Bug in 2FA Force

savity

Looks like there is not really a "Enforce" for 2FA.

First Login from the User

After this just open the URL
https://cloudronserver.server/#/apps

Now you can see the dashboard and login etc

girish

This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8

subven

According to the docs, all users should be logged out after activating mandatory 2FA. Haven't testet it.

So you're saying the problem is that users are not logged out immediately?

girish

@savity said in Bug in 2FA Force:

After this just open the URL

Do you mean without setting up 2FA , you can open that URL for that user and just access the dashboard? What happens if you F5/refresh?

Also, the mandatory 2FA is implemented at client side/browser level and there are no server side checks.

savity

@girish Yeah so for me Enforce 2FA means you have to setup 2FA bevore even beeing able to see anything else.

And by browsing to /apps you can see all installed apps and also browser through everything and authenticated yourself.

savity

@subven yeah so configure 2FA if not logout the user. It would be even better to have a own mask after first logon to setup 2FA nad then be able to see the dashboard.

now you can just browse the urls

girish

@savity I could reproduce this. This is indeed a bug, it is supposed to redirect to https://my.domain.com/#/profile?setup2fa for all the views and not just when logging in. Investigating.

girish

This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8