Tyler Loewen

About Tyler Loewen

  • Rank
    New Member

  1. Turns out it was a problem with a plugin in Auth0 and I've managed to fix it. Cheers!
  2. I'm redirected to this URL from my Auth0 login/authorization page:
     https://mysite.com/forums/login/?_processLogin=10&csrfKey=XXX&ref=XXX&error=access_denied&error_description={"errors":{"email":["has already been taken"]}}
     Rather than an Invision Community error page, I'm just shown the login page. Invision Community is not logging any errors.
  3. I'm trying to add a new OAuth2 login handler using Auth0. The first time I sign in using Auth0, it either creates a new account, or links connected accounts. This works fine. The problem I'm experiencing is when I try to sign in for a second time. Upon being redirected back to my Invision Community, I get an error message saying that the email has already been taken.
     "error": { "message": "{\"errors\":{\"email\":[\"has already been taken\"]}}", "oauthError": "access_denied", "type": "oauth-authorization" },
     For reference, we have two login methods act
    Bug: My site uses S3 to store most file uploads. When I upload a verification image, it uploads it to disk (it's set to upload to disk in the file management settings). The image properly displays in the user account settings panel. But in the moderator verification section, it has a broken link using one of our S3 bucket URLs. Setting the file management for verification to S3 resolves this issue.
    Suggestion: Ability to override the Font Awesome includes so that I can use my own, updated, pro version of Font Awesome. And the ability to not include it at all in the case of it already bein
  4. Being able to reset an account's 2FA via email allows for an exploit if a hacker is able to compromise the user's email address. If the user's email address is compromised, the hacker will be able to reset both the account's password and 2FA, thus having the ability to access the account. An available solution is to require contacting the administrator to reset the user's 2FA. But this requires an admin's time, plus a hacker could still social engineer the admin. Having 2FA backup codes would make the 2FA system less exploitable while not requiring an admin's time to reset the 2FA. I t
  5. 1. No, not with your plugin, but unless the one reset handling module is extended, the user gets automatically logged in upon clicking the password reset confirmation link (positive of this). I don't know the exact mechanism of your plugin, but I figured I'd ask just in case. Maybe your plugin does have protection against this. I haven't purchased it so I wouldn't know. Code run upon clicking a valid password reset link:
     /* Reset the failed logins storage - we don't need to save because the login handler will do that for us later */
     $member->failed_logins = array();
  6. Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems. Questions: When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing. Will you add the ability to create 16+ character backup codes in the case the user loses access to their authentication device? Is it possib