• Resolved Vijay Hardaha

    (@vijayhardaha)


    Logical error with wordfence_ls_authenticate action on a specific case.

    Hello WF Team,

    I have discovered a logical issue in a specific case I am using on a client website. I investigated the issue in depth and found the reason and a solution for it. I will try my best to provide all the possible technical details.

    **What is the issue?**
    wordfence_ls_authenticate was supposed to work/trigger with login forms only, but in my case it works/triggers on registration forms (in my case, the WooCommerce registration form).

    **What do we need to produce this issue?**
    – WordFence & WooCommerce plugin latest version installed & active.
    – Enable WooCommerce integration
    – Enable reCAPTCHA on the login and user registration pages
    – Disable "When creating an account, automatically generate an account username for the customer based on their name, surname or email" in WooCommerce account settings.
    – Disable "When creating an account, send the new user a link to set their password" in WooCommerce account settings.

    **What is my specific case?**
    This issue occurs when:
    – Using the WooCommerce registration form on a custom page using a custom-built shortcode.
    – Customizing the WooCommerce login template and loading the login and registration forms dynamically using a query variable (with custom code, I can manage to pass ?register_form=1 and can display the login or registration form conditionally).
    – I just remove the login form from the WooCommerce login template and just show the registration form.

    **What are the steps to reproduce the error?**
    – Activate plugins and enable/disable settings as specified above.
    – Now edit the myaccount/form-login.php WC template and remove the login form HTML with class woocommerce-form-login.
    – Make sure the registration form is visible and the username and password fields are shown on the reg. form.
    – Now fill in the form fields and submit it.
    – You’ll find the wordfence_ls_authenticate action is being triggered and you’ll find login errors in the response.

    **Why does this issue happen in these cases?**
    I investigated the issue and found a logical error in the JS code. The issue is in the login-security/js/login.[xxxx].js file.

    
    ```js
    'input[name=log]',
    'input[name=username]',
    'input#username[name=username]',
    '.woocommerce-form-login input[name=username]',
    '.login input[name=username]',
    'input[name=password]'
    ```
    

    These selectors are defined for matching the login form, but input[name=username] and input[name=password] both exist in the registration form as well.
    So when I remove the login form, the registration form is found as a login form and the login submit event is attached to it.

    So the next question is why it doesn’t happen when the login form is available on the page.
    The answer is that loginLocator.locate() && loginLocator.getForm() only work for the first match. So when the login form is available, it’s matched and the login submit event is attached to it.
    Then the code looks for a registration form and the registration submit event is hooked.

    But when the login form is not available and we have a WooCommerce registration page with username and password on it, it is matched as a login form and the login submit event is attached; then the registration form is matched again and another submit event is hooked to it.

    So overall I see it as a logical issue, although it’s in a specific case.

    **What is the solution?**
    For now, I have changed the selectors like this to solve the issue:

    
    ```js
    'form:not(.woocommerce-form-register) input[name=username]',
    'form:not(.woocommerce-form-register) input[name=password]'
    ```
    

    So I am strictly checking that the form is not woocommerce-form-register when I look for the username and password name inputs. This way, I don’t get any match for login forms when I just have the registration form on the page.

    It’s not the perfect solution but in my case, it solves the issue. If WF developers think this issue should be addressed and fixed in the upcoming version, it will be good to know.

    Lastly, I want to mention, if anyone is curious to know why I have a separate registration page with a shortcode: the client’s requirement is to allow registration for specific people, and they have a password-protected page, and the password is provided to their business customers only.

  • Plugin Support wfpeter

    (@wfpeter)

    Thank you @vijayhardaha for your detailed message around the issue that came up for you and how you went about resolving it in your case!

    Wordfence does by design only provide 2FA/reCAPTCHA for the default login/registration pages for WooCommerce and WordPress but we are certainly always looking to improve functionality or compatibility as time progresses.

    I’m unable to comment here on whether this specific update will be included, or provide regular updates to status but it has been passed along to the development team for consideration. We do discuss all user suggestions internally for possible inclusion.

    Thanks,

    Peter.

    Thread Starter Vijay Hardaha

    (@vijayhardaha)

    Thank you @wfpeter for your response.

    I understand that WordFence has features for the default WooCommerce login/register pages, and that my registration page, on which I have the issue, comes under the customization category.

    However, I want to mention a simple use-case for consideration, as a pretty basic customization of the WooCommerce login/registration page.

    If we swap the position of the login & registration forms on the WooCommerce login page so that the registration form HTML is above the login form, we’ll have the registration form on the left and the login form on the right.

    So in this case, the issue will occur, since loginLocator.locate() will find the registration form first and return the valid status.
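
The first-match behaviour described in the opening post (registration form only) and in the reply above (registration form placed before the login form), as an added example that is not part of the thread and is not Wordfence's code. It assumes the quoted selectors form one list evaluated in document order; the form objects, their ids and classes, and the helpers `matches` and `loginHandlerTarget` are constructed for illustration.

```javascript
// Added illustration: a simplified model of first-match form detection, not Wordfence's code.
// Constructed forms: class list plus inputs ({name, id}); the ids are assumed sample values.
const LOGIN = { kind: 'login', classes: ['woocommerce-form-login', 'login'],
  inputs: [{ name: 'username', id: 'username' }, { name: 'password', id: 'password' }] };
const REGISTER = { kind: 'register', classes: ['woocommerce-form-register', 'register'],
  inputs: [{ name: 'username', id: 'reg_username' }, { name: 'email', id: 'reg_email' },
           { name: 'password', id: 'reg_password' }] };

// Selectors quoted in the post, and the poster's workaround applied to the two generic ones.
const ORIGINAL = ['input[name=log]', 'input[name=username]', 'input#username[name=username]',
  '.woocommerce-form-login input[name=username]', '.login input[name=username]',
  'input[name=password]'];
const SCOPED = ORIGINAL.map(s => /^input\[name=(username|password)\]$/.test(s)
  ? 'form:not(.woocommerce-form-register) ' + s : s);

// Matcher for the only selector shapes used above:
//   [.class | form:not(.class)] input[#id][name=x]
// Simplification: the ancestor part is tested against the form element itself.
function matches(selector, form, input) {
  const m = /^(?:(\S+) )?input(?:#([\w-]+))?\[name=([\w-]+)\]$/.exec(selector);
  if (!m) throw new Error('unsupported selector: ' + selector);
  const [, scope, id, name] = m;
  if (input.name !== name || (id && input.id !== id)) return false;
  if (!scope) return true;
  const not = /^form:not\(\.([\w-]+)\)$/.exec(scope);
  if (not) return !form.classes.includes(not[1]);
  if (scope.startsWith('.')) return form.classes.includes(scope.slice(1));
  throw new Error('unsupported scope: ' + scope);
}

// First match in document order: returns the kind of form that would receive
// the login submit handler, or null when no form matches.
function loginHandlerTarget(page, selectors) {
  for (const form of page)
    for (const input of form.inputs)
      if (selectors.some(s => matches(s, form, input))) return form.kind;
  return null;
}

// Three page layouts from the thread: default order, registration only, swapped order.
const pages = { default: [LOGIN, REGISTER], registerOnly: [REGISTER], swapped: [REGISTER, LOGIN] };
for (const [name, page] of Object.entries(pages))
  console.log(name, loginHandlerTarget(page, ORIGINAL), loginHandlerTarget(page, SCOPED));
```

With the generic selectors, the registration form is picked as the login form whenever it comes first in the document; with the scoped selectors it is never picked.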

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @vijayhardaha,

    Although I can’t comment on potential delivery dates due to previously decided updates to the plugin, this has now been discussed and we are indeed scheduling improvements to the selectors so forms with the same field names don’t match the wrong ones. Thanks for your input.

    Peter.

    Thread Starter Vijay Hardaha

    (@vijayhardaha)

    OK, thanks for the updates.
