Bug #6666
closed
Two factor authentication with verify current password causes error
Description
If the user has two factor authentication enabled and verify current password is enabled for the password field, it causes the verification of the current password to always fail since the secret key is missing, but we need to make sure the password is correct. See if there's a way to skip authentication plugins for this case, or maybe the wrong API is being used.
Updated by krileon over 7 years ago
Looks like in verifyPassword two step is already being disabled. Maybe this usage was changed in Joomla?
Updated by krileon over 7 years ago
Confirmed using Joomla's Google authentication plugin.
Notice: Undefined index: secretkey in D:\wamp64\www\dev\plugins\authentication\joomla\joomla.php on line 193
Notice: Undefined index: securitycode in D:\wamp64\www\dev\plugins\twofactorauth\totp\totp.php on line 195
Notice: Undefined index: securitycode in D:\wamp64\www\dev\plugins\twofactorauth\totp\totp.php on line 206
Notice: Undefined index: securitycode in D:\wamp64\www\dev\plugins\twofactorauth\totp\totp.php on line 217
All of the above notices are thrown when this happens.
Updated by krileon over 7 years ago
Joomla 3.2+ has a JUserHelper::verifyPassword function to verify the password. Replace the current authentication call usage with it.
Updated by krileon over 7 years ago
The secretkey notice is fixed by changing to the new API. The 3 securitycode notices appear to be a bug in Joomla itself. Joomla profile save also throws them if you interrupt the redirect. It's due to the securitycode input no longer being output since the authenticator has already been saved. We can probably work around it in CB's saving of authenticator settings by skipping the save process if no secret key is in the postdata.
Updated by krileon over 7 years ago
- Status changed from Assigned to Resolved
- % Done changed from 0 to 100
Fixed in MR !1266
Updated by krileon over 7 years ago
- Target version changed from CB 2.2 to CB 2.1.3
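
The failure mode in this ticket, as an added example that is not Joomla or Community Builder code: a login-style check that also demands the second factor rejects a correct password when the form posts no `secretkey`, while a hash-only comparison accepts it. All function names and the user record are hypothetical, and PHP's built-in `password_verify` stands in for the hash check.

```php
<?php
// Constructed illustration. Function names and the user record are
// hypothetical; this is not Joomla or Community Builder code.

// Constructed user record: bcrypt hash plus an enabled TOTP second factor.
function demoUser(): array
{
    return [
        'username' => 'alice',
        'hash'     => password_hash('correct horse', PASSWORD_BCRYPT),
        'totp'     => true,
    ];
}

// Stand-in for TOTP validation; accepts one fixed code for this demo only.
function verifyTotp(string $code): bool
{
    return hash_equals('123456', $code);
}

// Login-style check: the password AND the second factor must both pass.
// A profile form that only asks for the current password never posts
// 'secretkey', so this path fails even when the password is right.
function loginStyleCheck(array $user, array $post): bool
{
    if (!password_verify($post['password'] ?? '', $user['hash'])) {
        return false;
    }
    if ($user['totp']) {
        $code = $post['secretkey'] ?? '';   // absent on the profile form
        return $code !== '' && verifyTotp($code);
    }
    return true;
}

// Password-only check: compares the submitted password with the stored hash
// and never consults the second factor.
function passwordOnlyCheck(array $user, string $password): bool
{
    return password_verify($password, $user['hash']);
}

$user = demoUser();
$post = ['password' => 'correct horse'];   // constructed profile-form POST

echo 'login-style, correct password, no code: ';
var_dump(loginStyleCheck($user, $post));
echo 'password-only, correct password: ';
var_dump(passwordOnlyCheck($user, $post['password']));
echo 'password-only, wrong password: ';
var_dump(passwordOnlyCheck($user, 'wrong'));
```

Because the password-only path skips the second factor, it fits re-confirming a password inside a session that has already passed full login, not the login itself.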