Panic while enrolling in MFA #14144
Comments
Could you find the log before these like |
The panic is occurring here: gitea/routers/user/setting/security_twofa.go Line 192 in d551152
The error implies that Why might this occur? Well it shouldn't be possible to get to this page without that twofaSecret being set within the session as it will be set in So as @lunny suggests, could you check the preceding logs for a If there is not a log line like that then we need to think again but we can't proceed further without knowing if that occurs. |
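The failure mode at the panic site discussed above, next to a checked form, as an added example that is not Gitea's code or part of any comment in this thread. The `session` type, the function names, the sample secret and the choice of HTTP 400 for a missing secret are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// session is a constructed stand-in for a session store whose Get returns
// an untyped value, or nil when the key was never saved.
type session map[string]interface{}

func (s session) Get(key string) interface{} { return s[key] }

var errNoSecret = errors.New("no pending 2FA enrollment in session")

// secretUnchecked is the pattern at the panic site: a type assertion on a
// nil interface value panics at run time.
func secretUnchecked(s session) (string, error) {
	return s.Get("twofaSecret").(string), nil
}

// secretChecked uses the comma-ok form, so a missing or wrongly typed
// value becomes an ordinary error the handler can answer.
func secretChecked(s session) (string, error) {
	secret, ok := s.Get("twofaSecret").(string)
	if !ok || secret == "" {
		return "", errNoSecret
	}
	return secret, nil
}

// status maps the outcome to an HTTP status the way a handler behind a
// recovery middleware would: panic -> 500, missing secret -> 400 (assumed).
func status(get func(session) (string, error), s session) (code int) {
	defer func() {
		if recover() != nil {
			code = http.StatusInternalServerError
		}
	}()
	if _, err := get(s); err != nil {
		return http.StatusBadRequest
	}
	return http.StatusOK
}

func main() {
	empty := session{}                                     // constructed: secret never saved
	enrolled := session{"twofaSecret": "JBSWY3DPEHPK3PXP"} // constructed sample value
	fmt.Println(status(secretUnchecked, empty), status(secretChecked, empty),
		status(secretChecked, enrolled))
}
```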
Apologies for the delay, Christmas and all. I searched the log and found the error log as I had sent originally, but there was no line containing Unable to save changes to session. Frustratingly, after coming back to it today I was able to add the factor successfully. Unfortunately nothing really changed, I started the server under the same conditions as before (in the foreground via CLI) after it had been running since as a system service (same as before). I will close this as I can't reproduce this, and thank you for helping thus far. I will re-open if I manage to encounter it again with a full log. |
I just hit this issue also with 1.13.1. For me, the issue only occurs when |
@ashmckenzie we need the logs if we're going to progress this at all as stated #14144 (comment) |
@zeripath this is what I see in the logs with debugging enabled:
After a bit of trial and error, I discovered when https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/ is installed and the 'Scams' toggle is enabled, this results in the 500 being produced: When I disable the 'Scams' toggle, everything works as expected.
I don't see anything in the logs saying |
I cloned this repo, checked out
Poking around with diff --git a/routers/user/setting/security_twofa.go b/routers/user/setting/security_twofa.go
index 4ee698e15..1f8790c80 100644
--- a/routers/user/setting/security_twofa.go
+++ b/routers/user/setting/security_twofa.go
@@ -18,6 +18,7 @@ import (
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
+ "github.com/davecgh/go-spew/spew"
"github.com/pquerna/otp"
"github.com/pquerna/otp/totp"
)
@@ -131,6 +132,9 @@ func twofaGenerateSecretAndQr(ctx *context.Context) bool {
return false
}
+ secret := ctx.Session.Get("twofaSecret")
+ spew.Dump(secret)
+
// Here we're just going to try to release the session early
if err := ctx.Session.Release(); err != nil {
// we'll tolerate errors here as they *should* get saved elsewhere
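Review bot: `spew.Dump(secret)` right after `ctx.Session.Get("twofaSecret")` prints the TOTP enrollment secret in full to the process's standard output, so this should stay a local debugging aid and not be committed. If a permanent diagnostic is wanted at this point, log only whether the value is present and its type (for example with `%T`) through the already imported `modules/log`, and drop the `go-spew` import added in the first hunk along with it.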
@@ -189,7 +193,10 @@ func EnrollTwoFactorPost(ctx *context.Context, form auth.TwoFactorAuthForm) {
return
}
- secret := ctx.Session.Get("twofaSecret").(string)
+ secretRaw := ctx.Session.Get("twofaSecret")
+ spew.Dump(secretRaw)
+ secret := secretRaw.(string)
+
if !totp.Validate(form.Passcode, secret) {
if !twofaGenerateSecretAndQr(ctx) {
return
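Review bot: `secret := secretRaw.(string)` is the same unchecked type assertion as the removed line, so when `twofaSecret` is missing from the session the handler still panics. Use `secret, ok := secretRaw.(string)` and, on `!ok`, return with an error to the user instead of continuing to `totp.Validate`. The `spew.Dump(secretRaw)` above it also prints the secret and should be removed before this goes beyond a local build.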
So
But is not available in
|
I missed the malwarebytes thing - Is there any way we can not fall foul of this? |
gitea web -c /etc/gitea/app.ini WORK_DIRECTORY=/var/lib/gitea
Description
When attempting to enroll in MFA in a fresh install of Gitea, an HTTP 500 error is shown and the above log is emitted.
This appears to be #13149, however that was resolved on its own. Since it's no longer isolated I figured I should post again.
Edit: This is using the Authy app for TOTP.