Forced TOTP setup not working if backup codes are set #1160

Closed
mojansch opened this issue Nov 23, 2021 · 5 comments · Fixed by nextcloud/server#30193

mojansch commented Nov 23, 2021

Steps to reproduce

  1. Enable 2FA via TOTP
  2. Generate backup codes
  3. Disable 2FA
  4. Log out
  5. As admin, force 2FA for user or for all users
  6. Log in as user
  7. Select TOTP

Expected behaviour

User gets shown a valid QR code

Actual behaviour

QR code says "undefined"

Server configuration

Operating system: Ubuntu 20.04.3

Web server: Apache 2.4.41

Database: MariaDB 10.3.31

PHP version: 7.4.3

Version: 22.2.3 with and without nextcloud/server#29752 applied

Updated from an older version or fresh install: Updated from older version

List of activated apps:

  - accessibility: 1.8.0
  - activity: 2.15.0
  - admin_audit: 1.12.0
  - bruteforcesettings: 2.2.0
  - cloud_federation_api: 1.5.0
  - dav: 1.19.0
  - federatedfilesharing: 1.12.0
  - files: 1.17.0
  - files_accesscontrol: 1.12.1
  - files_automatedtagging: 1.12.0
  - files_pdfviewer: 2.3.1
  - files_retention: 1.11.1
  - files_rightclick: 1.1.0
  - files_sharing: 1.14.0
  - files_trashbin: 1.12.0
  - files_versions: 1.15.0
  - geoblocker: 0.5.1
  - impersonate: 1.9.0
  - logreader: 2.7.0
  - lookup_server_connector: 1.10.0
  - oauth2: 1.10.0
  - password_policy: 1.12.0
  - privacy: 1.6.0
  - provisioning_api: 1.12.0
  - richdocuments: 4.2.3
  - richdocumentscode: 6.4.1303
  - serverinfo: 1.12.0
  - settings: 1.4.0
  - sharebymail: 1.12.0
  - support: 1.5.0
  - systemtags: 1.12.0
  - theming: 1.13.0
  - twofactor_backupcodes: 1.11.0
  - twofactor_totp: 6.1.0
  - updatenotification: 1.12.0
  - user_ldap: 1.12.1
  - viewer: 1.6.0
  - workflowengine: 2.4.0

Client configuration

Browser: Firefox, Chrome, Edge

Logs

Server log (data/nextcloud.log)
{
    "reqId": "n40xtIRWukNzjUqKis72",
    "level": 3,
    "time": "2021-11-23T10:55:07+01:00",
    "remoteAddr": "***REMOVED SENSITIVE VALUE***",
    "user": "0BD0C313-28FD-4BCE-AC6B-C5357F25CF53",
    "app": "PHP",
    "method": "GET",
    "url": "/index.php/login/setupchallenge",
    "message": "Undefined index: redirect_url at /var/www/html/nextcloud/core/templates/twofactorsetupselection.php#36",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29",
    "version": "22.2.3.0",
    "exception": {
        "Exception": "Error",
        "Message": "Undefined index: redirect_url at /var/www/html/nextcloud/core/templates/twofactorsetupselection.php#36",
        "Code": 0,
        "Trace": [
            {
                "file": "/var/www/html/nextcloud/core/templates/twofactorsetupselection.php",
                "line": 36,
                "function": "onError",
                "class": "OC\\Log\\ErrorHandler",
                "type": "::"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/Template/Base.php",
                "line": 180,
                "args": [
                    "/var/www/html/nextcloud/core/templates/twofactorsetupselection.php"
                ],
                "function": "include"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/Template/Base.php",
                "line": 150,
                "function": "load",
                "class": "OC\\Template\\Base",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/legacy/OC_Template.php",
                "line": 179,
                "function": "fetchPage",
                "class": "OC\\Template\\Base",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/lib/public/AppFramework/Http/TemplateResponse.php",
                "line": 204,
                "function": "fetchPage",
                "class": "OC_Template",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
                "line": 171,
                "function": "render",
                "class": "OCP\\AppFramework\\Http\\TemplateResponse",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/AppFramework/App.php",
                "line": 156,
                "function": "dispatch",
                "class": "OC\\AppFramework\\Http\\Dispatcher",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/lib/private/Route/Router.php",
                "line": 302,
                "function": "main",
                "class": "OC\\AppFramework\\App",
                "type": "::"
            },
            {
                "file": "/var/www/html/nextcloud/lib/base.php",
                "line": 1006,
                "function": "match",
                "class": "OC\\Route\\Router",
                "type": "->"
            },
            {
                "file": "/var/www/html/nextcloud/index.php",
                "line": 36,
                "function": "handleRequest",
                "class": "OC",
                "type": "::"
            }
        ],
        "File": "/var/www/html/nextcloud/lib/private/Log/ErrorHandler.php",
        "Line": 92,
        "CustomMessage": "--"
    }
}
@ChristophWurst
Member

There is a request to /apps/twofactor_totp/settings/enable before the QR code is rendered. Could you check if that succeeds?

@mojansch
Author

> Could you check if that succeeds?

That request returns a 303 and redirects to
/index.php/login/selectchallenge?redirect_url=/index.php/apps/twofactor_totp/settings/enable

@ChristophWurst
Member

While I haven't got the time to debug this in detail right now I think it's because of https://github.com/nextcloud/server/blob/a72af6acc38a2a6055fca933f0f5fe991b7f7333/core/Middleware/TwoFactorMiddleware.php#L102 vs https://github.com/nextcloud/server/blob/a72af6acc38a2a6055fca933f0f5fe991b7f7333/core/Middleware/TwoFactorMiddleware.php#L112. The second one should also check primary providers (all except backup codes), not all providers.

In that case it's a regression of nextcloud/server#28078.

@mojansch
Author

Yup, that's the issue, I changed the second one to getPrimaryProviders() and it works. Thanks for the help!

@ChristophWurst
Member

Fix is at nextcloud/server#30193
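
Added example, not part of the thread and not Nextcloud's code: a simplified PHP model of the check discussed above, showing why leftover backup codes send the TOTP setup request to selectchallenge when all providers are counted, and why counting only primary providers lets setup proceed. It assumes the check lets setup-flow requests through only when the user's provider list is empty; the `ProviderSet` class, the `setupRequestOutcome()` helper and the provider IDs are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Simplified model of the check discussed in this issue; NOT Nextcloud's code.
// ProviderSet is a hypothetical stand-in that only tracks provider IDs, and
// the IDs 'totp' and 'backup_codes' are labels chosen for this model.
final class ProviderSet {
    /** @var string[] */
    private $ids;

    public function __construct(array $ids) {
        $this->ids = $ids;
    }

    /** Every provider enabled for the user, backup codes included. */
    public function getProviders(): array {
        return $this->ids;
    }

    /** All enabled providers except backup codes. */
    public function getPrimaryProviders(): array {
        return array_values(array_filter($this->ids, function (string $id): bool {
            return $id !== 'backup_codes';
        }));
    }
}

// Outcome for a setup-flow request such as /apps/twofactor_totp/settings/enable
// from a user who has entered a password but not yet passed a second factor.
function setupRequestOutcome(ProviderSet $set, bool $primaryOnly): string {
    $configured = $primaryOnly ? $set->getPrimaryProviders() : $set->getProviders();
    return $configured === [] ? 'allow setup' : 'redirect to selectchallenge';
}

// Constructed account states: the one from the steps to reproduce, plus a
// user who still has TOTP enrolled and must keep being challenged.
$states = [
    'TOTP disabled, backup codes left' => new ProviderSet(['backup_codes']),
    'TOTP enrolled, backup codes set'  => new ProviderSet(['totp', 'backup_codes']),
    'nothing configured'               => new ProviderSet([]),
];
foreach ($states as $label => $set) {
    printf("%-34s all: %-27s primary: %s\n", $label,
        setupRequestOutcome($set, false), setupRequestOutcome($set, true));
}
```

In this model the user who still has TOTP enrolled is redirected to the challenge under both variants, so narrowing the check to primary providers does not open the setup route to accounts that already have a working second factor.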
