(Grav GitSync) Automatic Commit from dan

pages/01.blog/microsoft-and-the-oddities-of-accepting-emails/item.en.md

@@ -0,0 +1,66 @@
+---
+title: 'Microsoft and the oddities of accepting emails'
+taxonomy:
+    category:
+        - news
+    tag:
+        - server
+aura:
+    author: dan
+---
+
+# Microsoft and the oddities of accepting emails
+
+Microsoft has had some problems with its Exchange services this year - https://blog.mxtoolbox.com/2022/01/. Maybe it has nothing to do with the problem of one of our customers, but Microsoft has very strange methods when it comes to accepting emails. 
+
+In this particular bug, mxtoolbox mentions that some emails may not even reach the destination. So don't be surprised if you send photos to your family and friends or an invoice to your client and don't get a response back. It could be exactly the reason that they did not receive your email.
+
+
+## Microsoft randomly blocks IPs
+
+In our case, our customer was simply banned without any reason. The server is running over years and after some tests, nothing strange behaviour happened before or after.  
+Microsoft is known for randomly blocking IPs or generally using weird techniques when it comes to emails. Hetzner, Digitalocean, Linode, mailbox.org, protonmail.com ... they all have ongoing problems with Microsoft. And no one can really say why Microsoft keeps blocking IPs.
+
+Not even Microsoft itself knows it:
+
+> Hello,
+>
+> My name is "THE NAME" and I work with the Outlook.com Sender Support Team.
+>
+> I do not see anything offhand with IP: (OUR CUSTOMERS-IP) that would be preventing your mail from reaching our customers. 
+
+
+Another email:
+
+> We were unable to identify anything on our side that would prevent your mail from reaching Outlook.com customers.
+>
+> If you are still experiencing deliverability issues, please reply to this email with a detailed description of the problem you are having, including specific error messages, and an agent will contact you.
+
+So we responded directly, and it's pretty obvious that the problem is on Microsofts side:
+
+> host
+    css-one-microsoft-com.mail.protection.outlook.com[40.93.207.0] said: 550
+    5.7.511 Access denied, banned sender[IP]. To request removal
+    from this list please forward this message to
+    delist@messaging.microsoft.com. For more information please go to
+    http://go.microsoft.com/fwlink/?LinkId=526653. AS(1410)
+    [CB1PEPF0000205E.namprd00.prod.outlook.com] (in reply to RCPT TO command)
+
+But it seems that mainly 365/Outlook business users are affected. Home users with Outlook or Hotmail accounts seem to work fine. At least we tried our private test accounts (outlook & hotmail) and there are no problems.  
+
+
+# Microsoft has his own RBL (Realtime Blackhole List)
+
+It would be great for everyone if Microsoft would also use the RBL lists that have been freely available for 25 years. But unfortunately this is not the case. Microsoft uses its own list.  
+Checks for us and other email providers leaves us in the dark. 
+
+
+# Microsoft delisting requests
+
+There are a couple of options you can try:
+
+- https://sender.office.com/
+- https://support.microsoft.com/en-us/supportrequestform/8ad563e3-288e-2a61-8122-3ba03d6b8d75
+
+In our particular case, there is nothing we can do. We can only annoy them and send them more emails to finally delete the blocked IP.   
+If you have other ideas, let us know in the comments below or at [fosstodon](https://fosstodon.org/@techsaviours).

plugins/admin/.editorconfig

@@ -10,7 +10,7 @@ end_of_line = lf
 trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = space
-indent_size = 4
+indent_size = 2
 
 # 2 space indentation
 [*.{yaml,.yml}]

plugins/admin/CHANGELOG.md

@@ -1,3 +1,13 @@
+# v1.10.27
+## 01/12/2022
+
+1. [](#new)
+   * Support for `YubiKey OTP` 2-Factor authenticator
+   * New `elements` container field that shows/hides children fields based on boolean trigger value
+   * Requires Grav `v1.7.27` and Login `v3.6.2`
+2. [](#improved)
+   * Added new asset language strings
+
 # v1.10.26.1
 ## 01/03/2022
 

plugins/admin/blueprints.yaml

@@ -1,7 +1,7 @@
 name: Admin Panel
 slug: admin
 type: plugin
-version: 1.10.26.1
+version: 1.10.27
 description: Adds an advanced administration panel to manage your site
 icon: empire
 author:
@@ -15,9 +15,9 @@ docs: https://github.com/getgrav/grav-plugin-admin/blob/develop/README.md
 license: MIT
 
