Solved: 4 Months, 1 Week, 5 Days ago 2fa - authorization code mismatch.
#1
I am using this plugin to add 2fa on my forum for users:
https://community.mybb.com/mods.php?action=view&pid=941

If a user has 2fa enabled, it will redirect them to a new page after filling in the username and password, where it will require the 2fa code.
If they add the code correctly they will log in successfully, but if they leave that page without trying to add the 2fa code and try to log in again, the following error will appear:
authorization code mismatch. are you accessing this function correctly? please go back and try again.
I have checked these threads and they didn't help me:
https://community.mybb.com/thread-126359.html
https://community.mybb.com/thread-218862.html

Forum link: https://reusers.to/
Username: account1
Password: reusers.to
I have created a test account that has 2fa enabled.
Try to log in. When the 2fa page appears, don't type anything and go to the home page.
Then try to log in again and you will see the error.
That error appears if you add the 2fa code wrong or if you don't type anything and leave that page.
Reply
#2
Yes, this is most probably because of the code for the global_start hook:
function mybb2fa_check_block()
{
	global $session, $mybb, $db;

	$query = $db->simple_select("sessions", "mybb2fa_block", "sid='".$db->escape_string($mybb->cookies['sid'])."'");
	$block = $db->fetch_field($query, "mybb2fa_block");

	if($block == 1)
	{
	    $session->load_guest();
	}
}

The global_start hook runs after setting $mybb->post_code as you can see in the following link:
https://github.com/mybb/mybb/blob/8b22ad...al.php#L55

Try to replace the first block I posted above with the following:
function mybb2fa_check_block()
{
	global $session, $mybb, $db;

	$query = $db->simple_select("sessions", "mybb2fa_block", "sid='".$db->escape_string($mybb->cookies['sid'])."'");
	$block = $db->fetch_field($query, "mybb2fa_block");

	if($block == 1)
	{
	    $session->load_guest();
	    $mybb->post_code = generate_post_check();
	}
}

Also, you could be interested in the Alpha release for testing purposes of the following plugin:
https://github.com/demtor/MyBB-2FA
Reply
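Added example, not part of the thread and not MyBB or plugin source: a simplified PHP model of the ordering problem described in the post above, where the form token is computed before the hook downgrades the session to guest. The function names, the HMAC token derivation, the assumption that verification recomputes the token for the current user, and the sample session row are all constructed for illustration.

```php
<?php
// Simplified model with hypothetical names; not MyBB or plugin code.
const SITE_KEY = 'constructed-site-key';

// Form token bound to whoever the request currently runs as (assumed derivation).
function post_check(array $user, string $sid): string
{
    return $user['uid'] > 0
        ? hash_hmac('sha256', 'u:' . $user['uid'] . ':' . $user['loginkey'], SITE_KEY)
        : hash_hmac('sha256', 'g:' . $sid, SITE_KEY);
}

// One page load: the token is computed first, then the hook may switch to guest.
function bootstrap(array $row, bool $patched): array
{
    $user = $row['user'];
    $postCode = post_check($user, $row['sid']);      // set before the hook runs
    if ($row['mybb2fa_block'] === 1) {               // hook body
        $user = ['uid' => 0, 'loginkey' => ''];      // stand-in for load_guest()
        if ($patched) {
            $postCode = post_check($user, $row['sid']); // regenerate for the guest
        }
    }
    return ['user' => $user, 'post_code' => $postCode];
}

// Render the login form on one request, submit it on the next one.
function login_form_accepted(array $row, bool $patched): bool
{
    $render = bootstrap($row, $patched);
    $submitted = $render['post_code'];               // hidden field in the form
    $submit = bootstrap($row, $patched);
    // Verification recomputes the token for the user the request ends up as.
    $expected = post_check($submit['user'], $row['sid']);
    return hash_equals($expected, $submitted);
}

// Constructed session row: password accepted, 2FA code still pending.
$pending = [
    'sid' => 'constructed-sid',
    'mybb2fa_block' => 1,
    'user' => ['uid' => 7, 'loginkey' => 'constructed-loginkey'],
];

var_dump(login_form_accepted($pending, false)); // hook as originally posted
var_dump(login_form_accepted($pending, true));  // hook that regenerates post_code
```

In the model, the unpatched hook leaves the form carrying a member-bound token that is checked against a guest-bound one, which is the mismatch; the patched hook makes both sides agree.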
#3
(2021-02-25, 09:10 PM)Omar G. Wrote: Yes, this is most probably because of the code for the global_start hook:
function mybb2fa_check_block()
{
	global $session, $mybb, $db;

	$query = $db->simple_select("sessions", "mybb2fa_block", "sid='".$db->escape_string($mybb->cookies['sid'])."'");
	$block = $db->fetch_field($query, "mybb2fa_block");

	if($block == 1)
	{
	    $session->load_guest();
	}
}

The global_start hook runs after setting $mybb->post_code as you can see in the following link:
https://github.com/mybb/mybb/blob/8b22ad...al.php#L55

Try to replace the first block I posted above with the following:
function mybb2fa_check_block()
{
	global $session, $mybb, $db;

	$query = $db->simple_select("sessions", "mybb2fa_block", "sid='".$db->escape_string($mybb->cookies['sid'])."'");
	$block = $db->fetch_field($query, "mybb2fa_block");

	if($block == 1)
	{
	    $session->load_guest();
	    $mybb->post_code = generate_post_check();
	}
}

Also, you could be interested in the Alpha release for testing purposes of the following plugin:
https://github.com/demtor/MyBB-2FA

I will take a look at that plugin.
I changed that code and it fixed the error, but now if I go to the homepage without typing anything on the 2fa page and try to log in with another account, it says that I have logged in successfully but I haven't logged in.
Reply
#4
Yeah, I won't be sure; the plugin should log out the user if no 2FA was entered. The approach it currently uses is not optimal, nor does it seem to be working.

I have a plugin with a similar approach, but mine will always display the 2FA page until the user types a correct or incorrect code. If the code is incorrect then the user is logged out.
Reply
#5
(2021-02-25, 11:34 PM)Omar G. Wrote: I have a plugin with a similar approach, but mine will always display the 2FA page until the user types a correct or incorrect code. If the code is incorrect then the user is logged out.

Can you send me a link to test it?
Reply
#6
It is a PGP plugin; for a 2FA plugin, try the one I shared above.
Reply
#7
That plugin works fine for me. The same error happens, but it will happen only to users with duplicated accounts.
Another question I have about this plugin: what if someone deleted the 2fa code from his device? What will happen next?
Is there any other way to reset it by email, or could I reset it through phpmyadmin for specified users?
Reply
#8
You could reset anything you want if you have direct access to the DB. I don't think this plugin offers a way for account recovery.

Most services that I know don't offer such, unless you contact the site support somehow.
Reply
#9
I will just make an announcement: if someone lost his 2fa code, contact me.
Could you explain how to disable 2fa for a user through phpmyadmin?
Reply
#10
For the plugin you mentioned in your original post, simply empty the secret field in the users table.
Reply

