[PUI] Login silently fails with MFA enabled

[sur5r]

Please verify that this bug has NOT been raised before.

• I checked and didn't find a similar issue

Describe the bug*

In inventree/inventree-brother-plugin#49 @matmair said that PUI is supposed to redirect to PUI during login when a user has MFA enabled. Unfortunately, this does not work for me.

The POST request to /api/auth/login made by PUI results in 403 with

{"detail":"MFA required for this user"}

Also, the Console in WebDevTools spits this:

Uncaught (in promise) TypeError: r.hasOwn is not a function
    de                  https://inventree.domain.tld/static/web/assets/index-B0j1uz07.js:3
    e                   https://inventree.domain.tld/static/web/assets/index-B0j1uz07.js:3
    promise callback*$e https://inventree.domain.tld/static/web/assets/index-B0j1uz07.js:3
    c                   https://inventree.domain.tld/static/web/assets/Login-34CefvDW.js:1
    eR                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    nR                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    rR                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    Lg                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    lS                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    If                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    c0                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:62
    Tb                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    If                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    jm                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
    wR                  https://inventree.domain.tld/static/web/assets/vendor-50JW9u3H.js:59
[index-B0j1uz07.js:3:5055](https://inventree.domain.tld/static/web/assets/index-B0j1uz07.js)

Assuming this is as helpful to you as it is to me, I disabled obfuscation in vite.config.ts which turns it to

Uncaught (in promise) TypeError: params.hasOwn is not a function
    post                          https://inventree.domain.tld/static/web/assets/index-D1HeuvK-.js:791
    doBasicLogin                  https://inventree.domain.tld/static/web/assets/index-D1HeuvK-.js:832
    promise callback*doBasicLogin https://inventree.domain.tld/static/web/assets/index-D1HeuvK-.js:829
    handleLogin                   https://inventree.domain.tld/static/web/assets/Login-D6W4F6wJ.js:99
    Nb                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7195
    Tb                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7207
    Ub                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7210
    nf                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8147
    se                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8170
    hd                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8442
    Qk                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:11746
    Jb                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7148
    hd                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8243
    fd                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7641
    ed                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:7624
    addEventListener eval:4
    pf                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8213
    qf                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8186
    sf                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8193
    sf                            https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:8192
    createRoot                    https://inventree.domain.tld/static/web/assets/vendor-givYlcs0.js:12867
    <anonymous>                   https://inventree.domain.tld/static/web/assets/index-D1HeuvK-.js:1344

I hope this helps.

Steps to Reproduce

1. Open a private browser window
2. Go to /platform
3. Try and log in with an account that has MFA enabled
4. Observe an eternal spinning circle and nothing else

Expected behaviour

After clicking "Log in", get redirected to CUI to complete MFA authentication.

Deployment Method

• Docker
• Package
• Bare metal
• Other - added info in Steps to Reproduce

Version Information

Version Information:

InvenTree-Version: 0.17.0 dev
Django Version: 4.2.16
Commit Hash: 327884c
Commit Date: 2024-11-29
Commit Branch: master
Database: postgresql
Debug-Mode: False
Deployed using Docker: False
Platform: Linux-6.1.0-13-cloud-amd64-x86_64-with-glibc2.36
Installer: GIT

Active plugins: [{'name': 'InvenTreeBarcode', 'slug': 'inventreebarcode', 'version': '2.1.0'}, {'name': 'InvenTreeCoreNotificationsPlugin', 'slug': 'inventreecorenotificationsplugin', 'version': '1.0.0'}, {'name': 'InvenTreeCurrencyExchange', 'slug': 'inventreecurrencyexchange', 'version': '1.0.0'}, {'name': 'InvenTreeLabel', 'slug': 'inventreelabel', 'version': '1.1.0'}, {'name': 'InvenTreeLabelMachine', 'slug': 'inventreelabelmachine', 'version': '1.0.0'}, {'name': 'InvenTreeLabelSheet', 'slug': 'inventreelabelsheet', 'version': '1.0.0'}, {'name': 'DigiKeyPlugin', 'slug': 'digikeyplugin', 'version': '1.0.0'}, {'name': 'LCSCPlugin', 'slug': 'lcscplugin', 'version': '1.0.0'}, {'name': 'MouserPlugin', 'slug': 'mouserplugin', 'version': '1.0.0'}, {'name': 'TMEPlugin', 'slug': 'tmeplugin', 'version': '1.0.0'}, {'name': 'Brother Labels', 'slug': 'brother', 'version': '1.0.0'}]

Please verify if you can reproduce this bug on the demo site.

• I can reproduce this bug on the demo site.

Relevant log output

[SchrodingersGat]

@matmair this is the only instance of hasOwn in the code:

which was recently changed (in #8317)

[sur5r]

I just reverted that line and it solves the issue.

It now behaves as follows:

1. For short moment, a popup appears in the lower right corner stating "Login failed"
2. Redirect to CUI with MFA prompt
3. Redirect to PUI

[SchrodingersGat]

@sur5r thanks for the feedback.

From here: https://stackoverflow.com/questions/69561596/object-hasown-vs-object-prototype-hasownproperty

Object.hasOwn() is intended as a replacement for Object.hasOwnProperty() and is a new method available to use (yet still not fully supported by all browsers like safari yet but soon will be)

Are you using Safari?

[SchrodingersGat]

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwn#browser_compatibility

[sur5r]

No, I'm on Firefox 133.

[sur5r]

Thanks! Tried it here and it works now.

[SchrodingersGat]

Awesome, thanks for letting me know