 dependencies:
-    - { name: grav, version: '>=1.7.24' }
+    - { name: grav, version: '>=1.7.27' }
     - { name: form, version: '>=5.1.0' }
-    - { name: login, version: '>=3.5.0' }
+    - { name: login, version: '>=3.6.2' }
     - { name: email, version: '>=3.1.0' }
     - { name: flex-objects, version: '>=1.1.0' }
 

plugins/admin/classes/plugin/Controllers/Login/LoginController.php

@@ -275,11 +275,17 @@ class LoginController extends AdminController
             $twoFa = null;
         }
 
-        $code = $data['2fa_code'] ?? null;
-        $secret = $user->twofa_secret ?? null;
+        $code = $data['2fa_code'] ?? '';
+        $secret = $user->twofa_secret ?? '';
+        $twofa_valid = $twoFa->verifyCode($secret, $code);
+
+        $yubikey_otp = $data['yubikey_otp'] ?? '';
+        $yubikey_id = $user->yubikey_id ?? '';
+        $yubikey_valid = $twoFa->verifyYubikeyOTP($yubikey_id, $yubikey_otp);
+
         $redirect = (string)$this->getRequest()->getUri();
 
-        if (null === $twoFa || !$user->authenticated || !$code || !$secret || !$twoFa->verifyCode($secret, $code)) {
+        if (null === $twoFa || !$user->authenticated || (!$twofa_valid && !$yubikey_valid) ) {
             Admin::DEBUG && Admin::addDebugMessage('Admin login: 2FA check failed, log out!');
 
             // Failed 2FA auth, logout and redirect to the current page.

plugins/admin/languages/en.yaml

@@ -394,6 +394,7 @@ PLUGIN_ADMIN:
   AUTOESCAPE_VARIABLES: "Autoescape variables"
   AUTOESCAPE_VARIABLES_HELP: "Autoescapes all variables.  This will break your site most likely"
   ASSETS: "Assets"
+  CSS_ASSETS: "CSS Assets"
   CSS_PIPELINE: "CSS pipeline"
   CSS_PIPELINE_HELP: "The CSS pipeline is the unification of multiple CSS resources into one file"
   CSS_PIPELINE_INCLUDE_EXTERNALS: "Include externals in CSS pipeline"
@@ -406,12 +407,21 @@ PLUGIN_ADMIN:
   CSS_MINIFY_WINDOWS_OVERRIDE_HELP: "Minify Override for Windows platforms. False by default due to ThreadStackSize"
   CSS_REWRITE: "CSS rewrite"
   CSS_REWRITE_HELP: "Rewrite any CSS relative URLs during pipelining"
+  JS_ASSETS: "JavaScript Assets"
   JAVASCRIPT_PIPELINE: "JavaScript pipeline"
   JAVASCRIPT_PIPELINE_HELP: "The JS pipeline is the unification of multiple JS resources into one file"
   JAVASCRIPT_PIPELINE_INCLUDE_EXTERNALS: "Include externals in JS pipeline"
   JAVASCRIPT_PIPELINE_INCLUDE_EXTERNALS_HELP: "External URLs sometimes have relative file references and shouldn't be pipelined"
   JAVASCRIPT_PIPELINE_BEFORE_EXCLUDES: "JS pipeline render first"
   JAVASCRIPT_PIPELINE_BEFORE_EXCLUDES_HELP: "Render the JS pipeline before any other JS references that are not included"
+  JS_MODULE_ASSETS: "JavaScript Module Assets"
+  JAVASCRIPT_MODULE_PIPELINE: "JavaScript Module pipeline"
+  JAVASCRIPT_MODULE_PIPELINE_HELP: "The JS Module pipeline is the unification of multiple JS resources into one file"
+  JAVASCRIPT_MODULE_PIPELINE_INCLUDE_EXTERNALS: "Include externals in JS Module pipeline"
+  JAVASCRIPT_MODULE_PIPELINE_INCLUDE_EXTERNALS_HELP: "External URLs sometimes have relative file references and shouldn't be pipelined"
+  JAVASCRIPT_MODULE_PIPELINE_BEFORE_EXCLUDES: "JS Module pipeline render first"
+  JAVASCRIPT_MODULE_PIPELINE_BEFORE_EXCLUDES_HELP: "Render the JS pipeline before any other JS references that are not included"
+  GENERAL_CONFIG: "General Asset Configuration"
   JAVASCRIPT_MINIFY: "JavaScript minify"
   JAVASCRIPT_MINIFY_HELP: "Minify the JS during pipelining"
   ENABLED_TIMESTAMPS_ON_ASSETS: "Enable timestamps on assets"
@@ -748,6 +758,9 @@ PLUGIN_ADMIN:
   2FA_SECRET: "2FA Secret"
   2FA_SECRET_HELP: "Scan this QR code into your [Authenticator App](https://learn.getgrav.org/admin-panel/2fa#apps). Also it's a good idea to backup the secret in a safe location, in case you need to reinstall your app. Check the [Grav docs](https://learn.getgrav.org/admin-panel/2fa) for more information "
   2FA_REGENERATE: "Regenerate"
+  YUBIKEY_ID: "YubiKey ID"
+  YUBIKEY_OTP_INPUT: "YubiKey OTP"
+  YUBIKEY_HELP: "Insert your YubiKey into your computer and click the button to generate an OTP. The first 12 chars are your client ID and will be saved."
   FORCE_LOWERCASE_URLS: "Force lowercase URLs"
   FORCE_LOWERCASE_URLS_HELP: "By default Grav will set all slugs and routes to be lowercase. With this set to false, Uppercase slugs and routes can be used"
   INTL_ENABLED: "Intl module integration"

