MFA not working with APP_BASE set to something #59

droscy opened this issue Aug 9, 2024 · 4 comments

droscy commented Aug 9, 2024

Describe the bug:
Hello, I'm trying to access my self-hosted installation of passbolt with go-passbolt-cli and I'm always receiving the following error whatever method I set in --mfaMode

Error: Logging in: Getting CSRF Token: Error API JSON Response Status: Message: MFA authentication is required., Body: {"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}

My passbolt is started with APP_BASE set to /passbolt and if I comment out APP_BASE the MFA works correctly.

To Reproduce:
Just start passbolt with APP_BASE environment variable set to /passbolt, for example with docker

services:
  passbolt:
    container_name: passbolt
    image: passbolt/passbolt:4.9.0-1-ce
    restart: unless-stopped
    environment:
      APP_BASE: "/passbolt"
      # [...]

Output when using --debug (you should censor this):

If I masked too much in the below output please let me know.

[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/auth/login.json?api-version=v2
[go-passbolt] Raw Request: {"gpg_auth":{"keyid":"*****"}}
[go-passbolt] Raw Response: {"header":{"id":"01df63b6-8135-42c1-ad9d-3aeef933a011","status":"error","servertime":1723212746,"action":"a3c19ad2-8920-5395-86d0-8567cb34f382","message":"The authentication failed.","url":"\/passbolt\/auth\/login.json?api-version=v2","code":200},"body":null}
[go-passbolt] Got Encrypted Auth Token: -----BEGIN\+PGP\+MESSAGE-----%0A*****%0A-----END\+PGP\+MESSAGE-----%0A
[go-passbolt] Decrypted Auth Token: gpgauthv1.3.0|36|*****|gpgauthv1.3.0
[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/auth/login.json?api-version=v2
[go-passbolt] Raw Request: {"gpg_auth":{"keyid":"*****","user_token_result":"gpgauthv1.3.0|36|*****|gpgauthv1.3.0"}}
[go-passbolt] Raw Response: {"header":{"id":"*****","status":"success","servertime":1723212746,"action":"a3c19ad2-8920-5395-86d0-8567cb34f382","message":"You are successfully logged in.","url":"\/passbolt\/auth\/login.json?api-version=v2","code":200},"body":{"id":"USERID","role_id":"*****","username":"*****","active":true,"deleted":false,"disabled":null,"created":"2023-12-27T14:26:58+00:00","modified":"2024-08-09T14:09:32+00:00","groups_users":[],"profile":{"id":"22095967-fdc5-4ab4-bf02-f9bc8483d24e","user_id":"USERID","first_name":"***","last_name":"***","created":"2023-12-27T14:26:58+00:00","modified":"2024-08-09T14:09:32+00:00","avatar":{"id":"83d06e59-7e14-48b6-af44-140f47dea655","profile_id":"22095967-fdc5-4ab4-bf02-f9bc8483d24e","created":"2023-12-28T08:48:48+00:00","modified":"2024-08-09T14:09:32+00:00","url":{"medium":"https:\/\/server.domain.com:12345\/passbolt\/avatars\/view\/83d06e59-7e14-48b6-af44-140f47dea655\/medium.jpg","small":"https:\/\/server.domain.com:12345\/passbolt\/avatars\/view\/83d06e59-7e14-48b6-af44-140f47dea655\/small.jpg"}}},"gpgkey":{"id":"1da1f556-a521-4356-ba8c-fcb8bebe7430","user_id":"USERID","armored_key":"-----BEGIN PGP PUBLIC KEY BLOCK-----*****-----END PGP PUBLIC KEY BLOCK-----\n","bits":3072,"uid":"NAME \u003C*****\u003E","key_id":"*****","fingerprint":"*****","type":"RSA","expires":null,"key_created":"2023-12-27T14:28:40+00:00","deleted":false,"created":"2023-12-27T14:29:38+00:00","modified":"2023-12-27T14:29:38+00:00"},"role":{"id":"*****","name":"admin","description":"Organization administrator","created":"2012-07-04T13:39:25+00:00","modified":"2012-07-04T13:39:25+00:00"},"last_logged_in":null}}
[go-passbolt] Got Cookies: [passbolt_session=aj2t0ra8of9cvdr9uqjameo1ff; Path=/passbolt/; HttpOnly; Secure; SameSite=Lax]
[go-passbolt] Request URL: https://server.domain.com:12345/passbolt/users/me.json?api-version=v2
[go-passbolt] Raw Response: {"header":{"id":"e3038eac-14c9-42ac-844a-cb04a6ce6058","status":"error","servertime":1723212746,"action":"af9aa2c6-7355-514d-a4a0-3e74de4c0fdb","message":"MFA authentication is required.","url":"\/passbolt\/mfa\/verify\/error.json","code":403},"body":{"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}}
Error: Logging in: Getting CSRF Token: Error API JSON Response Status: Message: MFA authentication is required., Body: {"mfa_providers":["totp"],"providers":{"totp":"https:\/\/server.domain.com:12345\/passbolt\/mfa\/verify\/totp.json"}}

Passbolt Server Version (please complete the following information):

  • Edition: Community Edition
  • Version 4.9.0-1-ce

go-passbolt-cli Version (please complete the following information):

  • OS: Debian 12 bookworm
  • Version 0.3.1

Additional context
None

droscy added the bug (Something isn't working) label Aug 9, 2024
Collaborator

speatzle commented Aug 9, 2024

Hi, I have potentially found the issue.
go-passbolt (the library which go-passbolt-cli is built on) checks if MFA is required by checking if the URL the server returns on an API error is equal to /mfa/verify/error.json. Changing the base path apparently also changes this URL to /passbolt/mfa/verify/error.json, according to your logs.

go-passbolt uses the URL instead of the message for MFA detection because the message changes based on the server's default language and used to break MFA on non-English installations.

The problem is here: https://github.com/passbolt/go-passbolt/blob/e13f484bcbacb8830afe9aa7ad4fb77ee3efbaed/api/api.go#L65
I think the problem can be solved by simply matching this as a suffix instead of the entire URL.

For now you could temporarily disable MFA on the account you are using for go-passbolt-cli.
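
The detection problem described in the comment above, as an added Go example that is not go-passbolt's own code: an exact comparison of the header URL misses the MFA error once a base path is prepended, while a suffix match still catches it and still ignores other errors. The `header` type, the function names and the sample responses (constructed, trimmed from the debug output in the issue) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Path the issue says the server reports in header.url when MFA is required.
const mfaErrorPath = "/mfa/verify/error.json"

// header keeps only the response-header fields the check needs (hypothetical type).
type header struct {
	Status string `json:"status"`
	URL    string `json:"url"`
}

// Constructed samples, trimmed from the debug output in the issue.
var samples = map[string]string{
	"root install, MFA required":       `{"header":{"status":"error","url":"\/mfa\/verify\/error.json","code":403}}`,
	"APP_BASE=/passbolt, MFA required": `{"header":{"status":"error","url":"\/passbolt\/mfa\/verify\/error.json","code":403}}`,
	"APP_BASE=/passbolt, failed login": `{"header":{"status":"error","url":"\/passbolt\/auth\/login.json?api-version=v2","code":200}}`,
}

// parseHeader extracts the header object from a raw API response body.
func parseHeader(raw string) (header, error) {
	var r struct {
		Header header `json:"header"`
	}
	err := json.Unmarshal([]byte(raw), &r)
	return r.Header, err
}

// mfaRequiredExact compares the whole URL, so any base path defeats it.
func mfaRequiredExact(h header) bool {
	return h.Status == "error" && h.URL == mfaErrorPath
}

// mfaRequiredSuffix matches the path as a suffix, so it survives a base path.
func mfaRequiredSuffix(h header) bool {
	return h.Status == "error" && strings.HasSuffix(h.URL, mfaErrorPath)
}

func main() {
	for name, raw := range samples {
		h, err := parseHeader(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-34s exact=%-5v suffix=%v\n", name, mfaRequiredExact(h), mfaRequiredSuffix(h))
	}
}
```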

Collaborator

speatzle commented Aug 9, 2024

I have the fix implemented and login is still working with my Passbolt instance.
Unfortunately a GitHub Actions change broke the tests and I am short on time today.
I hope I can do a release with the fix in the next few days if time permits.

If you are able to compile yourself, testing the fix would be appreciated.
You can do so by cloning go-passbolt on the fix_mfa_detection branch and cloning go-passbolt-cli on the main branch, uncommenting the Replace line at the end of go-passbolt-cli's go.mod file and running go build.

Author

droscy commented Aug 10, 2024

Hello @speatzle, many thanks for the fix. I have no knowledge of Go and I don't have a build environment ready, but I'll try to build it myself in order to test.

Author

droscy commented Aug 11, 2024

I confirm the fix works, many thanks
