ddspringle / framework-one-secure-auth
An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions
License: Apache License 2.0
Instead of updating fw/1 in this repo every time it has a new release, it would be better to decouple it from this project and use CommandBox (or manual install of fw/1) to install it as a dependency.
Requires updating box.json, removing the framework directory and updating README install docs to reflect fw/1 as a pre-requisite when installing manually.
Such an error will display after the registration form is submitted.
Environment: Lucee 5.2.7+63 (CommandBox) + MySQL 5.7
StackTrace
lucee.runtime.exp.NativeException: Wrong IV length: must be 16 bytes long at
com.sun.crypto.provider.CipherCore.init(CipherCore.java:516) at
com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339) at
javax.crypto.Cipher.implInit(Cipher.java:806) at
javax.crypto.Cipher.chooseProvider(Cipher.java:864) at
javax.crypto.Cipher.init(Cipher.java:1396) at
javax.crypto.Cipher.init(Cipher.java:1327) at
lucee.runtime.crypt.Cryptor._crypt(Cryptor.java:132) at
lucee.runtime.crypt.Cryptor.crypt(Cryptor.java:63) at
lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:155) at
lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:170) at
lucee.runtime.functions.other.Encrypt.invoke(Encrypt.java:68) at
lucee.runtime.functions.other.Encrypt.call(Encrypt.java:50) at
model.services.securityservice_cfc$cf.udfCall1(/model/services/SecurityService.cfc:135) at
model.services.securityservice_cfc$cf.udfCall(/model/services/SecurityService.cfc) at
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at
home.controllers.main_cfc$cf.udfCall(/home/controllers/main.cfc:134) at
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at
lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:212) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:689) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at
lucee.runtime.ComponentImpl.callWithNamedValues(ComponentImpl.java:2005) at
lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:869) at
lucee.runtime.functions.dynamicEvaluation.Invoke.call(Invoke.java:50) at
framework.one_cfc$cf.udfCalla(/framework/one.cfc:1629) at
framework.one_cfc$cf.udfCall(/framework/one.cfc) at
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at
lucee.runtime.type.scope.UndefinedImpl.call(UndefinedImpl.java:771) at
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at
framework.one_cfc$cf.udfCall6(/framework/one.cfc:890) at
framework.one_cfc$cf.udfCall(/framework/one.cfc) at
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at
lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756) at
lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718) at
application_cfc$cf.udfCall(/Application.cfc:298) at
lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107) at
lucee.runtime.type.UDFImpl._call(UDFImpl.java:357) at
lucee.runtime.type.UDFImpl.call(UDFImpl.java:226) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:687) at
lucee.runtime.ComponentImpl._call(ComponentImpl.java:567) at
lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988) at
lucee.runtime.listener.ModernAppListener.call(ModernAppListener.java:424) at
lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:223) at
lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43) at
lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2464) at
lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2454) at
lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2427) at
lucee.runtime.engine.Request.exe(Request.java:44) at
lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1091) at
lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1039) at
lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102) at
lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51) at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at
org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47) at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at
io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64) at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:336) at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at
java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidAlgorithmParameterException: Wrong IV length: must be 16 bytes long ... 101 more
As shown above, the encryptionIV1 is 12 bytes long (B0O9PAmQSxo=). If I append four equality signs to it to make it 16 bytes long (B0O9PAmQSxo=====), then dataEnc() will pass. But I doubt it's feasible to hard-code a number of 16 here.
Any insights will be appreciated. :)
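The exception in the trace above is the JCE refusing a CBC initialisation vector that is not exactly one AES block (16 bytes) wide; the block size, not the key size, fixes the IV length, and padding a short base64 string with "=" characters does not produce a 16-byte IV. The example below, written in Go rather than the project's CFML and not taken from the repository, shows the same check done explicitly: it decodes the IV quoted in the issue, rejects it because it is shorter than aes.BlockSize, and then performs an AES/CBC/PKCS5Padding round trip with a freshly generated 16-byte random IV stored in front of the ciphertext. The key, the plaintext and the pkcs5Pad/pkcs5Unpad helper names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newIV returns a fresh random IV of exactly aes.BlockSize (16) bytes.
// CBC requires the IV to equal the cipher block size: 128-, 192- and
// 256-bit AES keys all use 16-byte blocks, so anything shorter is rejected,
// which is the condition the Lucee stack trace above reports.
func newIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return iv, nil
}

// pkcs5Pad / pkcs5Unpad implement the padding that "AES/CBC/PKCS5Padding"
// names; Go's standard library leaves block padding to the caller.
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC encrypts plaintext with AES-CBC under key and returns
// IV || ciphertext. The IV length is validated up front instead of letting
// cipher.NewCBCEncrypter panic on a wrong-sized IV.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, fmt.Errorf("wrong IV length: got %d bytes, must be %d", len(iv), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC, reading the IV from the first block.
func decryptCBC(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs5Unpad(pt)
}

func main() {
	key := make([]byte, 32) // constructed 256-bit key; load a real key from a key store in practice
	_, _ = rand.Read(key)

	// The IV quoted in the issue is base64 text that decodes to 8 bytes, not 16.
	shortIV, _ := base64.StdEncoding.DecodeString("B0O9PAmQSxo=")
	if _, err := encryptCBC(key, shortIV, []byte("hello")); err != nil {
		fmt.Println("short IV rejected:", err)
	}

	iv, _ := newIV()
	ct, _ := encryptCBC(key, iv, []byte("registration secret"))
	pt, _ := decryptCBC(key, ct)
	fmt.Printf("round trip: %q\n", pt)
}
```

Generating the IV per call and storing it alongside the ciphertext is the usual fix; there is no need to hard-code or reuse a 16-byte value. Note that CBC on its own gives no integrity protection, so a stored value should additionally be authenticated (an HMAC over IV and ciphertext, or an AEAD mode such as AES-GCM) before it is trusted on the way back in.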
I just downloaded the source code and booted it up with CommandBox. The error comes up upon registration. I can confirm the passwords are identical.
Environment: Lucee 5.2.4+37 + MySQL.
What could be the possible cause of it?
getPageContext().getResponse().addHeader("Set-Cookie"... and cfcookie(...) both fail to set a cookie when using fw1-sa within CommandBox.
I'd previously run into this when building out a project for a client and the only solution I could find, less than ideal, was to use cookie.blah = ...
I'll have to see if I can snake some of @bdw429s time to see if there is a better general workaround when using fw/1 under CommandBox for setting cookies w/ all the fixings (domain, path, expires, HTTPOnly, etc.)
fw/1 is no longer required to be extended and can instead be included in the Application.cfc within the appropriate functions. As a better example of how to use fw/1 in a modern way the Application.cfc should be rewritten to use this new method of framework invocation.
While testing the code on ACF recently I realized there are a few differences between Lucee and ACF that I did not account for. This issue is to remind me to make this ACF compatible again by the next release of ACF.
Found 'No matching Method/Function for Number.len() found' error on L112 and L223 ( arguments.value.len() ) when testing commit 2e240b8 w/ fw/1 4.0.0 on Lucee 5.1.0.34
Attempted renaming arguments.value to other names (arguments.input, arguments.data) to see if this was a naming issue, but the error persisted.
Currently running same SecurityService in Lucee 4.5.4.017 using CB 4.3.0+188 w/o this issue.
Need to isolate if this is a Lucee 5.1.0.34 issue, a fw/1 4.0.0 issue, some combination of those two or something else entirely.
In your security service cfc you use repeatable and db repeatable encryption. What are the differences/use cases for those?
And do you have examples for how you're using the form/url encryption methods? I would like to encrypt/hash form/url field names too and I'm looking for best practices.
When registering a new user, I get the following error window after pressing the Register button:
ERROR!
An error occurred!
Action: home:main.process
Error: invalid component definition, can't find component [model.beans.User]
Type: expression
Details:
I'm not sure how to get the library necessary for this. I tried adding bouncycastle to the lib directory.
    // using master encryption, encrypt with the master key
    onePass = encrypt( arguments.value, variables.masterKey, 'AES/CBC/PKCS5Padding', 'HEX' );
    lastPass = encrypt( onePass, variables.masterKey, 'BLOWFISH/CTR/PKCS5Padding', 'HEX' );
    break;
java.security.NoSuchAlgorithmException
Version: Lucee 6.0.1.0
Version Name: Gelert
Release date: Oct 17, 2023
Installed tag libraries: Lucee Core Tag Library
Installed function libraries: Lucee Core Function Library
Remote IP: 127.0.0.1
Loader Version: 6.0.1.0
Servlet Container: WildFly / Undertow - 2.2.28.Final
Java: 21.0.2 (Homebrew) 64bit
Host Name: 127.0.0.1
OS: Mac OS X (14.3.1) 64bit
Architecture: 64bit
I'm new to OO and I'm digesting your code to learn best practices. I appreciate your patience and all of your experience.
Why is the user session management functionality in the securityService controller rather than UserService? Flip of the coin or is there a rationale?
There is a lot of overlap between the IP Blocking and IP Watching functionality - specifically adding, removing, reading, writing and importing functions. Aggregate those sets of functions to single functions that handle both IP watching and IP blocking.
Instead of having two distinct examples, it's feasible to include configuration options to determine if single or two factor authentication is desired for any particular application and implement each respectively.
Requires migrating 2FA specific functionality to this project, modifying them as required, adding a configuration option for single or two-factor auth selection and firing off appropriate views as needed. Also requires an update to README, and removal of the code in the 2FA project and redirecting users here in that README.
Hi,
Trying to implement this in my app but I am receiving the following error. I am using fw/1 4.2.
Problem with metadata for BaseBean (model.beans.BaseBean) because: Unable to getComponentMetadata(model.beans.BaseBean) because: Invalid CFML construct found on line 100 at column 84. (ColdFusion was looking at the following text:
(
The CFML compiler was processing:
), near line 100 in E:\cf\model\beans\BaseBean.cfc
- An expression beginning with application.securityService.dataEnc, on line 100, column 32.This message is usually caused by a problem in the expressions structure.
- A script statement beginning with return on line 100, column 25.
- A script statement beginning with { on line 98, column 50.
- A script statement beginning with if on line 98, column 17.
- A script statement beginning with public on line 93, column 9.
Any ideas?
It looks like the process controller is truncated - what happens to the user object at this point and how is the view set? https://github.com/ddspringle/framework-one-secure-auth/blob/master/home/controllers/main.cfc
Per our Slack chat, this is a reminder to merge the myApplication.cfc with Application.cfc when you have time.
I'm totally new to FW1. I'm having this issue when entering an invalid login.
Lucee (Gelert) OS 6.0.1.83 (CFML Version 2016,0,03,300357) running with CommandBox
I log in with an invalid login and it goes to 404 and then gets into an endless loop of 501 until the browser stops it?
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin:main.authenticate
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=404
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=501
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=501
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=501
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=501
http://127.0.0.1:64073/fw1-sa/index.cfm?action=admin%3Amain.logout&msg=501