
TOTP 7.0.0 unable to activate, unable to create backupcodes, spinner never stops #1325

Open
Knubbel opened this issue Feb 13, 2023 · 16 comments

Comments

@Knubbel

Knubbel commented Feb 13, 2023

Steps to reproduce

  1. Try to enable TOTP via the UI.

Expected behaviour

The QR code should be shown and the spinner should stop quickly.

Actual behaviour

The spinner never stops rotating.
It is impossible to create backup codes (the spinner there also goes on indefinitely).
It is impossible to log in when TOTP is supposedly active (for this specific user).

Log error:

OCA\TwoFactorTOTP\Exception\NoTotpSecretFoundException: 
/var/www/nextcloud/apps/twofactor_totp/lib/Provider/TotpProvider.php - line 105:
OCA\TwoFactorTOTP\Service\Totp->validateSecret()
/var/www/nextcloud/lib/private/Authentication/TwoFactorAuth/Manager.php - line 268:
OCA\TwoFactorTOTP\Provider\TotpProvider->verifyChallenge("*** sensiti ... *")
/var/www/nextcloud/core/Controller/TwoFactorChallengeController.php - line 182:
OC\Authentication\TwoFactorAuth\Manager->verifyChallenge("*** sensiti ... *")
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 225:
OC\Core\Controller\TwoFactorChallengeController->solveChallenge("*** sensiti ... *")
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 133:
OC\AppFramework\Http\Dispatcher->executeController()
/var/www/nextcloud/lib/private/AppFramework/App.php - line 172:
OC\AppFramework\Http\Dispatcher->dispatch()
/var/www/nextcloud/lib/private/Route/Router.php - line 298:
OC\AppFramework\App::main()
/var/www/nextcloud/lib/base.php - line 1047:
OC\Route\Router->match()
/var/www/nextcloud/index.php - line 36:
OC::handleRequest()

Server configuration

Operating system:

Web server:

Database:

PHP version:

Version: (see admin page)

Updated from an older version or fresh install:

List of activated apps:

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - audioplayer: 3.3.1
  - bruteforcesettings: 2.5.0
  - calendar: 4.2.3
  - camerarawpreviews: 0.8.1
  - circles: 25.0.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.1.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_downloadactivity: 1.15.0
  - files_pdfviewer: 2.6.0
  - files_photospheres: 1.25.2
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - maps: 0.2.4
  - metadata: 0.17.0
  - news: 20.0.1
  - nextcloud_announcements: 1.14.0
  - notes: 4.6.0
  - notifications: 2.13.1
  - notify_push: 0.5.2
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - photos: 2.0.1
  - previewgenerator: 99.99.99
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.3
  - support: 1.8.0
  - survey_client: 1.13.0
  - systemtags: 1.15.0
  - tasks: 0.14.5
  - text: 3.6.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - contactsinteraction: 1.5.0
  - encryption
  - files_external
  - nextcloudpi: 0.0.1
  - suspicious_login
  - user_ldap
@sswirski

sswirski commented Sep 6, 2023

I have exactly the same issue here on Nextcloud version 27.0.2_1.6.43 (as an app on TrueNAS from Charts) and TOTP version 9.0.0:

  1. The app is enabled by admin.
  2. User logs in and tries to enable TOTP in their settings.
  3. The QR code is shown and can be added to 2FA app (Google Authenticator in this case)
  4. The spinner beside "Enable TOTP" never stops spinning
  5. When the user logs out, 2FA is not enabled
  6. When the user logs back in, the checkbox beside "Enable TOTP" is unchecked

Tested with several users, none of them working.

@ChristophWurst
Member

The spinner beside "Enable TOTP" never stops spinning

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html

There's most likely an error in nextcloud.log.

@sswirski

sswirski commented Sep 6, 2023

The log shows:

{"reqId":"auBdqzS7xstdZ2OKk4C8","level":0,"time":"2023-09-06T07:11:47+00:00","remoteAddr":"10.0.81.111","user":"c4f7f426-f9ab-103c-9483-9fa59eb6e605","app":"user_ldap","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e605\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}

immediately after the user clicks the "Enable TOTP" checkbox. Log level is on DEBUG.

Sounds like this is an issue with us using LDAP?

@ChristophWurst
Member

"level":0

It's just a debug notice, not an error.

@sswirski

sswirski commented Sep 6, 2023

Yes, there is no other message in the log. But 2FA doesn't activate and the thing never stops spinning. Or is the log level in Nextcloud not "0 and above", so that I have to set the log level higher than 0?

@ChristophWurst
Member

Log level is fine. 0 means it will log everything.

I suggest inspecting the XHRs in the browser instead. There is a request sent when TOTP is enabled. See if that succeeds and what it returns.

@sswirski

sswirski commented Sep 6, 2023

Hmm, the response looks fine, but there is something weird: the username is a UUID, while Nextcloud and our LDAP use firstname.lastname as the UID. Could it be that usernames are not correctly mapped in NC and that is the issue?

@ChristophWurst
Member

could be

@sswirski

sswirski commented Sep 7, 2023

Really weird, an additional message I got now suggests that the user isn't logged in, even though he clearly is when clicking the checkbox:

{"reqId":"44AXro7NRFw9PHz4YsI9","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"10.0.81.111","user":"--","app":"no app in context","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Current user is not logged in","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[{"file":"/var/www/html/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":96,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\Security\\SecurityMiddleware","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":129,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OCA\\TwoFactorTOTP\\Controller\\SettingsController"],"enable"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OCA\\TwoFactorTOTP\\Controller\\SettingsController","enable",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["twofactor_totp.settings.enable"]]},{"file":"/var/www/html/lib/base.php","line":1071,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/apps/twofactor_totp/settings/enable"]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":161,"message":"Current user is not logged in","exception":{},"CustomMessage":"Current user is not logged in"}}
{"reqId":"YkhIq5nfzVkSKJfOmINp","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"10.0.81.111","user":"--","app":"user_ldap","method":"GET","url":"/login?redirect_url=/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e331\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}
{"reqId":"dnZ9Q44x2guG1CgrtRHt","level":0,"time":"2023-09-06T13:45:11+00:00","remoteAddr":"10.0.81.111","user":"c4f7f426-f9ab-103c-9483-9fa59eb6e331","app":"user_ldap","method":"GET","url":"/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"c4f7f426-f9ab-103c-9483-9fa59eb6e331\",0]","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0","version":"27.0.2.1","data":{"app":"user_ldap"}}

I highly suspect that this has to do with LDAP and incorrect mapping. I'll set up a fresh Nextcloud and pull users again from LDAP to check.
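The log excerpt above is the JSON-lines format nextcloud.log uses, and the entry that matters (the NotLoggedInException) is logged at level 0 just like the harmless LDAP debug notices around it. The triage script below is an added example, not code from Nextcloud or the twofactor_totp app: it parses such lines, keeps entries that are at or above a chosen level or that carry an exception payload, and tolerates unparseable lines (such as an entry that got split across two lines when the log was pasted). The sample lines are constructed after the entries in this thread; reqIds, addresses and UUIDs are placeholders. The level names follow Nextcloud's documented scale (0 debug, 1 info, 2 warning, 3 error, 4 fatal).

```python
"""Triage helper for Nextcloud's JSON-lines nextcloud.log.

Added example, not code from Nextcloud or the twofactor_totp app. Each log
line is one JSON object; "level" follows Nextcloud's scale 0..4. The point:
an entry can carry an exception while still being level 0, so filtering on
level alone hides the NotLoggedInException seen in this issue.
"""
import json

LEVEL_NAMES = {0: "debug", 1: "info", 2: "warning", 3: "error", 4: "fatal"}

# Constructed sample lines modelled on the entries quoted in the issue.
# reqIds, IPs, UUIDs and the third entry are placeholders, not real data.
SAMPLE_LOG = r"""
{"reqId":"req-001","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"192.0.2.10","user":"example-uuid-1","app":"user_ldap","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Calling LDAP function ldap_explode_dn with parameters [\"example-uuid-1\",0]","version":"27.0.2.1","data":{"app":"user_ldap"}}
{"reqId":"req-002","level":0,"time":"2023-09-06T13:45:07+00:00","remoteAddr":"192.0.2.10","user":"--","app":"no app in context","method":"POST","url":"/apps/twofactor_totp/settings/enable","message":"Current user is not logged in","version":"27.0.2.1","exception":{"Exception":"OC\\AppFramework\\Middleware\\Security\\Exceptions\\NotLoggedInException","Message":"Current user is not logged in","Code":401,"Trace":[],"File":"/var/www/html/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php","Line":161}}
{"reqId":"req-003","level":3,"time":"2023-09-06T13:46:00+00:00","remoteAddr":"192.0.2.10","user":"example-uuid-1","app":"twofactor_totp","method":"POST","url":"/login/challenge/totp","message":"No TOTP secret found","version":"27.0.2.1","exception":{"Exception":"OCA\\TwoFactorTOTP\\Exception\\NoTotpSecretFoundException","Message":"","Code":0,"Trace":[]}}
not json at all
"""


def parse_log(text):
    """Parse JSON-lines log text. Returns (entries, skipped_line_count)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # e.g. an entry that was split across two lines
    return entries, skipped


def triage(entries, min_level=2):
    """Keep entries at or above min_level, or any entry carrying an exception."""
    hits = []
    for e in entries:
        level = int(e.get("level", 0))
        exc = e.get("exception")
        if level < min_level and not exc:
            continue
        hits.append({
            "reqId": e.get("reqId"),
            "level": LEVEL_NAMES.get(level, str(level)),
            "user": e.get("user"),
            "url": e.get("url"),
            "message": e.get("message"),
            "exception": exc.get("Exception") if exc else None,
            "code": exc.get("Code") if exc else None,
        })
    return hits


def summarize(text, min_level=2):
    """Parse and triage in one call; returns counts plus the interesting entries."""
    entries, skipped = parse_log(text)
    return {"total": len(entries), "skipped": skipped,
            "hits": triage(entries, min_level)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} entries parsed, {report['skipped']} unparseable line(s)")
    for h in report["hits"]:
        what = h["exception"] or h["message"]
        print(f"[{h['level']}] {h['reqId']} {h['method'] if 'method' in h else ''}{h['url']}: {what} (code {h['code']})")
```

Run it against a real nextcloud.log with `summarize(open("nextcloud.log").read())`; raising `min_level` trims the LDAP debug chatter while exception-bearing entries are still surfaced whatever their level.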

@sswirski

Hmm, it wasn't LDAP. I installed Nextcloud fresh and pulled users from LDAP again with the correct UIDs and it still doesn't work. The spinner keeps spinning, a QR code is generated and can be added to Google Authenticator but if I log out or leave the settings page, 2FA remains disabled.

When clicking the checkbox, only one request is shown in Web Developer Tools -> Network -> XHR: a POST to https://10.0.81.100:9001/apps/twofactor_totp/settings/enable with the response of:

09:22:30.658 XHRPOSThttps://10.0.81.100:9001/apps/twofactor_totp/settings/enable
[HTTP/2 200 OK 103ms]
1
{"state":1,"secret":"xxxxxxxxxxxxxx","qrUrl":"otpauth:\/\/totp\/Nextcloud%3Auser.name%4010.0.81.100%3A9001?secret=xxxxxxxxxxxxxx&issuer=Nextcloud"}

@buhanovserg

Hello!
The problem is related to PHP: it works with the old PHP 8.0; when I install PHP 8.1 and above, it does not work.

@gitwittidbit

gitwittidbit commented May 9, 2024

Hello! The problem is related to PHP: it works with the old PHP 8.0; when I install PHP 8.1 and above, it does not work.

That could well be. I'm on NC 28 with PHP 8.1

Existing TOTP works. But I disabled it for one user and can't reactivate it now.

Any solution in sight?

@ghislain-provost

I ran into the same problem. There was a 5 min difference between my phone time and my server time. Whenever I synced my Debian server time using NTP, 2FA started working again with PHP 8.2 and Nextcloud 29.0.3.
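The clock-drift explanation above is worth seeing in code: a TOTP code is an HMAC over the current 30-second time step, so a server only accepts codes for its own step plus a small window on either side, and a phone that is minutes off produces codes the server never tries. The following is an added example, not code from Nextcloud or the twofactor_totp app; it is written in Python rather than PHP so it runs stand-alone. The demo secret, the timestamp and the ±1 step window are constructed assumptions (the page does not state the app's real tolerance); the RFC test secret is the one from RFC 6238 Appendix B.

```python
"""RFC 6238 TOTP with a verification window, showing why phone/server clock
drift breaks 2FA and why an NTP sync fixes it.

Added example; not code from Nextcloud or the twofactor_totp app. The demo
secret, timestamp and window are constructed assumptions.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds

# Base32 of the ASCII secret "12345678901234567890" from RFC 6238 Appendix B.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed values for the drift demonstration (not from any real account).
DEMO_SECRET = "JBSWY3DPEHPK3PXP"
SERVER_TIME = 1_700_000_000


def _b32_key(secret_b32):
    """Decode a base32 secret, tolerating missing padding and spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(_b32_key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / STEP)."""
    return hotp(secret_b32, int(unix_time) // STEP, digits)


def verify(secret_b32, code, server_time, window=1):
    """Return the step offset at which `code` matches, or None if it does not.

    The server tries its current step and `window` steps on either side.
    A phone whose clock is further off than that produces codes that are
    never tried, so every login fails until the clocks agree again.
    """
    base = int(server_time) // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + delta), code):
            return delta
    return None


def drift_outcome(secret_b32, server_time, phone_skew_seconds, window=1):
    """Simulate a phone whose clock is `phone_skew_seconds` off the server's."""
    code = totp(secret_b32, server_time + phone_skew_seconds)
    return verify(secret_b32, code, server_time, window)


if __name__ == "__main__":
    for skew in (0, 30, -300, 300):
        result = drift_outcome(DEMO_SECRET, SERVER_TIME, skew)
        print(f"phone clock {skew:+5d}s: "
              f"{'accepted at step offset ' + str(result) if result is not None else 'rejected'}")
```

With a ±1 step window the server tolerates well under a minute of skew, so the 5-minute difference reported above lands ten steps away and is rejected every time; widening the window would mask the symptom but also enlarge the replay window for a captured code, which is why keeping the server on NTP is the right fix.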

@buhanovserg

buhanovserg commented Jul 19, 2024

Hello! The problem is related to PHP: it works with the old PHP 8.0; when I install PHP 8.1 and above, it does not work.

That could well be. I'm on NC 28 with PHP 8.1.

Existing TOTP works. But I disabled it for one user and can't reactivate it now.

Is any solution in sight?

Change the system time for 2FA two-factor authentication to work properly!!!

January 14, 2024, time 19 hours 12 minutes

date 202401141912

@buhanovserg

I ran into the same problem. The difference between the time on my phone and the time on the server was 5 minutes. Whenever I synced the time on my Debian server using NTP, 2FA started working again with PHP 8.2 and Nextcloud 29.0.3.

Try changing the system time for 2FA two-factor authentication to work correctly!!!

January 14, 2024, time 19 hours 12 minutes

date 202401141912


7 participants