calcom / cal.com

Scheduling infrastructure for absolutely everyone.
https://cal.com

[CAL-3060] JSON Error during login due to incorrect encoding on CALENDSO_ENCRYPTION_KEY #13290

Closed jdalrymple closed 1 month ago

jdalrymple commented 7 months ago

Issue Summary

After a fresh install, I go to login and after about 20 seconds, I see this error pop up in the login screen:

image

Note related issues: #9527 #9690 Original issue: https://github.com/calcom/docker/issues/321

Steps to Reproduce

  1. Set up the repository locally and generate the template .env file as per the instructions
  2. Update the .env file to use a secret generated by this command, as described in the comments for the CALENDSO_ENCRYPTION_KEY env variable: openssl rand -base64 32
  3. Spin up the docker containers via docker compose up -d
  4. Login
  5. Be greeted by this banner: 'You are admin but you do not have a password length of at least 15 characters or no 2FA yet Change Password to gain admin access'
  6. Attempt to set up two-factor auth and receive the error messages shown in the images below

Actual Results

image

Expected Results

Not have issues with the encryption key.

Technical details

Environment:

Hosting service: GCP e2-small
OS: Debian Bullseye
Docker Images: see docker compose file

Config:

I kept the defaults from here; however, I've updated the NEXT_PUBLIC_WEBAPP_URL to be my own domain.

Evidence

This was tested using the docker containers outlined above, both locally and in the cloud to limit any additional sources of error.

Here are my findings in the order in which I found them:

update 1

I do see this error in the browser console:

Error setting up two-factor authentication SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data two-factor-auth-5a03d5ad2d4dbd78.js:1:5962
handleSetup NextJS

update 2

It looks like the fetch call to '...api/auth/two-factor/totp/setup' is returning an internal server error, which then sends back the JSON error when the response.json() function is called.

update 3

Default config is outdated. The newer config file makes sure to specify the length of the encryption key:

# Application Key for symmetric encryption and decryption
# must be 32 bytes for AES256 encryption algorithm
# You can use: `openssl rand -base64 32` to generate one
CALENDSO_ENCRYPTION_KEY=

update 4

So even changing the key to a 32 byte key using the algo mentioned above, the error still persists:

: RangeError: Invalid key length
@calcom/web:start:     at Cipheriv.createCipherBase (node:internal/crypto/cipher:122:19)
@calcom/web:start:     at Cipheriv.createCipherWithIV (node:internal/crypto/cipher:141:3)
@calcom/web:start:     at new Cipheriv (node:internal/crypto/cipher:249:3)
@calcom/web:start:     at Object.createCipheriv (node:crypto:141:10)
@calcom/web:start:     at symmetricEncrypt (/calcom/apps/web/.next/server/chunks/69559.js:1:278)
@calcom/web:start:     at handler (/calcom/apps/web/.next/server/pages/api/auth/two-factor/totp/setup.js:1:2125) {
@calcom/web:start:   code: 'ERR_CRYPTO_INVALID_KEYLEN'

update 5

Doing some local testing with the touched code, it looks like the base64-encoded string generated through the openssl rand -base64 32 command is failing when converted into a buffer, which sets the encoding to latin1, resulting in a 44-length string, not 32. This is what causes the error.

update 6

A temporary solution would be to just create a 32-character-long alphanumeric string without the openssl function, and update the docs/comments to reflect the importance of this, seeing as the Buffer.from function expects the string to be binary/latin1 encoded.


PeerRich commented 7 months ago

Thank you for the detailed report.

I think you can get some self-hosting help in our community: https://go.cal.com/discord

amandesai01 commented 5 months ago

So what is the fix? I just finished setting this up and am facing the same issue. Unable to gain admin access since it requires 2FA.

tomquas commented 4 months ago

If I understand correctly, a fix has been provided already with #13484 but has been declined by the dev team for the greater goal of #12698. That may make sense, but us docker self-hosters now have to wait till release 4.1+ for a working system. Personally, I think it would have been the right thing to apply and deploy the fix and not render the self-hosted version unusable.

I also found that https://hub.docker.com/r/calcom/cal.com/tags is pretty outdated: 3.9.8 was just released, 3.9.1 is available on docker hub. Just thinking out loud...

lucasjohnston commented 3 months ago

To be super clear this means the current calcom build is effectively broken for new set-ups, as you can't login as an admin without configuring 2FA. Feels like there should be an interim fix here given the severity of impact?

lucasjohnston commented 3 months ago

As a short-term fix, I'd propose changing the CALENDSO_ENCRYPTION_KEY generation instructions from:

openssl rand -base64 32

to

python -c "import random; import string; print(''.join(random.choices(string.ascii_letters + string.digits, k=32)))"

It'll fill the gap temporarily given the current command doesn't work, and I think it's reasonable to assume most users have python installed :)