
Invalid QR code on Edge during first login of a user #1147

Closed
fonias1986 opened this issue Oct 13, 2021 · 42 comments · Fixed by nextcloud/server#29752

Comments

@fonias1986 commented Oct 13, 2021

first login

Steps to reproduce

Expected behaviour

During the first login of a user, MFA is enforced and a QR code is shown for scanning. The user should be able to scan the code in the OTP Auth app and generate codes for login.

Actual behaviour

The problem is that if you scan the QR code during the first login, it says that it is an invalid code. Before, at 22.1, it was working fine. I tested a lot of authenticator apps and all give the same error (invalid QR code). If I disable MFA for this user, the user can log in normally, and if he enables MFA through his security settings, the created QR code works. The problem is with the QR code during the very first login!

Server configuration

Operating system: Linux 5.4.0-65-generic x86_64

Web server: Nginx

Database: Mysql

PHP version: 7.3.27

Version: 22.2.0

Updated from an older version or fresh install: Updated

@ChristophWurst (Member)

I think this is a regression of nextcloud/server#28725, similar to nextcloud/twofactor_nextcloud_notification#551

@mojansch commented Nov 2, 2021

> I think this is a regression of nextcloud/server#28725, similar to nickv-nextcloud/twofactor_nextcloud_notification#551

@ChristophWurst Are you sure, because for me the real QR code does show, but only if the user hasn't generated backup codes before. If a user has generated codes the QR code only says "undefined".

@ChristophWurst (Member)

I'm trying to allocate time to look into this, but failed to find this time so far.

@CanadianBacon754

Same problem here:

Upgraded to 22.2.0. New user logs in for first time, prompted to scan QR Code. Tried scanning QR Code with multiple authenticator apps and they fail to recognize the QR code.

Existing users with TOTP setup still work...

@fonias1986 (Author)

Upgraded today to 22.2.1 and the problem remains...

@ChristophWurst (Member)

The ticket is still open. So yeah, this is not fixed.

@Der-K-2000

I can confirm the issue. One of my new clients is seeing the same failure on 22.2.1 after the first login.

@fonias1986 (Author)

> The ticket is still open. So yeah, this is not fixed.

Christoph, since this is a major issue which affects organisations with a lot of users, do you plan to look into it soon? I know that maybe you are busy with other things, but it seems this cannot work for us anymore for security reasons.

Thanks in advance.

@ChristophWurst (Member)

As I said, I'll look into it. The most probable cause for this regression is linked. Feel free to debug it in the meantime and share your findings with us.

@fonias1986 (Author)

From what I found, the QR code created for TOTP at the first login is invalid... (the scanned barcode did not include a valid account)

@CanadianBacon754 commented Nov 14, 2021

Upgraded to 22.2.2 and problem still remains.

On a side note, the QR code looks smaller / squished to me, which is different from what I'm used to seeing. Anyone else agree with this statement?

EDIT
I've now realized the QR code looks different because it's invalid / not generated properly. Still learning over here :)

@ChristophWurst (Member)

> From what i found is that at the first login the created QR code for TOTP is invalid

Could you check the HTTP response of the request that checks the code? What HTTP status does it return? What does the response body say?

@fonias1986 (Author)

> > From what i found is that at the first login the created QR code for TOTP is invalid
>
> Could you check the HTTP response of the request that checks the code? What HTTP status does it return? What's does the response body say?

I am using the iOS app. How can I debug the app? The only way is to set up Wireshark on my router. Is there any other way to check the response from the mobile OTP Auth app?

@ChristophWurst (Member)

Log in from your desktop browser instead and open the browser console. That will allow you to inspect.

@fonias1986 (Author)

> Log in from your desktop browser instead and open the browser console. That will allow you to inspect.

Already did this. No response while I scan the barcode through the browser.

@ChristophWurst (Member)

But how can the code be invalid then? There must be a request that sends your input to the server.

@Der-K-2000

> But how can the code be invalid then? There must be a request that sends your input to the server.

Maybe there is a misunderstanding. The issue appears BEFORE you interact with the server. BEFORE you verify the 2FA-Code for the first time. The QR-Code itself is broken and the TOTP-App (like Google Authenticator etc.) says after the scan, that there is a problem.

@ChristophWurst (Member)

Right. I'm mixing things up with #1153.

@pohutukawa

The code also seemed very small to me. So I've scanned it with a trusty QR scanner (ZXing) on my phone.

The code's content is undefined (literally). So I suppose there is a JS problem involved reading something that's supposed to be included in the code, but it isn't available. Maybe a change in a JSON structure from a response?

Anyway, I hope that bit of info might help to track down the root cause of the problem.

@ChristophWurst (Member)

It must happen somewhere around

```js
({ secret, qrUrl }) => {
    Logger.info('TOTP secret received')
    this.secret = secret
    this.qrUrl = qrUrl
    this.loading = false
}
```

There should still be a request to /apps/twofactor_totp/settings/enable that fetches the new secret. Something must go wrong there.

@CanadianBacon754 commented Nov 16, 2021

I just upgraded to 22.2.3 and this is now working. I've tested this in Firefox and Chrome and the code generates properly, but does not generate properly in Edge (Version 95.0.1020.53).

Checking the dev tools in Edge, I see the following error:

Refused to execute script from 'https://WEBSITE.com/login/selectchallenge?redirect_url=/core/js/oc.js?v%3D79d760e5' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. (main.js).

When I look at the dev tools in Chrome / Firefox, this message does not appear.

@fonias1986 (Author)

I can confirm that it is working with 22.2.3 in Firefox and Google Chrome, but it is not working with Edge or Safari on mobile. I don't know why :)

> I just upgraded to 22.2.3 and this is now working. I've tested this in Firefox and Chrome and the code generates properly, but does not generate properly in Edge (Version 95.0.1020.53).
>
> Checking the dev tools in Edge, I see the following error:
>
> Refused to execute script from 'https://WEBSITE.com/login/selectchallenge?redirect_url=/core/js/oc.js?v%3D79d760e5' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. (main.js).
>
> When I look at the dev tools in Chrome / Firefox, this message does not appear.

@ChristophWurst (Member)

[Screenshot from 2021-11-17 11-59-54]

^ someone please inspect what this request returns for you. I cannot reproduce.

@ChristophWurst (Member)

> Refused to execute script from 'https://WEBSITE.com/login/selectchallenge?redirect_url=/core/js/oc.js?v%3D79d760e5' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. (main.js).
>
> When I look at the dev tools in Chrome / Firefox, this message does not appear.

Check again. Is it possible that for you some scripts are not loadable? /core/js/oc.js is a valid script. It should be loaded without error.

@fonias1986 (Author)

> [Screenshot from 2021-11-17 11-59-54]
>
> ^ someone please inspect what this request returns for you. I can not reproduce.

In Chrome:

```
{state: 1, secret: "BCARNCFBFTQBM3QB",…}
qrUrl: "otpauth://totp/Local%20Cloud%3Apellakos4%40cloud.pellakos.com?secret=BCARNCFBFTQBM3QB&issuer=Local%20Cloud"
secret: "BCARNCFBFTQBM3QB"
state: 1
```
Code: 200

In Edge:

No response
Code: 302
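The check that the `({ secret, qrUrl }) => ...` callback quoted earlier does not perform, written as an added example in JavaScript (not the twofactor_totp app's own code): it refuses the Edge-style 302 response with no JSON body and any otpauth URL that lacks a Base32 secret, so `undefined` never reaches the QR renderer. The function names, the sample account and the secret are assumptions constructed for this example.

```javascript
// Added example (not code from the twofactor_totp app): check the JSON the
// setup page expects from /apps/twofactor_totp/settings/enable before a QR
// code is rendered from it, so that a 302 redirect with no body can never
// become a QR code whose content is literally "undefined".

const BASE32_RE = /^[A-Z2-7]+=*$/;

// Parse an otpauth://totp/<label>?secret=...&issuer=... URL.
// Returns null for a missing or malformed value (including the string "undefined").
function parseOtpauthUrl(qrUrl) {
  if (typeof qrUrl !== 'string') return null;
  let url;
  try { url = new URL(qrUrl); } catch { return null; }
  if (url.protocol !== 'otpauth:' || url.hostname !== 'totp') return null;
  const label = decodeURIComponent(url.pathname.replace(/^\//, ''));
  const secret = url.searchParams.get('secret');
  const issuer = url.searchParams.get('issuer');
  if (!label || !secret || !BASE32_RE.test(secret)) return null;
  return { label, secret, issuer };
}

// Validate a captured response (status, content type, parsed body) the way the
// setup callback should before trusting `secret` and `qrUrl`.
function validateEnableResponse(res) {
  if (res.status !== 200) {
    return { ok: false, reason: `unexpected HTTP status ${res.status}` };
  }
  if (!/^application\/json/.test(res.contentType || '')) {
    return { ok: false, reason: `not a JSON response: ${res.contentType}` };
  }
  const body = res.body || {};
  if (body.state !== 1 || typeof body.secret !== 'string') {
    return { ok: false, reason: 'secret missing from enable response' };
  }
  const parsed = parseOtpauthUrl(body.qrUrl);
  if (!parsed || parsed.secret !== body.secret) {
    return { ok: false, reason: 'qrUrl missing or does not match secret' };
  }
  return { ok: true, label: parsed.label, secret: body.secret, qrUrl: body.qrUrl };
}

// Constructed samples modelled on the Chrome (200 + JSON) and Edge (302, no
// body) responses reported above; account name and secret are made up.
const chromeResponse = {
  status: 200, contentType: 'application/json; charset=utf-8',
  body: { state: 1, secret: 'JBSWY3DPEHPK3PXP',
    qrUrl: 'otpauth://totp/Example%20Cloud%3Aalice?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Cloud' },
};
const edgeResponse = { status: 302, contentType: 'text/html; charset=utf-8', body: undefined };
console.log(validateEnableResponse(chromeResponse).ok, validateEnableResponse(edgeResponse).reason);
```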

@ChristophWurst changed the title from "Invalid QR code during first login of a user" to "Invalid QR code on Edge during first login of a user" on Nov 17, 2021

@ChristophWurst (Member) commented Nov 17, 2021

First insight is that the generated URL is simply wrong. https://nextcloud.local/login/setupchallenge/index.php/apps/twofactor_totp/settings/enable on Edge vs https://localhost/apps/twofactor_totp/settings/enable on Firefox.

@fonias1986 (Author)

> First insight is that the generated URL is simply wrong. https://nextcloud.local/login/setupchallenge/index.php/apps/twofactor_totp/settings/enable on Edge vs https://localhost/apps/twofactor_totp/settings/enable on Firefox.

Any clue why this is happening?

@ChristophWurst (Member)

GET /core/js/oc.js fails. This request loads configuration parameters into the Nextcloud page. I'll try to debug.

@ChristophWurst (Member)

This is a regression of nextcloud/server#28725

@ChristophWurst (Member)

https://github.com/nextcloud/server/blob/e272ac258ae3a14dd27335e03c7eab1fae355b7b/lib/private/TemplateLayout.php#L234-L239 explains why this only shows with Edge. Edge does not support CSPv3 and therefore we have to load config via a fake script, for the other browsers we can directly inject the js config.

@ChristophWurst (Member)

I just tested with Edge through Sauce Labs and can prove that the issue is gone with nextcloud/server#29752.

Nevertheless I would highly appreciate if someone could test this patch on their production system. You find instructions at https://docs.nextcloud.com/server/latest/admin_manual/issues/applying_patch.html#getting-a-patch-from-a-github-pull-request. Patch your Nextcloud server and the issue should be gone 🙏

@fonias1986 (Author)

> I just tested with Edge through Sauce Labs and can proof that the issue is gone with nextcloud/server#29752.
>
> Nevertheless I would highly appreciate if someone could test this patch on their production system. You find instructions at https://docs.nextcloud.com/server/latest/admin_manual/issues/applying_patch.html#getting-a-patch-from-a-github-pull-request. Patch your Nextcloud server and the issue should be gone 🙏

I can confirm that it is working now with Edge. I patched my server and it is working 📦
Thanks a lot @ChristophWurst

@andreapx commented Jan 2, 2022

I'm having this issue but with all browsers (tried Firefox and Chrome) and on iOS and Android.
My server is running V23.
I can see this address:
<script nonce="" defer="" src="/apps/twofactor_totp/js/main-login-setup.js?v=99cc2523-0"></script>0
For one user the "Your new TOTP secret is:" field is empty.
For another the code is there and it works, but the QR code is still invalid.

@ChristophWurst (Member)

Open a new ticket.

@andreapx commented Jan 3, 2022

> Open a new ticket.

Done: #1172
