Using TwoFactorX for 2FA on the front end

dejaya · May 29, 2024, 1:22pm

Hi folks,

I’ve installed TwoFactorX [forked from GoogleAuthenticatorX by @jako] on a few sites and it largely works well to help secure the Manager.

There are now docs describing how to deploy this to front end users using the Login extra.

As per the docs, I’ve altered my Login call:

[[!login? &preHooks=`TwoFactorXLogin`]]

and added the following field to the login form tpl:

<input type="text" name="code" />

However, although the code field appears - in all cases I can log in without specifying the auth code - just supplying the user & password. Even supplying an incorrect code gets me logged in.

TwoFactorX is enabled and works as expected on the Manager login page. I’ve tested this on two different sites.

I’d love to get this working - any help much appreciated.

MODX 3.0.5-pl
TwoFactorX 1.0.5-pl
Login 1.9.13-pl

halftrainedharry · May 30, 2024, 6:45am

I couldn’t reproduce any general problem with the “TwoFactorXLogin” pre-hook.

This implies that either the snippet never gets executed or that the user settings are wrong.

Try adding some log messages to the snippet code to ‘debug’ the issue.

For example, add
$this->modx->log(\modX::LOG_LEVEL_ERROR, 'TwoFactorXLogin | $settings = ' . print_r($settings, 1));
before this line in the code, to log the user settings.

github.com

Jako/TwoFactorX/blob/8ad9dc3b6f28fe25e30138e5478d70c5227b99d9/core/components/twofactorx/src/Snippets/LoginHook.php#L50


      
          
          if ($values['service'] != 'login') {
              return true;
          }
          if (empty($username)) {
              return false;
          }
          $this->twofactorx->loadUserByName($username);
          
          $settings = $this->twofactorx->getDecryptedSettings();
          if (!$settings['totp_disabled'] && $settings['inonetime'] == 'yes') {
              if (empty($code)) {
                  $errorMsg = $this->modx->lexicon('twofactorx.enterkey');
                  $this->hook->addError('code', $errorMsg);
              }
          
              if (!$this->twofactorx->userCodeMatch($code)) {
                  $this->hook->addError('user', $this->getProperty('errorMsg'));
              }
          }

Then check the MODX error log.

dejaya · May 30, 2024, 8:18am

Hi @halftrainedharry and thanks …

These errors are generated when the login form is loaded:

[2024-05-30 08:16:58] (ERROR @ /home/xxx/yyy/core/components/twofactorx/src/Snippets/LoginHook.php : 38) PHP warning: Undefined array key "username"
[2024-05-30 08:16:58] (ERROR @ /home/xxx/yyy/core/components/twofactorx/src/Snippets/LoginHook.php : 39) PHP warning: Undefined array key "code"
[2024-05-30 08:16:58] (ERROR @ /home/xxx/yyy/core/components/twofactorx/src/Snippets/LoginHook.php : 41) PHP warning: Undefined array key "service"

dejaya · May 30, 2024, 8:26am

Apologies - I didn’t spot the user output:

[2024-05-30 08:24:18] (ERROR @ /home/xxx/yyy/core/components/twofactorx/src/Snippets/LoginHook.php : 50) TwoFactorXLogin | $settings = Array
(
    [inonetime] => 
    [secret] => 3WIF0PWGQ5ECTM6A
    [uri] => otpauth://totp/username?secret=3WIF0PWGQ5ECTM6A&issuer=MODX+Test+Site
    [iv] => aAgJROH9/2iLF5R3SqQBmA==
    [totp_disabled] => 
)

I’ve changed some of these values for security.

halftrainedharry · May 30, 2024, 8:31am

The snippet only checks the code for this user if the value of “inonetime” is yes
→ $settings['inonetime'] == 'yes'.

github.com

Jako/TwoFactorX/blob/8ad9dc3b6f28fe25e30138e5478d70c5227b99d9/core/components/twofactorx/src/Snippets/LoginHook.php#L50


      
          
          if ($values['service'] != 'login') {
              return true;
          }
          if (empty($username)) {
              return false;
          }
          $this->twofactorx->loadUserByName($username);
          
          $settings = $this->twofactorx->getDecryptedSettings();
          if (!$settings['totp_disabled'] && $settings['inonetime'] == 'yes') {
              if (empty($code)) {
                  $errorMsg = $this->modx->lexicon('twofactorx.enterkey');
                  $this->hook->addError('code', $errorMsg);
              }
          
              if (!$this->twofactorx->userCodeMatch($code)) {
                  $this->hook->addError('user', $this->getProperty('errorMsg'));
              }
          }

dejaya · May 30, 2024, 8:37am

Hmm …

What does that variable actually relate to in the Manager?

