[Bug 32066] New: User can get stuck on login screen
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Bug ID: 32066 Summary: User can get stuck on login screen Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: jonathan.druart+koha@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Depends on: 30588 To recreate: 1. Set the syspref TwoFactorAuthentication (enforce or enabled) 2. Configure 2FA for a patron 3. Logout 4. Authenticate but don't enter the 2FA code 5. Switch off the syspref (disabled) => Patron is stuck on the login screen (actually can access Same can happens when the patron needs to setup 2FA. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30588 [Bug 30588] Add the option to require 2FA setup on first staff login -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #1 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- This change should fix the problem. diff --git a/C4/Auth.pm b/C4/Auth.pm index b6933e4cc60..8bd13e88e1f 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1784,11 +1784,13 @@ sub check_cookie_auth { $session->param('desk_id'), $session->param('desk_name'), $session->param('register_id'), $session->param('register_name') ); - return ( "additional-auth-needed", $session ) - if $session->param('waiting-for-2FA'); + if ( C4::Context->preference('TwoFactorAuthentication') ne 'disabled' ) { + return ( "additional-auth-needed", $session ) + if $session->param('waiting-for-2FA'); . - return ( "setup-additional-auth-needed", $session ) - if $session->param('waiting-for-2FA-setup'); + return ( "setup-additional-auth-needed", $session ) + if $session->param('waiting-for-2FA-setup'); + } . return ( "ok", $session ); } else { -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #1)
This change should fix the problem.
diff --git a/C4/Auth.pm b/C4/Auth.pm index b6933e4cc60..8bd13e88e1f 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -1784,11 +1784,13 @@ sub check_cookie_auth { $session->param('desk_id'), $session->param('desk_name'), $session->param('register_id'), $session->param('register_name') ); - return ( "additional-auth-needed", $session ) - if $session->param('waiting-for-2FA'); + if ( C4::Context->preference('TwoFactorAuthentication') ne 'disabled' ) { + return ( "additional-auth-needed", $session ) + if $session->param('waiting-for-2FA'); . - return ( "setup-additional-auth-needed", $session ) - if $session->param('waiting-for-2FA-setup'); + return ( "setup-additional-auth-needed", $session ) + if $session->param('waiting-for-2FA-setup'); + } . return ( "ok", $session ); } else {
Note that this diff contains a few strange dots that block applying it directly. No problem. I will have a look now. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 143066 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143066&action=edit Bug 32066: Check 2FA pref in check_cookie_auth Test plan: Without this patch: 1. Set the syspref TwoFactorAuthentication (enforce or enabled) 2. Configure 2FA for a patron 3. Logout 4. Authenticate but don't enter the 2FA code 5. Switch off the syspref (disabled) [via another browser or so] 6. Patron is stuck on the [original] login screen. [Only removing the session cookie would resolve it.] With this patch: 1. Follow the steps above again. But note that you can refresh your browser window to get in now. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|User can get stuck on login |2FA: User can get stuck on |screen |login screen -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|2FA: User can get stuck on |2FA: User could get stuck |login screen |on login screen when | |disabling pref -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|2FA: User could get stuck |2FA: User could get stuck |on login screen when |temporarily on login screen |disabling pref |when disabling pref -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |jonathan.druart+koha@gmail. |ity.org |com -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- I will still have a look at unit testing now. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #143066|0 |1 is obsolete| | --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 143067 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143067&action=edit Bug 32066: Check 2FA pref in check_cookie_auth Test plan: Without this patch: 1. Set the syspref TwoFactorAuthentication (enforce or enabled) 2. Configure 2FA for a patron 3. Logout 4. Authenticate but don't enter the 2FA code 5. Switch off the syspref (disabled) [via another browser or so] 6. Patron is stuck on the [original] login screen. [Only removing the session cookie would resolve it.] With this patch: 1. Follow the steps above again. But note that you can refresh your browser window to get in now. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #1)
- return ( "setup-additional-auth-needed", $session ) - if $session->param('waiting-for-2FA-setup'); + return ( "setup-additional-auth-needed", $session ) + if $session->param('waiting-for-2FA-setup'); + }
I am still thinking about this second case btw. Not sure yet. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #6)
(In reply to Jonathan Druart from comment #1)
- return ( "setup-additional-auth-needed", $session ) - if $session->param('waiting-for-2FA-setup'); + return ( "setup-additional-auth-needed", $session ) + if $session->param('waiting-for-2FA-setup'); + }
I am still thinking about this second case btw. Not sure yet.
