RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Reset TOTP / 2FA does not work and hides API error if Administrator uses 2FA #23829

Open svrnwnsch opened 2 years ago

svrnwnsch commented 2 years ago

Description:

As an administrator I want to reset the TOTP for a user. I changed all settings so that I see the following button in the UI (screenshot). I click on it but the user still has their 2FA enabled (and therefore cannot log in).

On the Dev tools I see the request PUT https://server.url/api/v1/users.resetTOTP fails with:

{
    "success": false,
    "error": "TOTP Required [totp-required]",
    "errorType": "totp-required",
    "details": {
        "method": "totp",
        "codeGenerated": false,
        "availableMethods": [
            "totp"
        ]
    }
}

Steps to reproduce:

  1. Create a user with 2FA enabled
  2. Try to reset the 2FA as an administrator by clicking on the "Reset TOTP" button
  3. No error message or success message but it did not work

Expected behavior:

I get a prompt to input my 2FA token as an administrator. And then the user's 2FA is reset.

Actual behavior:

Nothing happens

Server Setup Information:

Client Setup Information

Additional context

Relevant logs:
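The failure above is a `totp-required` response that the admin UI swallows instead of surfacing. The following is an added example, not code from the issue or from Rocket.Chat, of a small client helper that classifies the `users.resetTOTP` response body shown in the issue and builds the retry request carrying a second factor. The `X-2fa-code` / `X-2fa-method` headers and the `userId` body field are assumptions about the REST API, not something the issue states; the sample response is constructed from the body quoted above.

```python
import json
from typing import Optional

# Constructed sample: the body the issue shows for PUT /api/v1/users.resetTOTP
SAMPLE_TOTP_REQUIRED = json.dumps({
    "success": False,
    "error": "TOTP Required [totp-required]",
    "errorType": "totp-required",
    "details": {"method": "totp", "codeGenerated": False,
                "availableMethods": ["totp"]},
})
SAMPLE_OK = json.dumps({"success": True})  # constructed success body


def classify_reset_response(raw_body: str) -> dict:
    """Map the API body to an explicit outcome so a caller never mistakes a
    silent failure (the behaviour the issue reports) for success."""
    body = json.loads(raw_body)
    if body.get("success"):
        return {"outcome": "ok"}
    if body.get("errorType") == "totp-required":
        details = body.get("details", {})
        return {
            "outcome": "second-factor-needed",
            "methods": list(details.get("availableMethods", [])),
            "code_sent": bool(details.get("codeGenerated")),
        }
    return {"outcome": "error", "message": body.get("error", "unknown error")}


def build_reset_request(user_id: str, auth_token: str, auth_user_id: str,
                        second_factor: Optional[str] = None,
                        method: str = "totp") -> dict:
    """Assemble the request for the retry once the admin has entered a code.
    Assumption: Rocket.Chat accepts the second factor in X-2fa-code and
    X-2fa-method headers; X-Auth-Token / X-User-Id carry the admin session."""
    headers = {
        "X-Auth-Token": auth_token,
        "X-User-Id": auth_user_id,
        "Content-Type": "application/json",
    }
    if second_factor is not None:
        headers["X-2fa-code"] = second_factor
        headers["X-2fa-method"] = method
    return {"method": "PUT", "path": "/api/v1/users.resetTOTP",
            "headers": headers, "body": {"userId": user_id}}  # userId assumed
```

A caller would send the first request without a second factor, and on `second-factor-needed` prompt the admin for a code from one of `methods` before retrying; an `error` outcome should be shown to the admin rather than dropped.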

mesouug commented 2 years ago

It actually responds with an error (screenshot).

Same problem with resetting user password (but here we do see an error message) (screenshot).

And we are not using 2FA/TOTP for Admin user but for end user.

ulope commented 2 years ago

@svrnwnsch How did you manage to get that "Reset TOTP" option? It doesn't even show up in our installation.

slhck commented 1 year ago

I also do not see this option.

FWIW I went into the mongo console and did this:

use rocketchat;
// Remove the user's TOTP service record so 2FA is no longer enforced for them
db.users.update({ username: "foo" }, { $unset: { "services.totp": 1 } });
// Clear all login tokens so every existing session for the user is invalidated
db.users.update(
  { username: "foo" },
  {
    $set: {
      "services.resume.loginTokens": [],
    },
  }
);