Comments (13)
I'll dig away - I am wondering if it's somehow something to do with infrastructure that is more complex in prod/staging vs local and demo. I am pretty positive it's going to come down to "my" error somewhere - I'll report back if/when I figure it out! Cheers for the input thus far, even knowing it's not something obvious is good to know.
from twofactorauth.
Hey, just to confirm this does indeed fall under "user error" - no surprises there. A change in our code meant that in actual fact 2 codes were being generated in some environments with the "wrong" one being returned to the user thus never being able to be verified.
Thanks for the suggestions, apologies for the time wasting!
from twofactorauth.
To confirm, you generate a secret successfully, store it in your app of choice but then cannot confirm that the codes that come out of that secret with the same code?
The most basic step is have you verified that the time is correct on all your servers?
from twofactorauth.
Hi @willpower232 thanks for the reply.
I generate the code successfully yes, it's the comparison to the user's 6 digits that is failing on some servers.
I am thinking down the lines of time thing - though the servers all appear to report the same time, same timezone etc.
from twofactorauth.
I don't think timezone should matter, it would be whether the time down to the seconds is correct.
I'd hope you would get an exception or something if a dependency were missing. I guess you could compare the output of php -i from each server to be sure the environments were appropriately similar.
from twofactorauth.
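The point above about the clock needing to be right "down to the seconds" is easy to see with a small TOTP (RFC 6238) implementation. The following is an added example, not code from the TwoFactorAuth library or from anyone in this thread: it generates codes for a base32 secret at a given Unix time, verifies a submitted code with a configurable window of adjacent 30-second steps (the library's "discrepancy" idea, here written from scratch), and lists the codes for the neighbouring steps so the same secret can be checked on two servers side by side. The secret used is the published RFC 6238 test-vector key, not a real user secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test key ("12345678901234567890" as ASCII), base32-encoded.
# This is a published test vector, not a real secret.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_base32(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding and lowercase."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = _decode_base32(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_unix: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret_b32, at_unix // period, digits)


def verify_totp(secret_b32: str, submitted: str, at_unix: int,
                period: int = 30, digits: int = 6, discrepancy: int = 1) -> bool:
    """Accept the code if it matches the current step or one within +/- discrepancy steps.

    discrepancy=0 means the server and the user's device must agree on the
    30-second step exactly; a device only a few seconds ahead or behind a step
    boundary will then fail, which is the symptom discussed in this thread.
    """
    for step in range(-discrepancy, discrepancy + 1):
        candidate = totp(secret_b32, at_unix + step * period, period, digits)
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def codes_around(secret_b32: str, at_unix: int, period: int = 30, steps: int = 1) -> dict:
    """Map step offset -> code, useful for comparing two servers' views of one secret."""
    return {s: totp(secret_b32, at_unix + s * period, period) for s in range(-steps, steps + 1)}


if __name__ == "__main__":
    now = int(time.time())
    print("server time:", now, "step:", now // 30)
    for offset, code in codes_around(RFC_SECRET_B32, now).items():
        print(f"step {offset:+d}: {code}")
```

Run the bottom part on each server (with a test secret) and compare the printed step number: if the step differs, the codes differ, and that is the server clock. If the step is identical everywhere but verification still fails on some hosts, the problem is not time.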
A diff between the outputs of php -i. I don't THINK I see anything obvious:
diff
from twofactorauth.
Just thinking, if it was a server time thing - would it be expected that users with existing secrets have no issues? Wouldn't their codes be different from what the server is expecting?
from twofactorauth.
The diff looks fine although they have different image libraries so that might be annoying if you're generating QR codes. Although it could be mcrypt related maybe?
I guess the users' devices need to have accurate time as well.
If one user's secret works on a server and another user's does not then the other user's device time must be wrong or they entered the secret incorrectly.
from twofactorauth.
Sadly already ruled out the QR code side by using the generated code rather than the QR code.
Also ruled out user device based on it being my device working against some environments and not others.
I guess I'll keep at it - probably something stupid that is escaping me.
from twofactorauth.
You can see that in spite of mcrypt, it still uses random_bytes where possible
TwoFactorAuth/lib/TwoFactorAuth.php
Lines 333 to 335 in e76f31e
You could ensure that the function is available on both servers to narrow it down.
from twofactorauth.
Yeah, I had put some debugging around that before I started swapping out providers - they were all using CSRNGProvider() by default
from twofactorauth.
Hmm definitely a mystery. I guess you could also verify that the secret being passed to the library was absolutely identical although if it was different then that would be even weirder.
from twofactorauth.
No worries, glad you figured it out! Thanks for letting us know
from twofactorauth.