PhiTux / DailyTxT

Encrypted Diary Web-App
https://hub.docker.com/r/phitux/dailytxt/
MIT License
224 stars, 15 forks

Backup Codes #29

Closed jamescochran closed 1 year ago

jamescochran commented 1 year ago

How do they work? Is it use once and done? I installed this and then came back many months later not remembering my password but I did find a strange message I sent myself and used that code and logged in that night. But now I can't use that code again.

jamescochran commented 1 year ago

Of course I find it right after asking. Closing this though I would like to know if it prompts to change password after using a backup code. Because now I'm locked out again :(

"Backup Codes Backup codes work like one-time passwords. They can always be used instead of the normal password (e.g. if you forgot it), but only once. Attention: When you change your password, all backup codes will be deleted and you will have to create new ones."

PhiTux commented 1 year ago

You generated a total of 6 backup-codes when they were created. Each one is just single-use. But at every place where you can use your password/backup-codes, a message should pop up when only 3 or fewer backup-codes are left.
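The behaviour described in this thread (a fixed batch of codes, each consumed on first successful use, a low-remaining warning at 3 or fewer, and all codes dropped on password change) can be modelled in a few lines. The following is an added illustration written for this page, not DailyTxT's own code; the class name, the hashing parameters and the hypothetical `users.json`-style layout are assumptions, and it stores only salted hashes so that a leaked store cannot be replayed directly.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example of single-use backup codes. Names, thresholds and
# hashing parameters are assumptions for illustration, not DailyTxT's.
CODE_COUNT = 6            # the thread mentions 6 codes per batch
LOW_CODES_THRESHOLD = 3   # warn when this many or fewer remain


def _hash_code(code: str, salt: bytes) -> str:
    # Slow, salted hash so that a copied store does not reveal the codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


@dataclass
class BackupCodeStore:
    """Holds only hashes of outstanding backup codes for one user."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    code_hashes: list[str] = field(default_factory=list)

    def generate(self, count: int = CODE_COUNT) -> list[str]:
        """Mint a fresh batch; the plaintext codes are returned exactly once."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each
        self.code_hashes = [_hash_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, candidate: str) -> tuple[bool, int, bool]:
        """Try to consume a code.

        Returns (accepted, codes_remaining, low_warning). A code that matches
        is removed from the store, so a second use of it is rejected.
        """
        candidate_hash = _hash_code(candidate, self.salt)
        for i, stored in enumerate(self.code_hashes):
            if hmac.compare_digest(stored, candidate_hash):
                del self.code_hashes[i]          # single use: gone after success
                remaining = len(self.code_hashes)
                return True, remaining, remaining <= LOW_CODES_THRESHOLD
        return False, len(self.code_hashes), False

    def on_password_change(self) -> None:
        """Changing the password invalidates every outstanding backup code."""
        self.code_hashes.clear()

    @property
    def remaining(self) -> int:
        return len(self.code_hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    batch = store.generate()
    print("save these now, they are shown once:", batch)
    accepted, left, low = store.redeem(batch[0])
    print(f"first use accepted={accepted}, remaining={left}, low={low}")
    accepted, left, low = store.redeem(batch[0])
    print(f"second use of same code accepted={accepted}, remaining={left}")
```

The `redeem` method walks every stored hash even after a match would be obvious, and compares with `hmac.compare_digest`, so that response time does not reveal which slot matched. Returning the remaining count on every successful redemption is what lets the UI show the warning the thread asks for, rather than only when the count first drops to 3.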

jamescochran commented 1 year ago

Thank you. Unfortunately I only saved 1 of them I guess and texted it to myself. Is there any way there can be a popup every time a backup code is used? I did not remember they were single use and since it was months later that I came back to the project I forgot that they were otherwise I would have changed my password right then.

PhiTux commented 1 year ago

Well at least the information was there, when you created the backup codes :/

But you're right. I'll try to edit it, so that it always shows the remaining backup codes.

jamescochran commented 1 year ago

I was able to restore an old copy of my users.json and get back in. Not sure of the security implications in the event that someone A. has your temp codes but they've been used and B. Has an old users.json they can use to get them back :)

EDIT: I just realized I can't change my password because I don't know the old one.

PhiTux commented 1 year ago

Concerning the security implications: That's just the same as with any other software. Only you should know your password/backup-codes, and on the other hand databases/json-data can always be backed up by the admin! So all the security is lying in your hands by making sure no one else knows the password or backup-codes.

Concerning the users.json with only one backed-up backup-code: It could/should work, if you login with your backed up users.json and use your backup-code (just as you already did). At this moment this backup-code gets removed. Then as next step you just replace the "new" users.json (now without your used backup-code) with the same users.json you just used seconds before from your backup. As long as you use the same SECRET_KEY you will stay logged in and then you can use the same secret key again to now change your password.

jamescochran commented 1 year ago

It would not let me use that same secret key. I was getting incorrect password. But I will try again starting from my backed up users.json. Understood about the security which was why I was trying to say all these events are unlikely to happen.

jamescochran commented 1 year ago

I just verified that I cannot change the password using the backup code. Perhaps I could if I had 2 backup codes but I only have one. Steps to reproduce:

  1. Logged out then stopped the container
  2. mv users.json users.json.20230420
  3. Copied my backed up version of users.json in place
  4. Started the container
  5. In Safari I cleared the sites cookies and data and refreshed the page
  6. Logged in with the 1 one-time password I had
  7. Went to settings and change password
  8. Received "Password not changed - Old password was wrong!"

The password I was trying to use was the only one time password that I still had that I used to login.

PhiTux commented 1 year ago

No, I think you misunderstood me.

You have to copy the users.json twice! First (as you did) to be able to login with your one remaining backup-code. Then don't log out, just copy this same OLD users.json into its place again. And then use the same backup-code directly again to change the password.

jamescochran commented 1 year ago

Excellent. That worked. Thank you very much.

PhiTux commented 1 year ago

You're welcome :)

PhiTux commented 1 year ago

Coming in next version: always showing remaining backup-codes after using a backup-code (see 702d549)