nextcloud / twofactor_totp

🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
https://apps.nextcloud.com/apps/twofactor_totp
GNU Affero General Public License v3.0

Error logged if wrong TOTP code is input upon login #1545

Open 197788 opened 2 months ago

197788 commented 2 months ago

Steps to reproduce:

  1. Start with clean nextcloud.log.
  2. Have two-factor totp enabled.
  3. Enter your username, then password. When you get the prompt to input your TOTP code, deliberately enter a wrong TOTP code (to force trigger the error message).
  4. Now your log will have an error message.

Expected behaviour


This should probably just be logged as info or debug level, not warning or error level. It messes up the nice green check mark that says "All checks passed."

Actual behaviour


The error is logged as a warning level event.

Server configuration

Operating system: Debian

Web server: Nginx

Database: Postgresql

PHP version: 8.3

Version: (see admin page) 29.0.3

Updated from an older version or fresh install: Updated from 29.0.2

List of activated apps:

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - apporder: 0.15.0
  - auto_groups: 1.5.3
  - bookmarks: 14.2.2
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.1
  - files_downloadlimit: 2.0.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - groupfolders: 17.0.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - passwords: 2024.7.20
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - root_cache_cleaner: 0.1.7
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - side_menu: 3.13.1
  - support: 1.12.0
  - survey_client: 1.17.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_backend_sql_raw: 2.0.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - bruteforcesettings: 2.9.0 (installed 2.8.0)
  - encryption: 2.17.0
  - files_external: 1.21.0
  - suspicious_login: 7.0.0
  - user_ldap: 1.20.0
  - weather_status: 1.9.0 (installed 1.3.0)

The content of config/config.php:

{
  "system": {
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusteddomains": [
      "localhost",
      "REMOVED SENSITIVE VALUE"
    ],
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "dbtype": "pgsql",
    "version": "29.0.3.4",
    "overwrite.cli.url": "https:\/\/REMOVED SENSITIVE VALUE",
    "htaccess.RewriteBase": "\/",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbtableprefix": "oc",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "instanceid": "REMOVED SENSITIVE VALUE",
    "logtimezone": "America\/Phoenix",
    "user_backend_sql_raw": {
      "dsn": "pgsql:host=localhost;dbname=mail_server",
      "db_user": "mail_admin",
      "db_password": "REMOVED SENSITIVE VALUE",
      "queries": {
        "get_password_hash_for_user": "SELECT password_hash FROM users_fqda WHERE fqda = :username",
        "user_exists": "SELECT EXISTS(SELECT 1 FROM users_fqda WHERE fqda = :username)",
        "get_users": "SELECT fqda FROM users_fqda WHERE (fqda ILIKE :search) OR (display_name ILIKE :search)",
        "set_password_hash_for_user": "UPDATE users SET password_hash = :new_password_hash WHERE local = split_part(:username, '@', 1) AND domain = split_part(:username, '@', 2)",
        "delete_user": "DELETE FROM users WHERE local = split_part(:username, '@', 1) AND domain = split_part(:username, '@', 2)",
        "get_display_name": "SELECT display_name FROM users WHERE local = split_part(:username, '@', 1) AND domain = split_part(:username, '@', 2)",
        "set_display_name": "UPDATE users SET display_name = :new_display_name WHERE local = split_part(:username, '@', 1) AND domain = split_part(:username, '@', 2)",
        "count_users": "SELECT COUNT (*) FROM users",
        "create_user": "INSERT INTO users (local, domain, password_hash) VALUES (split_part(:username, '@', 1), split_part(:username, '@', 2), :password_hash)"
      },
      "hash_algorithm_for_new_passwords": "argon2id"
    },
    "app_install_overwrite": {
      "1": "initialcheck",
      "2": "user_backend_sql_raw",
      "3": "apporder",
      "4": "occweb"
    },
    "maintenance": false,
    "theme": "",
    "loglevel": "2",
    "filelocking.enabled": "true",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "redis": {
      "host": "REMOVED SENSITIVE VALUE",
      "port": "0",
      "timeout": "1.5",
      "read_timeout": "1.5",
      "dbindex": "0"
    },
    "updater.release.channel": "stable",
    "maintenance_window_start": 1,
    "default_phone_region": "US",
    "mail_smtpmode": "smtp",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "twofactor_enforced": "true",
    "twofactor_enforced_groups": [],
    "twofactor_enforced_excluded_groups": [],
    "mail_sendmailmode": "smtp",
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "587",
    "mail_smtpauth": 1,
    "mail_smtpname": "REMOVED SENSITIVE VALUE",
    "mail_smtppassword": "REMOVED SENSITIVE VALUE"
  }
}

Client configuration

Browser: Librewolf

Operating system: Archlinux

Logs

Web server error log

N/A

Server log (data/nextcloud.log)

{"reqId":"So7i5FhYUxWWgXZUr2Da","level":2,"time":"2024-07-10T13:17:14-07:00","remoteAddr":"REMOVED SENSITIVE VALUE","user":"REMOVED SENSITIVE VALUE@REMOVED SENSITIVE VALUE","app":"core","method":"POST","url":"/login/challenge/totp","message":"Two-factor challenge failed: REMOVED SENSITIVE VALUE@REMOVED SENSITIVE VALUE (Remote IP: 68.84.198.85)","userAgent":"Mozilla/5.0 (Windows NT 10.0; rv:127.0) Gecko/20100101 Firefox/127.0","version":"29.0.3.4","data":{"app":"core"}}

Browser log
N/A
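The record quoted above is written at "level": 2, which in Nextcloud's scale (0 debug, 1 info, 2 warning, 3 error, 4 fatal) is a warning; the reporter's config.php sets "loglevel": "2", so warnings and above reach nextcloud.log, which is why the entry shows up at all. Whatever level the project settles on, an operator still wants to tell one mistyped code apart from a run of guesses against the same account. The script below is an added example written for this page; it is not code from the issue or from nextcloud/twofactor_totp. It assumes the newline-delimited JSON record shape seen in the quoted log line (fields "level", "time", "app", "message", "url"), takes the account and IP from the free-text message because the "remoteAddr" field may be redacted as it is in the issue, and uses constructed sample lines, documentation-range IPs and an arbitrary 5-in-10-minutes threshold.

```python
"""Triage "Two-factor challenge failed" warnings in nextcloud.log.

Added example, not part of the issue or of nextcloud/twofactor_totp.
Assumes the record shape of the log line quoted in the issue; sample
lines, IP addresses and the burst threshold are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nextcloud log levels as used by config.php "loglevel" and the "level" field.
LEVEL_NAMES = {0: "debug", 1: "info", 2: "warning", 3: "error", 4: "fatal"}

# The message carries account and IP as free text; "remoteAddr" may be redacted,
# so the IP is taken from the message rather than from that field.
MSG_RE = re.compile(
    r"^Two-factor challenge failed: (?P<user>.+?) \(Remote IP: (?P<ip>[^)]+)\)$"
)


def parse_failures(lines):
    """Return failed 2FA challenge records (as dicts) found in nextcloud.log lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting triage
        m = MSG_RE.match(rec.get("message", ""))
        if not m or rec.get("app") != "core":
            continue
        out.append({
            "time": datetime.fromisoformat(rec["time"]),  # "2024-07-10T13:17:14-07:00"
            "level": LEVEL_NAMES.get(rec.get("level"), str(rec.get("level"))),
            "user": m.group("user"),
            "ip": m.group("ip"),
            "url": rec.get("url"),
        })
    return out


def bursts(failures, window=timedelta(minutes=10), threshold=5):
    """Map (user, ip) -> max number of failures seen inside one sliding window.

    Only pairs reaching `threshold` are returned, so a few scattered typos
    over a day are not flagged while a run of guesses in ten minutes is.
    """
    by_key = defaultdict(list)
    for f in failures:
        by_key[(f["user"], f["ip"])].append(f["time"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def _sample_line(time, message):
    """Constructed nextcloud.log record in the shape quoted in the issue."""
    return json.dumps({
        "reqId": "constructed", "level": 2, "time": time,
        "remoteAddr": "REMOVED SENSITIVE VALUE", "user": "REMOVED SENSITIVE VALUE",
        "app": "core", "method": "POST", "url": "/login/challenge/totp",
        "message": message, "userAgent": "constructed", "version": "29.0.3.4",
        "data": {"app": "core"},
    })


# Constructed sample log: one typo by alice, six guesses against bob in five
# minutes, one unrelated core warning and one line of garbage.
SAMPLE_LOG = [
    _sample_line("2024-07-10T13:17:14-07:00",
                 "Two-factor challenge failed: alice@example.com (Remote IP: 198.51.100.23)"),
] + [
    _sample_line(f"2024-07-10T13:2{i}:00-07:00",
                 "Two-factor challenge failed: bob@example.com (Remote IP: 203.0.113.9)")
    for i in range(6)
] + [
    _sample_line("2024-07-10T13:30:00-07:00", "Login failed: carol (Remote IP: 203.0.113.9)"),
    "not json at all",
]

if __name__ == "__main__":
    for (user, ip), n in bursts(parse_failures(SAMPLE_LOG)).items():
        print(f"{n} failed TOTP challenges for {user} from {ip} within 10 minutes")
```

Run it against a real file with `parse_failures(open("data/nextcloud.log"))`; if the message is later demoted to info or debug, the same filter still works as long as config.php "loglevel" is lowered far enough for the record to be written at all.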

197788 commented 2 months ago

I realize that this was reported as issue #1528. This is IMO a clearer explanation of how to trigger the error message.

197788 commented 1 month ago

For the record, this error still occurs in Nextcloud 29.0.4.

  • Enter your username, then password. When you get the prompt to input your TOTP code, deliberately enter a wrong TOTP code (to force trigger the error message).

  • Now your log will have an error message.

I think this should show up as Info or Debug message, not an Error.