Contrib.social

One setup step remaining, two QR Code Scans required

Open on Drupal.org β†’
Created on 6 October 2024, 3 months ago

Conversation on Slack in #contrib-tfa: https://drupal.slack.com/archives/C7SR7TWMS/p1728082318265809

I have TFA working with Google Auth on my D10 dev site, however when I scan the QR code and enter the verification code, it is successful:

Status message
Application code verified. One setup step remaining.
TFA setup complete.

The page is reloaded and focus is placed back in the verification code box, but won't accept the current TOTP code.

Clicking "Skip and Finish" takes me back to /user/{id}/security/tfa and shows that TFA is setup and working. I can then log out and back in, using TFA and it all works. So yes it works, but that UI won't work on prod. Every user would be super confused.

Disabling TFA and going through the process again, it turns out it wants me to scan the QR, enter the auth code, then scan the QR again and enter a second auth code, leaving me with two identically named Google Authenticator entries with unique codes.

That process gives me the expected:

Status message
TFA setup complete.

Summary: TFA is making me scan the QR code twice, add two Auth code accounts, to consider setup complete.

πŸ› Bug report
Status

Active

Version

1.8

Component

User interface

Created by

πŸ‡ΊπŸ‡ΈUnited States cmarcera

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @cmarcera
  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States cmlara

    Updated issue with reproduction steps.

    It appears this only occurs when setting up a plugin that is not the 'default' plugin type.

    Need to review code to determine what the original intended logic was before evaluating resolutions.

  • Comment about 1 month ago β†’
    πŸ‡©πŸ‡ͺGermany lmoeni

    I came across this issue while using multiple plugin types. I can confirm that this only occurs for the plugin types that are not the default plugin type.
    The user does not get redirected to the overview but instead also has a "Skip and finish" button. When the user clicks on that button, the status message: "Setup of TFA Email one-time password (EOTP) canceled." appears, which suggests that the setup did not happen but it did.

    I removed most of the tfaNextSetupStep() function in a patch, which solved this problem for me. I could not find any further issues without the removed code.

  • Comment about 1 month ago β†’
    πŸ‡΅πŸ‡ΉPortugal tmiguelv

    Hi!

    I found out that the form plugin was not updating when the form was rebuilding.
    I've created a little patch that updates the plugin before the form renders again.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024