# |
Sep 19th 2019, 20:26 |
challgren |
Have you tried disabling it |
# |
Sep 19th 2019, 20:25 |
daniel.upshaw |
Lol |
# |
Sep 19th 2019, 20:25 |
daniel.upshaw |
Fair, fair |
# |
Sep 19th 2019, 20:25 |
challgren |
Personally I avoid the security component, too much grief in my life for it |
# |
Sep 19th 2019, 20:24 |
daniel.upshaw |
Would have thought that would be handled |
# |
Sep 19th 2019, 20:24 |
daniel.upshaw |
Looks like nothing is unlocked |
# |
Sep 19th 2019, 20:23 |
daniel.upshaw |
There's a dump of ``` protected function _validToken(Controller $controller) { $check = $controller->getRequest()->getData(); dd($check);``` |
# |
Sep 19th 2019, 20:23 |
slackebot |
"%5B%22%5C%2Flogin%3Fredirect%3Dhttp%253A%252F%252Flocalhost%253A8765%252F%22%2C%5B%22username%22%2C%22password%22%5D%2C%5B%5D%5D" ] ]``` |
# |
Sep 19th 2019, 20:23 |
daniel.upshaw |
```array:4 [▼ "_csrfToken" => "7ab19826360385ee559f3b65c6386499fa547e5bea2cdadbb0c88c332afc638f692c36f2326a91c39edda711a37207dea41eeec29a7c83781ef69b5fb73d0b39" "username" => "testing" "password" => "testing" "_Token" => array:3 [▼ "fields" => "1c5dedeb5f156fc4cc4ea1ec764018a91f12f4af%3A" "unlocked" => "" "debug" => |
# |
Sep 19th 2019, 20:23 |
challgren |
Wonder if the template is getting the security hash in it |
# |
Sep 19th 2019, 20:21 |
daniel.upshaw |
Lol |
# |
Sep 19th 2019, 20:21 |
daniel.upshaw |
Frustrating |
# |
Sep 19th 2019, 20:21 |
challgren |
Ahh yeah that will do it 99% of the time |
# |
Sep 19th 2019, 20:21 |
daniel.upshaw |
`hash_equals` is supposed to return `true`, but never does |
# |
Sep 19th 2019, 20:20 |
slackebot |
= $this->_debugPostTokenNotMatching($controller, $hashParts); } throw new AuthSecurityException($msg); }``` |
# |
Sep 19th 2019, 20:20 |
daniel.upshaw |
``` protected function _validatePost(Controller $controller) { $token = $this->_validToken($controller); $hashParts = $this->_hashParts($controller); $check = hash_hmac('sha1', implode('', $hashParts), Security::getSalt()); if (hash_equals($check, $token)) { return true; } $msg = self::DEFAULT_EXCEPTION_MESSAGE; if (Configure::read('debug')) { $msg |
# |
Sep 19th 2019, 20:20 |
daniel.upshaw |
It happens in `SecurityComponent.php` |
# |
Sep 19th 2019, 20:20 |
daniel.upshaw |
:,) |
# |
Sep 19th 2019, 20:20 |
challgren |
Bah I guess I need to go to the bar already! :P |
# |
Sep 19th 2019, 20:19 |
challgren |
Look through the stack on the bar request |
# |
Sep 19th 2019, 20:19 |
daniel.upshaw |
Hmmm |
# |
Sep 19th 2019, 20:19 |
daniel.upshaw |
It's a fresh install of 3.8 |
# |
Sep 19th 2019, 20:19 |
challgren |
https://github.com/CakeDC/users/blob/develop/src/Controller/Component/LoginComponent.php#L44 |
# |
Sep 19th 2019, 20:18 |
daniel.upshaw |
Ah same, I'm still learning it |
# |
Sep 19th 2019, 20:18 |
challgren |
Ahh ok, yeah I'm not good with the middleware version |
# |
Sep 19th 2019, 20:18 |
daniel.upshaw |
https://github.com/CakeDC/users/blob/develop/src/Controller/UsersController.php https://github.com/CakeDC/users/blob/develop/src/Controller/Traits/LoginTrait.php |
# |
Sep 19th 2019, 20:18 |
daniel.upshaw |
Trying the new stuff |
# |
Sep 19th 2019, 20:18 |
daniel.upshaw |
Yep! |
# |
Sep 19th 2019, 20:17 |
challgren |
Ohh you using the middleware version or component version? |
# |
Sep 19th 2019, 20:17 |
daniel.upshaw |
Nice bot, it's the CakeDC default UserController, I'll find it |
# |
Sep 19th 2019, 20:17 |
slackebot |
!gist |
# |
Sep 19th 2019, 20:17 |
slackebot |
Command sent from Slack by challgren: |
# |
Sep 19th 2019, 20:17 |
challgren |
Can you gist your controller method? |
# |
Sep 19th 2019, 20:16 |
daniel.upshaw |
Ah okay, yes it contains the `username` and `password` fields |
# |
Sep 19th 2019, 20:16 |
challgren |
Sorry I can't watch the video right now |
# |
Sep 19th 2019, 20:16 |
challgren |
Is your post containing fields? |
# |
Sep 19th 2019, 20:15 |
daniel.upshaw |
But every time I post the login, it throws that error |
# |
Sep 19th 2019, 20:15 |
daniel.upshaw |
Well it does load on a GET request |
# |
Sep 19th 2019, 20:15 |
daniel.upshaw |
Oh, like the login page itself |
# |
Sep 19th 2019, 20:15 |
challgren |
Is your login page configured to allow all users? |
# |
Sep 19th 2019, 20:13 |
slackebot |
<daniel.upshaw> |