hairu's Issues

[BUG] TYPO3 7.5 Compatibility

Hey there, FE Integration of hairu breaks on a TYPO3 7.5 Installation with the following error:

#1289386765: Could not analyse class:PAGEmachine\Hairu\Controller\AuthenticationController maybe not loaded or no autoloader?

Integration was fully functional on TYPO3 7.4. Will investigate further; if there's anything I can do to help fix this, please let me know.

Login not working since 10.4.33

Since the latest TYPO3 version released today, this extension doesn't seem to work anymore on our end.
Login procedure will not succeed.

Hairu

I like the extension; unfortunately, after installing it I noticed that there is no German translation. I would welcome it if you would add a German translation.

Thank you in advance.

Ertan Sahinglu

Problem with "Repeat password: The given values are not equal." on password change form

We're consistently receiving the following errors when submitting the password change form:

There where some errors with your input:
- Repeat password: The given values are not equal.

Upon inspecting, the field values in the frontend are generated / replaced by rsaauth, I think starting with a XHR to index.php?eID=RsaPublicKeyGenerationController.
Both <input type="password">-fields receive differing, rsa-encrypted values (e.g. "rsa:...").
Those are then sent to the PasswordController.php, which adds its $passwordRepeatArgumentValidator here:
https://github.com/pagemachine/hairu/blob/306b36c/Classes/Controller/PasswordController.php#L59

This results in the EqualValidator.php later having a falsy value for $valueIsValid here:
https://github.com/pagemachine/hairu/blob/306b36c/Classes/Validation/Validator/EqualValidator.php#L50
because the two values here ($value & $otherValue) are still the differing values sent by the frontend. Should those be decrypted on the backend-side before comparing? Or is the expectation here that the frontend should never send those encrypted values?

We're running TYPO3 8.7.15 with rsaauth in corresponding version 8.7.15 and hairu in version 2.1.0.
We are using felogin (also in corresponding 8.7.15 version) in addition for the login forms, if that could possibly make a difference.

[FEATURE] Use rsa encryption on the "forgot password" page

Encrypting passwords with RSA before transmission greatly increases security over plain HTTP connections as passwords cannot be passively intercepted then. The login form already uses the rsaauth extension by calling the hooks made for felogin.
But if the user initiates a password reset, he can specify a new password on a different page. The password field on that page is not encrypted at all. It would be nice if RSA encryption could be used there, too.

Password Reset feature can be used to check if a username exists in system

The password reset functionality has different responses depending on whether the user account exists or not. This kind of behaviour leaks information and is discouraged in most security guidelines.

Solution could be, for example, a configuration option to always respond with "success" even if the user account does not exist.

Wrong link for password-reset text emails

The password-reset link for text emails (PasswordResetMail.txt template) does not work, without any message about what's wrong; it just shows the reset form again. It's because the link contains html-entities which have to be decoded here:

{hashUri -> f:format.htmlentitiesDecode()}

Redirect after login / logout?

Hey guys,

what do I need to do to redirect my users to a certain page after login / logout?

The plugin is on Page A,
Page B is the page that is being protected. Both pages are on the same level.

Right now after a login the Page A just reloads and the login form is displayed again with an error message.
When I navigate to Page B manually, I see that I am logged in anyway.

I stumbled upon the 'redirect_url' in the ShowLoginForm template but this variable is always empty. There is a slot that handles redirects but I did not find a way to configure the redirect.

redirect_url is no longer evaluated

Context

We have redirect_url as hidden field, which should redirect to the contained value after a successful login. Unfortunately this does not happen anymore.

Environment

TYPO3 8.7.18
hairu 2.1.1

Process

  1. Call a page with the login form where a redirect_url is stored in the hidden-field - or call the login with the parameter /?redirect_url=xy
  2. Log in successfully
  3. No forwarding

Expected result

Redirect after successful login to the URL that is stored in the value of the hidden field redirect_url.

Current result

Unfortunately it ignores the value of the hidden field redirect_url and does not redirect.

Possible Fix

It looks like the signalSlotDispatcher is not registered correctly.

Plaintext part of mail does not work in TYPO3 v8 LTS

In TYPO3 v8 LTS, this: https://github.com/pagemachine/hairu/blob/25282d3/Classes/Controller/AuthenticationController.php#L281 does not seem to work any more. It will render the HTML template anyway (twice then).

Workaround could be to do $this->view->getRenderingContext()->getTemplatePaths()->setFormat('txt'), which does work for me.

But I'm not sure "abusing" the current view to render the mail template is the clean solution either way. It might be better to just use StandaloneView. It got a lot easier to use with v8 and the introduction of TemplatePaths.

reset password From name

Hello
it would be nice if it could be possible to set the From name in the reset password.
Thanks

Overwrite Action

Hey,
I need to overwrite the action "startPasswordResetAction". Is that somehow possible?
I found the following typoscript code:

    config.tx_extbase {
        objects {
            Tx_Extbase_Configuration_ConfigurationManager {
                className = Tx_MyExt_Configuration_ConfigurationManager
            }
        }
    }

But I am not really able to get anything to work with it.

TypeError in AbstractAuthenticationFormViewHelper

Hi,

I have an issue with hairu 3.1 after upgrading to TYPO3 10.4 because UriBuilder expects an int for the pageUid argument. The value taken from TypoScript settings/constants is a numeric string leading to a TypeError. A simple fix for me is to typecast the argument like [...]->setTargetPageUid((int)$this->arguments['pageUid']). Is this something that needs to be adjusted in the viewhelper or am I doing something wrong?

Thanks in advance.

Cheers
Björn

Signal Slots afterLogin and afterLogout not usable when using redirects

When a post-login/logout redirect is set either by TypoScript or as URL parameter, the redirect gets processed in the first slot of the corresponding signals, cancelling script execution and therefore preventing any following slots from being executed.

Having a slot to connect to before any redirect action takes place would be neat.

Improvement: Provide routing configuration

Are there any plans to ship with a default YAML router configuration? It's quite difficult to specify the password-reset routes e.g. for Authentication::showPasswordResetForm because of the optional parameter start=1, hash=[empty] in the first case and start=[empty], hash=[hashValue] in the other... not sure how to do this.

redirect_url overwrites return_url

redirect_url from the form is somehow the default target and when typolinkLinkAccessRestrictedPages is active the target is in return_url. But this gets overwritten by redirect_url on any login.
So order in RedirectUrlSlot should be changed. Compare also FrontendLoginController.
PR follows.

Signal for "startPasswordResetAction" (and maybe others?)

I would need a Signal in PAGEmachine\Hairu\Controller\AuthenticationController->startPasswordResetAction; I will have to send a custom mail, I would like to cancel the default one, and have a signal with the whole data (user, hash, etc.) to send my own one. Would it be possible to add one?

About the mail cancellation, I don't know what would be the best way to do it. I think you will find a solution by yourself, but I am open for a discussion about it. :-)

I also think you could add other signals for further usage, but that is not the main goal of this ticket. ;-)

Thanks!

Redirect after login

Hi - is there a way to add a "default"-redirect to the login-form?
Use case: provide a general login-page and redirect the user to a specific page after login.

[BUGFIX] isUserAuthenticated in TYPO3 v10

Hej,
not sure if this solution is the best, but it worked in my current setup.

hairu/Classes/Domain/Service/AuthenticationService.php

    /**
     * Returns whether any user is currently authenticated
     *
     * @return bool
     */
    public function isUserAuthenticated(): bool
    {
        $context = GeneralUtility::makeInstance(Context::class);
        return $context->getPropertyFromAspect('frontend.user', 'isLoggedIn');
    }

  1. Not sure if bool should be used here, since the aspect has a defined return of mixed|null
  2. Are contexts the way to go here or is it preferred to work closer along the internal API?

should have: Choosing Login.page in Flexform

At the moment I can only set the login.page via constants, right? It would be better if we could set the login.page for the plugin via flexform when we need to change the default login page. So we could choose if the plugin uses the default value or the specific one to redirect to a page after login.

Do not display user email on password reset

When a user submits a request to have his password reset, the email address of the user is then displayed in the confirmation message. This means that the email address of every user can be retrieved by unauthenticated users if they only know the username. I think that the address of the user should be cut from the confirmation message.
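The two password-reset disclosure issues on this page (different responses for unknown usernames, and the e-mail address echoed in the confirmation) side by side with a uniform response, as an added example that is not part of the issues and not hairu's own code. The function name, the `$uniformResponse` option, the mailer callback and the sample account are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts (username => e-mail); stands in for the fe_users lookup.
const ACCOUNTS = ['alice' => 'alice@example.org'];

/**
 * Start a password reset. With $uniformResponse enabled (hypothetical option),
 * the returned message is the same for existing and unknown usernames and
 * never contains the account's e-mail address.
 * $mailer is a hypothetical callback that delivers the reset link.
 */
function startPasswordReset(string $username, bool $uniformResponse, callable $mailer): string
{
    $email = ACCOUNTS[$username] ?? null;
    if ($email !== null) {
        // The token is only created and mailed for accounts that exist.
        $mailer($email, bin2hex(random_bytes(32)));
    }
    if ($uniformResponse) {
        return 'If the account exists, a reset link has been sent to its registered address.';
    }
    // Leaky variant described in the two issues: the response differs per case and echoes the address.
    return $email !== null
        ? "A reset link has been sent to $email."
        : 'Unknown username.';
}

$sent = [];
$mailer = function (string $to, string $token) use (&$sent): void {
    $sent[] = $to; // record the delivery instead of sending mail
};

foreach (['alice', 'nobody'] as $name) {
    printf("%-7s leaky:   %s\n", $name, startPasswordReset($name, false, $mailer));
    printf("%-7s uniform: %s\n", $name, startPasswordReset($name, true, $mailer));
}
printf("mails sent: %d\n", count($sent));
```

Response time can still differ between the two cases when the mail is sent synchronously; queuing the delivery keeps it comparable.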

language support

Hi,
if I am not wrong, there is no real language support in this extension yet.

I would suggest to add some language configurations to the "ext_localconf.php" such like

$GLOBALS['TYPO3_CONF_VARS']['SYS']['locallangXMLOverride']['de']['EXT:hairu/Resources/Private/Language/locallang.xlf'][] = 'EXT:hairu/Resources/Private/Language/de.locallang.xlf';
At least, in my configuration, this did the trick to translate texts in the frontend.

I am not sure if I can put some "ext_localconf.php" into my private extension folder.

Regards
Karl-Heinz

specified redirect_url also redirects on login failure

When I set a redirect_url in my form, like:
<input type="hidden" name="redirect_url" value="{f:uri.page(pageUid: 4, linkAccessRestrictedPages: 1)}"/>

... I am redirected to the configured page on login success, but unfortunately also on login failure (e.g. wrong password).

Setup:
TYPO3 8.7.8
fluidtypo3/flux dev-development (also checked on stable 8.1.0)
in2code/femanager: dev-develop,
pagemachine/hairu: 3.1.3

translation error?

When I update the language in TYPO3 8.7xx, the flash messages of the login.fail.messages don't get translated. The language file seems a bit messy there (\typo3conf\l10n\de\hairu\Resources\Private\Language\de.locallang.xlf). The target tag is closed immediately, then opened again. If I manually fix that in that file, all is OK. So please fix this, to use the translation (here German), thx:

<trans-unit id="login.failed.title">
        <source>Login failure</source>
      <target></target><alt-trans xml:space="preserve" origin="pkerling"><target>Anmeldung fehlgeschlagen</target></alt-trans></trans-unit>

<trans-unit id="login.failed.message">
       <source>Most likely you didn't enter the username or password correctly. Be certain that you enter them precisely as they are, including upper/lower case. Another possibility is that cookies might be disabled in your web browser.</source>
     <target></target><alt-trans xml:space="preserve" origin="pkerling"><target>Höchstwahrscheinlich wurden Benutzername oder Passwort falsch eingegeben.Bitte vergewissern Sie sich, dass diese Angaben korrekt sind, inklusive Groß- und Kleinschreibung. Außerdem könnten Cookies in Ihrem Browser deaktiviert sein.</target></alt-trans></trans-unit>

Reset fe_user sessions on password change

The core had a security improvement for the fe_login extension.

The extension fe_login now destroys the sessions of the fe_user when the password for this user is changed.

The core team advises that the developers of extensions which handle password changes add changes like the core did to the extensions:
https://typo3.org/security/advisory/typo3-core-sa-2019-011/

https://docs.typo3.org/typo3cms/extensions/core/latest/Changelog/8.7.x/Important-87298-DestroySessionsOnPasswordChange.html

breaking change ValidFrontendUserValidator deleted

Hi,

In commit 2f86a70 "Drop obsolete validator" the ValidFrontendUserValidator class file was deleted.

As this is a potential breaking change (it broke pw reset on our system) I think this should not have been released on a patch level?

Manually uploading the missing file quickly fixes the immediate issue of course.
Why was it flagged as obsolete in the first place though?
Did we miss a breaking change announcement or was the validator flagged as deprecated for some time?

Can you shed some light? Thx ...

stdWrap.lang on reset mail subject is not working

If I try to use the stdWrap method "lang" on the mail subject I only get "Array" as mail subject:

    plugin.tx_hairu.settings.passwordReset.mail.subject.stdWrap.lang {
        de = Passwort zurücksetzen
        fr = Réinitialiser le mot de passe
    }

The Readme.md says this:
"You can also use the stdWrap property on any settings value for custom processing."

As far as I understand, stdWrap includes all this:
https://docs.typo3.org/typo3cms/TyposcriptReference/Functions/Stdwrap/Index.html

Redirect at the end of "startPasswordResetAction"

I am having some issues in PAGEmachine\Hairu\Controller\AuthenticationController->startPasswordResetAction: when the mail is sent, you call a redirect.

I understand the need for this, but this is kind of buggy when using an Ajax call, as it calls a whole new page. I replaced with "forward" to test, and everything goes well after that.

I guess you used a redirect to prevent the form being submitted again after a page refresh, so I think you could not just replace by a forward?

Could we discuss that?

Implement password reset tokens without cache

Currently the TYPO3 caching framework is used to store password reset tokens. If the caches are flushed, all tokens are lost which results in broken links for users which have started a password reset before the flush.

The password reset tokens should be stored in a custom table or at least in the TYPO3 registry. We still need some kind of lifetime and garbage collection though.
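One way to keep reset tokens in a table with a lifetime and garbage collection, as the issue above asks for; this is an added example, not part of the issue and not hairu's code. The table name, function names and lifetime are hypothetical, in-memory SQLite stands in for the site database, and storing only a hash of the token is an extra hardening step not mentioned in the issue.

```php
<?php
declare(strict_types=1);

// Hypothetical table and function names; in-memory SQLite stands in for the site database.
const TOKEN_LIFETIME = 3600; // seconds (assumed value)

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE reset_token (token_hash TEXT PRIMARY KEY, user_uid INTEGER NOT NULL, expires INTEGER NOT NULL)');
}

/** Issue a token; only its SHA-256 hash is stored, so a database leak exposes no usable links. */
function issueToken(PDO $db, int $userUid, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO reset_token VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userUid, $now + TOKEN_LIFETIME]);
    return $token;
}

/** Redeem a token once; returns the user uid, or null if unknown, expired or already used. */
function redeemToken(PDO $db, string $token, int $now): ?int
{
    $hash = hash('sha256', $token);
    $select = $db->prepare('SELECT user_uid FROM reset_token WHERE token_hash = ? AND expires > ?');
    $select->execute([$hash, $now]);
    $uid = $select->fetchColumn();
    // Remove the row whatever the outcome, so a link cannot be replayed.
    $db->prepare('DELETE FROM reset_token WHERE token_hash = ?')->execute([$hash]);
    return $uid === false ? null : (int)$uid;
}

/** Garbage collection for a scheduled task; returns the number of expired rows removed. */
function collectGarbage(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM reset_token WHERE expires <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$now = 1700000000; // constructed timestamp
$token = issueToken($db, 42, $now);
var_dump(redeemToken($db, $token, $now + 60));  // first use of the link
var_dump(redeemToken($db, $token, $now + 120)); // same link used again
issueToken($db, 43, $now);
var_dump(collectGarbage($db, $now + TOKEN_LIFETIME + 1));
```

Because the rows live in a regular table, flushing the caches no longer invalidates pending reset links; only expiry, redemption or garbage collection removes them.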

TYPO3 8 compatibility

Hi!

Is Hairu compatible with TYPO3 v8.7?
If yes, could you make a release to TER ?

Thanks,
sstorme
