nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0

First token after registration invalid #1484

Closed Th3l5D closed 5 months ago

Th3l5D commented 6 months ago

Steps to reproduce

  1. Create a new guest local account with TOTP forced
  2. Setup TOTP on external application
  3. Validate TOTP configuration on nextcloud with the token given by TOTP app
  4. Rapidly sign in with the new account and with the same token as the previous step (with the token of course still valid)

Expected behaviour

token is validated and user connection is done

Actual behaviour

token is considered incorrect and we need to wait for a new token in order to validate the connection

Server configuration

Operating system: Debian 12

Web server: Apache

Database: Mysql

PHP version: PHP8

Version: (see admin page) 27.1.5

Updated from an older version or fresh install: from 27.1.x branch

List of activated apps:

given in private if needed

The content of config/config.php:

Not really relevant, given in private if needed

Client configuration

Browser: Last Firefox/last Brave

Operating system: Windows 10

Logs

Web server error log

given in private if needed

Server log (data/nextcloud.log)

given in private if needed

Browser log

Not really relevant, given in private if needed

ChristophWurst commented 6 months ago

compare server and phone clocks. are they in sync?

Th3l5D commented 6 months ago

Hey @ChristophWurst, thanks for the answer, but unfortunately, I don't think it's the issue:

Th3l5D commented 5 months ago

Hey again,

Do you know if this issue is validated? Do you need some extra info?

ChristophWurst commented 5 months ago

Rapidly sign in with the new account and with the same token as the previous step (with the token of course still valid)

Overlooked this the other day. This is actually by design. The app has protection for replay attacks. A code can only be used once.

Ref https://github.com/nextcloud/twofactor_totp/pull/489
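The one-time-use rule behind this, as an added example that is not the app's own code: an RFC 6238 verifier that remembers the last accepted time-step per user, so the code that confirmed setup is refused when replayed at login seconds later, while the next step's code is accepted. The secret, user name and timestamps are constructed for the demo.

```python
"""Added example (not Nextcloud's code): RFC 6238 TOTP with a one-time-use replay guard."""
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time-step in seconds
DIGITS = 6
WINDOW = 1     # also accept the previous/next step to tolerate small clock drift


def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over the RFC 6238 step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Verifies codes and remembers, per user, the highest step counter already accepted."""

    def __init__(self, secrets):
        self.secrets = secrets       # user -> shared secret (constructed)
        self.last_counter = {}       # user -> highest accepted counter

    def verify(self, user: str, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(totp(self.secrets[user], c), code):
                # Replay guard: a counter at or below the last accepted one is refused,
                # so a code that was already used cannot be presented a second time.
                if c <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = c
                return True
        return False


def reproduce_issue():
    """Step 3 (confirm setup) followed by step 4 (log in with the same code)."""
    secret = b"12345678901234567890"   # constructed demo secret
    v = TotpVerifier({"guest": secret})
    t = 1_700_000_000                  # constructed timestamp (seconds)
    code = totp(secret, t // STEP)
    setup_ok = v.verify("guest", code, t)         # confirm configuration
    login_same = v.verify("guest", code, t + 5)   # same code, same step: replayed
    login_next = v.verify("guest", totp(secret, (t + STEP) // STEP), t + STEP)
    return setup_ok, login_same, login_next
```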

Th3l5D commented 5 months ago

OK, that explains everything, thanks for the information :)