Open scottsignal opened 4 months ago
There is a similar issue fixed with the PR https://github.com/apache/cloudstack/pull/7972; this is fixed in the 4.18.2 version,
and I've tested it with both 4.19.01 and 4.19.1 environments and it is working fine.
May I know which version of the CS environment you are testing? If it is prior to the 4.18.2 version, then you can upgrade your environment and test it again, please.
I am reproducing this on 4.19.0.1. This was a fresh install on 4.19 that was upgraded to 4.19.0.1. We have another environment I will try and reproduce it there.
So I managed to reproduce this once and then never again in the other instance. I will keep looking at this; however, I would like to back up to how I discovered this in the first place. I can reproduce another test case in both instances that may help. In your test case above, replace step number six: after clicking the setup button, accidentally press the back button or exit your browser. I can reproduce every time this way.
@scottsignal agreed with your point that clicking on the back button is considered as if the verification is already done. We need to fix this in the UI.
ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
Ubuntu 22.04, single-node Management Server, MySQL 5.7
SUMMARY
2FA is enabled on a user even if the user fails to verify the TOTP auth code to enable it
STEPS TO REPRODUCE
Create a user that is set to enable 2FA upon login.
Choose either Google Authenticator or Other TOTP and click Setup.
Enter the wrong token by accident and you are kicked back to login.
Try logging in again and you are presented with a 2FA screen; however, you were never successfully enrolled, so TOTP codes do not work.
EXPECTED RESULTS
ACTUAL RESULTS
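
An added example (not part of the original issue and not CloudStack's code) of the enrollment ordering this report calls for: the TOTP secret stays pending until one code verifies, so a wrong token, the back button, or a closed browser leaves the user unenrolled. The `User` class and all function names are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    counter = int((time.time() if at is None else at) // step)
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class User:  # hypothetical record, not CloudStack's schema
    def __init__(self, name):
        self.name = name
        self.twofa_secret = None    # confirmed secret; login enforces 2FA only when set
        self.pending_secret = None  # issued at Setup, not yet proven by the user

def begin_setup(user):
    """Setup clicked: issue a secret but do NOT mark the user as enrolled."""
    user.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
    return user.pending_secret

def confirm_setup(user, code, at=None):
    """Promote the pending secret only after one valid code is presented."""
    pending = user.pending_secret
    if pending and hmac.compare_digest(totp(pending, at), code):
        user.twofa_secret, user.pending_secret = pending, None
        return True
    return False  # wrong code, back button, closed tab: still not enrolled

def login_next_step(user):
    """Screen the login flow should show after the password check."""
    return "verify" if user.twofa_secret else "setup"
```

Because enrollment state is decided server-side in `confirm_setup`, abandoning the page after `begin_setup` cannot leave the account demanding codes for a secret the user never proved they hold.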