Google Authenticator QR code - 'Continue' button not working #14

Open
aricwatson opened this issue Aug 17, 2016 · 10 comments

@aricwatson
Contributor

Reported via email.

May be related to #10

The QR code in Google Authenticator does not work on the live server after pressing the 'Continue' button.

Console Error: Uncaught TypeError: Cannot read property 'submit' of undefined
onclick @ (index):48

My Magento version is 1.7.0.2.
It worked perfectly on my local server.

@subscriberumail

subscriberumail commented Dec 20, 2016

There is an error in the browser console: Refused to execute script from 'https://myservername.com/js/index.php/x.js?f=prototype/prototype.js,pr…s,mage/adminhtml/events.js,mage/adminhtml/form.js,scriptaculous/effects.js' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
This is because the MIME type does not correspond to (X-Content-Type-Options: nosniff).
I read this: http://stackoverflow.com/questions/24528211/refused-to-execute-script-from-because-its-mime-type-application-json-is

They said (it seems to me) that we need to comment out one line with # in the store's .htaccess file:
#Header set X-Content-Type-Options: nosniff

SOLUTION IS: Remove this header to prevent the browser from performing the MIME check.

If we do the following:
- make the change in .htaccess,
- clean the Magento cache,
- AND clean the cookies in the browser (this is important),
then the prototype JS is not blocked, the CONTINUE button will work, and the module will work.
The question is: can the authors patch the code so that the header above can be enabled in the .htaccess file?

Here are the logs (but you can just make the change yourself in your .htaccess file:
Header set X-Content-Type-Options: nosniff
and you will see the BUG):

2016-12-20T08:39:14+00:00 EMERG (0): googleAction start
2016-12-20T08:39:15+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:39:15+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - not active, try again
2016-12-20T08:40:53+00:00 EMERG (0): check_twofactor_active - redirect to https://localhost/index.php/admin/twofactor/google/key/42723b3081872b7735f1216acaf29125/
2016-12-20T08:40:55+00:00 EMERG (0): googleAction start
2016-12-20T08:40:55+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T08:40:55+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - not active, try again
2016-12-20T09:00:09+00:00 EMERG (0): check_twofactor_active - redirect to https://localhost/index.php/admin/twofactor/google/key/42723b3081872b7735f1216acaf29125/
2016-12-20T09:00:14+00:00 EMERG (0): googleAction start
2016-12-20T09:00:14+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:00:14+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:01:42+00:00 EMERG (0): verifyAction start
2016-12-20T09:01:42+00:00 EMERG (0): TFA Verify attempt for admin account d from IP 127.0.0.1
2016-12-20T09:01:42+00:00 EMERG (0): verifyAction - start Google validate
2016-12-20T09:01:42+00:00 EMERG (0): verifyGoogle - new google secret saved for admin account d from IP 127.0.0.1
2016-12-20T09:01:42+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:01:42+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T09:01:47+00:00 EMERG (0): googleAction start
2016-12-20T09:01:48+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T09:01:48+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active
2016-12-20T10:40:12+00:00 EMERG (0): check_twofactor_active - tfa state none
2016-12-20T10:40:18+00:00 EMERG (0): check_twofactor_active - tfa state none
2016-12-20T10:40:36+00:00 EMERG (0): authenticate_after - get2faState is not active
2016-12-20T10:40:36+00:00 EMERG (0): authenticate_after - redirect to https://localhost/index.php/admin/twofactor/google/key/1ad82bf0c598ab6ffbf696a9a5b533b7/
2016-12-20T10:40:45+00:00 EMERG (0): googleAction start
2016-12-20T10:40:46+00:00 EMERG (0): check_twofactor_active - tfa state processing
2016-12-20T10:40:46+00:00 EMERG (0): check_twofactor_active - return controller twofactor or is active

@miguelbalparda
Contributor

Why are you pulling your js files with https://myservername.com/js/index.php/x.js?f=prototype/prototype.js ?
It seems to be a module, what happens if you disable it and use this module?

@subscriberumail

This JS call was added by your module itself, at line 58 here: /app/design/adminhtml/default/default/template/he_twofactor/google/auth.phtml
Maybe you can change line 48 to remove xhtml1-strict.dtd (so that strict MIME type checking is disabled),
or can you do something else to patch the issue? I will wait for your answer on what to do.

@miguelbalparda
Contributor

Sorry, too early in the morning :) This is the first time this issue is reported, let me check this and get back to you.

@subscriberumail

Have you checked the bug?

@miguelbalparda
Contributor

Still working on it. What have you tried so far to fix this? Feel free to submit a PR with your fixes while we work on this.

@subscriberumail

subscriberumail commented Dec 21, 2016

Now I have commented out one line with # in the store's .htaccess file:
#Header set X-Content-Type-Options: nosniff

@joshkersey

joshkersey commented Jan 31, 2017

I can confirm the same issue as reported here when using the devel branch. I don't have the nosniff header in my .htaccess to comment it out. I will add that I also see the following two errors:

captcha.js:25 Uncaught ReferenceError: Class is not defined at captcha.js:25

(index):56 Uncaught ReferenceError: varienForm is not defined at (index):56

@joshkersey

joshkersey commented Jan 31, 2017

Was able to resolve this by changing js/index.php at line 45 to be true instead of false:

// allow web server set content type automatically
$contentType = false;

After making this update the script is working correctly and I'm able to access the admin using Magento 1.9.3.0 and the devel branch of this project.

@EricSeastrand
Contributor

EricSeastrand commented Feb 10, 2017

The change in #20 should remedy the issue without having to modify that core file, but it hasn't yet been merged into the devel branch. The index.php file you modified may be overwritten by a future core update.

You may want to try installing the version from #20.
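
The console error quoted in this thread comes from the browser's nosniff check on script responses. As an added example (not part of the thread or of the module's code), the sketch below models that check over constructed header sets to show that a response served with a JavaScript Content-Type still executes with the header enabled; the sample header values and all function names are assumptions.

```javascript
// Added example: models the browser's nosniff check for a <script> response.
// JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Header names are case-insensitive, so index them in lower case.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// "type/subtype" without parameters, or null when missing or malformed.
function mimeEssence(contentType) {
  if (contentType === undefined) return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// True when a browser enforcing nosniff would refuse to run the response as a script.
function scriptBlockedByNosniff(rawHeaders) {
  const h = lowerCaseKeys(rawHeaders);
  const option = (h["x-content-type-options"] || "").split(",")[0].trim().toLowerCase();
  if (option !== "nosniff") return false; // strict MIME checking not requested
  const essence = mimeEssence(h["content-type"]);
  return essence === null || !JS_MIME_TYPES.has(essence);
}

// Constructed header sets for a merged-script URL (not captured from a real server).
const SAMPLES = {
  reported: { "Content-Type": "text/html; charset=UTF-8", "X-Content-Type-Options": "nosniff" },
  headerRemoved: { "Content-Type": "text/html; charset=UTF-8" },
  typeCorrected: { "Content-Type": "text/javascript", "X-Content-Type-Options": "nosniff" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, scriptBlockedByNosniff(headers) ? "blocked" : "executes");
}
```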
