ParagonIE\ConstantTime\Encoding dependency not installed from TFA

Created on 8 January 2025, 1 day ago

Problem/Motivation

We were experiencing the following error on our D10.3.10 site with TFA on 8.x-1.9 (full stack trace to follow in image at bottom):

Error: Class "ParagonIE\ConstantTime\Encoding" not found in Drupal\tfa\Plugin\TfaValidation\TfaTotpValidation->validate() (line 316 of modules/contrib/tfa/src/Plugin/TfaValidation/TfaTotpValidation.php).

Steps to reproduce

The error seems to occur at login on a system set up as per above. It appears to users that have already set up TFA or go to try to set it up when logging in; users who ignore the set up (if TFA is configured that way) get into the system fine. If struggling to reproduce, please see my point below about how this issue may have gone undetected for some time and see if the dependency is installed elsewhere on your system.

Proposed resolution

We fixed it by requiring 'paragonie/constant_time_encoding' on the whole Drupal project, but really it seems to me from reading through the main issue I found vaguely related to the error (🐛 Class 'Base32\Base32' not found - switch library to paragonie/constant_time_encoding, Fixed) and the other related issues sprouting from/to it (principally TFA issue #2866841 and Google Authenticator issue #2880601) that said dependency should be brought into the codebase just by TFA itself. Hence, I added it to the composer.json and raised a merge request on #2922287, which I will repeat here because that issue is long closed and as a non-maintainer, I can't reopen it. I've tested the fix locally and it works, though I accept there may be some reason currently nebulous to me why it was excluded in the first place or some other better solution - please do let me know if so.

Finally, I did and still do wonder why nobody else has reported the problem we had, that I could find anyway, especially seeing as that closed issue is so many years old now. My only guess so far is that all other projects in similar circumstances already have something else in their codebase pulling in the dependency. Any other ideas? Apologies if I've missed something glaringly obvious and many thanks in advance for any assistance or further info.

Full error:

πŸ› Bug report
Status

Needs review

Version

1.9

Component

Code

Comments & Activities

  • Issue created by @seeduardo
  • Pipeline finished with Failed
    1 day ago
    Total: 320s
    #389621
  • 🇺🇸 United States cmlara

    Finally, I did and still do wonder why nobody else has reported the problem we had, that I could find anyway, especially seeing as that closed issue is so many years old now

    christian-riesen/otp >= 2.4.0 requires it as a dependency; likely anyone installing TFA after the change was committed obtained the latest version, which pulled in the dependency.

  • Ok many thanks for that @cmlara, makes sense - though what doesn't is that without the change I suggested (i.e. adding in the ParagonIE dependency here directly), we get the above-mentioned error in our system, where christian-riesen/otp ISN'T pulling in the ParagonIE dependency and we have to require it in our project-wide composer.json to proceed past login. Is it just because of the specific version number I stipulated? Is that what you mean by 'compatible'? Or something else? I'd be happy to give this more time if I can but any clues where/how to look most certainly welcome.
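
An added example (not part of the issue thread or of the TFA module's code): a small Python check over a composer.lock that reports whether a package whose classes a module calls directly is declared by that module, only arrives transitively, or is absent. The lock contents, the "1.9.0", "2.3.0" and "2.0.0" version strings and the "*" constraints are constructed for illustration, and the function names are hypothetical.

```python
import json

TARGET = "paragonie/constant_time_encoding"

def make_lock(otp_version, otp_require, tfa_require):
    """Build a constructed composer.lock excerpt (not real package metadata)."""
    packages = [
        {"name": "drupal/tfa", "version": "1.9.0", "require": tfa_require},
        {"name": "christian-riesen/otp", "version": otp_version,
         "require": otp_require},
    ]
    # Composer only locks a package if something in the tree requires it.
    if any(TARGET in p["require"] for p in packages):
        packages.append({"name": TARGET, "version": "2.0.0", "require": {}})
    return json.loads(json.dumps({"packages": packages}))

def dependents(lock, target):
    """Locked packages that list `target` in their own require section."""
    return sorted(p["name"] for p in lock.get("packages", [])
                  if target in p.get("require", {}))

def audit_direct_use(lock, consumer, target):
    """Classify how `consumer` obtains `target`, whose classes it calls directly."""
    pkgs = {p["name"]: p for p in lock.get("packages", [])}
    if consumer not in pkgs:
        raise KeyError(f"{consumer} is not in the lock file")
    via = [d for d in dependents(lock, target) if d != consumer]
    if target not in pkgs:
        status = "missing"          # autoloading the class fails at runtime
    elif target in pkgs[consumer].get("require", {}):
        status = "declared"         # consumer guarantees its own dependency
    else:
        status = "transitive-only"  # works only while `via` keeps requiring it
    return {"status": status, "pulled_in_by": via}

if __name__ == "__main__":
    cases = {
        "older otp locked": make_lock("2.3.0", {}, {"christian-riesen/otp": "*"}),
        "otp 2.4.0 locked": make_lock("2.4.0", {TARGET: "*"},
                                      {"christian-riesen/otp": "*"}),
        "declared by tfa": make_lock("2.3.0", {},
                                     {"christian-riesen/otp": "*", TARGET: "*"}),
    }
    for label, lock in cases.items():
        print(label, audit_direct_use(lock, "drupal/tfa", TARGET))
```

Only the `packages` section is read; a real lock file also has `packages-dev`, which is not installed on production builds.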
