
Security issue: twofactor_totp disabled during upgrade w/o any explicit warning #10573

Closed
oddmean opened this issue Aug 7, 2018 · 11 comments

Comments

oddmean commented Aug 7, 2018

Steps to reproduce

  1. Have a running 13.0.5.2 instance w/ twofactor_totp enabled and used by X for security reasons
    1.5 Log in as X, being prompted for TOTP and entering it
  2. Upgrade to 14.0.0 Beta 2 via web-updater
    2.5 See no warnings about 'twofactor_totp' (be lazy enough to watch through the detailed log)
  3. Log into X's account w/ just the password and be surprised
  4. Check if 'twofactor_totp' is enabled and see it disabled
  5. Check if 'twofactor_totp' is an official app and see it IS, but it's incompatible with the current server version running
  6. Check X's mailbox for any precautions or warnings sent from X's NC instance
  7. Think about some basic concepts of InfoSec
@nextcloud-bot (Member)

GitMate.io thinks possibly related issues are #4200 (E-Mail notification "sharebymail" function), #1716 (Notification E-Mail all 30 mins), #6204 (e-mail notifications for activities are not received ), #8523 (Resharing a password protected folder by e-mail leads to an error and incorrect notifications), and #3596 (Email notifications for pending upgrades).

oddmean changed the title from "twofactor_totp disabled during upgrade w/o even e-mail notification" to "Security issue: twofactor_totp disabled during upgrade w/o even e-mail notification" on Aug 7, 2018
oddmean changed the title from "Security issue: twofactor_totp disabled during upgrade w/o even e-mail notification" to "Security issue: twofactor_totp disabled during upgrade w/o any explicit warning" on Aug 7, 2018
oddmean (Author) commented Aug 7, 2018

Should I downgrade to have my security-related inconvenience back?

rullzer (Member) commented Aug 7, 2018

@oddmean there is a bug that prevents the app from showing. But it actually is available for 14, see: https://apps.nextcloud.com/apps/twofactor_totp

Beta 3 on Thursday will have this all fixed and sorted out.

oddmean (Author) commented Aug 7, 2018

@rullzer thank you! But there maybe should be some flag for security-related apps causing them not to be disabled automatically and/or causing the upgrade procedure to show EVIL WARNINGS everywhere.

rullzer (Member) commented Aug 7, 2018

@oddmean we actually improved the 2FA state for 14 (before, providers were stateless). This should make sure that after 14 the state of all your providers is stored in the DB as well, protecting your account even if an app somehow got disabled.
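
The stateless-vs-stateful distinction rullzer describes, as an added illustration that is not Nextcloud's code and makes no claim about how Nextcloud 14 actually implements it: a login path that only asks the providers whose app is currently loaded fails open when the 2FA app is disabled during an upgrade, while a persisted `(user, provider) -> enabled` table lets the login path notice the missing provider and fail closed. The `Provider` class, the `ProviderState` table, the `"blocked"` outcome and the two users are all hypothetical; `"blocked"` is one possible fail-closed policy, chosen here for the example.

```python
"""Stateless vs. stateful second-factor enforcement (constructed example).

If the login path only asks providers whose app is currently loaded, a 2FA
app that gets disabled during an upgrade silently drops the challenge
(fails open). Persisting per-user provider state lets the login path
notice the missing provider and refuse the password-only login instead.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Hypothetical persisted state: (uid, provider_id) -> True if that provider
# is enabled for the user. In a real system this would live in the database.
ProviderState = Dict[Tuple[str, str], bool]


@dataclass
class Provider:
    """Hypothetical 2FA provider; verifying the actual code is out of scope."""
    provider_id: str
    enabled_users: Set[str] = field(default_factory=set)

    def is_enabled_for(self, uid: str) -> bool:
        return uid in self.enabled_users


def stateless_decision(uid: str, loaded: Dict[str, Provider]) -> str:
    """Only providers whose app is loaded get asked. If the 2FA app is not
    loaded, nothing answers and the user proceeds on the password alone."""
    if any(p.is_enabled_for(uid) for p in loaded.values()):
        return "challenge"
    return "password_only"


def record_state(state: ProviderState, uid: str, provider: Provider) -> None:
    """Persist the provider's answer so it survives the app being disabled."""
    state[(uid, provider.provider_id)] = provider.is_enabled_for(uid)


def stateful_decision(uid: str, loaded: Dict[str, Provider],
                      state: ProviderState) -> str:
    """Consult the persisted table first. An enabled provider that is no
    longer loaded blocks the login instead of skipping the challenge; an
    admin then has to re-enable the app or reset the user's second factor."""
    enabled = [pid for (u, pid), on in state.items() if u == uid and on]
    if not enabled:
        return "password_only"
    if any(pid not in loaded for pid in enabled):
        return "blocked"  # fail closed
    return "challenge"


def simulate_upgrade() -> Dict[str, str]:
    """Constructed scenario: alice uses TOTP, bob does not; the TOTP app is
    loaded before the upgrade and disabled as 'incompatible' afterwards."""
    totp = Provider("twofactor_totp", enabled_users={"alice"})
    state: ProviderState = {}
    record_state(state, "alice", totp)
    record_state(state, "bob", totp)
    before = {totp.provider_id: totp}
    after: Dict[str, Provider] = {}  # app disabled during the upgrade
    return {
        "stateless_before": stateless_decision("alice", before),
        "stateless_after": stateless_decision("alice", after),
        "stateful_before": stateful_decision("alice", before, state),
        "stateful_after": stateful_decision("alice", after, state),
        "stateful_bob_after": stateful_decision("bob", after, state),
    }


if __name__ == "__main__":
    for name, outcome in simulate_upgrade().items():
        print(f"{name}: {outcome}")
```

The interesting row is `stateless_after`: with the app gone, the stateless path quietly degrades alice to a password-only login, which is exactly what the reporter observed. The stateful path returns `blocked` for alice while bob, who never enabled a second factor, is unaffected.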

oddmean (Author) commented Aug 7, 2018

@rullzer nevertheless, isn't it strange when an essential security concept (2FA) is just missed in a security/privacy-aimed software's workflow? Maybe some flag (even a binary one) should be added as an app's property (especially for official ones) to stop instances' admins just before they do potentially really wrong things w/o any knowledge of what they really do ("It's just a new version of NC! Let me find out all those cool new features myself and then look at the changelog." So am I.)

oddmean (Author) commented Aug 7, 2018

I've installed twofactor_totp 1.5.0 but still nothing works as expected. I've tried to log in via Firefox's "Private window", Firefox started in a new unprivileged LXC container, and Chromium. All the same: it's enough to enter the correct password and there is no prompt for the OTP.

rullzer (Member) commented Aug 8, 2018

@oddmean yes, I noticed this as well recently. Fixed with #10578, and it will also land in beta3.

oddmean (Author) commented Aug 8, 2018

Thank you, @rullzer. Hope #10578 is not just a crutch. Awaiting Thursday's release. BTW, is there a way to restrict an account from logging in via NC's website frontend while keeping the account's applications working (w/ dedicated passwords for each)?

rullzer (Member) commented Aug 9, 2018

Beta 3 is released.
Please check it out.

rullzer closed this as completed Aug 9, 2018
oddmean (Author) commented Aug 11, 2018

Works like a charm, thank you!
