boxen / our-boxen

Copy me for your team.
https://github.com/boxen/our-boxen/
MIT License

Can't log in, 2FA errors forever #839

Open indirect opened 7 years ago

indirect commented 7 years ago

2FA accounts are unable to log in when running script/server:

our-boxen andre$ script/boxen
--> Preparing to auto-update...
--> Complete! Nothing new from upstream.
--> Oh, looks like you've provided your login as environmental variable...

GitHub password: **********

--> It looks like you have two-factor auth enabled.

One time password (via SMS or device):
******

--> That one time password didn't work. Let's try again.

One time password (via SMS or device):
******

--> That one time password didn't work. Let's try again.

Repeat until you get tired and give up. It's an infinite loop.

(Yes, I'm 100% sure my password and token are correct, and I used them to log in to GitHub.com moments before using them in Boxen.)

jacobbednarz commented 7 years ago

Thanks for the report @indirect.

Are you able to check whether Boxen is listed as an authorized application at https://github.com/settings/applications? Could you also provide the version of boxen and our-boxen you are running?

From the messages above, it looks like something is breaking down at lib/boxen/preflight/creds.rb#L59. Could you try debugging around that HTTP request and ensure it is passing the correct token, etc?

indirect commented 7 years ago

@jacobbednarz ah, sorry I should have included versions and such. I did a straight up checkout of boxen/our-boxen@a61b60d22a60ba24d1c0f6bf0dcd48e63cafc344, and ran bundle install --path .bundle; script/boxen. That should make it pretty easy to repro. 👍

I did some print-debugging inside creds.rb, and it does appear to be passing the headers hash to Octokit with the correct OTP:

One time password (via SMS or device):
******
otp is 445316
headers: {"X-GitHub-OTP"=>"445316"}
otp is 445316
rescued OneTimePasswordRequired
--> That one time password didn't work. Let's try again.

Nevertheless, it seems like Octokit is raising OneTimePasswordRequired even with the header set correctly. :/

jacobbednarz commented 7 years ago

I've taken the following steps:

From what I can guess, the OTP stuff is being caused by one of the following:

indirect commented 7 years ago

Ugh. Thanks for checking on this! It working for you is super, super confusing. I'm using the Authy app on my iPhone, and I am able to generate valid OTP tokens and log in to github.com successfully, so I'm super confused about why Octokit can't log in using them. I guess I'll just manually generate a token and stuff it in my netrc and move on.

jacobbednarz commented 7 years ago

If you dump the HTTP request being made, does it line up with your Mac clock (and be within a couple of minutes)?

indirect commented 7 years ago

@jacobbednarz here's a full dump using the debug instructions from the Octokit readme and some extra debug prints from me (starting with "**"). It seems like Octokit is making a second request, and the second request is raising the exception, even though the first request failed? The only line of ruby code getting run is tmp_api.authorizations(:headers => headers).

My best guess about what's happening is that Octokit is following the returned Link URL to the second page, and that request is failing because the OTP code is only valid for one request? Not sure. Open to any ideas. In the end, I'm making this work by running boxen --token abc123 and letting it save my token into the keychain.

GitHub login: |indirect| 
GitHub password: **********
** got login and password, going to try `get_tokens`
** started get_tokens
** about to run `tmp_api.authorizations(:headers => {})
I, [2017-01-27T23:56:04.924339 #11160]  INFO -- : get https://api.github.com/authorizations?&per_page=100
D, [2017-01-27T23:56:04.924413 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
** rescued OneTimePasswordRequired
--> It looks like you have two-factor auth enabled.

** before get_otp
I, [2017-01-27T23:56:05.326115 #11160]  INFO -- : post https://api.github.com/authorizations
D, [2017-01-27T23:56:05.326174 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
One time password (via SMS or device):
******
** get_otp return 782335
** before get_tokens again
** started get_tokens
** about to run `tmp_api.authorizations(:headers => {"X-GitHub-OTP"=>"782335"})
I, [2017-01-27T23:56:12.639715 #11160]  INFO -- : get https://api.github.com/authorizations?headers%5BX-GitHub-OTP%5D=782335&per_page=100
D, [2017-01-27T23:56:12.660826 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
X-GitHub-OTP: "782335"
I, [2017-01-27T23:56:13.083434 #11160]  INFO -- Status: 200
D, [2017-01-27T23:56:13.083526 #11160] DEBUG -- response: server: "GitHub.com"
date: "Sat, 28 Jan 2017 07:56:13 GMT"
content-type: "application/json; charset=utf-8"
transfer-encoding: "chunked"
connection: "close"
status: "200 OK"
x-ratelimit-limit: "5000"
x-ratelimit-remaining: "4985"
x-ratelimit-reset: "1485593330"
cache-control: "private, max-age=60, s-maxage=60"
vary: "Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding"
etag: "W/\"dc15ee839174d41a75ed63362a0eb350\""
x-github-media-type: "github.beta; format=json"
link: "<https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&per_page=100&page=2>; rel=\"next\", <https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&per_page=100&page=2>; rel=\"last\""
access-control-expose-headers: "ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
content-security-policy: "default-src 'none'"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-content-type-options: "nosniff"
x-frame-options: "deny"
x-xss-protection: "1; mode=block"
x-served-by: "0e17b94a265a427d9cafe798ceea7c02"
x-github-request-id: "CBD5:2C95:71DD497:909038C:588C4E9C"
I, [2017-01-27T23:56:13.106454 #11160]  INFO -- : get https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&page=2&per_page=100
D, [2017-01-27T23:56:13.106533 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
** rescued OneTimePasswordRequired
--> That one time password didn't work. Let's try again.

** before get_otp
I, [2017-01-27T23:56:13.455564 #11160]  INFO -- : post https://api.github.com/authorizations
D, [2017-01-27T23:56:13.455612 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
One time password (via SMS or device):
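
A minimal model of what the dump above shows, as an added example (not code from Boxen or Octokit): a constructed stand-in for the GitHub API that requires X-GitHub-OTP on every request and paginates /authorizations through a Link header, a paginator that follows rel="next" without re-sending the caller's headers (the page-2 GET in the log carries no X-GitHub-OTP line), and a corrected one that carries them along. All URLs, token names and page contents are constructed.

```ruby
class OneTimePasswordRequired < StandardError; end

VALID_OTP = '782335' # constructed: the OTP typed in the dump above
# Constructed two-page /authorizations listing keyed by URL.
PAGES = {
  'https://api.example/authorizations?per_page=100' =>
    [%w[tok-1 tok-2], 'https://api.example/authorizations?per_page=100&page=2'],
  'https://api.example/authorizations?per_page=100&page=2' => [%w[tok-3], nil]
}.freeze

# Stand-in for GitHub: on a 2FA account every request must carry the OTP header,
# otherwise it answers with the error Octokit surfaces as OneTimePasswordRequired.
def fake_github_get(url, headers)
  raise OneTimePasswordRequired, "OTP header missing on #{url}" unless headers['X-GitHub-OTP'] == VALID_OTP
  body, next_url = PAGES.fetch(url)
  { status: 200, body: body, link: next_url && %(<#{next_url}>; rel="next") }
end

# Pull the rel="next" URL out of a Link header as GitHub formats it.
def next_link(link_header)
  return nil unless link_header
  m = link_header.match(/<([^>]+)>;\s*rel="next"/)
  m && m[1]
end

# Mirrors the dump: the first GET carries X-GitHub-OTP, but the follow-up GET
# to the Link URL is issued with fresh (empty) headers and fails on page 2.
def paginate_buggy(url, headers)
  results = []
  while url
    resp = fake_github_get(url, headers)
    results.concat(resp[:body])
    url = next_link(resp[:link])
    headers = {} # caller's headers are not re-applied to the next page
  end
  results
end

# Corrected pagination: the same headers are sent with every page request.
def paginate_fixed(url, headers)
  results = []
  while url
    resp = fake_github_get(url, headers)
    results.concat(resp[:body])
    url = next_link(resp[:link])
  end
  results
end
```

The dump also shows the headers hash being serialized into the query string (headers%5BX-GitHub-OTP%5D=...), which this model does not reproduce; the step that fails is the page-2 request sent without the header.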

jacobbednarz commented 7 years ago

I've tried replicating this for the last few days and I've come up empty 😞

@MikeMcQuaid are you able to take a look at the logs at GitHub for the possible cause here? I'd like to be able to safeguard against but not sure what is actually causing the issue.

MikeMcQuaid commented 7 years ago

@jacobbednarz Email support@github.com and they'll be able to help more.

jacobbednarz commented 7 years ago

@indirect did you get anywhere with this? I'm happy to make changes within Boxen if there is something we can do better.