yrccondor/wp-webauthn

Login failing with "Auth failed" but log showing everything is ok?

Opened this issue · 3 comments

Testing on WordPress 6.4.2 with WooCommerce 8.4.0 on Debian + Nginx + PHP8.2-fpm, gmp and mbstring are installed.
Browser is Safari.

I can register an authenticator (fingerprint scanner) just fine. When I go to the login page I can click the 'Auth' button and it asks for my finger, then goes through 'authenticating', then 'Auth Failed'.

I see this in the log: (I removed some bits, not sure which of them are needed for debugging and which show too much private data)
```
[2024-01-13 17:28:44][8e044a] ajax_auth: Start
[2024-01-13 17:28:44][8e044a] ajax_auth: type => "auth", user => "testuser"
[2024-01-13 17:28:44][8e044a] ajax_auth: allowedCredentials => [{"type":"public-key","id":"4u8J-........"}]
[2024-01-13 17:28:44][8e044a] ajax_auth: user_verification => "true"
[2024-01-13 17:28:44][8e044a] ajax_auth: Challenge sent
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Client response received
[2024-01-13 17:28:50][9f6357] ajax_auth_response: type => "auth", user => "testuser"
[2024-01-13 17:28:50][9f6357] ajax_auth_response: data => {"id":"4u8J-.........","type":"public-key","rawId":"4u8J+.........","response":{"authenticatorData":".......","clientDataJSON":".........","signature":"........","userHandle":"......."}}
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Challenge verified
[2024-01-13 17:28:50][9f6357] ajax_auth_response: Log in user => "testuser"
```

So that looks all OK?

Any hints or tips on what to do or test?

Hi,
The log looks fine, so the problem may be caused by the server response. If you know how to check network requests in the browser's devtools, please let me know the server's response to your authentication request so I can try to figure out what happened.

Sorry for the delay.
I guess that the request to admin-ajax.php should return JSON data.
Sometimes it does:

```json
{ "challenge": "yZfI-JE4pPo7.......", "rpId": ".......", "userVerification": "required", "allowCredentials": [ { "type": "public-key", "id": "4u8J-..........." } ], "timeout": 60000, "clientID": "170811432........." }
```

But sometimes it doesn't, and it responds with the HTML code of the login page itself. (Below is just a snippet.)

```html
Powered by WordPress

					<p>Please enter the two-factor authentication (2FA) verification code below to login. Depending on your 2FA setup, you can get the code from the 2FA app or it was sent to you by email.</p><p><strong>Note: if you are supposed to receive an email but did not receive any, please click the Resend Code button to request another code.</strong></p>				<p>
				</br>
				<label for="authcode">Authentication Code:</label>
				<input type="tel" name="authcode" id="authcode" class="input" value="" size="20" pattern="[0-9]*" autocomplete="off" />
				<script>
					const authcode = document.getElementById('authcode');
					authcode.addEventListener('input', function() {
					this.value = this.value.trim();
					});
				</script>
			</p>
```

There is no JSON data at the beginning or end of the HTML code. Is there anything I can test to pin down the issue?

Thanks,
Remco

Looks like some other 2FA plugin is trying to take over the login page before you actually log in. Could you please let me know what 2FA plugin you are using? I can then investigate if there are any compatibility issues.
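
A check for the two response shapes reported in this thread, as an added example that is not part of the original issue or of the wp-webauthn code base: it classifies the body returned by the authentication request as the expected challenge JSON or as an HTML page such as another plugin's 2FA prompt. The function name `classifyAuthResponse` and the sample values are assumptions constructed for illustration.

```javascript
// Added diagnostic example; not wp-webauthn code. Field names are taken from
// the JSON and HTML quoted in this thread; classifyAuthResponse is hypothetical.
const REQUIRED_FIELDS = ["challenge", "rpId", "allowCredentials"];

function classifyAuthResponse(body) {
  const text = String(body).trim();

  // The expected reply is a JSON object, so it must start with "{".
  if (text.startsWith("{")) {
    let data;
    try {
      data = JSON.parse(text);
    } catch (err) {
      return { kind: "malformed-json", detail: err.message };
    }
    const missing = REQUIRED_FIELDS.filter((field) => !(field in data));
    return missing.length === 0
      ? { kind: "challenge", detail: "WebAuthn request options" }
      : { kind: "unexpected-json", detail: "missing: " + missing.join(", ") };
  }

  // Markup where JSON was expected: something rendered a page instead.
  if (/<(html|body|form|div|p|label|input|script)\b/i.test(text)) {
    // name="authcode" is the code field of the 2FA prompt quoted above.
    const hasCodeField = /<input[^>]*\bname=["']authcode["']/i.test(text);
    return hasCodeField
      ? { kind: "html-2fa-prompt", detail: "a second-factor form replaced the reply" }
      : { kind: "html-page", detail: "HTML returned instead of JSON" };
  }
  return { kind: "unknown", detail: "neither a JSON object nor HTML" };
}

// Constructed samples modelled on the two responses reported in the thread.
const SAMPLE_JSON = JSON.stringify({
  challenge: "c2FtcGxlLWNoYWxsZW5nZQ", rpId: "example.test",
  userVerification: "required",
  allowCredentials: [{ type: "public-key", id: "c2FtcGxlLWlk" }],
  timeout: 60000, clientID: "0",
});
const SAMPLE_HTML =
  "<p>Please enter the two-factor authentication (2FA) verification code below to login.</p>" +
  '<label for="authcode">Authentication Code:</label>' +
  '<input type="tel" name="authcode" id="authcode" class="input" value="" />';

for (const sample of [SAMPLE_JSON, SAMPLE_HTML]) {
  const result = classifyAuthResponse(sample);
  console.log(result.kind + ": " + result.detail);
}
```

The body to pass in is the text of the admin-ajax.php response as shown in the browser's network tab.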