Comments (6)

yrccondor avatar yrccondor commented on June 3, 2024

Sorry for the late response.
Could you please enable the logging option on the WP-WebAuthn settings page and paste the logs here?

from wp-webauthn.

Signum avatar Signum commented on June 3, 2024

Thanks for replying. I found out that I can indeed log in using an incognito browser session. It does not work in my normal browser session when I log out from WordPress.

Working incognito session:

  [2023-08-14 21:33:07][4f0923] ajax_auth: Start
  [2023-08-14 21:33:07][4f0923] ajax_auth: Empty username, try usernameless authentication
  [2023-08-14 21:33:07][4f0923] ajax_auth: Usernameless authentication, allowedCredentials => []
  [2023-08-14 21:33:07][4f0923] ajax_auth: user_verification => "false"
  [2023-08-14 21:33:07][4f0923] ajax_auth: Usernameless authentication, user_verification => "true"
  [2023-08-14 21:33:07][4f0923] ajax_auth: Challenge sent
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Client response received
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: type => "auth"
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Usernameless authentication, try to find user by credential_id => "owBYi+hRXyAXoptWzUnrX1dkZDqfrC6c+zbBh24lgI+zamBLkrhQaiZ+PWtRBboNKhPL/98vpnaoJEsgsM/hVlWkAELtTfjSoCljK70h1EVc9TUDFF6rHVYECvCdbp32rv8ROEyPombJfIJbvPZAvLD+Qg2mPSi9v4mzSacyM8JmPlxVF6F0q1Zmv9zisKEBTDizyECHXFFgwce4PQJQ3SlIO1Mc7CTAb1MwX2+mUw==", userHandle => "MjExY2E5MDZlMDU3OTIzYTI3OGJkMWViNmE1ZTIyNDU1YjVjNDc2NTM4Mjc3ZGIzYjBmZmNjNWU4YjE2MTEzZg=="
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Credential found, usernameless => "true", user_key => "211ca906e057923a278bd1eb6a5e22455b5c476538277db3b0ffcc5e8b16113f"
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Found user => "admin", user_key => "211ca906e057923a278bd1eb6a5e22455b5c476538277db3b0ffcc5e8b16113f"
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: data => {"id":"owBYi-hRXyAXoptWzUnrX1dkZDqfrC6c-zbBh24lgI-zamBLkrhQaiZ-PWtRBboNKhPL_98vpnaoJEsgsM_hVlWkAELtTfjSoCljK70h1EVc9TUDFF6rHVYECvCdbp32rv8ROEyPombJfIJbvPZAvLD-Qg2mPSi9v4mzSacyM8JmPlxVF6F0q1Zmv9zisKEBTDizyECHXFFgwce4PQJQ3SlIO1Mc7CTAb1MwX2-mUw","type":"public-key","rawId":"owBYi+hRXyAXoptWzUnrX1dkZDqfrC6c+zbBh24lgI+zamBLkrhQaiZ+PWtRBboNKhPL/98vpnaoJEsgsM/hVlWkAELtTfjSoCljK70h1EVc9TUDFF6rHVYECvCdbp32rv8ROEyPombJfIJbvPZAvLD+Qg2mPSi9v4mzSacyM8JmPlxVF6F0q1Zmv9zisKEBTDizyECHXFFgwce4PQJQ3SlIO1Mc7CTAb1MwX2+mUw==","response":{"authenticatorData":"g6HewlH0cGlR3O5fJwiVJ3zpluadh/MYVV+vnksmN7cFAAAAHg==","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidFZGZEl6VERIeVBKMlBtcVdXaWpKY0NFMEZSeElpYnZOeG5hazQ2TTJKNCIsIm9yaWdpbiI6Imh0dHBzOi8vd29ya2Fyb3VuZC5vcmciLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hlcmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUuIFNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ==","signature":"VHXUWvGVom1nyDmpHKmnnBCaRDDbMH3I5zEjTQ2af6P3r5xR/7ByFsQOd05KqhHzuSOhfxvx3VJEakWge2X4Bg==","userHandle":"MjExY2E5MDZlMDU3OTIzYTI3OGJkMWViNmE1ZTIyNDU1YjVjNDc2NTM4Mjc3ZGIzYjBmZmNjNWU4YjE2MTEzZg=="}}
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Challenge verified
  [2023-08-14 21:33:11][9f3b87] ajax_auth_response: Log in user => "admin"

Non-working normal (non-incognito) session: no logs at all.

  • Click on "Auth"
  • Login form shows: "Auth failed - Try to enter the username"
  • I enter "admin" as username and click on "Auth"
  • Login form shows: "Auth failed"

I tried clearing the session cookie but that did not help either.
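The `data =>` line in the working-session log above carries the full assertion, so it can be decoded offline to see what the server accepted (origin, user-presence and user-verification flags, signature counter). This is an added example, not part of the original comments or WP-WebAuthn's code; the function names are hypothetical, and using `workaround.org` as the RP ID is an assumption derived from the logged origin.

```python
import base64
import hashlib
import json
import struct

# Copied from the "data =>" line of the working-session log above.
LOGGED_AUTH_DATA = "g6HewlH0cGlR3O5fJwiVJ3zpluadh/MYVV+vnksmN7cFAAAAHg=="
LOGGED_CLIENT_DATA = (
    "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidFZGZEl6VERIeVBKMlBtcVdX"
    "aWpKY0NFMEZSeElpYnZOeG5hazQ2TTJKNCIsIm9yaWdpbiI6Imh0dHBzOi8vd29ya2Fyb3Vu"
    "ZC5vcmciLCJjcm9zc09yaWdpbiI6ZmFsc2UsIm90aGVyX2tleXNfY2FuX2JlX2FkZGVkX2hl"
    "cmUiOiJkbyBub3QgY29tcGFyZSBjbGllbnREYXRhSlNPTiBhZ2FpbnN0IGEgdGVtcGxhdGUu"
    "IFNlZSBodHRwczovL2dvby5nbC95YWJQZXgifQ=="
)

# WebAuthn authenticatorData flag bits.
FLAG_BITS = {0x01: "UP", 0x04: "UV", 0x08: "BE", 0x10: "BS", 0x40: "AT", 0x80: "ED"}


def parse_authenticator_data(b64):
    """Split authenticatorData into rpIdHash (32 bytes), flags (1), signCount (4)."""
    raw = base64.b64decode(b64)
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    names = [name for bit, name in FLAG_BITS.items() if flags & bit]
    return {"rp_id_hash": rp_id_hash.hex(), "flags": names, "sign_count": sign_count}


def assertion_problems(auth_b64, client_b64, origin, rp_id, require_uv=True):
    """Return the names of the relying-party checks this assertion fails."""
    auth = parse_authenticator_data(auth_b64)
    client = json.loads(base64.b64decode(client_b64))
    problems = []
    if client.get("type") != "webauthn.get":
        problems.append("type")
    if client.get("origin") != origin:
        problems.append("origin")
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).hexdigest():
        problems.append("rp_id_hash")
    if "UP" not in auth["flags"]:
        problems.append("user_present")
    if require_uv and "UV" not in auth["flags"]:
        problems.append("user_verified")
    return problems


if __name__ == "__main__":
    print(parse_authenticator_data(LOGGED_AUTH_DATA))
    # rp_id "workaround.org" is an assumption derived from the logged origin.
    print(assertion_problems(LOGGED_AUTH_DATA, LOGGED_CLIENT_DATA,
                             "https://workaround.org", "workaround.org"))
```

The signature and challenge are not checked here; those need the stored public key and the server-side session state, neither of which appears in the log.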

yrccondor avatar yrccondor commented on June 3, 2024

That's weird; I'm suspecting it may not be a WebAuthn-related issue but a browser policy issue. What browser are you using?

Signum avatar Signum commented on June 3, 2024

Browsers used: Chromium, Vivaldi and Firefox.

It seems I have identified the culprit though: the NinjaFirewall plugin. More specifically this option:

Protect admin-ajax.php against suspicious bots

Perhaps the application firewall was not expecting the arguments that WP-WebAuthn is sending.

I'm still puzzled why using the incognito mode did not cause any issues. But don't waste any more time on me. WP-WebAuthn is innocent and I will instead bug the NinjaFirewall people. Thanks for your time.

Signum avatar Signum commented on June 3, 2024

Perhaps https://wordpress.org/support/topic/breaks-wp-webauthn-plugin/#post-16974941 gives a hint. Perhaps there's really something unusual going on with the HTTP headers.

yrccondor avatar yrccondor commented on June 3, 2024

WP-WebAuthn uses a standard browser API (XMLHttpRequest) to send requests from the browser to the server. It only sends the essential headers it needs, and that's a common way to transfer data between the browser and the server, so I believe there's nothing special 🤔 I'll check that plug-in anyway.
