Cloudron Forum


Bug in 2FA Force

    savity
    wrote on last edited by girish
    #1

    Looks like there is not really an "Enforce" for 2FA.

    First Login from the User
    After this just open the URL
    https://cloudronserver.server/#/apps
    Now you can see the dashboard and login etc

    subven
    replied to savity on last edited by
    #2

    According to the docs, all users should be logged out after activating mandatory 2FA. Haven't tested it.

    So you're saying the problem is that users are not logged out immediately?

    girish Staff
    replied to savity on last edited by
    #3

    @savity said in Bug in 2FA Force:

    > After this just open the URL

    Do you mean without setting up 2FA, you can open that URL for that user and just access the dashboard? What happens if you F5/refresh?

    Also, the mandatory 2FA is implemented at client side/browser level and there are no server side checks.

    savity
    replied to girish on last edited by
    #4

    @girish Yeah so for me Enforce 2FA means you have to set up 2FA before even being able to see anything else.

    And by browsing to /apps you can see all installed apps and also browse through everything and authenticated yourself.

    savity
    replied to subven on last edited by
    #5

    @subven yeah so configure 2FA if not log out the user. It would be even better to have its own mask after first logon to set up 2FA and then be able to see the dashboard.

    Now you can just browse the URLs.

    girish Staff
    replied to savity on last edited by
    #6

    @savity I could reproduce this. This is indeed a bug, it is supposed to redirect to https://my.domain.com/#/profile?setup2fa for all the views and not just when logging in. Investigating.

    girish Staff
    wrote on last edited by
    #7

    This is fixed in https://git.cloudron.io/cloudron/dashboard/-/commit/b3cdcb2adb4666f274ed23f2ab05428563531dc8

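The behaviour discussed in this thread, as an added example that is not part of the forum posts and is not Cloudron's code: a route guard that sends an un-enrolled user to the 2FA setup view on every view rather than only at login, next to a server-side check of the same policy, which goes beyond the client-side fix the thread describes. All function names, API paths and user fields are assumptions made for the illustration; only the `#/profile?setup2fa` and `#/apps` routes come from the thread.

```javascript
// Added illustration. Every name, path and field below is hypothetical and
// constructed for this example; none of it is taken from Cloudron's code or API.
const SETUP_VIEW = '#/profile?setup2fa'; // setup view named in the thread

// True while the policy is on and the account has no second factor yet.
function mustEnroll(user, policy) {
  return Boolean(policy.mandatory2FA) && !user.twoFactorEnabled;
}

// Client-side guard, meant to run on every route change (e.g. each
// "hashchange"), not only once after login. Returns the hash to display.
function guardRoute(requestedHash, user, policy) {
  if (!mustEnroll(user, policy)) return requestedHash;
  return requestedHash === SETUP_VIEW ? requestedHash : SETUP_VIEW;
}

// Requests an un-enrolled user still needs in order to finish setup or leave.
const ENROLL_ALLOWLIST = new Set([
  'GET /api/profile',
  'POST /api/profile/2fa/enable',
  'POST /api/logout',
]);

// Server-side counterpart: returns the HTTP status the API would answer with.
// The browser guard is only navigation; this is the check that binds a client
// that ignores it.
function authorizeRequest(method, path, user, policy) {
  if (!user) return 401;
  if (mustEnroll(user, policy) && !ENROLL_ALLOWLIST.has(`${method} ${path}`)) return 403;
  return 200;
}

// Replays the sequence from the first post against both checks.
function replayReport() {
  const policy = { mandatory2FA: true };
  const user = { name: 'newuser', twoFactorEnabled: false }; // constructed
  return {
    afterLogin: guardRoute('#/', user, policy),
    directUrl: guardRoute('#/apps', user, policy),
    listApps: authorizeRequest('GET', '/api/apps', user, policy),
    enroll: authorizeRequest('POST', '/api/profile/2fa/enable', user, policy),
  };
}

console.log(replayReport());
```

With the guard applied to every view, opening `#/apps` directly lands on the setup view, and the server-side check answers 403 for the app listing until enrollment completes.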