passbolt / go-passbolt-cli

A CLI tool to interact with Passbolt, an Open source Password Manager for Teams
https://passbolt.com
MIT License

MFA not working with APP_BASE set to something #59

Open droscy opened 3 months ago

droscy commented 3 months ago

Describe the bug: Hello, I'm trying to access my self-hosted installation of passbolt with go-passbolt-cli and I'm always receiving the following error, whatever method I set in --mfaMode:

Error: Logging in: Getting CSRF Token: Error API JSON Response Status: Message: MFA authentication is required., Body: {"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}

My passbolt is started with APP_BASE set to /passbolt and if I comment out APP_BASE the MFA works correctly.

To Reproduce: Just start passbolt with the APP_BASE environment variable set to /passbolt, for example with docker:

services:
  passbolt:
    container_name: passbolt
    image: passbolt/passbolt:4.9.0-1-ce
    restart: unless-stopped
    environment:
      APP_BASE: "/passbolt"
      [...]

Output when using --debug (you should censor this):

If I masked too much in the below output please let me know.

[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/auth/login.json?api-version=v2
[go-passbolt] Raw Request: {"gpg_auth":{"keyid":"*****"}}
[go-passbolt] Raw Response: {"header":{"id":"01df63b6-8135-42c1-ad9d-3aeef933a011","status":"error","servertime":1723212746,"action":"a3c19ad2-8920-5395-86d0-8567cb34f382","message":"The authentication failed.","url":"\/passbolt\/auth\/login.json?api-version=v2","code":200},"body":null}
[go-passbolt] Got Encrypted Auth Token: -----BEGIN\+PGP\+MESSAGE-----%0A*****%0A-----END\+PGP\+MESSAGE-----%0A
[go-passbolt] Decrypted Auth Token: gpgauthv1.3.0|36|*****|gpgauthv1.3.0
[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/auth/login.json?api-version=v2
[go-passbolt] Raw Request: {"gpg_auth":{"keyid":"*****","user_token_result":"gpgauthv1.3.0|36|*****|gpgauthv1.3.0"}}
[go-passbolt] Raw Response: {"header":{"id":"*****","status":"success","servertime":1723212746,"action":"a3c19ad2-8920-5395-86d0-8567cb34f382","message":"You are successfully logged in.","url":"\/passbolt\/auth\/login.json?api-version=v2","code":200},"body":{"id":"USERID","role_id":"*****","username":"*****","active":true,"deleted":false,"disabled":null,"created":"2023-12-27T14:26:58+00:00","modified":"2024-08-09T14:09:32+00:00","groups_users":[],"profile":{"id":"22095967-fdc5-4ab4-bf02-f9bc8483d24e","user_id":"USERID","first_name":"***","last_name":"***","created":"2023-12-27T14:26:58+00:00","modified":"2024-08-09T14:09:32+00:00","avatar":{"id":"83d06e59-7e14-48b6-af44-140f47dea655","profile_id":"22095967-fdc5-4ab4-bf02-f9bc8483d24e","created":"2023-12-28T08:48:48+00:00","modified":"2024-08-09T14:09:32+00:00","url":{"medium":"https:\/\/server.domain.com:12345\/passbolt\/avatars\/view\/83d06e59-7e14-48b6-af44-140f47dea655\/medium.jpg","small":"https:\/\/server.domain.com:12345\/passbolt\/avatars\/view\/83d06e59-7e14-48b6-af44-140f47dea655\/small.jpg"}}},"gpgkey":{"id":"1da1f556-a521-4356-ba8c-fcb8bebe7430","user_id":"USERID","armored_key":"-----BEGIN PGP PUBLIC KEY BLOCK-----*****-----END PGP PUBLIC KEY BLOCK-----\n","bits":3072,"uid":"NAME \u003C*****\u003E","key_id":"*****","fingerprint":"*****","type":"RSA","expires":null,"key_created":"2023-12-27T14:28:40+00:00","deleted":false,"created":"2023-12-27T14:29:38+00:00","modified":"2023-12-27T14:29:38+00:00"},"role":{"id":"*****","name":"admin","description":"Organization administrator","created":"2012-07-04T13:39:25+00:00","modified":"2012-07-04T13:39:25+00:00"},"last_logged_in":null}}
[go-passbolt] Got Cookies: [passbolt_session=aj2t0ra8of9cvdr9uqjameo1ff; Path=/passbolt/; HttpOnly; Secure; SameSite=Lax]
[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/users/me.json?api-version=v2
[go-passbolt] Raw Response: {"header":{"id":"e3038eac-14c9-42ac-844a-cb04a6ce6058","status":"error","servertime":1723212746,"action":"af9aa2c6-7355-514d-a4a0-3e74de4c0fdb","message":"MFA authentication is required.","url":"\/passbolt\/mfa\/verify\/error.json","code":403},"body":{"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}}
Error: Logging in: Getting CSRF Token: Error API JSON Response Status: Message: MFA authentication is required., Body: {"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}

Passbolt Server Version (please complete the following information):

go-passbolt-cli Version (please complete the following information):

Additional context None

speatzle commented 3 months ago

Hi, I have potentially found the issue. go-passbolt (the library which go-passbolt-cli is built on) checks if MFA is Required by checking if the URL the Server returns on an API Error is equal to /mfa/verify/error.json; changing the Base Path apparently also changes this URL to /passbolt/mfa/verify/error.json according to your logs.

go-passbolt uses the URL instead of the Message for MFA detection because the Message changes based on the Server's default language and used to break MFA on non-English installations.

The Problem is here: https://github.com/passbolt/go-passbolt/blob/e13f484bcbacb8830afe9aa7ad4fb77ee3efbaed/api/api.go#L65 I think the Problem can be solved by simply matching this as a suffix instead of the entire URL.

For now you could temporarily disable MFA on the Account you are using for go-passbolt-cli.
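The detection difference described in the comment above, as an added Go example that is not part of the thread and not go-passbolt's own code: it compares an exact match on the header URL with a suffix match on its path. The function names and sample responses are constructed; only the path /mfa/verify/error.json and the APP_BASE-prefixed URL come from the debug log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Path quoted in the thread; all other names in this file are hypothetical.
const mfaErrorPath = "/mfa/verify/error.json"

// Constructed samples, abbreviated from the header fields in the debug log.
const (
	rootInstall   = `{"header":{"message":"MFA authentication is required.","url":"\/mfa\/verify\/error.json"}}`
	subdirInstall = `{"header":{"message":"MFA authentication is required.","url":"\/passbolt\/mfa\/verify\/error.json"}}`
	loginOK       = `{"header":{"message":"You are successfully logged in.","url":"\/passbolt\/auth\/login.json?api-version=v2"}}`
)

type apiHeader struct {
	Message string `json:"message"`
	URL     string `json:"url"`
}

// parseHeader extracts the "header" object from an API JSON response.
func parseHeader(raw string) (apiHeader, error) {
	var r struct{ Header apiHeader `json:"header"` }
	err := json.Unmarshal([]byte(raw), &r)
	return r.Header, err
}

// exactMatch models the check described in the thread: the whole URL must be equal.
func exactMatch(h apiHeader) bool { return h.URL == mfaErrorPath }

// suffixMatch models the proposed fix: any base path is accepted in front.
// Parsing first drops a query string so only the path is compared.
func suffixMatch(h apiHeader) bool {
	u, err := url.Parse(h.URL)
	if err != nil {
		return false
	}
	return strings.HasSuffix(u.Path, mfaErrorPath)
}

func main() {
	for _, raw := range []string{rootInstall, subdirInstall, loginOK} {
		h, _ := parseHeader(raw)
		fmt.Printf("%-34s exact=%-5v suffix=%v\n", h.URL, exactMatch(h), suffixMatch(h))
	}
}
```

With APP_BASE set, the exact comparison reports no MFA requirement, so the 403 response is handled as an ordinary API error, which matches the error text in the report.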

speatzle commented 3 months ago

I have the fix implemented and login still works with my Passbolt instance. Unfortunately a GitHub Actions change broke the tests and I am short on time today. I hope I can do a release with the fix in the next few days if time permits.

If you are able to compile yourself, testing the fix would be appreciated. You can do so by cloning go-passbolt on the fix_mfa_detection branch and cloning go-passbolt-cli on the main branch, uncommenting the Replace line at the end of go-passbolt-cli's go.mod file and running go build.

droscy commented 3 months ago

Hello @speatzle, many thanks for the fix. I have no knowledge of Go and I don't have a build environment ready, but I'll try to build myself in order to test.

droscy commented 3 months ago

I confirm the fix works, many thanks.