bluesky-social / pds

Bluesky PDS (Personal Data Server) container image, compose file, and documentation

Two-factor authentication button does not work #99

Open syuxs7854384 opened 1 month ago

syuxs7854384 commented 1 month ago

Two-factor authentication button does not work

Error code 400

{error: "TokenRequired", message: "confirmation token required"}

AverageHelper commented 1 month ago

Getting this as well from bsky.app, just after having verified my email. Not sure if bsky.app needs to request a confirmation token from the user to provide in the updateEmail request, or if the server needs to calm down about how recently a valid email token was received.

Personally, it makes sense to run the email-verification flow again when activating email 2FA, at least as a sanity test that the flow works, else the user may be locked out of their account inadvertently.

dillfrescott commented 3 weeks ago

getting this too on my new PDS. I will wait a few hours and try again

dandln commented 3 weeks ago

Having the same issue. Here's the full output from the Firefox console in case it helps:

Uncaught (in promise) Error: confirmation token required
    u types.ts:126
    a updateEmail.ts:46
    toKnownErr updateEmail.ts:54
    updateEmail index.ts:1236
    promise callback*updateEmail index.ts:1235
    o Email2FAToggle.tsx:20
    Babel 4
    s Email2FAToggle.tsx:42
    e Button.tsx:154
    Babel 4
    P Button.tsx:155
    onClick PressResponder.js:314
    React 11
    r helpers.ts:100
    ls trycatch.ts:233
    Ta dom.ts:107
    React 5
    u index.js:20
    run renderApplication.js:24
    run index.js:34
    value index.js:72
    i registerRootComponent.tsx:36
    6760 index.web.js:8
    Webpack 5
Caused by: Error: confirmation token required
    u types.ts:126
    call xrpc-client.ts:105
    updateEmail index.ts:1234
    o Email2FAToggle.tsx:20
    Babel 4
    s Email2FAToggle.tsx:42
    e Button.tsx:154
    Babel 4
    P Button.tsx:155
    onClick PressResponder.js:314
    React 11
    r helpers.ts:100
    ls trycatch.ts:233
    Ta dom.ts:107
    React 5
    u index.js:20
    run renderApplication.js:24
    run index.js:34
    value index.js:72
    i registerRootComponent.tsx:36
    6760 index.web.js:8
    Webpack 5

mp-pinheiro commented 1 week ago

Same issue on mine.

scolton99 commented 1 week ago

Same issue here -- it looks like maybe the code for this is just missing? I don't see the full implementation of 2FA in the TypeScript code. The com.atproto.server.createSession endpoint doesn't seem like it can accept the authFactorToken value and even if the call to com.atproto.server.updateEmail was working, it doesn't seem like it does anything with the emailAuthFactor: true from the body.

mp-pinheiro commented 1 week ago

> Same issue here -- it looks like maybe the code for this is just missing? I don't see the full implementation of 2FA in the TypeScript code. The com.atproto.server.createSession endpoint doesn't seem like it can accept the authFactorToken value and even if the call to com.atproto.server.updateEmail was working, it doesn't seem like it does anything with the emailAuthFactor: true from the body.

That's what I thought as well, there's no PDS env var designated to it as well, and the atproto code makes almost no mention of email or 2FA. However, when we click "Require email code to log into your account" using an official, Bsky PDS account, it works. This is the request it performs:

curl 'https://magic.us-west.host.bsky.network/xrpc/com.atproto.server.updateEmail' \
  ...
  --data-raw '{"email":"REDACTED@EMAIL.COM", "emailAuthFactor":true}'

It seems like the same exact endpoint and request, but the magic.us-west.host.bsky.network endpoint responds 200 and 2FA works normally. Looking for this emailAuthFactor property, there's not much https://github.com/search?q=repo%3Abluesky-social%2Fatproto%20emailAuthFactor&type=code.

I don't know much about atproto, and I might be mistaken, but seems to me like Bsky is running a more updated version of the code in their official server that has this auth flow implemented?

scolton99 commented 1 week ago

> > Same issue here -- it looks like maybe the code for this is just missing? I don't see the full implementation of 2FA in the TypeScript code. The com.atproto.server.createSession endpoint doesn't seem like it can accept the authFactorToken value and even if the call to com.atproto.server.updateEmail was working, it doesn't seem like it does anything with the emailAuthFactor: true from the body.
>
> That's what I thought as well, there's no PDS env var designated to it as well, and the atproto code makes almost no mention of email or 2FA. However, when we click "Require email code to log into your account" using an official, Bsky PDS account, it works. This is the request it performs:
>
> curl 'https://magic.us-west.host.bsky.network/xrpc/com.atproto.server.updateEmail' \
>   ...
>   --data-raw '{"email":"REDACTED@EMAIL.COM", "emailAuthFactor":true}'
>
> It seems like the same exact endpoint and request, but the magic.us-west.host.bsky.network endpoint responds 200 and 2FA works normally. Looking for this emailAuthFactor property, there's not much https://github.com/search?q=repo%3Abluesky-social%2Fatproto%20emailAuthFactor&type=code.
>
> I don't know much about atproto, and I might be mistaken, but seems to me like Bsky is running a more updated version of the code in their official server that has this auth flow implemented?

I also don't claim to know much about this, but it was always my assumption that Bluesky was running something proprietary and closed-source internally, and the PDS implementation they're distributing now is a completely different codebase. There are lots of endpoints that respond differently in the PDS when compared with the public Bluesky data servers.

mp-pinheiro commented 1 week ago

> I also don't claim to know much about this, but it was always my assumption that Bluesky was running something proprietary and closed-source internally, and the PDS implementation they're distributing now is a completely different codebase. There are lots of endpoints that respond differently in the PDS when compared with the public Bluesky data servers.

And if that's the case, on one hand, fair enough, this codebase is using a fairly permissive license, but not being transparent about this is so weird. Also, 2FA is such a core piece of app security, it's also very weird to not have this implemented and not have it clearly stated. It would definitely have given me pause for thought if I knew before migrating to my own PDS.

dandln commented 5 days ago

> Also, 2FA is such a core piece of app security, it's also very weird to not have this implemented and not have it clearly stated.

Worth noting too that email-based 2FA is one of the worst methods anyway. If it's the only option we can get right now then I'll take it of course, but support for app-based 2FA is really needed too.

I second that it's really strange to see a social network as big as Bluesky has become this year not implementing 2FA properly.

KarlLivesey commented 1 day ago

yeah, TOTP/passkey/YubiKey support is what I want

BrianCArnold commented 20 hours ago

So, with a PDS being so manually administered, it doesn't seem too extreme to modify the local data store to keep the TOTP secret locally, and emit it once for registration in a user's TOTP application, authenticator, what have you, during account registration, and to give the PDS admin the ability to reset a TOTP, emitting the same secret?