Viewing 8 replies - 1 through 8 (of 8 total)
    Plugin Author Paul Ryan

    (@figureone)

    If you configure Authorizer to:

    1. Hide WordPress logins
    2. Render the button to log in via OAuth2 (don’t automatically redirect to the OAuth2 login)
    3. Render the Cloudflare Turnstile

    Then if the user logging in first verifies the Cloudflare Turnstile before clicking the OAuth2 login button, does that result in a successful login?

    Thread Starter aschild

    (@aschild)

    Hello Paul,

    Unfortunately this does not work.

    I think the problem is: when we get back from the OAuth2 external login page, it should be logged in, but the Turnstile plugin has not yet validated on that page.

    André

    Plugin Author Paul Ryan

    (@figureone)

    Thanks for checking. I looked at the source code for the turnstile plugin and can see where the issue occurs. We can try working on an integration in Authorizer to forward the Cloudflare Turnstile response after logging in with Authorizer, so the turnstile plugin can validate it. But be aware that this will all happen *after* a successful OAuth2 login attempt, so the turnstile plugin won’t be protecting your OAuth2 endpoint from bots.

    Thread Starter aschild

    (@aschild)

    I think the clean way would be to have Turnstile only active/checked when doing a regular login, but not on OAuth2 logins.

    For OAuth2 it’s the job of the OAuth2 provider to do these types of checks.

    I assume there is no way to have Turnstile conditionally only for regular form logins and not for OAuth2?

    For our use case I could probably disable the form login soon.

    Plugin Author Paul Ryan

    (@figureone)

    Got it, thanks for clarifying. I think simple-cloudflare-turnstile actually has a hook to disable it, which we can use in Authorizer right after processing an OAuth2 login: https://github.com/ElliotSowersby/simple-cloudflare-turnstile/blob/master/inc/turnstile.php#L164

    Can you try testing by adding the following code to Authorizer (wp-content/plugins/authorizer/src/authorizer/class-authentication.php), right before the final return in the authentication function processing results from OAuth2 and other external providers: https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authentication.php#L296

    // Integration: disable Cloudflare Turnstile verification from the
    // simple-cloudflare-turnstile plugin if it is activated (conflicts with
    // our redirects from external services).
    add_filter( 'cfturnstile_widget_disable', '__return_true' );

    If that works we can get it merged and included in the next release (and you can continue to use the hotfix until that happens).
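    As an added example (not Authorizer's or simple-cloudflare-turnstile's own code, and distinct from the one-line hotfix above): a must-use plugin that applies the same `cfturnstile_widget_disable` filter only when the request is an external-provider login, so the regular username/password form keeps its Turnstile check and no plugin file has to be patched (a patched plugin file is overwritten on the next update). It assumes Authorizer marks external logins with an `external` query parameter on wp-login.php; that assumption, the provider list, and the `authz_turnstile_*` function names are constructed for this example and should be checked against the login button URL on your own site before use.

```php
<?php
/**
 * Plugin Name: Turnstile bypass for Authorizer external logins (added example)
 * Description: Drop into wp-content/mu-plugins/. Skips the
 * simple-cloudflare-turnstile check only for Authorizer external-provider
 * logins, so the Turnstile stays active on the regular login form.
 *
 * ASSUMPTION (not verified against Authorizer's source): external logins
 * arrive at wp-login.php with an `external` query parameter, e.g.
 * ?external=oauth2. Confirm this against the login button URL on your site.
 */

// Constructed list of Authorizer external-provider names that are treated
// as "not a form login". Adjust to the providers you actually enable.
const AUTHZ_EXTERNAL_PROVIDERS = array( 'oauth2', 'google', 'cas', 'ldap' );

/**
 * Decide whether a request is an external-provider login.
 * The request array is passed in explicitly so the decision is testable
 * without touching $_GET; only the whitelisted provider names qualify.
 */
function authz_turnstile_is_external_login( array $request ) : bool {
    if ( empty( $request['external'] ) || ! is_string( $request['external'] ) ) {
        return false;
    }
    return in_array( strtolower( $request['external'] ), AUTHZ_EXTERNAL_PROVIDERS, true );
}

/**
 * Filter callback for simple-cloudflare-turnstile's `cfturnstile_widget_disable`.
 * Returns true (skip the widget and its server-side validation) only for
 * external logins. On every other request it passes through whatever value
 * earlier filters produced, so the regular form login remains protected.
 */
function authz_turnstile_maybe_disable( $disable ) {
    if ( authz_turnstile_is_external_login( $_GET ) ) {
        return true;
    }
    return $disable;
}
add_filter( 'cfturnstile_widget_disable', 'authz_turnstile_maybe_disable' );
```

    Note the caveat Paul raises above still applies: for the external-provider path this removes the Turnstile entirely, so bot protection of the OAuth2 login is left to the OAuth2 provider. If the `external` parameter is absent from the callback request on your site, the filter never returns true and the original conflict remains; in that case the in-plugin hotfix above is the fallback.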

    Thread Starter aschild

    (@aschild)

    Sorry for this late response.

    I added the line to the authenticator source and now it works.

    Thanks

    Plugin Author Paul Ryan

    (@figureone)

    Thanks! We’ll include this in the next release and you can continue to use the hotfix in the meantime.

    Plugin Author Paul Ryan

    (@figureone)
