login error with NC 21.0.2 #58

Closed
jknockaert opened this issue May 22, 2021 · 20 comments
Labels
bug Something isn't working

Comments

@jknockaert

Since upgrading to NC 21.0.2 logging in with webauthn fails.

@jknockaert jknockaert added the bug Something isn't working label May 22, 2021
@michib
Collaborator

michib commented May 23, 2021

Works on my installation. I can't provide any support if you skip any useful information and ignore the bug template I set up. Feel free to reopen after supplying some more information about the issue.

@michib michib closed this as completed May 23, 2021
@mike2307

I can confirm the exact same issue on my side. After the upgrade to version 21.0.2 (docker) the 2FA login with this extension fails. I have to fall back to TOTP to be able to log in.
What additional information is needed to get this fixed?

@michib
Collaborator

michib commented May 24, 2021

@mike2307 Any help is greatly appreciated. If you could provide the information asked by the bug_report template, it could help to find the issue. Thank you!

@michib michib reopened this May 24, 2021
@mike2307

Describe the bug
After upgrading the nextcloud docker image to version 21.0.2, the 2FA login with twofactor_webauthn fails.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the login page
  2. Login normally with username and password
  3. Select "Webauthn Device" as 2FA method (in case there are more configured)
  4. Wait for Firefox notification
  5. Put finger on 2FA device
  6. See how the process repeats again at step 4.
  7. After a couple of retries, the message "Too many requests" will appear

Expected behavior
2FA login shall be successful after putting finger on device.

Screenshots
n/a

Environment (feel free to add relevant information)

  • Twofactor_Webauthn Version: 0.2.9
  • Nextcloud Version: 21.0.2
  • PHP Version: see https://github.com/nextcloud/docker/
  • Database with Version: mariadb 10.5.10
  • Browser with Version: Firefox 88.0.1
  • OS: Fedora 34

Webauthn Devices

  • Yubikey 5 Nano

Nextcloud error log
172.18.0.2 - - [24/May/2021:20:16:17 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8026 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:19 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 303 772 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:19 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8046 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:22 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 303 772 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:22 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8074 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:24 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 303 772 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:24 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8073 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:26 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 303 772 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:26 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8049 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:28 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 303 772 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:28 +0000] "GET /login/challenge/twofactor_webauthn HTTP/1.1" 200 8066 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:30 +0000] "POST /login/challenge/twofactor_webauthn HTTP/1.1" 429 20034 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
172.18.0.2 - - [24/May/2021:20:16:31 +0000] "GET /apps/firstrunwizard/js/about.js?v=e1355675-0 HTTP/1.1" 200 834 "-" "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"

Browser error log
n/a

Additional context
n/a
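
Added example, not part of the original report or of the app's code: a Python check that finds the pattern in the access log above, where a challenge POST is answered with 303 and the same client immediately gets the challenge page again, ending in 429. The function name, threshold and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

CHALLENGE = "/login/challenge/"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def find_challenge_loops(log_text, min_bounces=3):
    """Flag (client, provider) pairs whose 2FA challenge keeps bouncing.

    A bounce is a challenge POST answered 303 whose very next request from
    the same client is a GET 200 of the same challenge page.
    """
    bounces, throttled = Counter(), set()
    last_post = {}  # client -> provider whose POST was just answered 303
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        # Drop the query string and an optional /index.php front controller.
        path = re.sub(r"^/index\.php", "", path.split("?", 1)[0])
        prev = last_post.pop(client, None)
        if not path.startswith(CHALLENGE):
            continue  # client moved on; a pending POST was not a bounce
        provider = path[len(CHALLENGE):]
        if method == "POST" and status == "303":
            last_post[client] = provider
        elif method == "POST" and status == "429":
            throttled.add((client, provider))
        elif method == "GET" and status == "200" and prev == provider:
            bounces[(client, provider)] += 1
    return {k: {"bounces": n, "throttled": k in throttled}
            for k, n in bounces.items() if n >= min_bounces}

# Constructed sample (documentation addresses, fixed timestamp): one client
# stuck in the loop from the report, one client that logs in normally.
def _line(client, method, path, status):
    return (f'{client} - - [24/May/2021:20:16:17 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 772 "-" "UA"')

URL = CHALLENGE + "twofactor_webauthn"
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "GET", URL, 200)]
    + [_line("203.0.113.5", m, URL, s) for _ in range(5)
       for m, s in (("POST", 303), ("GET", 200))]
    + [_line("203.0.113.5", "POST", URL, 429),
       _line("198.51.100.7", "GET", URL, 200),
       _line("198.51.100.7", "POST", URL, 303),
       _line("198.51.100.7", "GET", "/apps/files/", 200)])

if __name__ == "__main__":
    print(find_challenge_loops(SAMPLE_LOG))
```

When the first log field is a reverse proxy or container gateway address, all users collapse into one client, so key on the forwarded client address if the log format records it.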

@shieldwed

To Reproduce
Same as above but:
4. Same issue occurs with Chromium (where in an additional step a PIN entry is required)
6. The POST request to login/challenge/twofactor_webauthn returns 303 See Other with the same document as Location again

Environment (feel free to add relevant information)

  • Twofactor_Webauthn Version: 0.2.9
  • Nextcloud Version: 21.0.2
  • PHP Version: 7.4.19
  • Database with Version: mariadb 10.5.10
  • Browser with Version: Firefox 88.0.1 / Chromium 90.0.4430.212
  • OS: Arch Linux

Webauthn Devices

  • YubiKey 5 Nano

Nextcloud error log
No related messages even in debug level

Browser error log
no messages hinting any issue with webauthn (there is a challenge message before the login attempt, though)

Additional context
My nextcloud installation is running the official nextcloud docker image https://hub.docker.com/_/nextcloud/ 21-fpm-alpine

@5pr1nz

5pr1nz commented May 28, 2021

Perhaps this might help, too:

{"reqId":"redacted","level":1,"time":"2021-05-24","remoteAddr":"redacted","user":"john.doe","app":"no app in context","method":"POST","url":"/index.php/login/challenge/twofactor_webauthn","message":"Deprecated event type for OCP\\Authentication\\TwoFactorAuth\\IProvider::failed: Symfony\\Component\\EventDispatcher\\GenericEvent is used","userAgent":"Mozilla/5.0","version":"21.0.2.1"}

@michib
Collaborator

michib commented May 28, 2021

Thank you all. I hope I find some time tomorrow to look into the issue, the provided information is a great starting point.
I'm a little bit confused that it works on my test and also production instances of Nextcloud. Sorry for the inconvenience resulting in this bug.

@aryasenna

aryasenna commented May 28, 2021

Hi, chiming in also to confirm this bug on v 21.0.2.
Actually, I got more logs in the actual Nextcloud log.

[index] Error: Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing a query: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '7' for key 'PRIMARY' at <<closure>>

 0. /var/www/cloud/3rdparty/doctrine/dbal/src/Connection.php line 1728
    Doctrine\DBAL\Driver\API\MySQL\ExceptionConverter->convert(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {})
 1. /var/www/cloud/3rdparty/doctrine/dbal/src/Connection.php line 1667
    Doctrine\DBAL\Connection->handleDriverException(Doctrine\DBAL\Driver\PDO\Exception {}, Doctrine\DBAL\Query {})
 2. /var/www/cloud/3rdparty/doctrine/dbal/src/Connection.php line 1146
    Doctrine\DBAL\Connection->convertExceptionDuringQuery(Doctrine\DBAL\Driver\PDO\Exception {}, "INSERT INTO `oc ... )", ["Yubikey","<my username>", ... 7], [2,2,2,2,1])
 3. /var/www/cloud/lib/private/DB/Connection.php line 257
    Doctrine\DBAL\Connection->executeStatement("INSERT INTO `oc ... )", ["Yubikey","<my username here>", ... 7], [2,2,2,2,1])
 4. /var/www/cloud/3rdparty/doctrine/dbal/src/Query/QueryBuilder.php line 213
    OC\DB\Connection->executeStatement("INSERT INTO `oc ... )", {dcValue1: "Yubi ... 7}, {dcValue1: 2,dcV ... 1})
 5. /var/www/cloud/lib/private/DB/QueryBuilder/QueryBuilder.php line 287
    Doctrine\DBAL\Query\QueryBuilder->execute()
 6. /var/www/cloud/lib/public/AppFramework/Db/QBMapper.php line 135
    OC\DB\QueryBuilder\QueryBuilder->execute()
 7. /var/www/cloud/lib/public/AppFramework/Db/QBMapper.php line 159
    OCP\AppFramework\Db\QBMapper->insert(OC\Authenticatio ... 7})
 8. /var/www/cloud/lib/private/Authentication/WebAuthn/CredentialRepository.php line 89
    OCP\AppFramework\Db\QBMapper->insertOrUpdate(OC\Authenticatio ... 7})
 9. /var/www/cloud/lib/private/Authentication/WebAuthn/CredentialRepository.php line 93
    OC\Authentication\WebAuthn\CredentialRepository->saveAndReturnCredentialSource(Webauthn\PublicKeyCredentialSource {}, "default")
10. /var/www/cloud/3rdparty/web-auth/webauthn-lib/src/AuthenticatorAssertionResponseValidator.php line 206
    OC\Authentication\WebAuthn\CredentialRepository->saveCredentialSource(Webauthn\PublicKeyCredentialSource {})
11. /var/www/cloud/lib/private/Authentication/WebAuthn/Manager.php line 235
    Webauthn\AuthenticatorAssertionResponseValidator->check(null, Webauthn\Authent ... {}, Webauthn\PublicK ... {}, GuzzleHttp\Psr7\ServerRequest {}, "<my username>")
12. /var/www/cloud/core/Controller/WebAuthnController.php line 107
    OC\Authentication\WebAuthn\Manager->finishAuthentication(Webauthn\PublicK ... {}, "{\"id\":\"YHDTt ... }", "<my username>")
13. /var/www/cloud/lib/private/AppFramework/Http/Dispatcher.php line 218
    OC\Core\Controller\WebAuthnController->finishAuthentication("{\"id\":\"YHDTt ... }")
14. /var/www/cloud/lib/private/AppFramework/Http/Dispatcher.php line 127
    OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\WebAuthnController {}, "finishAuthentication")
15. /var/www/cloud/lib/private/AppFramework/App.php line 157
    OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\WebAuthnController {}, "finishAuthentication")
16. /var/www/cloud/lib/private/Route/Router.php line 302
    OC\AppFramework\App::main("OC\\Core\\Contr ... r", "finishAuthentication", OC\AppFramework\ ... {}, {_route: "core.W ... "})
17. /var/www/cloud/lib/base.php line 993
    OC\Route\Router->match("/login/webauthn/finish")
18. /var/www/cloud/index.php line 37
    OC::handleRequest()

POST /login/webauthn/finish
from XX.XX.XX.XX at 2021-05-28T21:41:08+00:00

@son1c

son1c commented May 29, 2021

I got a similar issue on my docker installation and on a fresh test setup as I describe here nextcloud/server#27079

But I think the problem is in Nextcloud, because the built-in FIDO2 support doesn't work too

@osm-frasch

I got a similar issue on my docker installation and on a fresh test setup as I describe here nextcloud/server#27079

But I think the problem is in Nextcloud, because the built-in FIDO2 support doesn't work too

I see it the same way. I can also confirm this, as I also use the built-in FIDO2 support. I have also tested this with Firefox/Chromium and Chrome.

@michib
Collaborator

michib commented May 31, 2021

I can confirm that the issue now also occurs on my freshly set up test environment. I also get the 303.

@aryasenna I'm not sure if you have the same issue, but I will look into it.

@aryasenna

@michib thanks for checking.
Do you not have the same logs on your NC? This is also affecting NC core component, it would appear:
nextcloud/server#27079

Also, in my JavaScript console, I get a 500 error, not 303.

@d4g

d4g commented Jun 2, 2021

This is especially frustrating as I cannot disable MFA for a user easily. If a user uses MFA and I disable MFA enforcement, they still cannot use MFA to log in.

@michib michib closed this as completed in 5cc4547 Jun 3, 2021
@michib
Collaborator

michib commented Jun 3, 2021

This bug should be fixed with release 0.2.10.

@aryasenna It was the same issue, I just didn't see the same logs in my test setup. But it was the reason for the bug and hopefully it's fixed right now.

@d4g I'm not quite sure how your comment adds valuable information for helping to solve the issue. I have the impression its target is to build up pressure? But because that wouldn't be nice, hopefully I just got a wrong impression ;-)

@mike2307

mike2307 commented Jun 3, 2021

Confirmed to be working! :)
Thanks a lot.

@isdnfan

isdnfan commented Jun 8, 2021

Just tested successfully using latest docker NC 21.0.2 (version from 04.06.2021) and Two-Factor Webauthn 0.2.10

@osm-frasch

Just tested successfully using latest docker NC 21.0.2 (version from 04.06.2021) and Two-Factor Webauthn 0.2.10

This is about the built-in FIDO2 support. Not the app

@isdnfan

isdnfan commented Jun 8, 2021

Just tested successfully using latest docker NC 21.0.2 (version from 04.06.2021) and Two-Factor Webauthn 0.2.10

This is about the built-in FIDO2 support. Not the app

I'm sorry for mixing the issues, but it looks like both are fixed with 0.2.10 (or NC update).

@aryasenna

@osm-frasch No it is not. This issue is exactly about the twofactor-webauthn app. Please check the github repository name. 😅

The built-in passwordless webauthn is still broken. See:
nextcloud/server#27079

@osm-frasch

@osm-frasch No it is not. This issue is exactly about the twofactor-webauthn app. Please check the github repository name. 😅

The built-in passwordless webauthn is still broken. See:
nextcloud/server#27079

Aaah, I see... this no longer functioning FIDO2 makes me all confused ;-)
