Open Closed

Authenticator App - 2FA issue #6297


User avatar
0
balessi75 created

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We found that that the 2FA option for using an Authenticator App is being presented to the user when logging in even if they have not setup 2FA on their account.

We recently upgraded to 7.4.2 which includes the Authenticator feature and when a user sets it up, it works perfectly.

What we noticed, however, is that if a user never sets it up, and simply saves something on their 'My Account' area (not related to 2fa or authenticator) the new 2fa option is now presented to the user when logging in - even though they never set it up and can't use it.

Please advise. Any workarounds are greatly appreciated.

Thanks


8 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I will check it.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I could not reproduce the problem.

    Can you share more detail setps?

  • User Avatar
    0
    balessi75 created

    With a Blazor Server project using the Lepton Theme, do the following...

    1. Add a user
    2. Login as the new user
    3. Under My Account > Personal Info, verify the user's email
    4. 2FA is now an option for the user under My Account > Personal Info.
    5. While logged in as the user, enable 2fFA under My Account > Two factor authentication
    6. Log out
    7. Login and the user has both Email and Authenticator listed in the 2FA provider dropdown, even though Authenticator app access was never setup.

    It seems that any save in the My Account > Personal Info tab unconditionally triggers the Authenticator app to be a valid 2fa provider for the user.

    I reproduced this with a newly created 7.4.2 Blazor Server project with the Lepton Theme.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Ok, I will check it.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I could reproduce the problem and will fix it in the next patch version.

    Temporary solution:

    [ExposeServices(typeof(IAccountAppService))]
    public class MyAccountAppService : AccountAppService
    {
        public MyAccountAppService(IdentityUserManager userManager, IAccountEmailer accountEmailer, IAccountPhoneService phoneService, IIdentityRoleRepository roleRepository, IdentitySecurityLogManager identitySecurityLogManager, Volo.Abp.BlobStoring.IBlobContainer<AccountProfilePictureContainer> accountProfilePictureContainer, ISettingManager settingManager, IOptions<IdentityOptions> identityOptions, IIdentitySecurityLogRepository securityLogRepository, IImageCompressor imageCompressor, IOptions<AbpProfilePictureOptions> profilePictureOptions, IApplicationInfoAccessor applicationInfoAccessor, IdentityUserTwoFactorChecker identityUserTwoFactorChecker) : base(userManager, accountEmailer, phoneService, roleRepository, identitySecurityLogManager, accountProfilePictureContainer, settingManager, identityOptions, securityLogRepository, imageCompressor, profilePictureOptions, applicationInfoAccessor, identityUserTwoFactorChecker)
        {
        }
    
        public override async Task<List<string>> GetTwoFactorProvidersAsync(GetTwoFactorProvidersInput input)
        {
            var providers = await base.GetTwoFactorProvidersAsync(input);
    
            if(providers.Any())
            {
                var user = await UserManager.GetByIdAsync(input.UserId);
                if(!user.HasAuthenticator())
                {
                    providers.RemoveAll(x => x == TwoFactorProviderConsts.Authenticator);
                }
            }
    
            return providers;
        }
    }
    
  • User Avatar
    0
    balessi75 created

    Thanks @liangshiwei,

    I appreciate the quick response. I'll test and let you know how things look.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    ok

  • User Avatar
    0
    balessi75 created

    Thangs again @liangshiwei,

    Your temporary solution works perfectly!

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09