Skip to content

Two-step verification setup page was cached at cloudflare level on standard content page #794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
joepagan opened this issue Apr 17, 2025 · 8 comments
Closed

Two-step verification setup page was cached at cloudflare level on standard content page #794

joepagan opened this issue Apr 17, 2025 · 8 comments
Labels
question Further information is requested

Comments

@joepagan
Copy link

Bug Report

Hey,

As the image shows, someone managed to visit a public url /offices which normally shows an entry's content, but what has cached at cloudflare level is the Craft Two Factor Authentication setup page.

Image

I presume this has happened where a user who has not yet setup 2fa fully tried to login, abandoned that flow (or they were previously logged in before 2FA was enabled and it was retained), then they visited an uncached page and got this, maybe because the admin bar plugin is installed on this app and that triggered the 2fa html.

Is there anything which blitz can do to handle this?

Diagnostics Report

Application Info

  • PHP version: 8.3.16
  • Craft edition & version: Pro 5.6.17
  • Database driver & version: MySQL 28.1

Installed Plugins

  • Admin Bar: 5.3.2
  • AI Alt Text: v1.3.0
  • Blitz: 5.10.3
  • CKEditor: 4.6.0
  • CP Field Inspect: 2.0.4
  • Formie: 3.0.24
  • Linkit: 5.0.0
  • Navigation: 3.0.6
  • Neo: 5.4.1
  • Retour: 5.0.9
  • Scout: 5.0.5
  • SEOmatic: dev-develop-v5
  • Servd Assets and Helpers: 4.0.15
  • Site Copy X: 2.1.1
  • Translations: 4.1.1
  • Vite: 5.0.1

Loaded Modules

  • image-transform: modules\imagetransform\ImageTransformModule
  • multisite: modules\multisite\MultisiteModule
  • urlencode-response-headers: modules\urlencoderesponseheaders\UrlEncodeResponseHeadersModule
  • codeeditor: nystudio107\codeeditor\CodeEditor
  • sprig-core: putyourlightson\sprig\Sprig
  • verbb-base: verbb\base\Base

