
2FA login error 500 #1250

Closed
tbba opened this issue Sep 23, 2020 · 6 comments

Comments

@tbba

tbba commented Sep 23, 2020

I cannot log in anymore to one of my websites (other PW sites with 2FA and comparable setup work).
ERROR 500
... Invalid base32 string (in /site/modules/TfaTotp/TwoFactorAuth/lib/TwoFactorAuth.php line 190)

Anyone else having this? Is this a rights problem maybe?
(btw. I could log in after removing the TfaTotp with FTP)

PW 3.0.166 / Firefox|Safari Mac TfaTotp 0.0.4

@tbba
Author

tbba commented Sep 24, 2020

I.m.h.o. it would be useful if there were not only the Error 500 but also an email to the admin, so one knows right away what had caused the problem (and maybe with instructions, like temporarily moving the TfaTotp module folder out of modules) to gain back access?

@tbba
Author

tbba commented Sep 25, 2020

OK - I might have found how to fix it, and indirectly it seems to say something just got corrupted here.

Steps to fix:

  1. Via FTP, move TfaTotp out of /modules/
  2. Login and go to User/Profile
  3. While the login session is active, via FTP, move TfaTotp back to /modules/
  4. Disable TfaTotp and Save
  5. Re-enable TfaTotp and Save

I still would recommend more helpful error handling than just throwing some 500. To me, a corrupted keycode was not obvious at first.
And I still don't know what might have corrupted this so badly that it did not show "invalid code" but crashed.

@adrianbj

Another possibly easier way to fix something like this would be to create a new superuser via the API, log in via that, and then disable and re-enable 2FA for the affected user via Access > Users.

@ryancramerdesign
Member

@tbba I've followed this through the code and it looks to me like the way it could happen is if there's a change on the server with regard to its sodium encrypt/decrypt abilities. The server-side secret key for your TFA code is encrypted on the server. If there's a change as to whether or not encryption is or is not possible (with sodium) then it can no longer decrypt your secret key. Likewise, if the secret was saved prior to the server supporting encryption and the webhost added support for it, then it'd be a similar problem. Assuming I've got that right, this is kind of an unlikely scenario, but I will keep an eye out to see if it shows up for anyone else. While it could drop the TFA requirement when that happens, I think security wise it's probably better for it not to, even if it means some manual intervention will be required, like in your case.
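
The failure mode described above, as an added illustration that is not TfaTotp or ProcessWire code: a TOTP secret is stored sodium-encrypted when the server can encrypt and in the clear otherwise, and a loader checks how it was saved and whether it is valid base32 before handing it to a TOTP library. The record layout (`mode` + `data`), the `$sodiumAvailable` flag that simulates the server's encryption state, and the stored mode marker are assumptions for the example; the marker is what lets the loader report a mismatch as a TFA problem instead of failing inside the base32 decoder.

```php
<?php
// Added illustration, not TfaTotp or ProcessWire code. The storage format
// ('mode' + 'data') is assumed; the $sodiumAvailable flag simulates whether the
// server can encrypt. The script itself needs PHP >= 7.2 with sodium bundled.

// Store a base32 TOTP secret, encrypting it when sodium is available.
function storeSecret(string $base32Secret, string $key, bool $sodiumAvailable): array {
    if (!$sodiumAvailable) {
        return ['mode' => 'plain', 'data' => $base32Secret];
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($base32Secret, $nonce, $key);
    return ['mode' => 'sodium', 'data' => base64_encode($nonce . $box)];
}

// RFC 4648 base32 alphabet check: anything else makes a TOTP library throw.
function isValidBase32(string $s): bool {
    return preg_match('/^[A-Z2-7]+=*$/', $s) === 1;
}

// Load the secret; returns [secret or null, diagnostic]. Each failure is
// reported as a TFA problem instead of surfacing as an unexplained 500.
function loadSecret(array $record, string $key, bool $sodiumAvailable): array {
    if ($record['mode'] === 'sodium') {
        if (!$sodiumAvailable) {
            return [null, 'secret is sodium-encrypted but sodium is now unavailable'];
        }
        $raw = base64_decode($record['data'], true);
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $secret = sodium_crypto_secretbox_open($box, $nonce, $key);
        if ($secret === false) {
            return [null, 'stored secret cannot be decrypted; key or sodium state changed'];
        }
    } else {
        $secret = $record['data'];  // saved before encryption was possible
    }
    if (!isValidBase32($secret)) {
        // This is the state the issue reports as "Invalid base32 string".
        return [null, 'stored secret is not valid base32; TFA must be reset for this user'];
    }
    return [$secret, 'ok'];
}

// Constructed scenario: saved while sodium worked, loaded after it stopped working.
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$record = storeSecret('JBSWY3DPEHPK3PXP', $key, true);
[$secret, $why] = loadSecret($record, $key, false);
echo $why, PHP_EOL;
```

Running the constructed scenario logs a TFA-specific diagnostic for the admin; swapping the two flags (saved plain, loaded with sodium present) still loads because the marker records how the secret was saved.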

@tbba
Author

tbba commented Sep 25, 2020

@ryancramerdesign Thanks for the insight into what happens there.

My request was not to lower security, don't get me wrong. I thought, before throwing the error 500, send a mail to the admin, to let him know that the error 500 is not server related, but a dysfunctional TFA code. I spent a day checking what was wrong with the server - the server log showed no entry - when the problem was just a key code. (There was a note in the PW logs though, and I forgot that they are plain text and visible with FTP without being logged in. Lesson learned.)

(We can close this?) - I will create a searchable topic in the forum now, just in case s.o. else has the problem.

@netcarver
Collaborator

@tbba Hi Carl, I've found that adding sentry.io to my live PW sites can be very helpful in finding out about this kind of thing, especially if there happens to be an error with my SMTP setup or something preventing emails going out. I don't want this to sound like an ad for them, but it's pretty easy to integrate with PW as they have a PHP library available that's installable with composer and they offer a free tier.
