Ability to migrate recovery codes

Created on 13 January 2025, 3 months ago

Problem/Motivation

Currently the module doesn't import recovery codes.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Feature request

Status: Active

Version: 1.0

Component: Code

Created by: 🇫🇷France jibus


Merge Requests

Comments & Activities

  • Issue created by @jibus
  • 🇮🇳India bhanu951

    Coming to accepted codes, I think we cannot utilize migrated data, as in Drupal 7 accepted codes are stored using this logic:

    
     $hash = hash('sha1', drupal_get_hash_salt() . $code);
    
    

    As the accepted code is stored in the form of a SHA1 + salt hash, it is highly impossible to reverse the hash and get the original OTP. So it is not possible to verify against the codes used in D7 in D10. I am not sure how to proceed here.

    Related Discussions
    https://www.drupal.org/project/tfa/issues/3328128#comment-15431448 💬 Migration from Drupal 7 to Drupal 9 Active

  • 🇫🇷France jibus

    Hello @bhanu951

    Yes, recovery codes!

    Indeed, I see that this is handled by the module. Weird, during my tests, recovery codes weren't migrated.

    I am gonna close the thread for now and continue my tests.

    Sorry for that.

  • 🇫🇷France jibus

    Re-open.

    After checking the TFA User Settings migration process, it appears that the 'tfa_basic_recovery_code' plugin is migrated.

    But the recovery codes are not.

    This results in the user's TFA configuration containing the tfa_recovery_code plugin.

    As a result, when the user logs in, he can use a recovery code plugin, but since these codes are not migrated the form cannot be displayed (the page reloads).

    The recovery codes are in the 'tfa_recovery_code' table.

    I don't know if we can migrate them. If not, the following code should be removed:

        // Check to see if the user has recovery codes enabled. If so, add it
        // to the plugins array.
        if (isset($decoded_data->plugins[1]) && ($decoded_data->plugins[1] == 'tfa_basic_recovery_code')) {
          $data_plugins['tfa_recovery_code'] = 'tfa_recovery_code';
        }
  • 🇮🇳India bhanu951

    I didn't get what you mean. Can you share a screenshot?

    Recovery codes are migrated and are present in the users_data table.

    If data is migrated properly you will get a page to provide the TFA code instead of a message to set up TFA.

  • 🇮🇳India bhanu951

    Hi @jibus, can you share with me sample data from the Drupal 7 tfa_recovery_code table?

    I don't have sample data or a working Drupal 7 site to test the migration for recovery codes.

    I wrote a draft version, need to test it.
    You can share with me 5-6 (or as many as you wish) sample data to process.

  • 🇫🇷France jibus

    Hi @bhanu951, of course

  • 🇮🇳India bhanu951

    Can you share the actual schema data with all the fields' data?

    Are they grouped by uid or something?

  • 🇫🇷France jibus

    I am sorry, please find the extract of the table.

  • 🇮🇳India bhanu951

    Hi @jibus, I have pushed the changes, can you test it and let me know if it works?

    As I don't have your Drupal 7 private key I am unable to test decryption.

    If the code doesn't work please share with me your Drupal 7 private key and values of the backup codes from the site over Slack,
    so I can test the decryption.

  • 🇮🇳India bhanu951

    @jibus, I have made a few more changes, now the migration of recovery codes would work properly.

  • 🇫🇷France jibus

    @bhanu951, sorry for the delay.

    What's the command to import recovery codes?

    migrate:import tfa_migration_recovery_code --update

    ?

    Tried with tfa_migration_totp_seed && tfa_migration_user_settings. Got same results.

    I copied the code from your merge request.

  • 🇮🇳India bhanu951

    > What's the command to import recovery codes?

    drush mim tfa_migration_recovery_code

    is the command to migrate recovery codes.