Blitz Plugin Settings

{
    "debug": false,
    "hintsEnabled": true,
    "cachingEnabled": true,
    "refreshCacheEnabled": true,
    "refreshMode": 1,
    "includedUriPatterns": [
        {
            "enabled": "1",
            "siteId": "",
            "uriPattern": ".*"
        }
    ],
    "excludedUriPatterns": [],
    "cacheStorageType": "putyourlightson\\blitz\\drivers\\storage\\DummyStorage",
    "cacheStorageSettings": [],
    "cacheStorageTypes": [],
    "cacheGeneratorType": "putyourlightson\\blitz\\drivers\\generators\\HttpGenerator",
    "cacheGeneratorSettings": {
        "concurrency": "3"
    },
    "cacheGeneratorTypes": [],
    "customSiteUris": [],
    "cachePurgerType": "putyourlightson\\blitz\\drivers\\purgers\\CloudflarePurger",
    "cachePurgerSettings": {
        "zoneIds": {
            "c52cfd68-1887-4a46-809b-017f537fddae": {
                "zoneId": "$CLOUDFLARE_ZONE_ID"
            },
            "d79ae16a-0897-4271-92ee-a55f38854b40": {
                "zoneId": "$CLOUDFLARE_ZONE_ID"
            },
            "3a9c30dc-38b5-4a41-9cd9-28520e9d0b5c": {
                "zoneId": "$CLOUDFLARE_ZONE_ID"
            },
            "21c8b357-6985-4e5e-90be-f9ccbdbf25cb": {
                "zoneId": "$CLOUDFLARE_ZONE_ID"
            },
            "0ac81c75-64e6-4542-9c77-1575607f2290": {
                "zoneId": "$CLOUDFLARE_ZONE_ID"
            }
        },
        "authenticationMethod": "apiToken",
        "apiToken": "*******************",
        "apiKey": "",
        "email": ""
    },
    "cachePurgerTypes": [],
    "deployerType": "putyourlightson\\blitz\\drivers\\deployers\\DummyDeployer",
    "deployerSettings": [],
    "deployerTypes": [],
    "ssiEnabled": false,
    "ssiTagFormat": "<!--#include virtual=\"{uri}\" -->",
    "detectSsiEnabled": true,
    "esiEnabled": false,
    "onlyCacheLowercaseUris": false,
    "queryStringCaching": 2,
    "includedQueryStringParams": [
        {
            "enabled": "1",
            "siteId": "",
            "queryStringParam": ".*"
        }
    ],
    "excludedQueryStringParams": [
        {
            "enabled": "1",
            "siteId": "",
            "queryStringParam": "gclid"
        },
        {
            "enabled": "1",
            "siteId": "",
            "queryStringParam": "fbclid"
        },
        {
            "enabled": "1",
            "siteId": "",
            "queryStringParam": "_gl"
        }
    ],
    "apiKey": "",
    "generatePagesWithQueryStringParams": true,
    "purgeAssetImagesWhenChanged": true,
    "refreshCacheAutomaticallyForGlobals": true,
    "refreshCacheWhenElementMovedInStructure": true,
    "refreshCacheWhenElementSavedUnchanged": false,
    "refreshCacheWhenElementSavedNotLive": false,
    "refreshExpiredCacheAfterVisit": true,
    "cacheNonHtmlResponses": false,
    "trackElements": true,
    "trackElementQueries": true,
    "excludedTrackedElementQueryParams": [],
    "cacheDuration": null,
    "nonCacheableElementTypes": [],
    "sourceIdAttributes": [],
    "liveStatuses": [],
    "integrations": [
        "putyourlightson\\blitz\\drivers\\integrations\\CommerceIntegration",
        "putyourlightson\\blitz\\drivers\\integrations\\SeomaticIntegration"
    ],
    "defaultCacheControlHeader": "no-store",
    "cacheControlHeader": "public, s-maxage=31536000, max-age=0",
    "cacheControlHeaderExpired": "public, s-maxage=5, max-age=0",
    "sendPoweredByHeader": false,
    "outputComments": true,
    "refreshCacheJobPriority": 10,
    "driverJobBatchSize": 100,
    "driverJobPriority": 100,
    "queueJobTtr": 300,
    "maxRetryAttempts": 10,
    "maxUriLength": 255,
    "mutexTimeout": 1,
    "commands": [],
    "injectScriptEvent": "DOMContentLoaded",
    "injectScriptPosition": 3
}

Recommendations

  • ❌ One or more globals exist and refreshCacheAutomaticallyForGlobals is enabled.
  • ❌ The blitz/cache/refresh-expired console command has not been executed within the past 24 hours.
  • ✅ Blitz is configured not to refresh cached pages when an element is saved but unchanged.
  • ✅ Blitz is configured not to refresh cached pages when an element is saved but not live.
  • ✅ Image transforms are configured to be generated before page load.
  • ✅ The @web alias is explicitly defined.
  • ✅ Queue jobs are configured not to run automatically via web requests.
  • ✅ The Async Queue plugin is not installed or enabled.

Site Tracking [1]

  • Tracked Pages: 816
  • Tracked Includes: 0
  • Tracked Query String Params: 0
  • Tracked Elements: 3940
    • craft\elements\Entry: 1,434
    • craft\elements\Tag: 1,107
    • craft\elements\Asset: 904
    • craft\elements\Entry: 414
    • verbb\navigation\elements\Node: 77
    • verbb\formie\elements\Form: 3
    • craft\elements\User: 1
  • Tracked Element Queries: 661
    • craft\elements\Entry: 511
    • verbb\navigation\elements\Node: 142
    • craft\elements\Asset: 7
    • craft\elements\Tag: 1
  • Tracked Tags: 0

Site Tracking [2]

