ParagonIE\ConstantTime\Encoding dependency not installed from TFA

Created on 8 January 2025, about 2 months ago

Problem/Motivation

We were experiencing the following error on our D10.3.10 site with TFA on 8.x-1.9 (full stack trace to follow in image at bottom):

Error: Class "ParagonIE\ConstantTime\Encoding" not found in Drupal\tfa\Plugin\TfaValidation\TfaTotpValidation->validate() (line 316 of modules/contrib/tfa/src/Plugin/TfaValidation/TfaTotpValidation.php).

Steps to reproduce

The error seems to occur at login on a system set up as per above. It appears to users that have already set up TFA or go to try to set it up when logging in; users who ignore the set up (if TFA is configured that way) get into the system fine. If struggling to reproduce, please see my point below about how this issue may have gone undetected for some time and see if the dependency is installed elsewhere on your system.

Proposed resolution

We fixed it by requiring 'paragonie/constant_time_encoding' on the whole Drupal project, but really it seems to me from reading through the main issue I found vaguely related to the error, 🐛 Class 'Base32\Base32' not found - switch library to paragonie/constant_time_encoding (Fixed), and the other related issues sprouting from/to it (principally TFA issue #2866841 and Google Authenticator issue #2880601) that said dependency should be brought into the codebase just by TFA itself. Hence, I added it to the composer.json and raised a merge request on #2922287, which I will repeat here because that issue is long closed and as a non-maintainer, I can't reopen it. I've tested the fix locally and it works, though I accept there may be some reason currently nebulous to me why it was excluded in the first place or some other better solution - please do let me know if so.

Finally, I did and still do wonder why nobody else has reported the problem we had, that I could find anyway, especially seeing as that closed issue is so many years old now. My only guess so far is that all other projects in similar circumstances already have something else in their codebase pulling in the dependency. Any other ideas? Apologies if I've missed something glaringly obvious and many thanks in advance for any assistance or further info.

Full error:

πŸ› Bug report
Status

Needs review

Version

1.9

Component

Code

Created by


Merge Requests

Comments & Activities

  • Issue created by @seeduardo
  • Pipeline finished with Failed
    about 2 months ago
    Total: 320s
    #389621
  • 🇺🇸 United States cmlara

    Finally, I did and still do wonder why nobody else has reported the problem we had, that I could find anyway, especially seeing as that closed issue is so many years old now

    christian-riesen/otp >= 2.4.0 Requires it as a dependency, likely anyone installing TFA after the change was committed obtained the latest version which pulled the dependency.

  • Ok many thanks for that @cmlara, makes sense - though what doesn't is that without the change I suggested (i.e. adding in the ParagonIE dependency here directly), we get the above-mentioned error in our system, where christian-riesen/otp ISN'T pulling in the ParagonIE dependency and we have to require it in our project-wide composer.json to proceed past login. Is it just because of the specific version number I stipulated? Is that what you mean by 'compatible'? Or something else? I'd be happy to give this more time if I can but any clues where/how to look most certainly welcome.

  • 🇺🇸 United States cmlara

    Is it just because of the specific version number I stipulated? Is that what you mean by 'compatible'?

    Correct. The version chosen needs to not prevent us from installing the newer versions of the otp package.

  • Pipeline finished with Failed
    about 2 months ago
    Total: 407s
    #392102
  • Ok thanks. To clarify further to anyone else trying to follow this too, I'll try to explain further below, where for ease of reading OTP = christian-riesen/otp and CTE = paragonie/constant_time_encoding:

    I think what @cmlara was trying to tell me is that even though TFA on the 8.x-1.x branch is currently pulling in OTP version 2.1, from version 2.4 OTP itself requires the same package my change was about, namely CTE. However, I was trying to get TFA to use version 3.0 of CTE, whereas OTP only specifies to use version 1.0 or 2.0, not any other. Even though version 3.0 of CTE solved the original problem for me and didn't cause any clashes right now, it would prevent the use of OTP from version 2.4 onwards in the future - so I simply downgraded the version of CTE required by TFA to 2.0 and updated the merge request, then retested - all was well with that on my end and I therefore hope that's right overall.

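The version-constraint reasoning in the last comment, as an added check script in Python (not code from the TFA project or from anyone in this thread): it reduces Composer caret constraints to the major versions they allow, reports whether a candidate constraint for CTE can coexist with the one OTP places on it from 2.4 onward, and scans a constructed composer.lock excerpt to answer "is the dependency already pulled in elsewhere?". The OTP constraint `^1|^2` is assumed from the discussion rather than read from the package; the lock data is constructed.

```python
import json
import re

# Constraint OTP places on CTE from 2.4.0 onward, as described in the thread
# (assumed to be "^1|^2"; confirm against the installed package's composer.json).
OTP_CTE_CONSTRAINT = "^1|^2"

# Constructed composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "christian-riesen/otp", "version": "2.4.0",
     "require": {"paragonie/constant_time_encoding": "^1|^2"}},
    {"name": "drupal/tfa", "version": "8.x-1.9",
     "require": {"christian-riesen/otp": "^2.1"}},
]})

CARET = re.compile(r"^\^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def caret_majors(constraint):
    """Majors allowed by a caret constraint such as '^2.0' or '^1|^2'.
    Only caret constraints joined by '|' / '||' are handled; '^0.x'
    constraints pin the minor in Composer and are rejected here."""
    majors = set()
    for part in re.split(r"\s*\|\|?\s*", constraint.strip()):
        m = CARET.match(part)
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        if int(m.group(1)) == 0:
            raise ValueError("^0.x needs minor-level comparison")
        majors.add(int(m.group(1)))
    return majors


def compatible(candidate, existing=OTP_CTE_CONSTRAINT):
    """True if at least one major version satisfies both constraints."""
    return bool(caret_majors(candidate) & caret_majors(existing))


def who_requires(lock_json, package):
    """Map each locked package that requires `package` to its constraint."""
    lock = json.loads(lock_json)
    return {p["name"]: p["require"][package]
            for p in lock.get("packages", [])
            if package in p.get("require", {})}


if __name__ == "__main__":
    for cand in ("^3.0", "^2.0", "^1|^2"):
        print(cand, "ok" if compatible(cand) else "CONFLICT with OTP >= 2.4")
    print(who_requires(SAMPLE_LOCK, "paragonie/constant_time_encoding"))
```

Against a real project, `composer depends paragonie/constant_time_encoding` gives the same answer as `who_requires` from the actual lock file.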