plugins/admin/pages/admin/login.md

@@ -37,4 +37,9 @@ forms:
         id: twofa-code
         autofocus: true
         placeholder: PLUGIN_ADMIN.2FA_CODE_INPUT
+        description: or
+      yubikey_otp: 
+        type: text
+        id: yubikey-otp
+        placeholder: PLUGIN_ADMIN.YUBIKEY_OTP_INPUT
 ---

plugins/admin/themes/grav/.eslintrc

@@ -35,7 +35,6 @@
     "generator-star-spacing": [2, { "before": true, "after": true }],
     "guard-for-in": 0,
     "handle-callback-err": [2, "^(err|error)$" ],
-    "indent": [2, 4, { "SwitchCase": 1 }],
     "key-spacing": [2, { "beforeColon": false, "afterColon": true }],
     "linebreak-style": 0,
     "lines-around-comment": 0,

plugins/admin/themes/grav/app/forms/fields/elements.js

@@ -0,0 +1,10 @@
+import $ from 'jquery';
+
+$(document).on('change', '[data-grav-elements] select', (event) => {
+  const target = $(event.currentTarget);
+  const value = target.val();
+  const id = target.closest('[data-grav-elements]').data('gravElements');
+
+  $(`[id^="${id}_"]`).css('display', 'none');
+  $(`[id="${id}__${value}"]`).css('display', 'inherit');
+});

plugins/admin/themes/grav/app/forms/fields/index.js

@@ -19,6 +19,7 @@ import './mediapicker';
 import './multilevel';
 import './text';
 import './range';
+import './elements';
 
 export default {
     FilepickerField: {

plugins/admin/themes/grav/css-compiled/template.css

@@ -1912,6 +1912,12 @@ table.noflex {
     display: none; }
   #admin-login .form-data {
     padding-right: 0; }
+  #admin-login .form-description {
+    display: block;
+    margin-top: -15px;
+    padding-bottom: 15px;
+    text-align: center;
+    font-size: 110%; }
   #admin-login .wrapper-spacer {
     width: 100% !important;
     display: block !important;

plugins/admin/themes/grav/scss/template/_login.scss

@@ -57,6 +57,7 @@
             width: 100%;
             @include flex(1);
         }
+
     }
 
     .form-field {
@@ -72,6 +73,14 @@
         padding-right: 0;
     }
 
+    .form-description {
+        display: block;
+        margin-top: -15px;
+        padding-bottom: 15px;
+        text-align: center;
+        font-size: 110%;
+    }
+
     .wrapper-spacer {
         width: 100% !important;
         display: block !important;

plugins/admin/themes/grav/templates/forms/fields/element/element.html.twig

@@ -0,0 +1,14 @@
+{% extends "forms/field.html.twig" %}
+
+{% block field %}
+  {% embed 'forms/default/fields.html.twig' with {name: field.name, fields: field.fields} %}
+    {% set initial_state = field.name|string is not same as (parent_value|string) ? 'display: none;' %}
+    {% block outer_markup_field_open %}
+      <div id="{{ parent_name ~ '__' ~ field.name|string }}" class="form-element" style="{{ initial_state }}">
+    {% endblock %}
+
+    {% block outer_markup_field_close %}
+        </div>
+    {% endblock %}
+  {% endembed %}
+{% endblock %}

