Ability to migrate recovery codes

Coming to accepted codes I think we can not utlize migrated data as in Drupal 7 Accepted codes are stored using this logic

 $hash = hash('sha1', drupal_get_hash_salt() . $code);

As the Accepted code is stored in the form of SHA1 + salt hash . It is highly impossible to reverse the hash and get the original OTP . So It is not possible to verify against the codes used in D7 in D10. I am not sure how to proceed here.

Related Discussions
https://www.drupal.org/project/tfa/issues/3328128#comment-15431448 💬 Migration from Drupal 7 to Drupal 9 Active

Hello @bhanu951

Yes, recovery codes !

Indeed, I see that this handle by the module. Weird, during my tests, recovery codes wasn't migrated.

I am gonna close the thread for now and continue my tests.

Sorry for that.

Re-open.

After checking the TFA User Settings migration process, it appears that the 'tfa_basic_recovery_code' plugin is migrated.

But the recovery codes are not.

This results in the user's TFA configuration contains the tfa_recovery_code plugin.

As a result, when the user logs in, he can use a recovery code plugin but since theses codes are not migrated the form cannot be displayed (the page reloads).

The recovery codes are in the 'tfa_recovery_code' table.

I don't know if we can migrate them. If not, the following code should be remove :

    // Check to see if the user has recovery codes enabled. If so, add it
    // to the plugins array.
    if (isset($decoded_data->plugins[1]) && ($decoded_data->plugins[1] == 'tfa_basic_recovery_code')) {
      $data_plugins['tfa_recovery_code'] = 'tfa_recovery_code';
    }

I didn't get what you mean. Can you share screenshot?

Recovery codes are migrated and are present in users_data table.

If data is migrated properly you will get page to provide TFA code instead of message to setup TFA.

Hi @jibus can you share me sample data from Drupal 7 tfa_recovery_code table?

I don't have sample data or working Drupal 7 site to test the migration for recovery codes.

I wrote a draft version, need to test it.
You can share me 5-6 (or as many as you wish) sample data to process,

Hi @bhanu951, of course

Can you share actual schema data with all the fields data.

Are they grouped by uid or something?

I am sorry, please find the extract of the table.

Hi @jibus, I have pushed the changes, can you test it and let me know if it works ?

As I don't have your Drupal 7 private key I am unable to test decryption.

If the code doesn't work please share me your Drupal 7 private key and values of the backup codes from the site over slack.
So, I can test the decryption.

@jibus, I have made few more changes, now the migration of recovery codes would work properly.

@bhanu951, sorry for the delay.

What's the command to import recovery code ?

migrate:import tfa_migration_recovery_code --update

?

Tried with tfa_migration_totp_seed && tfa_migration_user_settings. Got same results.

I copied the code from your merge request.

> What's the command to import recovery code ?

drush mim tfa_migration_recovery_code

Is the command to migrate recovery codes.