View Issue Details

ID: 15265
Project: Bug reports
Category: [All Projects] Plugins
View Status: public
Last Update: 2019-09-18 18:00
Reporter: PPRI
Assigned To: cdorin
Priority: none
Severity: minor
Status: assigned
Resolution: open
Product Version: 3.17.x
Target Version:
Fixed in Version:
Summary: 15265: 2FA is not working on Limesurvey CE with a downloaded plug-in
Description

I am using both Limesurvey Professional (Hosted Service by Limesurvey) and Limesurvey CE (installed on our server). 2FA is working fine on Limesurvey Professional but it's not working as expected on Limesurvey CE after installing 2FA plug-in download version 1.0.1, which was released on 2019-05-22.

Steps To Reproduce

After downloading a 2FA plug-in, I copied the whole unzipped folder under the plugins folder on my instance. 2FA Personal settings --> Register 2FA now --> barcode scanned --> confirmationKey typed in --> Click 'Create 2FA binding'. After this, no response at all.

I tried Google Authenticator and Duo but same; both gave no response after clicking Create 2FA binding.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.16+190906
I will donate to the project if issue is resolved: No
Browser: Google Chrome
Database & DB-Version: 359
Server OS (if known): Windows Server 2016
Webserver software & version (if known): IIS 10
PHP Version: 7.3.9

Activities

cdorin

2019-09-12 12:05

manager   ~53560

Using master now + Ubuntu 18.04. Could not reproduce it.

Did you do it for superadmin, or another user?

Perhaps someone with a Windows server can also try it.

I will ping @markusfluer here.

PPRI

2019-09-12 23:11

reporter   ~53562

I tried it as a superadmin.

jljansen

2019-09-13 15:10

reporter   ~53567

I've tested it on Limesurvey version 3.17.13+190824 (Ubuntu 16.04, Apache & MariaDB) with plugin version 1.0.1.

"Register 2FA Now" gives the layover. Both tested with Google Authenticator and Authy in combination with the QR code. If I enter the codes (generated by the apps) it's posted to
domainexample.com/index.php/plugins/direct?plugin=TwoFactorAdminLogin&function=directCallConfirmKey
with the response:
For admin user: {"success":false,"message":"The confirmation key is not correct.","data":[]}
For regular user: {"success":false,"message":"No permission for this","data":[]}

Happy to help you further test this but no idea how to further debug.

PPRI

2019-09-13 17:18

reporter   ~53568

In my case, after clicking 'Create 2FA binding', the circling icon shows up for a second and stops, then nothing happens. It doesn't matter whether the key value is correct or wrong. It seems like it is not communicating at all with the App to verify the confirmation key.

jljansen

2019-09-15 20:54

reporter   ~53574

@PPRI
I also do not see anything in the browser. But via the inspector you can see your request and the server response. It gives an HTTP 200 JSON response with the above messages.
So in Chrome or Firefox press F12 to load the inspector. Click on the network tab, then submit your security code. You'll see your request and response in the network tab!

PPRI

2019-09-18 18:00

reporter   ~53644

It seems like 2FA is not working with Limesurvey Version 3.17.16. 2FA was working on Limesurvey Professional hosting service when it had a previous version. Now it has been upgraded to 3.1.7.16 and it is NOT working on it either.

Issue History

Date Modified | Username | Field | Change
2019-09-10 23:46 | PPRI | New Issue |
2019-09-11 18:02 | cdorin | Assigned To | => cdorin
2019-09-11 18:02 | cdorin | Status | new => assigned
2019-09-12 12:05 | cdorin | Note Added: 53560 |
2019-09-12 23:11 | PPRI | Note Added: 53562 |
2019-09-13 15:10 | jljansen | Note Added: 53567 |
2019-09-13 17:18 | PPRI | Note Added: 53568 |
2019-09-15 20:54 | jljansen | Note Added: 53574 |
2019-09-18 18:00 | PPRI | Note Added: 53644 |