Labels: No Code Attached Yet, Information Required
hennysmafter
5 Jun 2023

Steps to reproduce the issue

Install latest Joomla 4
Create an edit profile link with default Joomla template or any third party template
Create a test user or use your superuser credentials
Go to frontend and login
Go to the user profile page and click edit
Now add a verification code under Multi-factor Authentication Method

Expected result

To be greeted with the text 'Add a Multi-factor Authentication Method' right under the Cassiopeia header

Actual result

[Screenshot: actual result]
This is the error that is visible for everyone to see, and it is outputting information that should stay on the server.

System information (as much as possible)

Database Type: mysql
Database Version: 8.0.32
Database Collation: utf8mb4_0900_ai_ci
Database Connection Collation: utf8mb4_0900_ai_ci
Database Connection Encryption: None
Database Server Supports Connection Encryption: Yes
PHP Version: 8.1.16
Web Server: Apache
WebServer to PHP Interface: fpm-fcgi
Joomla! Version: Joomla! 4.3.2 Stable [ Bora ] 30-May-2023 16:00 GMT
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Upload Max Filesize: 256M
Post Max Size: 256M
Memory Limit: 256M
Open basedir: None
Display Errors: On
Short Open Tags: On
File Uploads: On
Output Buffering: Off
Session Save Path: MODIFIED/ea-php81
Session Auto Start: 0
XML Enabled: Yes
Zlib Enabled: Yes
Native ZIP Enabled: Yes
Disabled Functions: exec,passthru,shell_exec,system
Fileinfo Available: Yes
Multibyte String (mbstring) Enabled: Yes
GD Available: Yes
iconv Available: Yes
intl Available: Yes
Maximum Input Variables: 1000

Additional comments

Here are some more pictures from the developer tools.
[Screenshot]
I tried disabling Email Cloaking by disabling the Email Cloaking plugin and still the email is being cloaked. I hoped that by disabling this, it would give me some more information.

This could very well be a bug in how the joomla-script-options script container is created and not in the authentication plugin, but that is not my expertise.

[Screenshot]
When you follow the link that the developer tools give, you end up at the same code as in the previous image (with the email cloaking).

[Screenshot]
When looking at:
ROOT\plugins\multifactorauth\totp\src\Extension\Totp.php - onUserMultifactorGetSetup line 203
it creates this part ?secret=%s and just before that it breaks. You can see this ?secret= part in the very first image of this post.

Does anyone know why this is happening and, even better, how to solve it? I marked this as urgent since it is for me an urgent item that needs to get solved.

richard67 - comment - 8 Jun 2023

@hennysmafter Thanks for reporting the issue. However, I can't reproduce it on a current 4.3-dev, and since the last release 4.3.2 no relevant change has been made. When I proceed as described, I don't get that invalid JSON. In the head I don't get a script with class "joomla-script-options new", I get one with class "joomla-script-options loaded", and that has the "user@domain" part not cloaked. The email cloaking content plugin was enabled during my test.

[Screenshot]

So either the issue depends on particular settings in the environment, or it is caused by some browser extension.

I will check whether I can reproduce it with the PHP configuration option "Short Open Tags" switched on, like in your environment. Currently I have it off, which is the recommended value for using Joomla if I remember right.

Update: No difference with "Short Open Tags" switched on. I still can't reproduce it.
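
A way to check a saved copy of the rendered page for the symptom discussed in this thread (invalid JSON inside a "joomla-script-options" script container). This is an added example, not part of the thread and not Joomla or extension code; the sample HTML, the key name "example.totp.qr" and all values are constructed placeholders, and two blocks are shown only for contrast.

```javascript
// Added example, not Joomla or extension code. SAMPLE_HTML is constructed:
// the key "example.totp.qr" and all values are placeholders.
const SAMPLE_HTML = `
<head>
<script type="application/json" class="joomla-script-options loaded">
{"example.totp.qr":"otpauth://totp/user@example.org?secret=PLACEHOLDER"}
</script>
<script type="application/json" class="joomla-script-options new">
{"example.totp.qr":"otpauth://totp/<span class="cloak">user</span>?secret=PLACEHOLDER"}
</script>
</head>`;

// Matches <script ... class="... joomla-script-options ..."> ... </script>
const BLOCK_RE =
  /<script\b[^>]*\bclass="([^"]*\bjoomla-script-options\b[^"]*)"[^>]*>([\s\S]*?)<\/script>/gi;

// Parse every script-options container and report whether its body is valid JSON.
function checkScriptOptions(html) {
  const results = [];
  for (const m of html.matchAll(BLOCK_RE)) {
    const entry = {
      classes: m[1].trim().split(/\s+/),
      valid: true,
      error: null,
      hasMarkup: false,
    };
    const body = m[2].trim();
    try {
      JSON.parse(body);
    } catch (err) {
      entry.valid = false;
      entry.error = err.message;
      // An HTML tag with a quoted attribute inside the JSON text suggests
      // that something rewrote the output after the container was built.
      entry.hasMarkup = /<[a-z][^>]*="/i.test(body);
    }
    results.push(entry);
  }
  return results;
}

// Convenience filter: only the containers that failed to parse.
function brokenBlocks(html) {
  return checkScriptOptions(html).filter((r) => !r.valid);
}

for (const r of checkScriptOptions(SAMPLE_HTML)) {
  console.log(r.classes.join(" "), r.valid ? "OK" : `INVALID: ${r.error}`);
}
```

Running it with system plugins disabled one at a time, as was done later in this thread, shows which one changes the result.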

richard67 - comment - 8 Jun 2023

@hennysmafter P.S.: The error message in your screenshot shows something with "CONTINUESHOPPING_LABEL":"Continue shopping". That's definitely not Joomla core. Do you have any 3rd party extension installed?

hennysmafter - comment - 21 Jun 2023

@richard67

You are completely right!

Let me start with thanking you for taking the time to test it out, and I am glad that it is not a bug in Joomla, but apparently it is a bug in the Gridbox Pagebuilder from Balbooa.

When disabling their System Gridbox plugin, the error messages are gone and everything works. With it enabled, it no longer works.

We created a ticket and their initial response is that they do not support 'Multi Factor Authentication' which I find strange because they are selling their products for Joomla 4 and I believe that 'Multi Factor Authentication' is standard in Joomla 4. Can this be confirmed please?

Is it possible to disable a specific plugin only on one page? Without making modifications in the code base of the plugin?

richard67 - comment - 21 Jun 2023

> We created a ticket and their initial response is that they do not support 'Multi Factor Authentication' which I find strange because they are selling their products for Joomla 4 and I believe that 'Multi Factor Authentication' is standard in Joomla 4. Can this be confirmed please?

Multi Factor Authentication was implemented with Joomla 4.2.0. Before 4.2.0 we had 2 Factor Authentication.

So their claim to support Joomla 4 initially was right for 4.0 and 4.1. Meanwhile we have 4.3, so regarding that particular point the claim fails. But I am sure their support will help and they will fix that.

> Is it possible to disable a specific plugin only on one page? Without making modifications in the code base of the plugin?

As far as I know: no.

richard67 - comment - 21 Jun 2023

Closing as not an issue of the CMS core. Thanks for reporting back.

richard67 - change - 21 Jun 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-06-21 20:30:07
Closed_By: richard67
hennysmafter - comment - 21 Jun 2023

@richard67

Thank you very much for your help! Have a great day.
