Defect #36814

Can't login in after upgrading to rev. 21486

Added by ChunChang Lo 9 months ago. Updated 17 days ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: Cant reproduce
Affected version:

Description

Hello,

I previously enabled 2fa with Google Authenticator and it worked smoothly.
After upgrading to rev.21486 I can no longer log in with the ga generated code.
The error message is "Invalid or outdated code".
How can I get rid of this?
Is there a way to disable 2fa without logging into Redmine?

thanks.

2022-03-21_20-22-07.png - code shown in GA not accepted by 2fa enabling page (24.9 KB) ChunChang Lo, 2022-03-21 13:23

2022-03-24_11-28-40.png (30.5 KB) ChunChang Lo, 2022-03-24 04:30

2fa.PNG (18.3 KB) Jangwon Han, 2022-11-19 20:58

2fa2.PNG (22.8 KB) Jangwon Han, 2022-11-19 21:19

History

#1 Updated by Go MAEDA 9 months ago

I cannot reproduce the issue for now.

You can forcefully disable two-factor authentication if you can access the console of your Redmine server. Please follow the steps below:

Go to the installation directory of Redmine and start a Rails console.

cd path/to/redmine
bin/rails c -e production

Enter the following lines in the Rails console. The example below disables two-factor authentication for the user 'jsmith'.

user = User.find_by(login: 'jsmith')
require 'redmine/twofa/base'
twofa = Redmine::Twofa::Base.new(user)
twofa.destroy_pairing_without_verify!
exit

#2 Updated by ChunChang Lo 9 months ago

Hello,

The code snippet works.

After disabling 2fa authentication for my account, it asks me to set it up again.
(I enabled this option for administrators when I tried to translate label_required_administrators, see #36606).

After I scanned the QR code in Google Authenticator and entered the code shown in GA, it won't accept the code.
So, it seems that I need to disable this setting too.

Thanks in advance.

[image: 2022-03-21_20-22-07.png - code shown in GA not accepted by 2fa enabling page]

#3 Updated by ChunChang Lo 9 months ago

Hi,

I figured it out.

$ mysql -u myredmineuser -p
Enter password: myredminepassword
MariaDB [(none)]> use redmine
MariaDB [redmine]> update settings set value = 0 where name = 'twofa';

I can log in to my Redmine site again. :)

It is very strange that the 2fa setting page won't accept any code from Google Authenticator & Authy.

#4 Updated by Go MAEDA 9 months ago

ChunChang Lo wrote:

It is very strange that the 2fa setting page won't accept any code from Google Authenticator & Authy.

Are the clocks of your devices correct?

#5 Updated by ChunChang Lo 9 months ago

Go MAEDA wrote:

Are the clocks of your devices correct?

yes, the system time (iphone & pc) is the same. (ntp to the same timezone, Taipei UTC+8).

just tried again, and both google authenticator & authy fail (the 2fa settings page doesn't accept codes from the app).

the error message is the same as '2022-03-21_20-22-07.png'.

BTW, the redmine server uses UTC & all admin accounts use Taipei UTC+8 in the account's preferences.

#6 Updated by ChunChang Lo 9 months ago

Strangely, 2fa can be enabled again after updating to rev.21497.

#7 Updated by Go MAEDA 5 months ago

  • Status changed from New to Closed
  • Resolution set to Cant reproduce

#8 Updated by Jan Catrysse 5 months ago

It seems I have the same issue, I am on 4.2.3-stable.

I never had any issues, and now it seems people can no longer activate 2FA: Code is invalid or outdated.

I observe it DOES work when 2FA is optional and users are using the account settings. If 2FA is required, and users get the forced 2FA prompt, it doesn't work.

I also notice, it does seem to work on my test environment (other servers, same Redmine version). ROTP gem is 6.2.0, other gems are the same version.
Both servers are on CEST and time synced. (Could DST play a role? We activated most accounts before summer time)

Could someone point me in a direction?

#9 Updated by Jan Catrysse 5 months ago

Correction:
The behavior on production seems to be the same for manual or forced 2FA activation.

This morning, multiple users were unable to activate 2FA, and now it only blocks from time to time.
This resembles a time sync issue... but all devices / servers are synchronized perfectly. Timezone is CEST (Belgium)

I tried again on my test environment, same behavior. The code is not working from time to time... but independently of the moment I use the code (beginning, middle or end of the 30 second timeframe)

Could this be a Google Authenticator issue?
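
The comments above turn on the 30-second TOTP step and clock synchronization. As an added illustration (not Redmine's, ROTP's, or any commenter's code), here is a minimal RFC 6238 TOTP generator and verifier in Ruby, using the RFC's published test secret; it shows that a correct code checked outside the server's accepted drift window is reported as invalid, which is why a step-level clock offset between phone and server is the first thing to rule out. The drift_steps parameter and helper names are this example's own assumptions.

```ruby
require 'openssl'

# Minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step), the scheme used by
# Google Authenticator, Authy and Redmine's ROTP-based 2FA. Added illustration,
# not Redmine's or ROTP's own code.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# RFC 6238 Appendix B test secret "12345678901234567890", base32-encoded as an
# authenticator QR code would carry it.
RFC6238_SECRET_B32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze

# Decode the base32 secret from the QR code into raw key bytes.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    BASE32_ALPHABET.index(c).to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
def hotp(key, counter, digits = 6)
  h = OpenSSL::HMAC.digest('sha1', key, [counter].pack('Q>')).bytes
  offset = h[19] & 0x0f
  code = ((h[offset] & 0x7f) << 24) | (h[offset + 1] << 16) |
         (h[offset + 2] << 8) | h[offset + 3]
  format("%0#{digits}d", code % (10**digits))
end

# TOTP: the counter is the number of 30-second steps since the Unix epoch.
def totp(secret_b32, at, step = 30)
  hotp(base32_decode(secret_b32), at.to_i / step)
end

# Constant-time comparison so the verifier leaks nothing about the expected code.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: accept the code for the current step and up to drift_steps
# steps on either side. A correct code whose step falls outside this window is
# exactly what the user sees as "invalid or outdated".
def verify_totp(secret_b32, code, at, drift_steps: 1, step: 30)
  key = base32_decode(secret_b32)
  counter = at.to_i / step
  (-drift_steps..drift_steps).any? { |d| secure_equal?(hotp(key, counter + d), code) }
end
```

With a one-step window, a phone whose clock runs 60 seconds ahead of or behind the server produces codes the server rejects every time, while a 30-second offset only fails near step boundaries, which matches the intermittent behaviour described above.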

#10 Updated by Jangwon Han 17 days ago

Looks like reusing the 2fa scheme is causing the issue.
I made a change like below to resolve the issue. (redmine/app/controllers/application_controller.rb)

Please make sure that you reboot your redmine server after the change.

Thanks.

#11 Updated by Jangwon Han 17 days ago
