[K4] 1Password in Safari triggers undefined is not an object (evaluating 'i.form') error on TOTP form

[scottboms]

Description

When signing into a panel account with 2fac and TOPT enabled, an error which reads undefined is not an object (evaluating 'i.form') appears obscuring the TOPT code field though the field appears to still be properly populated (in my case from 1Password) and doesn't prevent login. Disabling TOPT in the config seems to make this error go away. This just started happening after upgrading to version 4.1.1.

Expected behavior

No errors interrupting login :)

To reproduce

1. From panel login screen, enter username and password and click Log in button.
2. After redirecting to the TOPT screen, enter the TOPT code either from a password manager or code delivered via email.
3. Error appears and dims Login code screen.

AUTH CONFIG:

'auth' => [
  'methods' => [
    'password' => ['2fa' => true],
    'challenges' => ['totp', 'email'],
  ],
],

Confirmed that this behavior still happens using a clean Starterkit. The error also appeared when enabling a TOPT code for the first time as well.

Your setup

Kirby 4.1.1 running on Apache 2.4.58 with PHP 8.3.3, local on macOS installed with Homebrew

Console output
Failed to load resource: the server responded with a status of 403 (Forbidden) http://localhost:8000/api/auth/code

Your system (please complete the following information)

• Device: Apple MacBook Pro M3
• OS: macOS 14.3.1
• Browser: Safari 17.3.1

Additional context
Not seeing the error in Firefox 123.0 so maybe specific to Safari

[bastianallgeier]

@lukasbestle could you have a look at this?

[lukasbestle]

Tried to reproduce this with Kirby 4.1.1 in Safari on macOS, but unfortunately without success.

@scottboms The console output you get is interesting and could be relevant. If it happens again, could you please check what the full response of that API request looks like and post the body?

[scottboms]

Strangely the only error I'm seeing in the browser console is something related to 1Password (presumably because it can't resolve the local domain). This happens every time I login locally but only started with 4.1.1. I hadn't seen any errors previously with any other 4.x release.

No errors showing up in my Apache error log fyi. If there's anything else I can do to try to help get to the bottom of this, let me know. I also tried removing all plugins, but the error persisted.

[lukasbestle]

Could you please try to go back to Kirby 4.1.0 in the same browser setup to verify that it is indeed a regression in 4.1.1?

[scottboms]

Just tried with 4.1.0 and seeing the same issue which got me thinking that this actually might be a different problem. And it seems I might be right. I tried turning off the 1Password extension and that seemed to actually do the trick and the error went away. So maybe something tied to how the extension identifies form fields.

Which is all to say this looks like it's a non-issue and I think you can close this out safely.

[lukasbestle]

Thanks for testing. The error message occurs in Kirby, so we might still want to fix this.

I no longer use 1Password, so I cannot reproduce this unfortunately. @bastianallgeier Do you still use it and could test it in Safari?

[bastianallgeier]

I'm afraid I'm using an older 1Password version without their required accounts and that does not work with the extension. I just tried.

[lukasbestle]

I think we can keep this issue open for a while, maybe someone else can reproduce this.

[github-actions]

This issue has been marked as stale because it requires further input but has not seen activity in the past months. This is for us to prioritize issues that are still relevant and actionable. It will be closed if no further activity occurs within the next 15 days. If this issue is still relevant to you, please help us in gathering the necessary input.