Current settings for TwoFactorX:

halftrainedharry · May 30, 2024, 8:55am

I believe it’s the system setting twofactorx.enable_onetime.

There is also a user setting (“Manage” → “Users” → edit the user (you use for the login) → tab “Extended Fields” → “twofactorx” → “inonetime”). But this value is encrypted.

I don’t completely understand how these two settings interact. I’m not familiar with the code of this extra.

dejaya · May 30, 2024, 9:04am

OK thanks Harry.

Did the front-end login 2FA work out of the box for you?

halftrainedharry · May 30, 2024, 9:12am

In the user management there is also a tab “TwoFactorX”.
Maybe try one of the buttons there (for the user in question), for example “Reset Secret”, to see if that fixes the value for inonetime.

dejaya · May 30, 2024, 9:39am

In each user’s Extended Fields tab, there is no mention of inonetime under twofactorx.

I tried resetting the Secret and disabling / enabling TwoFactorX for a user but there’s still no sign of the inonetime setting.

halftrainedharry · May 30, 2024, 9:49am

Do the other settings (secret, uri, iv) exist? Is it just the inonetime setting that’s missing?

If you delete the whole “twofactorx” container in the “Extended Fields”, and then reset the secret, are the settings recreated without the inonetime setting?

dejaya · May 30, 2024, 10:05am

Yes, they do, but interestingly there’s also one called incourtesy - which I think is the equivalent setting from GoogleAuthenticatorX - I did previously have that installed but it was uninstalled a while ago.

Anyway - let’s assume there’s some conflict going on there - and I’ll switch over to my other test site - which also has TwoFactorX but has never had GAX installed.

It does, however, suffer from the same issue.

Looking at the User’s Extended Fields, I can see that inonetime is present as it should be:

With your error logging addition to the snippet - when we log in:

[2024-05-30 09:53:14] (ERROR @ /home/xxx/yyy/core/components/twofactorx/src/Snippets/LoginHook.php : 50) TwoFactorXLogin | $settings = Array
(
    [inonetime] => no
    [secret] => BBP3FD44MIEJAEEW
    [uri] => otpauth://totp/username?secret=BBP3FD44MIEJAEEW&issuer=MODX+3+Test
    [iv] => RbDR4pLiMw1o4DWhQBiuRg==
    [totp_disabled] => 
)

The thing is - as I understand it - inonetime allows the user to log in once without requiring an auth code. Presumably inonetime would be set to no once the user has logged in once.

So if it was set to yes I’d expect the user to be allowed to log in without 2FA.

In this case, it’s set to no and still we can log in without 2FA

halftrainedharry · May 30, 2024, 10:29am

Yes, I guess there’s a logic error in the snippet code.

dejaya · May 30, 2024, 10:44am

Switching the line:

if (!$settings['totp_disabled'] && $settings['inonetime'] == 'yes') {

to:

if (!$settings['totp_disabled'] && $settings['inonetime'] == 'no') {

… appears to result in the expected behaviour. Hard to tell if it’s the right way to fix it or not.

I’ll update the issue on Github.

Thanks for your help, Harry

halftrainedharry · May 30, 2024, 10:57am

As the inonetime setting only seems to be relevant for manager access and not for front-end access, the value of this setting probably shouldn’t be checked at all:

if (!$settings['totp_disabled']) {

system · June 1, 2024, 10:58am

This topic was automatically closed 2 days after discussion ended and a solution was marked. New replies are no longer allowed. You can open a new topic by clicking the link icon below the original post or solution and selecting “+ New Topic”.