Issue when upgrading TOTP from v0.4.3 to v0.4.4 #46
Comments
|
To be more precise the app stays enabled but the user is required to untick and tick again the "Activate TOTP" checkbox on the Personal settings page and reverify the authentication code. If the user does not perform this action login over two-factor auth does not work anymore. |
pako81
changed the title
pako81
changed the title
|
@pako81 thanks for reporting. Since 0.4.4, verification has become mandatory to prevent possible lockout scenario. To achieve that we added a new boolean column ("verified") to the database. To activation "verified" column should be true. In the database migration from v0.4.3 to v0.4.4 the column is created with false initial value for existing rows. That is why your issue is happening. |
|
@karakayasemi thanks for your feedback, I was not aware of the change in the DB structure since v0.4.4. So I guess that updating the boolean column like
right after the upgrade would make it work normally. And indeed I have tested this out and it seems users can log in without the need to reverify the code. Not sure however if recommended to manually hack the DB this way.. |
|
@PVince81 please clarify how to resolve this issue for next version. |
|
@karakayasemi if we decided to make this field "verified" set to true, is there a way for the admin over the UI to force reverification is they choose so ? Goal would be mostly to prevent such upgrade experience. Do i understand it correctly that in past version the verification wasn't guaranteed so setting it to true on upgrade would be wrong and a potential security flaw ? I see two possible solutions:
or
|
|
Talked with @DeepDiver1975 and he suggested to go the release notes route now. |
|
As far as I can see, setting this value to "true" only works right after the upgrade. For already updated servers, setting this value true can cause a lockout for users in verification step. In the already updated servers, every user should recreate totp. |
|
Hmmm... I can see how admins might miss doing this on time... Can it be done manually before the upgrade ? Is the config value used by the old version ? |
|
No, the column "verified" was newly added. We could write a migration to set this value true for existing rows. Now the admins should set true for existing rows right after the update because we did not. |
|
Even if we did now the app is already released, so whatever logic we put in will only be effective when migrating from v0.4.3 to v0.4.5, because changing the setting in v0.4.4 to v0.4.5 would still require all users to reverify. It looks like we could have this proposed automatic switch when migrating from v0.4.3 to v0.4.5+ and release notes for people already on v0.4.4 that say "sorry, you'll need all clients to reverify now" |
|
moving to backlog, need to schedule some time to look at this... |
|
Ok, maybe an occ command that an admin could run if they choose to automatically set the verification to true for existing users ? By default users would need to reverify but the release notes should state that an admin might want to run this command. The command should allow to set for all users Thoughts ? @karakayasemi @pako81 |
|
also cc @pmaier1 as the above was already change of behavior |
|
@PVince81 It sounds good to me. In addition, we can add an optional timestamp argument for Since admins know when they upgraded the app, they can specify upgrade timestamp and the command only affects rows created before updating. |
|
@karakayasemi sounds great. Glad to hear there's also a timestamp in there. Is this something you'd have time to work on ? |
|
I can work on it this weekend. If it is okay, you can assign it to me. |
|
Awesome, thanks |
Upgrading TOTP from v0.4.3 to v0.4.4 result in the app to be automatically disabled. Users will need to reactivate it and re-enroll any device. Tested on 10.0.7.
@DeepDiver1975 FYI
The text was updated successfully, but these errors were encountered: