WordPress / two-factor

Two-Factor Authentication for WordPress.
https://wordpress.org/plugins/two-factor/
GNU General Public License v2.0

503 Service Unavailable after inserting 2FA - works with several tries #580

Closed x2on closed 5 months ago

x2on commented 1 year ago

Describe the bug

If I try to log in to my WordPress installation, I often get a 503 Service Unavailable error after entering the 2FA code in the login form. This happens if I enter the 2FA code with a password safe (like Bitwarden). If I enter the code by hand it works most of the time. I think there must be a timing issue behind this error.

Steps to Reproduce

  1. Login with user / password
  2. Automatically copy the 2FA to the form and hit enter
  3. --> Error 503
  4. Retry sometimes works, sometimes not.

Screenshots, screen recording, code snippet

/wp-login.php?action=validate_2fa

Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Environment information

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

No

iandunn commented 1 year ago

Does anything show up in your PHP or nginx/apache/IIS logs when it happens?

x2on commented 1 year ago

No, just the 503 error.

dd32 commented 1 year ago

This plugin doesn't trigger 503 responses directly, and the only place in core that triggers them (that I can think of/find) is maintenance mode during auto-updates, which theoretically could be triggered more often just after a login attempt (as the traffic to the site triggers cron, which triggers background updates).

I'm thinking it's more likely that this is caused by a security module - either a WordPress plugin or, more likely, server-level rate limiting on the login endpoint.

@x2on Are you able to confirm with your host whether there's any rate limiting on login that would trigger a 503?
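The two candidate causes named in the comment above (core maintenance mode during a background update, and rate limiting on the login endpoint) leave different traces on the server, so they can be told apart from the web-server access log and the WordPress root directory. The script below is an added triage example, not code from the thread or from the Two-Factor plugin. It assumes Apache/nginx "combined" log format, uses constructed sample log lines (the IPs, timestamps and paths are made up), and its burst window and threshold (3 login requests within 5 seconds) are hypothetical values, not the settings of any real rate limiter. The `.maintenance` check mirrors how WordPress core itself decides to serve a 503: the file contains `$upgrading = <unix time>` and is ignored once it is older than ten minutes.

```python
import os
import re
import time
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined format); not taken from the issue.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php?action=validate_2fa HTTP/1.1" 503 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php?action=validate_2fa HTTP/1.1" 503 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-cron.php?doing_wp_cron=1710064803 HTTP/1.1" 200 0 "-" "WordPress/6.4"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php?action=validate_2fa HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
MAINT_RE = re.compile(r"\$upgrading\s*=\s*(\d+)")
MAINT_TTL = 600  # WordPress ignores a .maintenance file older than 10 minutes


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def maintenance_mode_active(maintenance_contents, now):
    """True if a .maintenance file's $upgrading timestamp is within the TTL WordPress honours."""
    if maintenance_contents is None:
        return False
    m = MAINT_RE.search(maintenance_contents)
    return bool(m) and (now - int(m.group(1))) < MAINT_TTL


def read_maintenance_file(wp_root):
    """Read <wp_root>/.maintenance if present; None means core is not in maintenance mode."""
    try:
        with open(os.path.join(wp_root, ".maintenance")) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def login_bursts(lines, window=5, threshold=3):
    """Map IP -> peak number of wp-login.php requests seen within `window` seconds.

    Only IPs reaching `threshold` are returned; a burst like this is what a server-level
    or plugin rate limiter keys on. Thresholds here are hypothetical.
    """
    per_ip = defaultdict(deque)
    flagged = {}
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    for rec in recs:
        if not rec["path"].startswith("/wp-login.php"):
            continue
        q = per_ip[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop requests outside the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def triage(lines, maintenance_contents=None, now=None):
    """Combine the log and maintenance-file evidence into a verdict dict."""
    now = time.time() if now is None else now
    recs = [r for r in map(parse_line, lines) if r]
    login_503 = [r for r in recs if r["path"].startswith("/wp-login.php") and r["status"] == 503]
    result = {
        "login_503_count": len(login_503),
        "maintenance_mode": maintenance_mode_active(maintenance_contents, now),
        "wp_cron_seen": any(r["path"].startswith("/wp-cron.php") for r in recs),
        "bursty_ips": login_bursts(lines),
    }
    if result["maintenance_mode"]:
        result["likely_cause"] = "core maintenance mode (background update)"
    elif result["bursty_ips"]:
        result["likely_cause"] = "login rate limiting (server-level or plugin)"
    else:
        result["likely_cause"] = "unknown: check PHP error log and upstream/proxy logs"
    return result


if __name__ == "__main__":
    # Against a real site, pass the access-log lines and read_maintenance_file("/var/www/html").
    print(triage(SAMPLE_LOG.splitlines(), read_maintenance_file("."), now=1710064900))
```

Run it on the server that produced the 503s, with the real access log piped in, at the moment the failure occurs: a live `.maintenance` file points at the auto-update path dd32 describes, while a flagged IP with no maintenance file points at a rate limiter in front of `wp-login.php`, which is the question to take to the host.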

x2on commented 1 year ago

I couldn't find anything about a rate limit at the server.

I currently only have "Limit Login Attempts Reloaded" active, and this plugin doesn't show an entry for that. Also, if I deactivate the plugin, the same error happens.

If I wait 2-5 seconds before entering the 2FA code, it currently works.

x2on commented 1 year ago

I made a few tests. The problem only exists if I copy & paste the code into the form. If I enter the number by keyboard, it works.

Any idea?

kasparsd commented 5 months ago

Closing until we have the exact error message or steps to replicate the issue.

I personally haven't observed this behaviour in any of the sites using this plugin. It could be related to the site setup so please do report back if you get more details.