
Comments (13)

matthewc83 commented on June 23, 2024

I'll dig away - I am wondering if it's somehow something to do with infrastructure that is more complex in prod/staging vs local and demo. I am pretty positive it's going to come down to "my" error somewhere - I'll report back if/when I figure it out! Cheers for the input thus far, even knowing it's not something obvious is good to know.

from twofactorauth.

matthewc83 commented on June 23, 2024

Hey, just to confirm this does indeed fall under "user error" - no surprises there. A change in our code meant that in actual fact 2 codes were being generated in some environments with the "wrong" one being returned to the user thus never being able to be verified.

Thanks for the suggestions, apologies for the time wasting!

from twofactorauth.

willpower232 commented on June 23, 2024

To confirm, you generate a secret successfully, store it in your app of choice but then cannot confirm that the codes that come out of that secret with the same code?

The most basic step is: have you verified that the time is correct on all your servers?

from twofactorauth.

matthewc83 commented on June 23, 2024

Hi @willpower232 thanks for the reply.
I generate the code successfully yes, it's the comparison to the user's 6 digits that is failing on some servers.
I am thinking down the lines of time thing - though the servers all appear to report the same time, same timezone etc.

from twofactorauth.

willpower232 commented on June 23, 2024

I don't think timezone should matter, it would be whether the time down to the seconds is correct.

I'd hope you would get an exception or something if a dependency were missing. I guess you could compare the output of php -i from each server to be sure the environments were appropriately similar.

from twofactorauth.

matthewc83 commented on June 23, 2024

A diff between the outputs of php -i. I don't THINK I see anything obvious:
diff

from twofactorauth.

matthewc83 commented on June 23, 2024

Just thinking, if it was a server time thing - would it be expected that users with existing secrets have no issues? Wouldn't their codes be different from what the server is expecting?

from twofactorauth.

willpower232 commented on June 23, 2024

The diff looks fine although they have different image libraries so that might be annoying if you're generating QR codes. Although it could be mcrypt related maybe?

I guess the users' devices need to have accurate time as well.

If one user's secret works on a server and another user's does not then the other user's device time must be wrong or they entered the secret incorrectly.

from twofactorauth.

matthewc83 commented on June 23, 2024

Sadly already ruled out the QR code side by using the generated code rather than the QR code.
Also ruled out user device based on it being my device working against some environments and not others.
I guess I'll keep at it - probably something stupid that is escaping me.

from twofactorauth.

willpower232 commented on June 23, 2024

You can see that in spite of mcrypt, it still uses random_bytes where possible:

    if (function_exists('random_bytes')) {
        return $this->rngprovider = new CSRNGProvider();
    }

You could ensure that the function is available on both servers to narrow it down.

from twofactorauth.

matthewc83 commented on June 23, 2024

Yeah, I had put some debugging around that before I started swapping out providers - they were all using CSRNGProvider() by default

from twofactorauth.

willpower232 commented on June 23, 2024

Hmm definitely a mystery. I guess you could also verify that the secret being passed to the library was absolutely identical although if it was different then that would be even weirder.

from twofactorauth.
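
The two checks suggested in this thread (server time correct down to the second, and the secret passed to the library being identical to the one the user enrolled) can be told apart with a standalone RFC 6238 implementation. This is an added example, not code from the thread or from the twofactorauth library; `totp`, `diagnose` and both sample secrets are constructed for illustration, and it assumes HMAC-SHA1, 30-second steps and 6 digits.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets: the RFC 6238 test key, and a different one
# standing in for a second secret generated by mistake during enrolment.
STORED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OTHER_SECRET = "JBSWY3DPEHPK3PXP"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code: a function of the secret and floor(unix_time / step) only.
    Unix time carries no timezone, so only the absolute clock value matters."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def diagnose(stored_secret, user_code, server_time, window=1, search=20, step=30):
    """Explain a verification attempt against the secret the server stored.
    window: steps either side that a verifier would accept.
    search: how far (in steps) to look for a clock-skew explanation."""
    for drift in sorted(range(-search, search + 1), key=abs):
        expected = totp(stored_secret, server_time + drift * step, step)
        if hmac.compare_digest(expected, user_code):
            if abs(drift) <= window:
                return "accepted"
            return f"clock skew: code is {drift:+d} steps from server time"
    # No nearby step matches: the device is almost certainly using another secret.
    return "secret mismatch: no time step near server time yields this code"

if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC 6238 test vectors
    code = totp(STORED_SECRET, now)
    print(diagnose(STORED_SECRET, code, now))        # same secret, same clock
    print(diagnose(STORED_SECRET, code, now + 300))  # server clock 5 min ahead
    print(diagnose(OTHER_SECRET, code, now))         # server stored another secret
```

A "secret mismatch" result on only some environments points at the enrolment path (which secret was stored versus which was shown to the user) rather than at clocks or PHP configuration.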

willpower232 commented on June 23, 2024

No worries, glad you figured it out! Thanks for letting us know

from twofactorauth.
