mirror of
https://github.com/cypht-org/cypht.git
synced 2026-04-25 21:15:56 +03:00
[GH-ISSUE #227] 2FA should show code as well as QR image #188
Originally created by @justinvoelker on GitHub (Oct 11, 2017).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/227
Originally assigned to: @jasonmunro on GitHub.
When setting up two-factor authentication, the text-based code used to generate the TOTP should be shown as well as the QR code. There are some instances where the QR code cannot be used when setting up an authentication mechanism and the text of that code is used instead.
@jasonmunro commented on GitHub (Oct 12, 2017):
I can easily add the text used to generate the QR code. It's of the format:
otpauth://totp/app:username?secret=secret&issuer=app
Will that work?
@jasonmunro commented on GitHub (Oct 12, 2017):
I'm guessing actually all you need here is the secret value. I will test a bit with that and see if it works
@justinvoelker commented on GitHub (Oct 12, 2017):
Right, just the secret code. When you set up an authentication app (such as
Google Authenticator) you are typically given the choice of either scanning
the QR code or typing in the secret.
Special note, Google Authenticator has special requirements of such
codes--I believe their length must be a power of 2 and there are some
lookalike characters that are not allowed.
@jasonmunro commented on GitHub (Oct 12, 2017):
Thanks for the feedback. I tried just using the secret from the URI used to generate the QR code and it's not working for some reason. Currently we do the following to generate the secret:
So it ends up being a bit long :) Can't explain why manual entry does not work however. I will keep testing.
@justinvoelker commented on GitHub (Oct 24, 2017):
Here's what I am finding. The QR on the page, when read, contains this information:
otpauth://totp/Cypht:justin?secret=XXSAZW...Y2FIII=&issuer=Cypht
(I took out a ton of the remaining characters in the secret)
If I plug that secret (including the = at the end) into my software, I get the exact same TOTP as I do when I scan the QR code. So, that secret, although long, is indeed what is needed. Perhaps there was another reason you were seeing it fail?
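The comparison described in the comment above, as an added example that is not part of the original thread and is not Cypht's code: it parses an otpauth URI of the format quoted earlier, then derives the TOTP once from the secret as carried in the QR payload and once from the same secret retyped by hand (lowercase, grouped, trailing = dropped). The key is constructed sample data, and HMAC-SHA1, 6 digits and a 30-second step are assumed because the URI on the page sets no other parameters.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into (label, secret, issuer)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("URI carries no secret parameter")
    issuer = query.get("issuer", [""])[0]
    return unquote(parts.path.lstrip("/")), query["secret"][0], issuer


def decode_secret(text):
    """Base32-decode a typed secret: ignore spaces, case and '=' padding."""
    cleaned = text.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # restore canonical padding
    return base64.b32decode(cleaned)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed 24-byte key: its Base32 form ends in a single '=' like the thread's.
SAMPLE_KEY = b"constructed-sample-key-0"
SAMPLE_SECRET = base64.b32encode(SAMPLE_KEY).decode()
SAMPLE_URI = f"otpauth://totp/Cypht:justin?secret={SAMPLE_SECRET}&issuer=Cypht"


def compare_entry_paths(uri, unix_time):
    """Return the code from the QR payload and from a hand-typed secret."""
    _, secret, _ = parse_otpauth(uri)
    scanned = totp(decode_secret(secret), unix_time)
    bare = secret.rstrip("=").lower()  # what a user might type manually
    typed_text = " ".join(bare[i:i + 4] for i in range(0, len(bare), 4))
    typed = totp(decode_secret(typed_text), unix_time)
    return scanned, typed
```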
@jasonmunro commented on GitHub (Oct 25, 2017):
I must have been doing something wrong, thanks for the follow up. I will get this added to the UI. I'm also thinking I might add a "short_2fa_secret" option to the 2fa.ini file so you don't have to type in such a huge string. I don't want to change the way it works now since it will not be backwards compatible if I do, but a new option would preserve existing behavior and enable a mode that is a lot more friendly for manual entry :)
@justinvoelker commented on GitHub (Oct 25, 2017):
Certainly don't feel the need to add another option on my account. Honestly, it's probably a rare circumstance that a manual code is needed (nobody has needed one yet) and even more rare that the code couldn't be copy/pasted (which is what I'll be doing with it). I'm all for keeping it simple and just exposing the current code as-is.
@jasonmunro commented on GitHub (Oct 25, 2017):
Adding the shorter option was not difficult, so I went ahead and put it in place. You should now see the code below the QR image. Thanks again for the feedback. Let me know if you run into problems.
@justinvoelker commented on GitHub (Oct 27, 2017):
I'll give it a test in the new docker image. Can you trigger a build on docker hub? I don't want to push a nonsense repo update just to build the image.
Also, I guess for future updates, whenever you want the docker image updated just manually trigger a build. Unless, of course, you've updated options that I need to update on the docker image config file in which case you can either let me know or log an issue on that repo saying "missing setting X in entrypoint" at which point I can update the image.
Thanks again!
@justinvoelker commented on GitHub (Oct 27, 2017):
Another alternative, I guess, would be to incorporate the docker image into this repo (and update docker hub to point here) so that every time you push to this repo the image gets built.
Personally I like keeping them separate but I can see the appeal in combining them.
@jasonmunro commented on GitHub (Oct 27, 2017):
I like keeping it separate actually. I just sent you an E-mail with a curl command you can use to trigger a new build anytime without a dummy commit or asking me. Let me know if you have any issues with it!
@jasonmunro commented on GitHub (Oct 31, 2017):
Closing this because I believe it's resolved, if not feel free to re-open. Thanks!