
2FA is enabled even if User fails to verify with TOTP code

Status: Open. scottsignal opened this issue.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

setup2FA

CLOUDSTACK VERSION

4.19.0.1
CONFIGURATION

N/A

OS / ENVIRONMENT

Ubuntu 22.04 Single-node Management Server MySQL 5.7

SUMMARY

2FA is enabled on a user even if user fails to verify TOTP auth code to enable

STEPS TO REPRODUCE

  1. Create a user that is set to enable 2FA upon login.
  2. Choose either Google Authenticator or Other TOTP and click Setup.
  3. Enter the wrong token by accident and you are kicked back to login.
  4. Try logging in again and you are presented with a 2FA screen; however, you were never successfully enrolled, so TOTP codes do not work.


EXPECTED RESULTS

Account isn't enrolled in 2FA until they verify with a code from their TOTP application.

ACTUAL RESULTS

Account is enrolled in 2FA without a valid TOTP.

scottsignal avatar Jun 28 '24 03:06 scottsignal

There is a similar issue fixed with the PR https://github.com/apache/cloudstack/pull/7972; this is fixed in the 4.18.2 version,

and I've tested it with both 4.19.01 and 4.19.1 environments and it is working fine:

  1. Create a new user "user1"
  2. Enabled "mandate.user.2fa"
  3. Tried log in with user "user1"
  4. Prompted to setup 2FA during the login
  5. Selected "Google Authenticator"
  6. Entered wrong passcode in the verification box and logged out after that
  7. Tried login again with user "user1"
  8. Selected "Google Authenticator", this time entered right passcode and I logged in and 2FA is enabled.

May I know which version of CS environment you are testing? If it is prior to the 4.18.2 version, then you can upgrade your environment and test it again, please.

harikrishna-patnala avatar Jul 01 '24 07:07 harikrishna-patnala

I am reproducing this on 4.19.0.1. This was a fresh install on 4.19 that was upgraded to 4.19.0.1. We have another environment I will try and reproduce it there.

scottsignal avatar Jul 03 '24 13:07 scottsignal

So I managed to reproduce this once and then never again in the other instance. I will keep looking at this; however, I would like to back up to how I discovered this in the first place. I can reproduce another test case in both instances that may help. In your test case above, replace step number six: after clicking the Setup button, accidentally press the back button or exit your browser. I can reproduce it every time this way.

scottsignal avatar Jul 04 '24 00:07 scottsignal

@scottsignal agreed to your point that clicking on the back button is considered as the verification being already done. We need to fix this in the UI.

harikrishna-patnala avatar Jul 09 '24 10:07 harikrishna-patnala

@scottsignal cc @harikrishna-patnala @borisstoyanov @kiranchavala @vladimirpetrov I've tested this with 4.19.1.3 and could not reproduce it. It must have been solved by https://github.com/apache/cloudstack/commit/ef742210b5d05c064253eb6b0bcf76d282572a33

shwstppr avatar Jan 22 '25 12:01 shwstppr

@scottsignal, closing based on @shwstppr's findings; please reopen or create a new issue if this persists after upgrading to 4.19.1 or above.

DaanHoogland avatar Jan 22 '25 13:01 DaanHoogland

@DaanHoogland I'm reopening this for now. I think I missed the reproduction by clicking the back button in the browser on the setup page. I'll check this tomorrow and will either try to create a fix or close it if needed.

shwstppr avatar Jan 22 '25 17:01 shwstppr

@shwstppr I definitely was experiencing [ef74221] when I opened this issue. I can confirm that is fixed; however, I can still reproduce the 2nd issue (back button) that was discovered. I can still reproduce the back button issue on 4.1.3. I can reproduce it in both Edge/Chrome.

Just a note on this. You have to select the provider (Google Authenticator or Other TOTP Authenticators), and click the Setup button to reproduce.

scottsignal avatar Jan 22 '25 17:01 scottsignal

fixed by #10247

DaanHoogland avatar Jan 30 '25 14:01 DaanHoogland