Drupal Warning "You cannot access this page directly" HybridAuth Social Login

  1. Home
  2. Drupal Warning "You cannot access this page directly" HybridAuth Social Login

Recently we were found a lot of messages about access denied and endpoint error in Drupal logs, all messages are on the same topic and related to HybridAuth Social Login Drupal module (hybridauth), what is being used to simplify a user login process.

Numbers of messages are high, what is negative for a site performance and also makes hard to detect real issues in Drupal Report log.

Errors, HybridAuth: You cannot access this page directly
Errors and warning are generated, one is "hybridauth" and "access denied"
Exception: Endpoint: Error while trying to init Hybrid_Auth: You cannot access this page directly. in Hybrid_Endpoint->authInit()
This one, from HybridAuth module.
Error message text: "Endpoint: Error while trying to init Hybrid_Auth: You cannot access this page directly. in Hybrid_Endpoint->authInit() (line 217 of /var/www/html/sites/all/libraries/hybridauth/hybridauth/Hybrid/Endpoint.php)."
access denied, hybridauth/endpoint warning
This one, from Drupal core.
Warning message: access denied, hybridauth/endpoint warning

What can we do to clear them and avoided in the future?

The first thing we need to get details from the server log, who(bot/server) is trying to use Hybridauth link, to do that we need to check Access.log for Apache server or Nginx

Find bots in Apache2 access.log
cat access.log | grep -o "(*[^(]bot[^)]*" | sort | uniq -c

Use this code, to get a list of bots, that are accessing the site.

From this information, what we have, we can make a decision, that all incoming requests are going from one IP address, in our case it's 5.9.60.241, and a bot is from MajesticSEO

Record responsible for warnings/errors in Access.log looking like this:
5.9.60.241 - - [25/Oct/2017:16:18:55 +0000] "GET /hybridauth/endpoint?hauth.start=Google&hauth.time=1492848311 HTTP/1.1" 302 7453 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"

this is MajesticSEO Crawler 

The crawler detected hybridauth links and inflicting those warnings and errors in site log.

Below are solutions to prevent error messages, by denying access to MajesticSEO Crawler.

What is interesting, the crawler is ignoring block settings inside robots.txt, so the only option is to block it and write a ticket to MagesticSEO support.  

Solution for Apache2: Block a spamming bot in .htaccess file
RewriteCond %{HTTP_USER_AGENT} (MJ12bot) [NC]
RewriteRule (.*) - [F,L]

In our case,  the "MJ12bot" crawler bot was responsible for multiple Drupal warnings: "You cannot access this page directly", so the right choice is to block such crawler.

Solution for Nginx: Block a spamming bot in Config file
location / {
if ($http_user_agent ~ (MJ12bot) ) {
return 403;
}
}

Same can be done for Nging, block "MJ12bot" crawler bot

Warning
Drupal
Drupal7
Error
Warning
HybridAuth