Tyler Loewen
Everything posted by Tyler Loewen

  1. Turns out it was a problem with a plugin in Auth0 and I've managed to fix it. Cheers!
  2. I'm redirected to this URL from my Auth0 login/authorization page: https://mysite.com/forums/login/?_processLogin=10&csrfKey=XXX&ref=XXX&error=access_denied&error_description={"errors":{"email":["has already been taken"]}} Rather than an Invision Community error page, I'm just shown the login page. Invision Community is not logging any errors.
  3. I'm trying to add a new OAuth2 login handler using Auth0. The first time I sign in using Auth0, it either creates a new account or links connected accounts. This works fine. The problem I'm experiencing is when I try to sign in for a second time. Upon being redirected back to my Invision Community, I get an error message saying that the email has already been taken.

```json
"error": {
    "message": "{\"errors\":{\"email\":[\"has already been taken\"]}}",
    "oauthError": "access_denied",
    "type": "oauth-authorization"
},
```

     For reference, we have two login methods active: Standard and Auth0. This error happens for both pre-existing and newly created accounts. How can I fix this so that users will be able to log in with their credentials from our Auth0 app?

     Bug: My site uses S3 to store most file uploads. When I upload a verification image, it uploads it to disk (it's set to upload to disk in the file management settings). The image properly displays in the user account settings panel. But in the moderator verification section, it has a broken link using one of our S3 bucket URLs. Setting the file management for verification to S3 resolves this issue.

     Suggestion: Ability to override the Font Awesome includes so that I can use my own, updated, pro version of Font Awesome. And the ability to not include it at all in the case of it already being included.

     Suggestion: Ability to define custom CSS for each icon from within the plugin settings. That way I can change its size, add animations, add shadows, add transitions, etc.

     Suggestion: Ability to choose whether the images are saved or deleted upon approval/disapproval. This would help organisations like mine combat [credit card] fraud.

     Suggestion: Ability to add different verification procedures. One procedure like the one that already exists. One for ID and utility bill verification (multiple uploads). One for credit card verification where companies like mine can match up pictures of users' credit cards with the information we have from Stripe or PayPal. Etc.

     Suggestion: Ability to add data to each successful verification, and this data can only be seen by members of chosen user groups. Like if my Discord handle were to be verified, a popup (or alt text) would show my verified Discord handle when a user were to hover over or click on the verified icon.

     These features would be very useful for my business and other organisations or enterprises. I'd imagine you'd be able to charge a lot more if this plugin had those features. I very much like the plugin so far! Thank you for considering my suggestions.
  4. Being able to reset an account's 2FA via email allows for an exploit if a hacker is able to compromise the user's email address. If the user's email address is compromised, the hacker will be able to reset both the account's password and 2FA thus having the ability to access the account. An available solution is to require contacting the administrator to reset the user's 2FA. But this requires an admin's time plus a hacker could still social engineer the admin. Having 2FA backup codes would make the 2FA system less exploitable while not requiring an admin's time to reset the 2FA. I think this solution would be beneficial to Invision Power's commercial users and high traffic web sites.
  5. 1. No, not with your plugin, but unless the one reset handling module is extended, the user gets automatically logged in upon clicking the password reset confirmation link (I'm positive of this). I don't know the exact mechanism of your plugin, but I figured I'd ask just in case. Maybe your plugin does have protection against this. I haven't purchased it so I wouldn't know. Code run upon clicking a valid password reset link:

```php
/* Reset the failed logins storage - we don't need to save because the login handler will do that for us later */
$member->failed_logins = array();

/* Now reset the member's password */
foreach ( \IPS\Login::handlers( TRUE ) as $handler )
{
    /* We cannot update our password in some login handlers, that's ok */
    try
    {
        $handler->changePassword( $member, $values['password'] );
    }
    catch( \BadMethodCallException $e ){}
}

/* Delete validating record and log in */
\IPS\Db::i()->delete( 'core_validating', array( 'member_id=? AND lost_pass=1', $member->member_id ) );

/* Log in and redirect */
\IPS\Session::i()->setMember( $member );
\IPS\Output::i()->redirect( \IPS\Http\Url::internal( '' ) );
```

     5. Yes, a successful brute-force via the login form may be extremely unlikely, but still as possible as, say, winning a large jackpot multiple times in a row. A dictionary attack could also be used. I can't remember if the flood check has a counter per IP address, or a global counter for failed logins. If the former, then a large botnet can be used to expedite this process. Nevertheless, if a hacker is able to test a password for an account to confirm that the password is correct, then as mentioned the hacker will be able to confirm the target's password. This can be dangerous because the target could then be susceptible to getting accounts at other sites compromised. Additionally, the attack surface area of IPBoard could be increased. Not too big of a concern as the possibility of this actually being exploited is slim to none, but I like to leave nothing open.

     It'd also be neat to have the UCP allow the user to have settings which require the OTP before allowing changes to the user's password or email.
  6. Are you re-formatting or replacing all characters which don't make up a valid URL? Using urlencode or a similar function might solve these problems. Questions: When resetting a password via email, visiting the reset link will automatically log in the user without the need for the user to enter any login credentials, potentially bypassing the 2FA prompt. Does this have protection against that? This is the issue gotoel was describing. Will you add the ability to create 16+ character backup codes in the case the user loses access to their authentication device? Is it possible to generate a new secret key granted the user enters a valid OTP? Is the secret key / QR code hidden after activating the 2FA? Is the prompt for the OTP asked for after successfully logging in with the correct username and password for the user? This is a security flaw as it allows hackers to guess or brute-force a user's password, even if the hacker won't be able to gain full control of the account because of the lack of having a valid OTP.
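Posts 4, 5 and 6 above ask for two things from a 2FA plugin: single-use backup codes of 16+ characters so a lost device does not need an admin or an e-mail reset, and a password-reset path that does not drop the user straight into a logged-in session past the OTP prompt. The block below is an added illustration of both, written for this page; it is not code from Invision Community or from any plugin discussed in the thread, and the `Member` class, the `"mfa_required"` session state and the hash-only storage are assumptions chosen for the example rather than IPS4 APIs.

```python
"""Single-use 2FA backup codes plus a password-reset step that does not
bypass the second factor. Added example, not IPS4 or plugin code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Alphabet without 0/O and 1/I/L so codes can be read back from paper.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"
CODE_LENGTH = 16   # 30^16 is roughly 2^78 of entropy per code
CODE_COUNT = 10


def _normalize(code: str) -> str:
    """Accept 'ABCD-EFGH-...' or lower-case input exactly as a user types it."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _digest(code: str) -> str:
    # Codes are high-entropy random strings, not passwords, so a plain SHA-256
    # is enough: a stolen hash table cannot be brute-forced offline.
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


@dataclass
class Member:
    """Assumed stand-in for a forum account (not the IPS4 member object)."""
    password_hash: str
    totp_enabled: bool = False
    backup_code_hashes: list = field(default_factory=list)  # unused codes only


def generate_backup_codes(member: Member, count: int = CODE_COUNT) -> list:
    """Return plaintext codes for one-time display; only hashes are stored.
    Regenerating replaces the whole set, invalidating every older code."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append("-".join(raw[i:i + 4] for i in range(0, CODE_LENGTH, 4)))
    member.backup_code_hashes = [_digest(c) for c in codes]
    return codes


def redeem_backup_code(member: Member, code: str) -> bool:
    """Constant-time match against every unused hash; a hit is consumed."""
    candidate = _digest(code)
    matched = None
    for index, stored in enumerate(member.backup_code_hashes):
        # Walk the whole list even after a hit so timing does not leak position.
        if hmac.compare_digest(candidate, stored) and matched is None:
            matched = index
    if matched is None:
        return False
    del member.backup_code_hashes[matched]   # single use
    return True


def finish_password_reset(member: Member, new_password_hash: str) -> str:
    """Counterpart to the auto-login reset handler quoted in post 5: the new
    password is applied, but an account with 2FA enabled is NOT logged in.
    It gets a half-authenticated state that still has to answer the OTP or
    redeem a backup code before setMember()-style login would be allowed."""
    member.password_hash = new_password_hash
    return "mfa_required" if member.totp_enabled else "logged_in"


if __name__ == "__main__":
    alice = Member(password_hash="<argon2 hash>", totp_enabled=True)
    shown_once = generate_backup_codes(alice)
    print("show to user once:", shown_once)
    print("reset with 2FA ->", finish_password_reset(alice, "<new hash>"))
    print("first use:", redeem_backup_code(alice, shown_once[0].lower()))
    print("replay:   ", redeem_backup_code(alice, shown_once[0]))
```

The reset function deliberately returns a state instead of establishing the session, which is the one-line difference from the quoted IPS4 handler: an attacker holding only the mailbox gets a new password but still faces the second factor, so the e-mail reset no longer doubles as a 2FA reset.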