The change actually seems to be unneeded. But it is hard to catch why checkauth allows the login if cookie_auth returned: [2022/11/03 10:20:14] [WARN] L853:setup-additional-auth-needed: at /usr/share/koha/C4/Auth.pm line 853. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #7)
(In reply to Marcel de Rooy from comment #6)
(In reply to Jonathan Druart from comment #1)
- return ( "setup-additional-auth-needed", $session ) - if $session->param('waiting-for-2FA-setup'); + return ( "setup-additional-auth-needed", $session ) + if $session->param('waiting-for-2FA-setup'); + }
I am still thinking about this second case btw. Not sure yet.
The change actually seems to be unneeded. But it is hard to catch why checkauth allows the login if cookie_auth returned: [2022/11/03 10:20:14] [WARN] L853:setup-additional-auth-needed: at /usr/share/koha/C4/Auth.pm line 853.
Hmm. What happens is that the q_userid and password are checked again with checkpw and are fine. So login is granted. It seems that checkauth might need more attention in responding to the setup-additional-auth-needed response of cookie_auth? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #9 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 143071 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143071&action=edit Bug 32066: Add unit test to Auth.t Test plan: Run without next patch. Should fail. Run with next patch. Should pass. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #143067|0 |1 is obsolete| | --- Comment #10 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 143072 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143072&action=edit Bug 32066: Check 2FA pref in check_cookie_auth Test plan: Without this patch: 1. Set the syspref TwoFactorAuthentication (enforce or enabled) 2. Configure 2FA for a patron 3. Logout 4. Authenticate but don't enter the 2FA code 5. Switch off the syspref (disabled) [via another browser or so] 6. Patron is stuck on the [original] login screen. [Only removing the session cookie would resolve it.] With this patch: 1. Follow the steps above again. But note that you can refresh your browser window to get in now. 2. Verify that Auth.t passes now too. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #11 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- See my earlier remarks about checkauth and the setup flag. But I agree with this patch. Further refinements might be possible on follow-up reports. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |kyle@bywatersolutions.com |y.org | CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #143071|0 |1 is obsolete| | Attachment #143072|0 |1 is obsolete| | --- Comment #12 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 143263 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143263&action=edit Bug 32066: Add unit test to Auth.t Test plan: Run without next patch. Should fail. Run with next patch. Should pass. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #143263|0 |1 is obsolete| | --- Comment #13 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 143264 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143264&action=edit Bug 32066: Add unit test to Auth.t Test plan: Run without next patch. Should fail. Run with next patch. Should pass. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #14 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 143265 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=143265&action=edit Bug 32066: Check 2FA pref in check_cookie_auth Test plan: Without this patch: 1. Set the syspref TwoFactorAuthentication (enforce or enabled) 2. Configure 2FA for a patron 3. Logout 4. Authenticate but don't enter the 2FA code 5. Switch off the syspref (disabled) [via another browser or so] 6. Patron is stuck on the [original] login screen. [Only removing the session cookie would resolve it.] With this patch: 1. Follow the steps above again. But note that you can refresh your browser window to get in now. 2. Verify that Auth.t passes now too. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |22.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 --- Comment #15 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 22.11. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32066 Bug 32066 depends on bug 30588, which changed state. Bug 30588 Summary: Add the option to require 2FA setup on first staff login https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30588 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org