search

nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0
286 stars 58 forks source link

TOTP 7.0.0 unable to activate, unable to create backupcodes, spinner never stops #1325

Open Knubbel opened 1 year ago

Knubbel commented 1 year ago

Steps to reproduce

  1. try to enable TOTP via UI

Expected behaviour

the QR code should be shown, the spinner should stop quickly

Actual behaviour

the spinner never stops rotating it is impossible to create backup codes (the spinner here also goes on indefinitely) It is impossible to log in when supposedly TOTP is active (for this specific user)

Log error:

OCA\TwoFactorTOTP\Exception\NoTotpSecretFoundException: 
/var/www/nextcloud/apps/twofactor_totp/lib/Provider/TotpProvider.php - line 105:
OCA\TwoFactorTOTP\Service\Totp->validateSecret()
/var/www/nextcloud/lib/private/Authentication/TwoFactorAuth/Manager.php - line 268:
OCA\TwoFactorTOTP\Provider\TotpProvider->verifyChallenge("*** sensiti ... *")
/var/www/nextcloud/core/Controller/TwoFactorChallengeController.php - line 182:
OC\Authentication\TwoFactorAuth\Manager->verifyChallenge("*** sensiti ... *")
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 225:
OC\Core\Controller\TwoFactorChallengeController->solveChallenge("*** sensiti ... *")
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 133:
OC\AppFramework\Http\Dispatcher->executeController()
/var/www/nextcloud/lib/private/AppFramework/App.php - line 172:
OC\AppFramework\Http\Dispatcher->dispatch()
/var/www/nextcloud/lib/private/Route/Router.php - line 298:
OC\AppFramework\App::main()
/var/www/nextcloud/lib/base.php - line 1047:
OC\Route\Router->match()
/var/www/nextcloud/index.php - line 36:
OC::handleRequest()

Server configuration

Operating system:

Web server:

Database:

PHP version:

Version: (see admin page)

Updated from an older version or fresh install:

List of activated apps:

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - audioplayer: 3.3.1
  - bruteforcesettings: 2.5.0
  - calendar: 4.2.3
  - camerarawpreviews: 0.8.1
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.1.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_downloadactivity: 1.15.0
  - files_pdfviewer: 2.6.0
  - files_photospheres: 1.25.2
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - maps: 0.2.4
  - metadata: 0.17.0
  - news: 20.0.1
  - nextcloud_announcements: 1.14.0
  - notes: 4.6.0
  - notifications: 2.13.1
  - notify_push: 0.5.2
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - previewgenerator: 99.99.99
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.3
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - tasks: 0.14.5
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - contactsinteraction: 1.5.0
  - encryption
  - files_external
  - nextcloudpi: 0.0.1
  - suspicious_login
  - user_ldap
rokyo249 commented 1 year ago

I have exactly the same issue here on Nextcloud version 27.0.2_1.6.43 (as an app on TrueNAS from Charts) and TOTP version 9.0.0:

  1. The app is enabled by admin.
  2. User logs in and tries to enable TOTP in their settings.
  3. The QR code is shown and can be added to 2FA app (Google Authenticator in this case)
  4. The spinner beside "Enable TOTP" never stops spinning
  5. When the user logs out, 2FA is not enabled
  6. When the user logs back in, the checkbox beside "Enable TOTP" is unchecked

Tested with several users, none of them working.

ChristophWurst commented 1 year ago

The spinner beside "Enable TOTP" never stops spinning

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html

there's most likely an error in nextcloud.log

rokyo249 commented 1 year ago

The log shows:

{"reqId":"auBdqzS7xstdZ2OKk4C8","level":0,"time":"2023-09-06T07:11:47+00:00","remoteAddr":"10.0.81.111","user":"c4f7f426-f9ab-103c-9483-9fa59eb6e605","app":"user_ldap","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e605\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}

immediately after the user clicks the "Enable TOTP" checkbox. Log level is on DEBUG.

Sounds like this is an issue with us using LDAP?

ChristophWurst commented 1 year ago

"level":0

it's just a debug notice, not an error

rokyo249 commented 1 year ago

Yes, there is no other message in the log. But 2FA doesn't activate and the thing never stops spinning. Or is the log-level in NextCloud not "0 and above" and I have to set the log-level higher than 0?

ChristophWurst commented 1 year ago

Log level is fine. 0 means it will log everything.

