entering correct second factor number (2FA pin) after first one was incorrect fails: "User Not Specified: You must select/enter a user."
Categories
(bugzilla.mozilla.org :: User Interface, defect)
Tracking
()
People
(Reporter: aryx, Assigned: dkl)
Details
Attachments
(1 file)
Entering a correct two factor authentication number (2FA pin) after the first one was incorrect fails: "You must select/enter a user."
Steps to reproduce:
0. Have bugzilla.mozilla.org account with two-factor authentication enabled.
- Open https://bugzilla.mozilla.org/home
- If logged in: log out.
- Click at "Log In".
- Enter correct username and password and submit.
- The screen to enter the 2FA token should be shown. Enter an incorrect number.
- The site will instruct you to go back with the 'Back' button of the browser. Do so.
- Enter the correct 2FA token.
Actual result:
Failure message shown: "User Not Specified: You must select/enter a user."
Expected result:
Logged in. This worked in the past.
| Assignee | ||
Comment 1•3 years ago
|
||
Verified locally. Taking a look at this now.
| Assignee | ||
Comment 2•3 years ago
|
||
After messing around with this locally, I have observed that the reason for the issue is that the mfa_verification_token cookie that we are setting for CSRF protection (bug 1798673) is being cleared when the form is submitted with the incorrect MFA code. When you click back to enter another code, the cookie is not being set again like it is on the initial form load. So when you then enter the correct code, the cookie is not present, the token is not retrieved from the database which has the users information. Thus the error.
Trying some solutions, if I do not clear the cookie right away and leave it in place if the incorrect code is entered, when the user hits back and enters the right one, everything works fine. I then clear the cookie after successful login.
I can't obviously put the token back into the form and not use cookies as that negates the fix in bug 1798673. By leaving the same cookie value for each MFA prompt page until the correct one is entered, is there a chance that the value could be stolen and used by an attacker or does the fact that the cookie is only valid for the BMO domain still protect that. Also the token is short lived so it is cleared after an hour.
Can we think of any negatives of not clearing the cookie and reusing it until the correct code is entered? Or should we think of something else that will still work when the user hits the back button?
I think it would be better to change the error message so it's displayed in-page (as a message at the top of the 2FA request page); removing the need to instruct the user to use browser navigation, and allowing Bugzilla to issue a new CSRF token.
Comment 4•2 years ago
|
||
| Assignee | ||
Comment 5•2 years ago
|
||
Description
•