Reproducible on a self-hosted dockerized server v1.8.4 running on an Ubuntu 24.04 LTS arm64 VM, using Safari or Chrome as a client on macOS Sonoma 14.5 (M2).
Go to a user profile, as admin or team member. Click on "enable 2FA". The system will ask for the user password. Upon submit, it sends the user to the homepage, bypassing the appearance of the QR code.
2FA will be enabled at that point.
Expected behavior would be, before taking the user to the homepage, to show him the QR code for 2FA, and collect a 2FA code to make sure that the user has it correctly.
There are a couple of workarounds:
Use recovery codes.
While logged in as a user for whom you want to know the 2FA QR or secret, follow the link:
https://input.yourserver.hostname/user/two-factor-qr-code
The server will return both the secret and the text representation of the QR SVG.
The latter is also a security breach: having a 2FA secret available persistently is an attack surface. I will not be creating a separate issue for that.
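The expected flow described above (show the QR code, then require one valid TOTP code before 2FA is actually switched on, and stop exposing the secret once enrollment is complete) as an added example; this is constructed illustration code, not the project's own implementation. The `TwoFactorEnrollment` class, its method names and the use of the RFC 6238 reference key `12345678901234567890` for the demonstration run are assumptions made here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed example of a 2FA enrollment state machine (not the project's code).
# Two properties matter for the bug report above:
#   1. 2FA is enabled only after confirm() sees a valid code for the new secret.
#   2. The secret is readable only while enrollment is pending, never afterwards.


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


class TwoFactorEnrollment:
    """Per-user 2FA state: nothing is enabled until the user proves possession."""

    def __init__(self) -> None:
        self.pending_secret: Optional[str] = None  # shown as QR/text during enrollment
        self.secret: Optional[str] = None          # committed only after confirmation
        self.enabled = False

    def begin(self, password_ok: bool, secret_b32: Optional[str] = None) -> Optional[str]:
        """Step 1: password re-check, then issue a fresh secret to display as a QR code.
        2FA is NOT enabled here; the bug report describes a flow that stops at this point."""
        if not password_ok:
            return None
        # A hypothetical caller may inject a known secret for demonstration; real code
        # always generates a random 160-bit secret.
        self.pending_secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending_secret

    def qr_payload(self) -> Optional[str]:
        """Secret (QR/text form) is served only while enrollment is pending."""
        return self.pending_secret

    def confirm(self, code: str, now: int) -> bool:
        """Step 2: enable 2FA only if the submitted code matches the pending secret.
        Accepts one 30 s step of clock drift either way; constant-time comparison."""
        if self.pending_secret is None:
            return False
        for drift in (-30, 0, 30):
            if hmac.compare_digest(totp(self.pending_secret, now + drift), code):
                self.secret = self.pending_secret
                self.pending_secret = None  # secret is no longer retrievable
                self.enabled = True
                return True
        return False


def demo() -> dict:
    """Walk through enrollment with the RFC 6238 reference key at t=59 (code 287082)."""
    rfc_key = base64.b32encode(b"12345678901234567890").decode()
    enrollment = TwoFactorEnrollment()
    shown = enrollment.begin(password_ok=True, secret_b32=rfc_key)
    wrong = enrollment.confirm("000000", now=59)
    right = enrollment.confirm(totp(rfc_key, 59), now=59)
    return {
        "shown_secret": shown,
        "wrong_code_enabled": wrong,
        "right_code_enabled": right,
        "enabled": enrollment.enabled,
        "secret_still_served": enrollment.qr_payload() is not None,
    }


if __name__ == "__main__":
    print(demo())
```

In this model the reported bug corresponds to calling `begin()` and treating the account as enabled without ever calling `confirm()`, and the second observation (the secret remaining fetchable from the QR endpoint) corresponds to `qr_payload()` still returning the committed `secret` after enablement, which the class above deliberately refuses to do.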
@cypherpork for me this is not reproducible with your instructions. Do you see in the server logs anything that could hint at a configuration error of your setup?