Successful verification, failed to jump

[yu2n]

Hi, awesome author.

I have tried to configure TwoFactorAuth on windows many times. Its user authentication and OTP authentication functions are normally available, but after authentication, I jump to the APP website of my Nginx proxy.

Login

Login-Jump-Bugs

Main website: http://localhost:80/
OTP verification website: http://localhost:81/
APP service website: http://localhost:81/

Operating system version: Windows 10 x64
Nginx version: nginx-1.19.1
php version: php-7.4.8-nts-Win32-vc15-x64

My Config:
test-config.zip

C:\nginx-1.19.1\conf\nginx.conf

worker_processes  1;

error_log  logs/error.log  info;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    # Main
    server {
        listen       80;
        server_name     localhost;

        location / {
            root   html;
            index  index.html index.htm;
            auth_request /twofactorauth/nginx/auth.php;
            proxy_pass http://localhost:81;
        }
        location = /twofactorauth/nginx/auth.php {
            auth_request off; 
            proxy_pass http://localhost:81/twofactorauth/nginx/auth.php; # This is the TOTP Server
            proxy_set_header X-Original-URI $request_uri;
        }
        location /twofactorauth/login/ {
            auth_request off; 
            proxy_pass http://localhost:81/twofactorauth/login/;
        }
        location /twofactorauth/db/ {
            deny all;
        } 
        # This ensures that if the TOTP server returns 401 we redirect to login
        error_page 401 = @error401;
        location @error401 {
            auth_request off; 
            return 302 $scheme://localhost/twofactorauth/login/login.php?from=$uri;
        }
    }
    
    # TwoFactorauth & KodExplorer
    server {
        listen       81;
        server_name  localhost;
        location / {
            root   html;
            index  index.php index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

目前我已成功使用了另一个OTP验证程序，它比较简陋，还是期待能使用上您的作品。
simpleotp
https://github.com/yu2n/simpleotp

感谢您的阅读。

[efelon]

Even when I try to include the port in the "from" variable:
return 302 $scheme://$host/twofactorauth/login/login.php?from=$scheme://$host:$server_port$uri;
it still goes to $host/.

[fmeschbe]

I just ran into the exact same issue. Looking at the code, it seems that the from is not fully respected in that only the request path, query, and fragment are preserved, while the scheme and authority (host/port) parts are taken from the Two Factor Auth virtual host.

I do not exactly know the reason for this behaviour, but my fix for this is just simply:

diff --git a/login/login.php b/login/login.php
index 5c0b439..2bfc7af 100644
--- a/login/login.php
+++ b/login/login.php
@@ -85,12 +85,7 @@ else {
                //--------------------------------------------------
                // Checking which URL we should redirect the user to
                if (isset($_GET['from'])) {
-                       $from = $_GET['from'];
-                       if (preg_match('#^(?:https?:)?//#', $_GET['from'], $m)) {
-                               $url = parse_url($_GET['from']);
-                               $from = $url['path'] . (!empty($url['query']) ? '?' . $url['query'] : '') . (!empty($url['fragment']) ? '#' . $url['fragment'] : '');
-                       }
-                   $redirectTo = ((isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on")? "https://" : "http://").$_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$from;
+                         $redirectTo = $_GET['from'];
                }
                else {
                    $redirectTo = AUTH_SUCCEED_REDIRECT_URL;