Password hash not recognized when using 2fa #490

New Issue

Open

opened 2023-03-04 09:08:25 +00:00 by meaz · 4 comments

meaz commented

2023-03-04 09:08:25 +00:00

Your setup

From source

Extra details

Debian stable

Version

3.5.0-0-g07ccfafd9-develop

PostgreSQL version

What were you trying to do?

I'm trying to set up 2fa, so I go to: https://myinstance.org/settings/mfa

I create recovery codes. Then, I can set up 2fa.

When done, I'm being asked to verify everything, so I have to enter code and password. I press Confirm.

For information, I'm using LDAP.

What did you expect to happen?

When I click on Confirm, it all should be set.

What actually happened?

I get a message Incorrect code or password. Try again. even though my password is right, as I'm able to log in myinstance.org without any problem.

Logs

In firefox console I see this:

XHR POST https://myinstance.org/api/pleroma/accounts/mfa/confirm/totp
[HTTP/1.1 422 Unprocessable Entity 118ms]

I've added:

  multi_factor_authentication: [
    totp: [
      # digits 6 or 8
      digits: 6,
      period: 30
    ],
    backup_codes: [
      number: 5,
      length: 16
    ]
  ],

in akkoma/config.exs as shown here https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/config/config.exs

But it doesn't change anything.

In journalct I see that:

request_id=POE2EA3JIEfmq90AAHKC [error] Password hash not recognized

though my password is right, as I'm able to log in myinstance.org without any problem.

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

I have double-checked and have not found this issue mentioned anywhere.

### Your setup From source ### Extra details Debian stable ### Version 3.5.0-0-g07ccfafd9-develop ### PostgreSQL version 13 ### What were you trying to do? I'm trying to set up 2fa, so I go to: https://myinstance.org/settings/mfa I create recovery codes. Then, I can set up 2fa. When done, I'm being asked to verify everything, so I have to enter code and password. I press Confirm. For information, I'm using LDAP. ### What did you expect to happen? When I click on Confirm, it all should be set. ### What actually happened? I get a message `Incorrect code or password. Try again.` even though my password is right, as I'm able to log in myinstance.org without any problem. ### Logs In firefox console I see this: ```shell XHR POST https://myinstance.org/api/pleroma/accounts/mfa/confirm/totp [HTTP/1.1 422 Unprocessable Entity 118ms] ``` I've added: ``` multi_factor_authentication: [ totp: [ # digits 6 or 8 digits: 6, period: 30 ], backup_codes: [ number: 5, length: 16 ] ], ``` in `akkoma/config.exs` as shown here https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/config/config.exs But it doesn't change anything. In `journalct` I see that: ```shell request_id=POE2EA3JIEfmq90AAHKC [error] Password hash not recognized ``` though my password is right, as I'm able to log in myinstance.org without any problem. ### Severity I cannot use it as easily as I'd like ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.

meaz added the

bug

label 2023-03-04 09:08:25 +00:00

tjw commented

2024-04-18 16:04:25 +00:00

I'm having this same issue and it's one of the key reasons I'm not encouraging people to join my instance.

Oneric commented

2024-04-19 15:46:51 +00:00

Member

@tjw are you also using LDAP and if not which authentication method do you use?

tjw commented

2024-04-19 16:49:17 +00:00

@tjw are you also using LDAP and if not which authentication method do you use?

I'm just using the default (PleromaAuthenticator)

> @tjw are you also using LDAP and if not which authentication method do you use? I'm just using the default (`PleromaAuthenticator`)

Oneric commented

2024-04-19 17:51:05 +00:00

Member

Works for me on current develop. There were no direct changes since 3.12.2, though we did bump various deps since.

In either event, without more details it’s impossible to do anything. First make sure both backend and frontend are updated to latests stable or develop. The try again an collect info; please include

logs from the server
response from the failed API request
Open the network request tab (e.g. in Firefox Ctrl+Shift+E) before trying to set up 2FA and search/filter for mfa.
Save the request and response content of all hits (in case we need it later). For now only include the request and response for the failing api/pleroma/accounts/mfa/confirm/totp API but make sure to filter out your password in the request data. Since it’s time bound keeping the TOTP code should be fine, but if you want, feel free to censor it as long as you retain the same length and only replace digits with other digits.
The decoded QR code but censor its secret parameter (pls preserve the length)
Check the decoded QR code’s secret matches the key show in the frontend
which TOTP program do you use?

Works for me on current develop. There were no direct changes since 3.12.2, though we did bump various deps since. In either event, without more details it’s impossible to do anything. First make sure _both_ backend _and_ frontend are updated to latests stable or develop. The try again an collect info; please include - logs from the server - response from the failed API request Open the network request tab (e.g. in Firefox `Ctrl+Shift+E`) _before_ trying to set up 2FA and search/filter for `mfa`. Save the request and response content of _all_ hits (in case we need it later). For now only include the request and response for the failing `api/pleroma/accounts/mfa/confirm/totp` API but make sure to filter out your password in the request data. Since it’s time bound keeping the TOTP code should be fine, but if you want, feel free to censor it as long as you retain the same length and only replace digits with other digits. - The decoded QR code but censor its `secret` parameter (pls preserve the length) - Check the decoded QR code’s secret matches the key show in the frontend - which TOTP program do you use?