dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0

DUO 2FA - login fails if email is not lowercase #955

Closed defung closed 4 years ago

defung commented 4 years ago

Subject of the issue

When logging in with DUO 2FA configured, login fails if email entered is not all lowercase.

Your environment

Steps to reproduce

  1. start up a bitwarden_rs container
  2. create an account with the following email: Test@test.com
  3. log in, and set up 2FA via DUO normally
  4. log out
  5. log in with the following email (note the capital T): Test@test.com
  6. perform DUO 2FA
  7. observe that login FAILED
  8. go back to login screen, and log in with the following email (note the lowercase t): test@test.com
  9. perform DUO 2FA
  10. observe that login SUCCEEDS, and you are now in your vault

Expected behaviour

From what I understand, email shouldn't be required to be all lowercase. Without DUO, we are able to login using mixed uppercase and lowercase email. But with DUO enabled, we are forced to use lowercase email.

Actual behaviour

With DUO enabled, users cannot login using mixed case emails. Users are forced to enter lower case email, even though the user registered with mixed case emails initially.

Relevant logs

AJAX call received HTTP 400 error:

POST /identity/connect/token response:
{"ErrorModel":{"Message":"Error validating duo authentication","Object":"error"},"Message":"","Object":"error","ValidationErrors":{"":["Error validating duo authentication"]},"error":"","error_description":""}

docker log output:

[2020-04-07 19:48:38][request][INFO] POST /api/accounts/prelogin
[2020-04-07 19:48:38][response][INFO] POST /api/accounts/prelogin (prelogin) => 200 OK
[2020-04-07 19:48:38][request][INFO] POST /identity/connect/token
[2020-04-07 19:48:38][error][ERROR] 2FA token not provided
[2020-04-07 19:48:38][response][INFO] POST /identity/connect/token (login) => 400 Bad Request
[2020-04-07 19:48:51][request][INFO] POST /identity/connect/token
[2020-04-07 19:48:51][error][ERROR] Error validating duo authentication
[2020-04-07 19:48:51][response][INFO] POST /identity/connect/token (login) => 400 Bad Request

defung commented 4 years ago

I don't know Rust too well, but I suspect this needs some equalsIgnoreCase type of thing here:

https://github.com/dani-garcia/bitwarden_rs/blob/master/src/api/core/two_factor/duo.rs#L286

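The steps to reproduce and the comparison defung points at, modelled as an added Rust example. This is not vaultwarden's code from duo.rs: it assumes the server compares the username echoed in the Duo AUTH response against the e-mail string the client sent at login, which is what the symptom suggests but is not confirmed on this page. The `AUTH|ikey|username|expiry|sig` layout is a plain-text stand-in for Duo's base64 Web SDK v2 cookie, `stub_sign` (FNV-1a) stands in for the HMAC-SHA1 Duo uses, the integration key is made up, and all helper names (`build_response`, `parse_auth_response`, `normalize_email`, `validate_case_sensitive`, `validate_case_insensitive`) are mine.

```rust
// Added example, not vaultwarden's code. Simplified model of the server-side
// check on a Duo Web SDK v2 AUTH response; see the lead-in for what is assumed.
use std::time::{SystemTime, UNIX_EPOCH};

const AUTH_PREFIX: &str = "AUTH";
const ERR_DUO: &str = "Error validating duo authentication";

/// Fields carried in the AUTH part of a Duo response (constructed layout).
#[derive(Debug, PartialEq)]
pub struct DuoAuth {
    pub ikey: String,
    pub username: String,
    pub expiry: u64,
}

/// Stand-in for the HMAC-SHA1 Duo uses: FNV-1a over the message. It is NOT a
/// MAC and only lets the example notice a tampered field.
pub fn stub_sign(msg: &str) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in msg.bytes() {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("{:016x}", h)
}

pub fn stub_verify(msg: &str, sig: &str) -> bool {
    stub_sign(msg) == sig
}

/// Build the "AUTH|ikey|username|expiry|sig" string a Duo callback would return.
pub fn build_response(ikey: &str, username: &str, expiry: u64) -> String {
    let msg = format!("{}|{}|{}|{}", AUTH_PREFIX, ikey, username, expiry);
    let sig = stub_sign(&msg);
    format!("{}|{}", msg, sig)
}

/// Split a response into its signed part, parsed fields and signature.
pub fn parse_auth_response(resp: &str) -> Result<(&str, DuoAuth, &str), String> {
    let (signed, sig) = resp.rsplit_once('|').ok_or_else(|| ERR_DUO.to_string())?;
    let parts: Vec<&str> = signed.split('|').collect();
    if parts.len() != 4 || parts[0] != AUTH_PREFIX {
        return Err(ERR_DUO.to_string());
    }
    let expiry = parts[3].parse::<u64>().map_err(|_| ERR_DUO.to_string())?;
    let auth = DuoAuth { ikey: parts[1].to_string(), username: parts[2].to_string(), expiry };
    Ok((signed, auth, sig))
}

/// Canonical form for comparing e-mail addresses: trimmed and lower-cased.
pub fn normalize_email(email: &str) -> String {
    email.trim().to_lowercase()
}

fn check_auth(
    entered_email: &str,
    resp: &str,
    expected_ikey: &str,
    now: u64,
    verify: fn(&str, &str) -> bool,
    same_user: fn(&str, &str) -> bool,
) -> Result<(), String> {
    let (signed, auth, sig) = parse_auth_response(resp)?;
    // Signature, integration key and expiry are checked before the username,
    // so a forged or stale response never reaches the comparison.
    if !verify(signed, sig) || auth.ikey != expected_ikey || auth.expiry < now {
        return Err(ERR_DUO.to_string());
    }
    if !same_user(&auth.username, entered_email) {
        return Err(ERR_DUO.to_string());
    }
    Ok(())
}

/// The behaviour the issue reports: byte-for-byte username comparison.
pub fn validate_case_sensitive(entered_email: &str, resp: &str, ikey: &str, now: u64) -> Result<(), String> {
    check_auth(entered_email, resp, ikey, now, stub_verify, |a: &str, b: &str| a == b)
}

/// The fix defung suggests: compare the normalized addresses instead.
pub fn validate_case_insensitive(entered_email: &str, resp: &str, ikey: &str, now: u64) -> Result<(), String> {
    check_auth(entered_email, resp, ikey, now, stub_verify, |a: &str, b: &str| {
        normalize_email(a) == normalize_email(b)
    })
}

fn main() {
    let ikey = "DIXXXXXXXXXXXXXXXXXX"; // made-up integration key
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    // Duo signed the address as stored for the account (lower case); the
    // user then types it with a capital T, as in step 5 of the issue.
    let resp = build_response(ikey, "test@test.com", now + 300);
    for &entered in ["Test@test.com", "test@test.com"].iter() {
        println!(
            "{:<14} case-sensitive: {:?}  case-insensitive: {:?}",
            entered,
            validate_case_sensitive(entered, &resp, ikey, now),
            validate_case_insensitive(entered, &resp, ikey, now),
        );
    }
}
```

Two caveats a practitioner would want: whatever normalization is applied here must be the same one the server used when it issued the signed Duo request, otherwise the two sides still disagree; and case-folding must only widen the match to the same account, never to another one, which is why a response signed for one address is still rejected for a different address in the fixed path.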
jjlin commented 4 years ago

Yeah, I already tested a fix.

defung commented 4 years ago

Thanks for the quick fix, @jjlin and @dani-garcia! When can we expect the new docker image to be released?

dani-garcia commented 4 years ago

The :latest tag should finish building in an hour or two, and a new numbered release on the weekend probably.