I suggest to inspect the XHRs of the browser instead. There is a request sent when TOTP is enabled. See if that succeeds and what it returns.

rokyo249 commented 1 year ago

Hmm, the response looks fine but there is something weird: The username is an UUID, while Nextcloud and our LDAP use firstname.lastname as UID.... could be that usernames are not correctly mapped in NC and that is an issue?

ChristophWurst commented 1 year ago

could be

rokyo249 commented 1 year ago

Really weird, an additional message I got now suggests that the user isn't logged in, even though he clearly is when clicking the checkbox:

{"reqId":"44AXro7NRFw9PHz4YsI9","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"10.0.81.111","user":"--","app":"no app in context","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Current user is not logged in","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[{"file":"/var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\TwoFactorTOTP\\Controller\\SettingsController","enable",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["twofactor_totp.settings.enable"]]},{"file":"/var/www/html/lib/base.php","line":1071,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/twofactor_totp/settings/enable"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":161,"message":"Current user is not logged in","exception":{},"CustomMessage":"Current user is not logged in"}}
{"reqId":"YkhIq5nfzVkSKJfOmINp","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"10.0.81.111","user":"--","app":"user_ldap","method":"GET","url":"/login?redirect_url=/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e331\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}
{"reqId":"dnZ9Q44x2guG1CgrtRHt","level":0,"time":"2023-09-06T13:45:11+00:00","remoteAddr":"10.0.81.111","user":"c4f7f426-f9ab-103c-9483-9fa59eb6e331","app":"user_ldap","method":"GET","url":"/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e331\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}

I highly suspect that this has to do with LDAP and incorrect mapping. I'll setup a fresh Nextcloud and pull users again from LDAP to check.

rokyo249 commented 12 months ago

Hmm, it wasn't LDAP. I installed Nextcloud fresh and pulled users from LDAP again with the correct UIDs and it still doesn't work. The spinner keeps spinning, a QR code is generated and can be added to Google Authenticator but if I log out or leave the settings page, 2FA remains disabled.

When clicking the checkbox, only one request is shown in Web Developer Tools -> Network -> XHR: a POST to https://10.0.81.100:9001/apps/twofactor_totp/settings/enable with the response of:

09:22:30.658 XHRPOSThttps://10.0.81.100:9001/apps/twofactor_totp/settings/enable
[HTTP/2 200 OK 103ms]
1
{"state":1,"secret":"xxxxxxxxxxxxxx","qrUrl":"otpauth:\/\/totp\/Nextcloud%3Auser.name%4010.0.81.100%3A9001?secret=xxxxxxxxxxxxxx&issuer=Nextcloud"}
digitigrafo commented 10 months ago

news?

buhanovserg commented 7 months ago

Hello! The problem is related to php, it works with the old php 8.0, I install php 8.1 and above does not work.

gitwittidbit commented 4 months ago

Hello! The problem is related to php, it works with the old php 8.0, I install php 8.1 and above does not work.

That could well be. I'm on NC 28 with PHP 8.1

Existing TOTP works. But I disabled it for one user and can't reactivate it now.

Any solution in sight?

ghislain-provost commented 1 month ago

I ran into the same problem. There was 5 min difference between my phone time and my server time. whenever I synced my debian server time using NTP, the 2FA start working again with PHP8.2 and Nextcloud 29.0.3.

buhanovserg commented 1 month ago

Здравствуйте! Проблема связана с php, работает со старым php 8.0, устанавливаю php 8.1 и выше не работает.

Это вполне может быть. Я на NC 28 с PHP 8.1

Существующий TOTP работает. Но я отключил его для одного пользователя и не могу теперь его повторно активировать.

Видно ли какое-нибудь решение?

System time changes for proper operation of 2FA Two-factor Authentication!!!

January 14, 2024, time 19 hours 12 minutes

date 202401141912

buhanovserg commented 1 month ago

Я столкнулся с той же проблемой. Разница между временем на моем телефоне и временем на сервере составляла 5 минут. Всякий раз, когда я синхронизировал время на своем сервере Debian с помощью NTP, 2FA снова начинал работать с PHP8.2 и Nextcloud 29.0.3.

Try changing the system time for 2FA Two-Factor Authentication to work correctly!!!

January 14, 2024, time 19 hours 12 minutes

date 202401141912