    Solved Bug in 2FA Force

    Support
    2fa security
    • S
      savity last edited by girish

      Looks like there is not really an "Enforce" for 2FA.

      First Login from the User
      After this just open the URL
      https://cloudronserver.server/#/apps
      Now you can see the dashboard and login etc

        • subven
          subven @savity last edited by

          According to the docs, all users should be logged out after activating mandatory 2FA. Haven't tested it.

          So you're saying the problem is that users are not logged out immediately?

          • girish
            girish Staff @savity last edited by

            @savity said in Bug in 2FA Force:

            After this just open the URL

            Do you mean without setting up 2FA, you can open that URL for that user and just access the dashboard? What happens if you F5/refresh?

            Also, the mandatory 2FA is implemented at client side/browser level and there are no server side checks.

            • S
              savity @girish last edited by

              @girish Yeah, so for me Enforce 2FA means you have to set up 2FA before even being able to see anything else.

              And by browsing to /apps you can see all installed apps and also browse through everything and authenticate yourself.

              • S
                savity @subven last edited by

                @subven Yeah, so configure 2FA, if not log out the user. It would be even better to have its own mask after first logon to set up 2FA and then be able to see the dashboard.

                Now you can just browse the URLs.

                • girish
                  girish Staff @savity last edited by

                  @savity I could reproduce this. This is indeed a bug, it is supposed to redirect to https://my.domain.com/#/profile?setup2fa for all the views and not just when logging in. Investigating.

                  • girish
                    girish Staff last edited by

                    This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8

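The thread describes a mandatory-2FA redirect that ran only at login, so a later hash change to `#/apps` skipped it, and notes that the check lives in the browser only. As an added example (not part of the thread and not Cloudron's code), the JavaScript below contrasts a login-only guard with one that runs on every view, and goes one step beyond the thread by showing the matching server-side refusal. All function names and the `/example-api/...` paths are hypothetical; only the `#/apps` and `#/profile?setup2fa` routes come from the posts.

```javascript
// Added illustration; every name and API path here is hypothetical.
const SETUP_ROUTE = '#/profile?setup2fa';

// Constructed sample state: mandatory 2FA is on, the user has not enrolled yet.
const config = { mandatory2FA: true };
const newUser = { username: 'alice', twoFactorEnabled: false };

function needsEnrollment(user, cfg) {
    return Boolean(cfg.mandatory2FA && !user.twoFactorEnabled);
}

// Flawed pattern: the check runs only for the navigation that follows login,
// so any later route change is passed through unchanged.
function guardOnLoginOnly(requestedHash, user, cfg, isLoginNavigation) {
    if (isLoginNavigation && needsEnrollment(user, cfg)) return SETUP_ROUTE;
    return requestedHash;
}

// Corrected pattern: the same check runs on every route change.
function guardEveryView(requestedHash, user, cfg) {
    if (needsEnrollment(user, cfg) && requestedHash !== SETUP_ROUTE) return SETUP_ROUTE;
    return requestedHash;
}

// A browser-side guard only shapes the UI. The API has to refuse as well,
// leaving reachable only what is needed to finish enrollment.
const ENROLLMENT_PATHS = new Set([
    '/example-api/profile',
    '/example-api/2fa/secret',
    '/example-api/2fa/enable'
]);

function authorizeApiRequest(path, user, cfg) {
    if (needsEnrollment(user, cfg) && !ENROLLMENT_PATHS.has(path)) {
        return { status: 403, reason: '2FA enrollment required' };
    }
    return { status: 200 };
}

console.log('login-only guard, later visit to #/apps ->', guardOnLoginOnly('#/apps', newUser, config, false));
console.log('every-view guard, later visit to #/apps ->', guardEveryView('#/apps', newUser, config));
console.log('API call before enrollment ->', authorizeApiRequest('/example-api/apps', newUser, config).status);
```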