Solved Bug in 2FA Force
-
Looks like there is not really an "Enforce" for 2FA.
First Login from the User
After this just open the URL
https://cloudronserver.server/#/apps
Now you can see the dashboard and login etc.
-
According to the docs, all users should be logged out after activating mandatory 2FA. Haven't tested it.
So you're saying the problem is that users are not logged out immediately?
-
@savity said in Bug in 2FA Force:
After this just open the URL
Do you mean without setting up 2FA, you can open that URL for that user and just access the dashboard? What happens if you F5/refresh?
Also, the mandatory 2FA is implemented at client side/browser level and there are no server side checks.
-
@girish Yeah, so for me Enforce 2FA means you have to set up 2FA before even being able to see anything else.
And by browsing to /apps you can see all installed apps and also browse through everything and authenticate yourself.
-
@subven yeah, so configure 2FA, if not log out the user. It would be even better to have its own mask after first logon to set up 2FA and then be able to see the dashboard.
Now you can just browse the URLs.
-
@savity I could reproduce this. This is indeed a bug, it is supposed to redirect to
https://my.domain.com/#/profile?setup2fa
for all the views and not just when logging in. Investigating.
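The thread notes that mandatory 2FA is checked only in the browser, with no server-side check. The following is an added example, not code from this thread or from Cloudron, of what a server-side gate for that rule can look like as Express-style middleware. The route paths, the `twoFactorEnabled` field and the `getSettings` helper are hypothetical; only the `/#/profile?setup2fa` redirect target comes from the thread.

```javascript
'use strict';
// Added example: all route paths and field names are hypothetical.

// Endpoints a user without 2FA may still call, so they can enroll or log out.
const ENROLLMENT_ALLOWLIST = new Set([
  'GET /api/profile',
  'POST /api/profile/2fa/secret',
  'POST /api/profile/2fa/enable',
  'POST /api/logout',
]);

// Express-style middleware factory; mount it after session authentication.
// getSettings() is assumed to return { mandatory2fa: boolean }.
function requireEnrolled2fa(getSettings) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).json({ error: 'login_required' });
    if (!getSettings().mandatory2fa || req.user.twoFactorEnabled) return next();
    // Exact match only: an unknown or oddly spelled path fails closed.
    if (ENROLLMENT_ALLOWLIST.has(`${req.method} ${req.path}`)) return next();
    // The server refuses, whatever view the browser's router is showing.
    return res.status(403).json({ error: '2fa_setup_required', redirect: '/#/profile?setup2fa' });
  };
}

// Stand-in for the framework's response object so this runs offline.
function simulate(middleware, req) {
  const out = { status: 200, body: null, passed: false };
  const res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return res; },
  };
  middleware(req, res, () => { out.passed = true; });
  return out;
}

// Constructed requests: a fresh user with no 2FA, mandatory 2FA switched on.
const gate = requireEnrolled2fa(() => ({ mandatory2fa: true }));
const newUser = { id: 'u1', twoFactorEnabled: false };
for (const [method, path] of [['GET', '/api/apps'], ['POST', '/api/profile/2fa/enable']]) {
  const r = simulate(gate, { method, path, user: newUser });
  console.log(method, path, '->', r.passed ? 'allowed' : `${r.status} ${r.body.error}`);
}
```

With a gate like this in front of the API, opening `/#/apps` directly can still load the client-side view, but the requests behind it return 403 until enrollment completes.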