labd / wagtail-2fa

2 Factor Authentication for Wagtail

Home Page: https://wagtail-2fa.readthedocs.io/en/latest/

Current password being marked invalid when trying to add 2FA device

delaine-eb opened this issue · comments

We updated to version 1.3.0 (and tried 1.3.4) so that admins could manage 2FA devices for other users. When attempting to create a new 2FA device, I realized I was getting an invalid password error even though I copied the password I used a few seconds before to successfully log into wagtail.

Steps to Reproduce

  1. Deploy version 1.3.0 or 1.3.4 (haven't checked the versions in between, but I assume those versions have this same issue)
  2. Add a new device and use the password you use to log into wagtail. See that there is an invalid password error

@delaine-eb please remove the screenshot; you are leaking information about your username in the QR code.

Could you try to replicate this issue using the sandbox environment, as I'm having no trouble adding multiple devices to the sandbox and live environment.

How would I utilize the sandbox environment? @MichielBijland

You have to clone this repo and follow these instructions:
https://wagtail-2fa.readthedocs.io/en/stable/#sandbox

OK, I can try it in sandbox. I tried it in the live environment, if I'm understanding what you mean by that correctly. I installed version 1.3.0 and then tried version 1.3.4 and got that error with both versions, as did one of my co-workers.

@MichielBijland I did some more investigation and we are using an LDAP integration. We're not using the django.contrib.auth.backends.ModelBackend, we're using the django_auth_ldap.backend.LDAPBackend. I suspect that the new password check isn't compatible with the fact that we're using LDAP credentials. Could we configure this library with a constant that allows users of the library to decide whether to show that additional password check or not?

@delaine-eb This is correct: we are using the user.check_password function; we should use https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L61

This way it won't depend on user model but on authentication backends.

Released in 1.4.0