2FA is enabled even if User fails to verify with TOTP code

[scottsignal]

ISSUE TYPE

• Bug Report

COMPONENT NAME

setup2FA

CLOUDSTACK VERSION

4.19.0.1

CONFIGURATION

N/A

OS / ENVIRONMENT

Ubuntu 22.04
Single-node Management Server
MySQL 5.7

SUMMARY

2FA is enabled on a user even if user fails to verify TOTP auth code to enable

STEPS TO REPRODUCE

Create a user that is set to enable in 2FA upon login
Choose either Google Authenticator or Other TOTP and click Setup
Enter the wrong Token on accident and you are kicked back to login.
Try logging in again and you are presented with a 2FA screen, however, you were never successfully enrolled so TOTP codes do not work.

EXPECTED RESULTS

Account isn't enrolled in 2FA until they verify with a code from their TOTP application

ACTUAL RESULTS

Account is enrolled in 2FA without a valid TOTP

[harikrishna-patnala]

There is a similar issue fixed with the PR #7972 this is fixed in 4.18.2 version

and I've tested it with both 4.19.01 and 4.19.1 environment and it is working fine

1. Create a new user "user1"
2. Enabled "mandate.user.2fa"
3. Tried log in with user "user1"
4. Prompted to setup 2FA during the login
5. Selected "Google Authenticator"
6. Entered wrong passcode in the verification box and logged out after that
7. Tried login again with user "user1"
8. Selected "Google Authenticator", this time entered right passcode and I logged in and 2FA is enabled.

May I know which version of CS environment you are testing ? if it is prior 4.18.2 version then you can upgrade your environment and test it again please.

[scottsignal]

I am reproducing this on 4.19.0.1. This was a fresh install on 4.19 that was upgraded to 4.19.0.1. We have another environment I will try and reproduce it there.

[scottsignal]

So I managed to reproduce this once and then never again in the other instance. I will keep looking at this, however, I would like to back up to how I discovered this in the first place. I can reproduce another test case in both instances that may help. In your test case above replace step number six after clicking the setup button and accidentally press the back button or exit your browser. I can reproduce every time this way.

[harikrishna-patnala]

@scottsignal agreed to your point that clicking on back button is considering as the verification is already done. We need to fix this in UI.

[shwstppr]

@scottsignal cc @harikrishna-patnala @borisstoyanov @kiranchavala @vladimirpetrov I've tested this with 4.19.1.3 and could not reproduce it. It must have been solved by ef74221