  • Tracked Pages: 792
  • Tracked Includes: 0
  • Tracked Query String Params: 0
  • Tracked Elements: 3907
    • craft\elements\Entry: 1,400
    • craft\elements\Tag: 1,111
    • craft\elements\Asset: 898
    • craft\elements\Entry: 417
    • verbb\navigation\elements\Node: 77
    • verbb\formie\elements\Form: 4
  • Tracked Element Queries: 667
    • craft\elements\Entry: 517
    • verbb\navigation\elements\Node: 142
    • craft\elements\Asset: 7
    • craft\elements\Tag: 1
  • Tracked Tags: 0

Site Tracking [4]

  • Tracked Pages: 373
  • Tracked Includes: 0
  • Tracked Query String Params: 0
  • Tracked Elements: 2701
    • craft\elements\Tag: 1,101
    • craft\elements\Entry: 900
    • craft\elements\Asset: 443
    • craft\elements\Entry: 183
    • verbb\navigation\elements\Node: 72
    • verbb\formie\elements\Form: 2
  • Tracked Element Queries: 626
    • craft\elements\Entry: 495
    • verbb\navigation\elements\Node: 129
    • craft\elements\Asset: 1
    • craft\elements\Tag: 1
  • Tracked Tags: 0

Site Tracking [5]

  • Tracked Pages: 364
  • Tracked Includes: 0
  • Tracked Query String Params: 0
  • Tracked Elements: 2698
    • craft\elements\Tag: 1,104
    • craft\elements\Entry: 890
    • craft\elements\Asset: 437
    • craft\elements\Entry: 193
    • verbb\navigation\elements\Node: 72
    • verbb\formie\elements\Form: 2
  • Tracked Element Queries: 631
    • craft\elements\Entry: 499
    • verbb\navigation\elements\Node: 130
    • craft\elements\Asset: 1
    • craft\elements\Tag: 1
  • Tracked Tags: 0

Site Tracking [6]

  • Tracked Pages: 358
  • Tracked Includes: 0
  • Tracked Query String Params: 0
  • Tracked Elements: 2704
    • craft\elements\Tag: 1,104
    • craft\elements\Entry: 903
    • craft\elements\Asset: 434
    • craft\elements\Entry: 189
    • verbb\navigation\elements\Node: 72
    • verbb\formie\elements\Form: 2
  • Tracked Element Queries: 622
    • craft\elements\Entry: 493
    • verbb\navigation\elements\Node: 128
    • craft\elements\Tag: 1
  • Tracked Tags: 0
@joepagan joepagan added the bug Something isn't working label Apr 17, 2025
@bencroker
Copy link
Collaborator

Assuming this page should be cached, you can add a page specific option conditionally, to disable caching of the page when displaying a login page. For example:

{% if isLoginPage %}
    {% do craft.blitz.options.cachingEnabled(false) %}
{% endif %}

See https://putyourlightson.com/plugins/blitz#page-specific-options

@bencroker bencroker added question Further information is requested and removed bug Something isn't working labels Apr 18, 2025
@joepagan
Copy link
Author

Thanks for getting back, though this page was not a login page. Craft returned a completely different HTML document to what was expected in this scenario.

@bencroker
Copy link
Collaborator

In that case, you probably want to force Craft to redirect to a login page, rather than show one at /offices.

@joepagan
Copy link
Author

There is not a public login page on this entire website.

@bencroker
Copy link
Collaborator

bencroker commented Apr 18, 2025
edited
Loading

In that case, I don’t know what to recommend. This appears to be a Craft issue.

@joepagan
Copy link
Author

Ok no worries, I thought maybe blitz could detect if a request was to a backend page (if this is technically classed as one) I'm not sure. I'll make an issue on their repo.

@bencroker
Copy link
Collaborator

Blitz never caches CP pages, so this must be considered a “site” page.

@joepagan
Copy link
Author

sure, it's hijacked the html which should render in this case, I've opened a new issue here craftcms/cms#17129

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joepagan @bencroker