You are not authorized to access this page on remote only

Created on 2 May 2024, 11 months ago

Problem/Motivation

I have this problem where some users after login get a message shown: You are not authorized to access this page. The page they are redirected to is the verification page of this module.

Strange things are:
- When I create a user on my local environment there is no problem at all; when I create the same user on my remote environment the error is thrown.
- The message is also shown when the Administrator (user 1) is logging in.
- The permission is not denied for everybody; some users (with the same roles) are still able to visit the tfa verification page.
- The user has tfa set up, but when this message is shown they don't have to enter the authentication code; they are just logged in and can use the website like normal when clicking away from the tfa page.

What I tried/tested
- Local and remote site are the same and up to date
- They have the same config
- Cleared cache on remote
- Rebuilt permissions on remote
- I checked the log; it shows this error:

`Path: /tfa/1/rskW2ietyaNE48kTvDaRAx9Fh-Abl6669F_N6-QsEew?destination=/admin/content&check_logged_in=1. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: Invalid user. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 115 of /public_html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).`

Any experience with this type of permissions problem with this module?
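A way to sift a Drupal log export for this symptom, added here as an example and not part of the original issue or the TFA module: it parses watchdog-style lines in the format shown above, keeps only access-denied exceptions raised on the `/tfa/{uid}/{hash}` verification route, and groups them by user id so an administrator can see which accounts were bounced off the verification page. The sample log lines and the user ids in them are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the message format quoted in the issue: "Path: <path>. <ExceptionClass>: <message>. in <callable> (line N of <file>)."
LOG_RE = re.compile(
    r"Path: (?P<path>\S+)\. "
    r"(?P<exception>[A-Za-z\\]+): (?P<message>.*?) in (?P<callable>\S+) "
    r"\(line (?P<line>\d+) of (?P<file>[^)]+)\)\."
)

# The TFA verification route is /tfa/{uid}/{hash}; the hash is URL-safe base64.
TFA_PATH_RE = re.compile(r"^/tfa/(?P<uid>\d+)/[A-Za-z0-9_-]+")


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def is_tfa_access_denied(entry: dict) -> bool:
    """True when an access-denied exception was raised on the TFA verification route."""
    return (
        entry["exception"].endswith("AccessDeniedHttpException")
        and TFA_PATH_RE.match(entry["path"]) is not None
    )


def denied_tfa_users(lines):
    """Group access-denied hits on /tfa/{uid}/... by uid, with the exception messages seen."""
    by_uid = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_tfa_access_denied(entry):
            uid = TFA_PATH_RE.match(entry["path"]).group("uid")
            by_uid[uid].append(entry["message"].rstrip("."))
    return dict(by_uid)


# Constructed sample lines (hashes and uids are made up for the example).
SAMPLE_LOG = [
    "Path: /tfa/1/rskW2ietyaNE48kTvDaRAx9Fh-Abl6669F_N6-QsEew?destination=/admin/content&check_logged_in=1. "
    "Drupal\\Core\\Http\\Exception\\CacheableAccessDeniedHttpException: Invalid user. "
    "in Drupal\\Core\\Routing\\AccessAwareRouter->checkAccess() (line 115 of /public_html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    "Path: /tfa/42/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_AbCdE. "
    "Drupal\\Core\\Http\\Exception\\CacheableAccessDeniedHttpException: Invalid user. "
    "in Drupal\\Core\\Routing\\AccessAwareRouter->checkAccess() (line 115 of /public_html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    # A denied request on an unrelated path: must not be reported.
    "Path: /admin/config. "
    "Drupal\\Core\\Http\\Exception\\CacheableAccessDeniedHttpException: The 'administer site configuration' permission is required. "
    "in Drupal\\Core\\Routing\\AccessAwareRouter->checkAccess() (line 115 of /public_html/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).",
    "some unrelated log line that does not parse",
]

if __name__ == "__main__":
    for uid, messages in sorted(denied_tfa_users(SAMPLE_LOG).items()):
        print(f"uid {uid}: {len(messages)} denied TFA verification hit(s): {sorted(set(messages))}")
```

Accounts that appear in this report but still ended up with an active session are the ones worth checking by hand, since the issue describes exactly that combination (denied on the verification page, yet logged in).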

🐛 Bug report
Status

Active

Version

1.7

Component

User interface

Created by

🇳🇱Netherlands zebda


Comments & Activities

  • Issue created by @zebda
  • 🇺🇸United States greggles Denver, Colorado, USA
  • 🇺🇸United States cmlara

    At comment #2 this issue was moved to the security queue out of concern regarding “The user has tfa set-up but when this message is shown they don't have to enter the authentication code, they are just logged in”.

    Reminder to all TFA users that any issue that leads to TFA not being promoted when expected should initially be considered a security issue.

    In this case it was determined the site in question had the miniorange_2fa module installed. The error disappeared upon removal of the miniorange_2fa module.

    The scenario as described would make this a duplicate of 🐛 Installing contrib modules can lead to TFA accidently being bypassed (Fixed). The fix was not backported to 1.x as it was built using 2.x-only security design changes.

    The root cause of this fault remains as a reason for us to attempt to EOL 8.x-1.x branch as soon as reasonably possible.

  • 🇬🇧United Kingdom steven jones

    This should be moved to the miniorange_2fa issue queue, should it not?

  • 🇺🇸United States cmlara

    This issue is a bit of a convoluted problem.

    Personally I view this issue as having a root shared blame. TFA should have prevented the login from occurring on its own (we now have that fixed in the 2.x branch); Miniorange never should have been able to bypass us, and it isn’t a security failing on our side that they could. Equally, Miniorange should not have bypassed TFA’s login checks.

    More than anything I primarily have been leaving this open in our queue as a marker of a known fault in 8.x-1.x that can’t be fixed without the major architecture changes of 2.x.

    Miniorange (and other login modules) across the Drupal ecosystem need to be fixed up to work together, and it ultimately might require core embracing Facilitate 2FA+MultiFactor compatibility (2FA/two-factor -> MFA/multi-factor) (Active).

  • 🇵🇹Portugal jcnventura

    Indeed, core's user login should be a pluggable system, with core providing a simple plugin: password login. The password plug-in would take over the existing password flow (including password reset), but leave the ability to have other types of logins. The TFA login plug-in would then probably extend a good part of the password login, or clone it and modify it.
    This would leave open the door to other types of plugins like SSO and passkey where the concept of password (or TFA) does not exist on the Drupal side.

  • 🇵🇹Portugal jcnventura

    Weirdly enough, when searching the core issue queue for "passkey", I got zero results. Seems like Drupal is truly stuck in the early 2000s. I've created issue Support passkey and any other login flow that is more than username+password (Active) to attempt to finally do something about it.
