Bubka / 2FAuth

A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
https://docs.2fauth.app/
GNU Affero General Public License v3.0

WebAuthn account recovery and password recovery doesn't work. Email template broken. #298

Closed PeopleInside closed 7 months ago

PeopleInside commented 7 months ago

Version

5.0.3

Details & Steps to reproduce

  1. In settings, activate WebAuthn (I tested with an Android device added)
  2. Open an incognito window and simulate having lost your device. Ask for a recovery link
  3. The recovery link will open the recovery page; insert your password and try to log in
  4. Nothing happens when pressing continue.

Expectation

I expect to log in after following the lost-device procedure. The screen shows the recovery page, but after inserting the password WebAuthn is still active and I am still unable to log in.

Error & Logs

no logs

Execution environment

Date: Thu, 15 Feb 2024 14:40:52 +0000
userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Version: 5.0.3
Environment: production
Install path: /
Debug: false
Cache driver: file
Log channel: daily
Log level: notice
DB driver: mysql
PHP version: 8.2.15
Operating system: Linux
interface: fpm-fcgi
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: none

Additional information

Cannot test in the demo :-)


The issue is just the email template. I don't know why, but when I recover a password or try to recover access because of a lost device, I get two emails with a broken template and the wrong link. From those emails I'm now able to fix the link so that it is correct and works.

The email I get:

<:message style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; position: relative;"> # Hello! You are receiving this email because we received an account recovery request for your account. <:button :url="$actionUrl" :color="$color" style="box-sizing: border-box; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; position: relative;"> Recover Account This recovery link will expire in 60 minutes. If you did not request an account recovery, no further action is required. Regards,
2FAuth If you're having trouble clicking the "Recover Account" button, copy and paste the URL below into your web browser: [https://something.domain.ext//webauthn/recover?token=123456&email=emailaddress%40domain.ext](https://something.domain.ext//webauthn/recover?token=123456&email=emailaddress%40domain.ext)

The link will be: https://something.domain.ext//webauthn/recover?token=123456&email=emailaddress%40domain.ext](https://something.domain.ext//webauthn/recover?token=123456&email=emailaddress%40domain.ext)

So I just need to fix this link by removing the duplicate link and the [ ( and the link works. The issue is present in reset password and also in the WebAuthn lost device reset.

I don't know why the email is not well formatted and I don't know how to help fix this. Are you able to reproduce?

Bubka commented 7 months ago

This is really weird... I struggle to understand why this is happening while I stick to most Laravel defaults for this feature.

PeopleInside commented 7 months ago

> This is really weird... I struggle to understand why this is happening while I stick to most Laravel defaults for this feature.

Are you able to reproduce?

Bubka commented 7 months ago

Yes I do. I already made several tests/changes to fix it but nothing worked.

PeopleInside commented 7 months ago

You may try to ask here to see if someone replies. Unfortunately I'm unable to help. I tried to look at this issue as well, even though I'm not a developer :P but was not able to figure it out.

Bubka commented 7 months ago

Got it! This is due to a directive introduced by Laravel v7 that breaks email rendering since v9. Removing the directive restores email formatting. Will push a fix asap.

rrrazor commented 7 months ago

Updated to 5.0.4, but nothing changed for me. Still receiving <:message style="... emails. Is it just me?

PeopleInside commented 7 months ago

Yes, it seems it's only you; for me everything works. Have you cleaned the cache? Have you also checked if the changes have been applied to your install? You just need to have a line removed as shown here: https://github.com/Bubka/2FAuth/commit/f2d4c43239fd79fcf919b46f8925c35e72f8f1e2

rrrazor commented 7 months ago

> Have you cleaned the cache? Have you also checked if the changes have been applied to your install?

Yes and yes. I have upgraded according to the upgrade instructions. I have also restarted my Apache server. Still the same problem. By the way, my email provider is MS Outlook.

PeopleInside commented 7 months ago

Very strange because the fix works for me. What PHP version are you running? Have you checked and the fix is present in your installation?

It feels strange that the fix is not working for you, as everything seems fine and I don't think Outlook can cause an issue with that email.

rrrazor commented 7 months ago

> What PHP version are you running?

PHP 8.1.2-1ubuntu2.14

> Have you checked and the fix is present in your installation?

Yes, app/Providers/AppServiceProvider.php is updated

PeopleInside commented 7 months ago

> > What PHP version are you running?
>
> PHP 8.1.2-1ubuntu2.14
>
> > Have you checked and the fix is present in your installation?
>
> Yes, app/Providers/AppServiceProvider.php is updated

So I don't know. I tested it for you a few minutes ago, and the issue is fixed for me. Sorry, I have no idea what could be causing your install to still have the old issue.
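
An added example, not part of this thread or of the 2FAuth code base: a small check an operator could run over a captured recovery or reset mail body to see whether an install still emits the unrendered `<:message` / `<:button` tags and the literal `[url](url)` link quoted in the report. The function names and both sample bodies are constructed for illustration, using the report's placeholder URL.

```python
import re
from urllib.parse import parse_qs

# Unrendered mail component tags as quoted in the report: "<:message", "<:button".
RAW_TAG = re.compile(r"<:(\w+)")
# A Markdown link left literally in the body: "[https://...](https://...)".
RAW_MD_LINK = re.compile(r"\[(https?://[^\]\s]+)\]\((https?://[^)\s]+)\)")


def query_of(url):
    """Parse everything after the first '?' the way a server would."""
    return parse_qs(url.partition("?")[2])


def audit_mail_body(body):
    """Report unrendered tags and literal Markdown links in a mail body."""
    raw_tags = sorted(set(RAW_TAG.findall(body)))
    links = []
    for label, target in RAW_MD_LINK.findall(body):
        # Per the report, the link that ends up being followed is "label](target)".
        clicked = f"{label}]({target})"
        links.append({
            "clicked": clicked,
            "intended": target,
            "intended_email": query_of(target).get("email", []),
            "email_intact": query_of(clicked).get("email")
                            == query_of(target).get("email"),
        })
    return {"raw_tags": raw_tags, "links": links,
            "ok": not raw_tags and not links}


# Constructed samples based on the placeholders in the report.
URL = ("https://something.domain.ext//webauthn/recover"
       "?token=123456&email=emailaddress%40domain.ext")
BROKEN_BODY = ('<:message style="position: relative;"> # Hello! '
               '<:button :url="$actionUrl" :color="$color"> Recover Account '
               f"copy and paste the URL below: [{URL}]({URL})")
RENDERED_BODY = ('<h1>Hello!</h1><a href="https://something.domain.ext/webauthn/'
                 'recover?token=123456&amp;email=emailaddress%40domain.ext">'
                 "Recover Account</a>")

if __name__ == "__main__":
    for name, body in (("broken", BROKEN_BODY), ("rendered", RENDERED_BODY)):
        print(name, audit_mail_body(body))
```
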