

The PR fixes the issue reported here and does not claim to fix others.

brianteeman - comment - 29 Mar 2022

which is about as useful as a chocolate teapot
