Open bioschaf opened 5 days ago
Hi, Please do so:
/api/v1/qrcode/decode. What is the response code? 200? 422? If 422, click the request line and look at its Response tab. What is the error returned?
decode request you will find a request to /api/v1/twofaccounts/preview. Again, what is the response code and the error if any?
If you get an error like The uri is not a valid otpauth uri, click the request to /api/v1/qrcode/decode, then the Response tab. It contains the URI encoded in the QR code. Can you please copy it here after you have redacted sensitive data, I would like to see how it is formed. It should give something like otpauth://totp/confluence:[redacted_identifier]?issuer=confluence&secret=[redacted_secret]
What's the format of redacted_identifier? An email? If not, does it contain any special character?
Hi,
{"data":""}
From that it seems the QR code cannot be read. I checked with 2FA-Apps and with https://iamyuthan.github.io/2FA-Solver/2FA-Solver.html The QR-Image seems fine. It contains otpauth://totp/domain.xy:name@otherdomain.xy?issuer=domain.xy&secret=16Alphanumeric
Ok I get it. I made some changes to the QrCode decoding service in v5.2 to enhance decoding but I forgot to change one line. I still need to reproduce the use case with test data but I'm pretty sure it matches your issue.
A fix is ready, but I will not release a new version before August.
As you were able to decode the QR code with another service, you can add your confluence account to 2FAuth using the advanced form. The fields wait for the values contained in otpauth://totp/domain.xy:name@otherdomain.xy?issuer=domain.xy&secret=16Alphanumeric:
domain.xy goes to Service
name@otherdomain.xy goes to Account. But you won't be able to set the field with the exact same value because : are not allowed. Just fill it with name@otherdomain.xy, it has no impact on the OTPs' validity
TOTP
16Alphanumeric goes to Secret
6
sha1
30
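The field mapping described in the comment above, written out as an added example; it is not part of the original thread or of 2FAuth's code. The function name `otpauth_to_form_fields` is hypothetical, the sample secret is constructed, and the fallback values are the ones listed above (6, sha1, 30).

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Fallbacks used when the URI omits a parameter; same values as listed above.
DEFAULTS = {"digits": "6", "algorithm": "sha1", "period": "30"}


def otpauth_to_form_fields(uri: str) -> dict:
    """Split an otpauth:// URI into the values the advanced form asks for."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type: {otp_type!r}")

    # The label is "service:account"; the service prefix is optional and
    # the colon may arrive percent-encoded (%3A).
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:
        prefix, account = "", label

    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params.get("secret", "")
    if not secret:
        raise ValueError("missing secret")

    return {
        "otp_type": otp_type.upper(),
        # Prefer the explicit issuer parameter, fall back to the label prefix.
        "service": params.get("issuer") or prefix,
        # ':' is not accepted in the Account field, so only the part after it is kept.
        "account": account.strip(),
        "secret": secret,
        "digits": int(params.get("digits", DEFAULTS["digits"])),
        "algorithm": params.get("algorithm", DEFAULTS["algorithm"]).lower(),
        "period": int(params.get("period", DEFAULTS["period"])),
    }


# Constructed sample with the same shape as the redacted URI in this thread.
SAMPLE_URI = (
    "otpauth://totp/domain.xy:name@otherdomain.xy"
    "?issuer=domain.xy&secret=JBSWY3DPEHPK3PXP"
)

if __name__ == "__main__":
    for field, value in otpauth_to_form_fields(SAMPLE_URI).items():
        print(f"{field:10} {value}")
```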
Thank you for your reply. I checked with several older versions down to 4.2.4 but still could not import the QR code.
The most simple workaround would be to use "Import" then "Direct input" where I can paste the decoded URI without any modifications. The additional step of decoding, however, makes it hard to use your project in a multi-user environment.
For now I will apply this patch which seems to fix the issue
diff --git a/app/Services/QrCodeService.php b/app/Services/QrCodeService.php
index 9ce5cb72..f7bd5e19 100644
--- a/app/Services/QrCodeService.php
+++ b/app/Services/QrCodeService.php
@@ -64,7 +64,7 @@ public static function decode(\Illuminate\Http\UploadedFile $file)
}
}
- $data = urldecode($qrcode->text());
+ $data = urldecode($text);
Log::info('QR code decoded');
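Review bot: `$text` is assigned above the visible context (inside the blocks closed by the two braces before the changed line), so nothing in this hunk shows that it is initialised on every path or what happens when every decoding attempt leaves it empty. As written, `Log::info('QR code decoded')` runs unconditionally after `urldecode($text)`, which means an unreadable image would still be logged as decoded and could produce the same silent `{"data":""}` response reported earlier in this thread. Consider initialising `$text` before the decoding attempts, returning an explicit error when it is empty, and adding a regression test with a QR code that only decodes through the fallback options.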
This is exactly the planned fix 😃 👍🏻
> The additional step of decoding, however, makes it hard to use your project in a multi-user environment

Could you be more specific?! I don't understand what's wrong with the decoding step in a multi-user environment.
What I meant with that is I cannot tell an end user to go decode the qr-code himself and then paste that uri into your app.
But with the fix that is not necessary any more.
Indeed, registering an account using a qr code has to be straightforward. This is why 2FAuth automatically decodes the qr codes in a normal situation.
In your case, it didn't work because the text in the Confluence qr code couldn't be read without the more aggressive decoding options, and because of my mistake in passing $qrcode->text() instead of $text in $data = urldecode($qrcode->text());
Version
5.2.0
Details & Steps to reproduce
Try to import QR-Code provided by Confluence’s 2FA module. There is no error message, but no data is returned by the backend. If I try to use the “read from qr code” feature, a 422 error is returned.
Expectation
QR codes from confluence could be imported.
Error & Logs
No logging server side. No visible errors in the front end. 422 error from the backend in some cases.
Execution environment
No response
Containerization
Additional information
QR codes from other sources work as expected.
I checked the confluence QR code with other readers. It contains the correct information, if I import the qr contents it works just fine. I am also able to scan it with various 2FA apps. Since I have no control over the confluence instance and the qr code contains personal information, I cannot share it publicly. I could however share it directly with the developers for testing.