Email OTP Plugin setup form displayed twice.

Created on 7 July 2025, 3 months ago

Problem/Motivation

Drupal 10.5.1
Using TFA 8.x-1.11 and the TFA Email OTP Plugin 1.0.0-Beta1

When a user is configuring TFA, the Email OTP setup page is displayed more than once.

Steps to reproduce

  1. TFA is set up with TOTP, Email OTP and recovery code plugins. TOTP is the default plugin.
  2. The user has registered, logs in for the first time and proceeds to set up TFA with just the Email OTP plugin.
  3. The Email OTP setup page is displayed and allows the user to tick/confirm "Receive authentication one-time code by email" and then "Save" or "Cancel".
  4. The expectation is that "Save" will save the configuration and the user can continue.
  5. The reality is that the SAME setup page is redisplayed now with a "Save" and a "Skip and Finish" button.
  6. Clicking either button seems to correctly set up the Email plugin and return to the TFA overview.

Note: I don't think there is anything wrong with the Email OTP plugin, so I have posted this here as it's the TFA module calling the plugin twice that's wrong.

Proposed resolution

I have stepped through the code and, although far from certain as to what the intent is, the issue seems to be in TfaSetupForm.php.

At line 217 the function "tfaFullSetupSteps" is called, but this function gets the steps for the default TFA plugin and doesn't care what actual plugin is actually being set up.

So when using the Email OTP this function returns step/s for the TOTP plugin (assuming it is the default) and this seems to confuse things and make the TFA module show the Email OTP setup page again.

My horrible, certainly wrong, hack was to comment out the call to tfaFullSetupSteps and replace with the following...
$steps = [$method];
This just returns the steps of the method passed into the calling function.
It seems to work for us but I'm sure it's wrong really.

Remaining tasks

Please can someone who knows this code review what the intent of the "tfaFullSetupSteps" is and what it should be returning. Blindly returning steps from the default method doesn't seem right at all.

🐛 Bug report
Status

Active

Version

1.11

Component

Code

Created by

🇬🇧 United Kingdom arcaic Milton Keynes


Comments & Activities

  • Issue created by @arcaic
  • 🇬🇧 United Kingdom arcaic Milton Keynes
  • 🇺🇸 United States cmlara

    On a cursory read this appears it may be a duplicate of
    🐛 Full Setup not working on 8.x-1.7 Active / 🐛 One setup step remaining, two QR Code Scans required Active.

    Can you confirm those issues are not related?

    Additionally:

    D.O. has migrated away from patch files.

    In order for tests to run we require all submissions to be in the form of a Merge Request.

    More details may be found at: https://www.drupal.org/docs/develop/git/using-gitlab-to-contribute-to-dr...

  • 🇺🇸 United States cmlara

    No response received.

    Presuming this to be a duplicate as noted in #3

  • Status changed to Closed: duplicate 15 days ago
  • 🇬🇧 United Kingdom Rob230

    I'm not sure whether those other issues are related or not. But the fixes on those issues is not a good one, if anything it's worse.

    After confirming that you want to use email OTP by checking the checkbox "Receive authentication one-time code by email" and clicking "Save", you get redirected to a page which contains first a warning message saying you still need to set up TFA, followed by a status message saying "2 TFA setup steps remain" and a 2nd status message saying "TFA setup complete", and then a form for setting up the default method of OTP with authenticator app.

    This is extremely confusing to anyone trying to set up email OTP.

    The fix in the patch #2 does improve it, though it's still not perfect. It still shows the warning message about TFA not being set up (even though it just has been), but then it says that TFA has been successfully set up and shows the normal page that it should show.

    So that is an acceptable solution, though I'm not thrilled about it being described as a "V sketchy fix" haha.

    I think this needs some serious attention because the TFA set up process when having multiple validation plugins available is clearly broken and most end users have not been able to complete the process because they didn't understand the conflicting messaging.

  • 🇺🇸 United States cmlara

    > I'm not sure whether those other issues are related or not. But the fixes on those issues is not a good one, if anything it's worse.

    You should likely comment on those issues as to why they are not a reasonable fix.

    Additionally be sure to validate that there are not multiple bugs present at the same time (which would be fixed in separate issues).

    > though I'm not thrilled about it being described as a "V sketchy fix" haha.

    When a developer says that, it generally is true. My experience is those types of fixes are a guide for context, however are usually not themselves the solution.

    > TFA set up process when having multiple validation plugins available is clearly broken and most end users have not been able to complete the process because they didn't understand the conflicting messaging.

    Unsure how many are unable to do so (as it took a very long time for anyone to even notice this bug existed and it seems to only occur if you don't set up the 'default' type first), however I agree that there have been issues that continue to need to be solved.