plugins/admin/themes/grav/templates/forms/fields/elements/elements.html.twig

@@ -0,0 +1,21 @@
+{% extends "forms/fields/select/select.html.twig" %}
+{% set field = field|merge({ autocomplete: 'off' }) %}
+
+{% if grav.admin is not defined %}
+{# load some frontend CSS/JS #}
+{% endif %}
+
+{% block global_attributes %}
+  data-grav-elements="{{ field.name }}"
+  {{ parent() }}
+{% endblock %}
+
+{% block field %}
+  {{ parent() }}
+  {% set parent_name = field.name %}
+  {% set parent_value = value %}
+  {% set fields = prepare_form_fields(field.fields, field.name) %}
+  {% if fields|length %}
+    {% include 'forms/default/fields.html.twig' with {name: field.name, fields: fields} %}
+  {% endif %}
+{% endblock %}

plugins/login/CHANGELOG.md

@@ -1,3 +1,10 @@
+# v3.6.2
+## 01/12/2022
+
+1. [](#new)
+   * Support for `YubiKey OTP` 2-Factor authenticator
+   * Requires Grav `v1.7.27`
+
 # v3.6.1
 ## 01/03/2022
 

plugins/login/blueprints.yaml

@@ -1,7 +1,7 @@
 name: Login
 slug: login
 type: plugin
-version: 3.6.1
+version: 3.6.2
 testing: false
 description: Enables user authentication and login screen.
 icon: sign-in
@@ -15,7 +15,7 @@ bugs: https://github.com/getgrav/grav-plugin-login/issues
 license: MIT
 
 dependencies:
-  - { name: grav, version: '>=1.7.21' }
+  - { name: grav, version: '>=1.7.27' }
   - { name: form, version: '>=5.1.0' }
   - { name: email, version: '>=3.1.0' }
 

plugins/login/classes/TwoFactorAuth/TwoFactorAuth.php

@@ -10,8 +10,14 @@
 namespace Grav\Plugin\Login\TwoFactorAuth;
 
 use Grav\Common\Grav;
+use Grav\Common\HTTP\Client;
+use Grav\Common\Utils;
 use RobThree\Auth\TwoFactorAuth as Auth;
 use RobThree\Auth\TwoFactorAuthException;
+use Symfony\Contracts\HttpClient\Exception\ClientExceptionInterface;
+use Symfony\Contracts\HttpClient\Exception\RedirectionExceptionInterface;
+use Symfony\Contracts\HttpClient\Exception\ServerExceptionInterface;
+use Symfony\Contracts\HttpClient\Exception\TransportExceptionInterface;
 
 /**
  * Class TwoFactorAuth
@@ -55,6 +61,10 @@ class TwoFactorAuth
      */
     public function verifyCode($secret, $code)
     {
+        if (!$secret || !$code) {
+            return false;
+        }
+
         $secret = str_replace(' ', '', $secret);
 
         return $this->twoFa->verifyCode($secret, $code);
@@ -73,4 +83,36 @@ class TwoFactorAuth
 
         return $this->twoFa->getQRCodeImageAsDataUri($label, $secret);
     }
+
+    /**
+     * @param string $yubikey_id
+     * @param string $otp
+     * @return bool
+     */
+    public function verifyYubikeyOTP(string $yubikey_id, string $otp): bool
+    {
+        // Quick sanity check
+        if (!$yubikey_id || !$otp || !Utils::startsWith($otp, $yubikey_id)) {
+            return false;
+        }
+
+        $api_url = "https://api.yubico.com/wsapi/2.0/verify?id=1&otp=%s&nonce=%s";
+        $client = Client::getClient();
+
+        $url = sprintf($api_url, $otp, Utils::getNonce('yubikey'));
+
+        try {
+            $response = $client->request('GET', $url);
+            if ($response->getStatusCode() === 200) {
+                $content = $response->getContent();
+                if (Utils::contains($content, 'status=OK')) {
+                    return true;
+                }
+            }
+        } catch (TransportExceptionInterface|ClientExceptionInterface|RedirectionExceptionInterface|ServerExceptionInterface $e) {
+            return false;
+        }
+
+        return false;
+    }
 }