Incorrect Redirect link when TFA TOTP is set as default method

Created on 20 August 2024, 3 months ago
Updated 21 August 2024, 3 months ago

When allowing TOTP and EOTP and setting the default method to TOTP, but only setting up EOTP, a redirect is improperly displayed.
When allowing TOTP and EOTP and setting the default method to EOTP, but only setting up EOTP, the redirect is not displayed.
When allowing TOTP and EOTP and setting the default method to EOTP, but only setting up TOTP, the redirect is not displayed.

Steps to reproduce

Install drupal/tfa
Install drupal/real_aes
Install drupal/tfa_email_otp

setup encryption key and profile
enable method for TOTP for authenticator apps
enable method for email OTP
set the default authentication method to TOTP

sign in as user requiring tfa setup
setup email OTP but do not set up TOTP for authenticator apps
attempt to log in - the redirect link for "Try one of your other enabled validation methods. TFA Time-based one-time password (TOTP)" will be present even though the user has not set up TOTP for authenticator apps.

Proposed resolution

Add logic to determine if the user has additional methods available and show the link conditionally.
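
The conditional display proposed above, as an added standalone PHP example; it is not code from the issue or from the TFA module. The function name, the plugin IDs and the fallback rule are assumptions. It covers the three cases from the report plus the case where both methods are set up.

```php
<?php
declare(strict_types=1);

/**
 * Decide which validation plugin the login form presents and which
 * "other method" links it may show. All names here are hypothetical;
 * this models the expected behaviour, not the TFA module's code.
 *
 * @param string[] $allowed    Plugin IDs enabled site-wide.
 * @param string   $default    Site-wide default plugin ID.
 * @param string[] $configured Plugin IDs this user has actually set up.
 *
 * @return array{active: ?string, alternates: string[]}
 */
function tfa_example_entry_options(array $allowed, string $default, array $configured): array {
  // Only a method that is both allowed and set up by the user can validate a login.
  $usable = array_values(array_intersect($allowed, $configured));
  if ($usable === []) {
    return ['active' => NULL, 'alternates' => []];
  }
  // Use the site default when the user has it; otherwise fall back to
  // the first method the user did set up (assumed fallback rule).
  $active = in_array($default, $usable, TRUE) ? $default : $usable[0];
  // Link only to usable methods other than the one being shown, so a
  // method the user never enrolled in is never offered.
  $alternates = array_values(array_diff($usable, [$active]));
  return ['active' => $active, 'alternates' => $alternates];
}

// Constructed plugin IDs standing in for the two methods in the report.
$allowed = ['totp', 'email_otp'];

// Each case: [site default, methods the user set up].
$cases = [
  ['totp', ['email_otp']],
  ['email_otp', ['email_otp']],
  ['email_otp', ['totp']],
  ['totp', ['totp', 'email_otp']],
];
foreach ($cases as [$default, $configured]) {
  $r = tfa_example_entry_options($allowed, $default, $configured);
  printf("default=%s configured=[%s] -> active=%s alternates=[%s]\n",
    $default, implode(',', $configured), $r['active'] ?? 'none', implode(',', $r['alternates']));
}
```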

🐛 Bug report
Status

Postponed: needs info

Version

1.0

Component

Code


Comments & Activities

  • Issue created by @mike_mac
  • 🇦🇺Australia mingsong 🇦🇺

    Thanks for reporting.

    I can't reproduce this issue with a brand new installation of Drupal 10.3.2.

    One possible reason is that there is some leftover user data in your database, because the user's TOTP was enabled before.

    The switching TFA method form is created and controlled by the TFA module, not this plugin.

    The code where the switching links are created is at line 269 of /Form/EntryForm.php. See the source code below.

    https://git.drupalcode.org/project/tfa/-/blob/8.x-1.x/src/Form/EntryForm...

    If you still come across this issue with a brand new install, please create a PHPUnit test to reproduce this issue.

  • Status changed to Postponed: needs info 3 months ago
  • 🇦🇺Australia mingsong 🇦🇺