save
--> User successfully saved
save & close
--> User successfully saved and Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time.
Same issue if we try to save & close a user that is already set up with a YubiKey.
But the login works with that user and the YubiKey. So this error is a false alarm?
I hope @nikosdion can have a look into this.
No error message appears
The following error appears:
Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time.
Joomla 3.3.6 & last nightly build
Also confirmed by @pe7er on the JBS Chat
Sounds like the error message is correct then and the yubicloud was temp unavailable
On 23 Dec 2014 18:16, "Peter Martin" notifications@github.com wrote:
I was able to reproduce the error 10 minutes ago.
However, after I created a couple of new users & added a Yubikey for them
too, I did not get the error anymore...
This comment was created with the J!Tracker Application (https://github.com/joomla/jissues) at issues.joomla.org/joomla-cms/5500 (http://issues.joomla.org/tracker/joomla-cms/5500).
As the second part of the message read, YubiCloud servers were unreachable at that time.
hmm 5 servers at the same time?
Sorry, when I was able to test it, I used "Save & Close" and when I could not reproduce it anymore I used "Save".
So I can reconfirm that only "Save & Close" will trigger the error.
At that same time, login with Yubikey works, so I suppose the YubiCloud servers were reachable.
@zero-24 DNS and routing issues tend to hit all 5 servers at once. Plus, you don’t hit all five servers all the time. You only choose one at random and ask it to serve you. That’s how YubiCo requires us to implement it and it’s exactly why they have five public servers.
btw: "Save & New" also triggers the error, but only if under the user's account [Two Factor Authentication] the Authentication method is set to "Yubikey".
It does not matter if you just created a new Yubikey for a user (new or existing), or did not change the already configured Yubikey. Both result in the same error as zero-24 reported.
I checked /plugins/twofactorauth/yubikey/yubikey.php and noticed two identical error strings:

    // Warn if the securitycode is empty
    if (array_key_exists('securitycode', $data) && empty($data['securitycode']))
    {
        try
        {
            $app = JFactory::getApplication();
            $app->enqueueMessage(JText::_('PLG_TWOFACTORAUTH_YUBIKEY_ERR_VALIDATIONFAILED'), 'error');
        }
        catch (Exception $exc)
        {
            // This only happens when we are in a CLI application. We cannot
            // enqueue a message, so just do nothing.
        }

        return false;
    }

    // Validate the Yubikey OTP
    $check = $this->validateYubikeyOTP($data['securitycode']);

    if (!$check)
    {
        $app = JFactory::getApplication();
        $app->enqueueMessage(JText::_('PLG_TWOFACTORAUTH_YUBIKEY_ERR_VALIDATIONFAILED'), 'error');

        // Check failed. Do not change two factor authentication settings.
        return false;
    }

I have edited the error strings on my local site to see where the error is triggered (in the 1st or 2nd routine).
The error is triggered in the second loop:

    // Validate the Yubikey OTP
    $check = $this->validateYubikeyOTP($data['securitycode']);

I have added some debug code:
This check fails with this message: Validate the response - We need an OK message reply::MISSING_PARAMETER
https://github.com/joomla/joomla-cms/blob/staging/plugins/twofactorauth/yubikey/yubikey.php#L363-367
The missing parameter may be caused as we don't set it if it is already linked, e.g. on save & close or save & new after the first successful save.
I have done some more tests.
And yes. $data['securitycode'] is not set on these requests, so the MISSING_PARAMETER issue by the YubiCloud servers is expected.
This check here: https://github.com/joomla/joomla-cms/blob/staging/plugins/twofactorauth/yubikey/yubikey.php#L179
doesn't work, as the array key securitycode doesn't exist. To be true, the array key needs to exist and be empty. But it doesn't exist, so the condition is not true.

    if (empty($data['securitycode']))

does the trick.
So IIRC we can fix this only if we ship the securitycode every time (this needs to require it every time we save the profile, and I think this is not so user friendly), or we check if a YubiKey is already applied to the user account and don't validate it again.
Have I missed something?
I wouldn't be so quick on modifying the empty check. If you do that someone can set up YubiKey 2FA without putting a YubiKey code in there. Also note that Google Authenticator also has the same code. The question is why does array_key_exists('securitycode', $data) return true. Give me some time.
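
An added example, not part of the thread and not the change in #5505: it contrasts the guard quoted above with one possible handling along the lines raised in the discussion (skip re-validation when a YubiKey is already linked, but never enable 2FA without a code). The function names, the `$alreadyConfigured` flag and the stub validator are assumptions; the stub only checks the OTP format and makes no YubiCloud call.

```php
<?php
// Added illustration; function and variable names are hypothetical, not Joomla's.

// The guard quoted in the thread: true only when the key exists AND is empty.
function originalGuard(array $data): bool
{
    return array_key_exists('securitycode', $data) && empty($data['securitycode']);
}

// Decide what a profile save should do with the YubiKey settings.
// $validateOtp stands in for the plugin's validateYubikeyOTP() call.
function decideYubikeySave(array $data, bool $alreadyConfigured, callable $validateOtp): string
{
    $raw  = $data['securitycode'] ?? null;
    $code = is_string($raw) ? trim($raw) : '';

    if ($code === '')
    {
        // No OTP submitted (key missing or empty): never enable 2FA without
        // a code, but leave an existing configuration untouched.
        return $alreadyConfigured ? 'keep-existing' : 'reject-no-code';
    }

    return $validateOtp($code) ? 'enable' : 'reject-invalid';
}

// Constructed stub validator: accepts any 44-character modhex string.
$stub = function (string $otp): bool {
    return (bool) preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp);
};

// Constructed sample requests covering the three cases from the thread.
$cases = [
    'key missing'  => [],
    'key empty'    => ['securitycode' => ''],
    'code present' => ['securitycode' => str_repeat('c', 44)],
];

foreach ($cases as $label => $data)
{
    printf(
        "%-12s guard=%-5s configured=%-14s new=%s\n",
        $label,
        var_export(originalGuard($data), true),
        decideYubikeySave($data, true, $stub),
        decideYubikeySave($data, false, $stub)
    );
}
```

The "key missing" row is the Save & Close case: the original guard is false, so the quoted code goes on to validate a value that was never submitted.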
Status | New | ⇒ | Closed |
Please see and test #5505
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-12-23 21:51:52 |