Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect creation date shown for recovery codes #571

Open
2 tasks done
gavynj opened this issue Oct 18, 2024 · 0 comments
Open
2 tasks done

Incorrect creation date shown for recovery codes #571

gavynj opened this issue Oct 18, 2024 · 0 comments
Labels
impact/high type/bug Something isn't working

Comments

@gavynj
Copy link

gavynj commented Oct 18, 2024
edited by GuySartorelli
Loading

Module version(s) affected

5.2.4

Description

When viewing a member, at the bottom of their member screen on the backend it says whether they have MFA setup and when their recovery codes were created. However, for any user that has MFA setup, the recovery codes created date always shows as today.

Screenshot 2024-10-18 at 9 48 36 AM

For the above example, the date in the database was 25th May 2024.

How to reproduce

  • Setup MFA for a user
  • Manually change the Created date in the database to some time in the past (MFARegisteredMethod > SilverStripe\MFA\BackupCode\Method > Created)
  • View that user in the Security area
  • The created date for the recover codes will still be the current date

Possible Solution

There are two things wrong with this section in the admin.

Firstly, there is a typo which is why the date is always the current date.

Line 61 of src/FormField/RegisteredMFAMethodListField.php

'backupCreationDate' => $this->getBackupMethod()

backupCreationDate should be backupCreatedDate, as that is what the frontend code is expecting. This is causing the date to always show the current date.

Secondly, even when that is fixed, the backup method of the currently logged in user is being shown, not the user you are viewing.

Line 78 of src/FormField/RegisteredMFAMethodListField.php shows Security::getCurrentUser() being used whenever getBackupMethod() is called.

protected function getBackupMethod(): ?RegisteredMethod
{
     $backupMethod = MethodRegistry::singleton()->getBackupMethod();
     return RegisteredMethodManager::singleton()->getFromMember(Security::getCurrentUser(), $backupMethod);
}

I have a working solution here: gavynj@fbc9369#diff-84c429bec93f6d0c4a4cdd55997e8d496dc14b3cf61d27e0a7aad8325ed12638R61

Additional Context

No response

Validations

  • Check that there isn't already an issue that reports the same bug
  • Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)

PRs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/high type/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emteknetnz @gavynj