
Knock Knock disabled in .env but the URL is still accessible.

Open RyanRoberts opened this issue 2 years ago • 4 comments

Question

On a staging site I have Knock Knock enabled and on the production site it's disabled through the environment variable KNOCK_KNOCK_IS_ENABLED=0. Despite this, the URL for the Knock Knock password screen is still accessible on production, which confused one of my clients who thought the live site was locked.

Is this intentional or something that can be changed?

Thanks

RyanRoberts, Jun 08 '23 15:06

How are you using the KNOCK_KNOCK_IS_ENABLED .env variable? In your knock-knock.php config file?

But yes, technically you can directly visit /knock-knock/who-is-there which is the challenge login, even when it isn't shown (you're logged in, or disabled)

engram-design, Jun 12 '23 02:06

@engram-design here's how I have the config setup:

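<?php

use craft\helpers\App;

return [
	// Plugin on/off switch, read from the environment (0 on production)
	'enabled' => (bool) App::env('KNOCK_KNOCK_IS_ENABLED'),
	'password' => App::env('KNOCK_KNOCK_PASSWORD'),
	// Path of the challenge (password) screen
	'loginPath' => App::env('KNOCK_KNOCK_LOGIN_PATH'),
	'template' => "_views/system/knockknock",
	'unprotectedUrls' => '',
];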

RyanRoberts, Jun 12 '23 08:06

What version of Knock Knock are you on? Worth noting https://github.com/verbb/knock-knock/issues/66

engram-design, Jun 12 '23 08:06

I'm running the latest version 2.0.10 🤔

RyanRoberts, Jun 12 '23 09:06