ddspringle / framework-one-secure-auth

An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions

License: Apache License 2.0

ColdFusion 99.41% HTML 0.29% TSQL 0.31%

framework-one-secure-auth's Issues

Decouple from fw/1 and make a dependency

Instead of updating fw/1 in this repo every time it has a new release, it would be better to decouple it from this project and use CommandBox (or manual install of fw/1) to install it as a dependency.

Requires updating box.json, removing the framework directory and updating README install docs to reflect fw/1 as a pre-requisite when installing manually.

Wrong IV length: must be 16 bytes long

Such an error is displayed after the registration form is submitted.

Environment: Lucee 5.2.7+63 (CommandBox) + MySQL 5.7

Stack trace

lucee.runtime.exp.NativeException: Wrong IV length: must be 16 bytes long at 
com.sun.crypto.provider.CipherCore.init(CipherCore.java:516) at 
com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339) at 
javax.crypto.Cipher.implInit(Cipher.java:806) at 
javax.crypto.Cipher.chooseProvider(Cipher.java:864) at 
javax.crypto.Cipher.init(Cipher.java:1396) at 
javax.crypto.Cipher.init(Cipher.java:1327) at 
lucee.runtime.crypt.Cryptor._crypt(Cryptor.java:132) at 
lucee.runtime.crypt.Cryptor.crypt(Cryptor.java:63) at 
lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:155) at 
lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:170) at 
lucee.runtime.functions.other.Encrypt.invoke(Encrypt.java:68) at 
lucee.runtime.functions.other.Encrypt.call(Encrypt.java:50) at 
model.services.securityservice_cfc$cf.udfCall1(/model/services/SecurityService.cfc:135) at 
model.services.securityservice_cfc$cf.udfCall(/model/services/SecurityService.cfc) at 
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at 
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at 
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at 
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at 
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at 
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at 
home.controllers.main_cfc$cf.udfCall(/home/controllers/main.cfc:134) at 
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at 
lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:212) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:689) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at 
lucee.runtime.ComponentImpl.callWithNamedValues(ComponentImpl.java:2005) at 
lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:869) at 
lucee.runtime.functions.dynamicEvaluation.Invoke.call(Invoke.java:50) at 
framework.one_cfc$cf.udfCalla(/framework/one.cfc:1629) at 
framework.one_cfc$cf.udfCall(/framework/one.cfc) at 
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at 
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at 
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at 
lucee.runtime.type.scope.UndefinedImpl.call(UndefinedImpl.java:771) at 
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at 
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at 
framework.one_cfc$cf.udfCall6(/framework/one.cfc:890) at 
framework.one_cfc$cf.udfCall(/framework/one.cfc) at 
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at 
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at 
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at 
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at 
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at 
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at 
application_cfc$cf.udfCall(/Application.cfc:298) at 
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at 
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at 
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at 
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at 
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at 
lucee.runtime.listener.ModernAppListener.call(ModernAppListener.java:424) at 
lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:223) at 
lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43) at 
lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2464) at 
lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2454) at 
lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2427) at 
lucee.runtime.engine.Request.exe(Request.java:44) at 
lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1091) at 
lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1039) at 
lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102) at 
lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51) at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at 
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at 
org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47) at 
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at 
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at 
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at 
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64) at 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at 
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at 
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at 
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at 
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:336) at 
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at 
java.lang.Thread.run(Thread.java:745) Caused by: java.security.InvalidAlgorithmParameterException: Wrong IV length: must be 16 bytes long ... 101 more

[screenshot: application.securityService, 2018-07-23 21:13:57]

As shown above, the encryptionIV1 is 12 bytes long (B0O9PAmQSxo=). If I append four equals signs to it to make it 16 bytes long (B0O9PAmQSxo=====), then dataEnc() will pass. But I doubt it's feasible to hard-code a number of 16 here.

[screenshot: 2018-07-23 21:14:18]

Any insights will be appreciated. :)
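The exception in this issue comes from the JCE layer: a CBC or CTR IV must be exactly one cipher block long (16 bytes for AES, 8 bytes for Blowfish), and a base64 string's character count is not its byte count. The following is an added example, not code from the framework-one-secure-auth project, that decodes a configured IV and reports whether it fits the transformation it is used with, then generates a correctly sized one from the OS CSPRNG. The function names `check_iv`, `generate_iv` and `required_iv_length` are assumptions of this example; the transformation strings and the IV value `B0O9PAmQSxo=` are taken from the issue thread.

```python
import base64
import binascii
import os

# Block size in bytes for the cipher families named in this issue tracker.
# A CBC (or CTR) IV must be exactly one block long; Lucee's encrypt() passes the
# IV through to the JCE, which is where the "Wrong IV length" exception originates.
BLOCK_SIZE = {
    "AES": 16,
    "BLOWFISH": 8,
}


def required_iv_length(algorithm: str) -> int:
    """Return the IV length (bytes) a JCE transformation such as 'AES/CBC/PKCS5Padding' needs."""
    cipher = algorithm.split("/")[0].upper()
    if cipher not in BLOCK_SIZE:
        raise ValueError(f"unknown cipher family: {cipher}")
    return BLOCK_SIZE[cipher]


def check_iv(iv_b64: str, algorithm: str) -> dict:
    """Decode a base64-encoded IV and compare its byte length with the cipher block size.

    Returns a diagnosis dict instead of raising so a startup self-check can log it.
    Strict base64 validation is used on purpose: padding an IV out with extra '='
    characters (as tried in the issue) is not a valid encoding and is rejected here.
    """
    needed = required_iv_length(algorithm)
    try:
        raw = base64.b64decode(iv_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {
            "valid": False,
            "decoded_len": None,
            "required_len": needed,
            "reason": f"not valid base64: {exc}",
        }
    ok = len(raw) == needed
    return {
        "valid": ok,
        "decoded_len": len(raw),
        "required_len": needed,
        "reason": "ok" if ok else f"IV decodes to {len(raw)} bytes, {algorithm} needs {needed}",
    }


def generate_iv(algorithm: str) -> str:
    """Produce a fresh, correctly sized IV from os.urandom, base64-encoded for config storage."""
    return base64.b64encode(os.urandom(required_iv_length(algorithm))).decode("ascii")


if __name__ == "__main__":
    # The value from the issue: 12 base64 characters, which decode to only 8 bytes.
    print(check_iv("B0O9PAmQSxo=", "AES/CBC/PKCS5Padding"))
    # The same 8-byte value is the right size for the Blowfish transformation used later in the thread.
    print(check_iv("B0O9PAmQSxo=", "BLOWFISH/CTR/PKCS5Padding"))
    # Appending '=' characters does not add bytes; strict decoding rejects it outright.
    print(check_iv("B0O9PAmQSxo=====", "AES/CBC/PKCS5Padding"))
    # A replacement IV that actually satisfies AES/CBC.
    print(generate_iv("AES/CBC/PKCS5Padding"))
```

Running this with the value from the screenshot shows `decoded_len` of 8 against `required_len` of 16, which is the mismatch the JCE reports. The practical takeaway is to generate the IV at the block size of the cipher it is paired with and to validate configured IVs at application start rather than discovering the mismatch on the first registration request.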

Setting cookies doesn't work in CommandBox 3.4.0+00517

getPageContext().getResponse().addHeader("Set-Cookie"...

AND

cfcookie(...)

both fail to set a cookie when using fw1-sa within CommandBox.

I'd previously run into this when building out a project for a client and the only solution I could find, less than ideal, was to use:

cookie.blah = ...

I'll have to see if I can snake some of @bdw429s time to see if there is a better general workaround when using fw/1 under CommandBox for setting cookies w/ all the fixings (domain, path, expires, HTTPOnly, etc.)

Implement new Application.cfc fw/1 initialization

fw/1 is no longer required to be extended and can instead be included in the Application.cfc within the appropriate functions. As a better example of how to use fw/1 in a modern way the Application.cfc should be rewritten to use this new method of framework invocation.

Fix ACF incompatibilities

While testing the code on ACF recently I realized there's a few differences between Lucee and ACF that I did not account for. This issue is to remind me to make this ACF compatible again by the next release of ACF.

Diagnose member function issue

Found 'No matching Method/Function for Number.len() found' error on L112 and L223 ( arguments.value.len() ) when testing commit 2e240b8 w/ fw/1 4.0.0 on Lucee 5.1.0.34

Attempted renaming arguments.value to other names (arguments.input, arguments.data) to see if this was a naming issue, but the error persisted.

Currently running same SecurityService in Lucee 4.5.4.017 using CB 4.3.0+188 w/o this issue.

Need to isolate if this is a Lucee 5.1.0.34 issue, a fw/1 4.0.0 issue, some combination of those two or something else entirely.

db vs repeatable

In your security service cfc you use repeatable and db repeatable encryption. What are the differences/use cases for those?

And do you have examples for how you're using the form/url encryption methods? I would like to encrypt/hash form/url field names too and I'm looking for best practices.

can't find component [model.beans.User]

When registering a new user, I get the following error window after pressing the Register button:

ERROR!
An error occurred!

Action: home:main.process
Error: invalid component definition, can't find component [model.beans.User]
Type: expression
Details:

Cannot find any provider supporting BLOWFISH/CTR/PKCS5Padding

I'm not sure how to get the library necessary for this. I tried adding bouncycastle to the lib directory.

    // using master encryption, encrypt with the master key
    onePass = encrypt( arguments.value, variables.masterKey, 'AES/CBC/PKCS5Padding', 'HEX' );
    lastPass = encrypt( onePass, variables.masterKey, 'BLOWFISH/CTR/PKCS5Padding', 'HEX' );
    break;

java.security.NoSuchAlgorithmException

Version Lucee 6.0.1.0
Version Name Gelert
Release date Oct 17, 2023
Label
Installed tag
libraries - Lucee Core Tag Library
Installed function
libraries - Lucee Core Function Library
Remote IP 127.0.0.1
Loader Version 6.0.1.0
Servlet Container WildFly / Undertow - 2.2.28.Final
Java 21.0.2 (Homebrew) 64bit
Host Name 127.0.0.1
OS Mac OS X (14.3.1) 64bit
Architecture 64bit

Aggregate IP watching and blocking functions

There is a lot of overlap between the IP Blocking and IP Watching functionality - specifically adding, removing, reading, writing and importing functions. Aggregate those sets of functions to single functions that handle both IP watching and IP blocking.

Combine with 2FA example

Instead of having two distinct examples, it's feasible to include configuration options to determine if single or two factor authentication is desired for any particular application and implement each respectively.

Requires migrating 2FA specific functionality to this project, modifying them as required, adding a configuration option for single or two-factor auth selection and firing off appropriate views as needed. Also requires an update to README, and removal of the code in the 2FA project and redirecting users here in that README.

BaseBean issue?

Hi,

Trying to implement this in my app but I am receiving the following error. I am using fw/1 4.2.

Problem with metadata for BaseBean (model.beans.BaseBean) because: Unable to getComponentMetadata(model.beans.BaseBean) because: Invalid CFML construct found on line 100 at column 84. (ColdFusion was looking at the following text:

(

The CFML compiler was processing:

  • An expression beginning with application.securityService.dataEnc, on line 100, column 32. This message is usually caused by a problem in the expressions structure.
  • A script statement beginning with return on line 100, column 25.
  • A script statement beginning with { on line 98, column 50.
  • A script statement beginning with if on line 98, column 17.
  • A script statement beginning with public on line 93, column 9.
), near line 100 in E:\cf\model\beans\BaseBean.cfc

any ideas?

Typo in UserService.cfc - Line 99

Typo in model/services/UserService.cfc - Line 99
ending '.' (period) should be ',' (comma).

This assumes I'm looking at the most recent version and not an idiot. I must add, a lot of your code makes me feel like an idiot. Thanks and nicely done.

Invalid Login Error
