Unable to use 2FA #23

Closed
dnwjn opened this issue Jan 23, 2025 · 9 comments

dnwjn commented Jan 23, 2025

Bug description

We're unable to use 2FA. The first issue is that it seems that after the validity expires (we use the default of 43200), the users are not able to log in anymore, because the 2FA code doesn't work, nor does a recovery code.

Secondly, we're also unable to set up 2FA now. For our own user we removed all 2FA related data from the user in the database. Then, after logging in, we had to set up 2FA again. However, when scanning the QR and entering the code, we get an error:

[image: screenshot of the error, not reproduced here]

Unfortunately, this is currently unusable, forcing us to disable the package.

Weirdly enough, this is only happening in our production environment, not local.

Steps to reproduce

  1. Reset all 2FA related user data from the user in the database, if any
  2. Log in
  3. Try to set up the 2FA

Environment and versions

Environment
Laravel Version: 10.48.25
PHP Version: 8.2.27
Environment: production

Statamic
Addons: 4
Sites: 3
Stache Watcher: Enabled (auto)
Static Caching: Disabled
Version: 5.41.0 PRO

Statamic Addons
mitydigital/statamic-two-factor: 2.3.0
statamic/eloquent-driver: 4.18.0
stoffelio/statamic-404-logger: 1.1.0
superinteractive/statamic-super-link: 1.0.1

Cache
Config: CACHED
Events: CACHED
Routes: CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: redis
Database: mysql
Logs: stack / single
Mail: smtp
Queue: redis
Session: redis

Statamic Eloquent Driver
Asset Containers: file
Assets: eloquent
Blueprints: file
Collection Trees: file
Collections: file
Entries: eloquent
Forms: eloquent
Global Sets: eloquent
Global Variables: file
Navigation Trees: file
Navigations: eloquent
Revisions: eloquent
Sites: file
Taxonomies: file
Terms: eloquent
Tokens: file

Additional details

No response

martyf (Contributor) commented Jan 23, 2025

Can you please provide a repo of the issue, or provide much more detailed instructions on how to reproduce this?

If it is only happening on production, yet works locally, could it be something is misconfigured on your server?

dnwjn (Author) commented Jan 23, 2025

> Can you please provide a repo of the issue, or provide much more detailed instructions on how to reproduce this?
>
> If it is only happening on production, yet works locally, could it be something is misconfigured on your server?

Unfortunately I cannot provide a repo as it's a client project.

Do you have any idea what kind of misconfiguration could affect this? The package used to work, and we can't recall anything that may have affected this.

Edit: I completely understand your need for more detailed steps, but I'm afraid that is all I can give you. In the meantime, we will debug the source code in the production environment to see if we can log anything interesting.

martyf (Contributor) commented Jan 23, 2025

To me it sounds like an issue with the key - if it isn't accepting codes, they rely on the key.

If you are able to find steps to replicate it, please let me know. It's just hard to fix something that we can't replicate.

dnwjn (Author) commented Jan 24, 2025

@martyf It seems to fail here:

```php
! $this->provider->verify(decrypt($user->two_factor_secret), $code)) {
```

When diving deeper, it takes you here: https://github.com/antonioribeiro/google2fa/blob/4e1f0e88c799e6893a02259403063afb64b58249/src/Google2FA.php#L82

When dumping both values that are compared inside hash_equals, the values differ each time:

```json
{"totp":"679485","key":"091484"}
{"totp":"355366","key":"091484"}
{"totp":"701592","key":"091484"}
```

From here I don't know how to continue, as it seems to go wrong in the Google 2FA package.

martyf (Contributor) commented Jan 27, 2025

I still feel this is an issue with your server configuration. The related package is stable, and is also the same package that Laravel Fortify uses: if there were a more widespread issue, I'd expect others to have the issue too and not just with this package, but Fortify too.

Can you confirm that it works as expected locally, with a database?

On your server where you're having problems, can you try something for me, please? When trying to use a code (where they are regularly failing), can you try a fresh code (i.e. 30 seconds of expiry left), a mid-code (i.e. 15 seconds left) and a nearly-expired code (i.e. 2 seconds left)?

I wonder if there's a time sync issue perhaps?
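The comparison dumped above (a server-computed `totp` against the user's submitted `key`, via `hash_equals`) and the time-sync theory can be reproduced offline. This is an added example, not code from this package or from google2fa: it implements RFC 6238 TOTP in Python with the RFC's own test secret, and `skew_tolerated` shows how far an authenticator's clock can drift before the server stops accepting its codes for a given verification window.

```python
import base64
import hashlib
import hmac
import struct

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), base32-encoded
# as it would appear in the QR code. Not a real user secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). `at` is a Unix time."""
    return hotp(secret_b32, at // step)


def verify(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept `code` if it matches the current step or any step within +/- `window`.
    hmac.compare_digest is the constant-time comparison, the equivalent of PHP's hash_equals."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def skew_tolerated(secret_b32: str, skew_seconds: int, at: int, window: int = 1) -> bool:
    """Would a code minted by a device whose clock is off by `skew_seconds`
    still verify on a server whose clock reads `at`?"""
    device_code = totp(secret_b32, at + skew_seconds)
    return verify(secret_b32, device_code, at, window=window)


if __name__ == "__main__":
    now = 1111111109  # RFC 6238 test time
    for skew in (0, 29, 60, 120):
        print(f"device clock off by {skew:4d}s -> accepted: {skew_tolerated(RFC_SECRET_B32, skew, now)}")
```

A server whose clock drifts by more than one 30-second step (with the usual window of one step either side) rejects every code the authenticator produces while a freshly enrolled secret still looks fine, which matches the "all codes fail" symptom.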

martyf (Contributor) commented Feb 4, 2025

Just checking in @dnwjn to see if you had any update to this issue?

martyf self-assigned this Feb 4, 2025

dnwjn (Author) commented Feb 4, 2025

> Just checking in @dnwjn to see if you had any update to this issue?

I haven't had the time yet to test your theory, I should be able to get back to you later this week!

dnwjn (Author) commented Feb 7, 2025

@martyf So here's the weird thing. We left it disabled for a few days, until someone had time to work on it again. That was me today. I started with enabling it again and setting it up, but this time it worked. No changes have been made, no updates have been done, but it just works. I've tested with different timings as you suggested, but all of them worked without any issues.

As I don't have any other leads right now on where to look, and since I don't have any errors, I think we can close this. If it does happen again in the future I will start with the timings, and continue debugging from there.

martyf (Contributor) commented Feb 10, 2025

Thanks for the update... if you encounter this again, I'd be curious to see if those sorts of tweaks and debugging can give any insight into what is happening.

I'll close off this ticket now.
