Bug in 2FA Force
-
wrote on Aug 14, 2022, 8:58 PM last edited by girish Aug 15, 2022, 6:53 AM
Looks like there is not really a "Enforce" for 2FA.
First Login from the User
After this just open the URL
https://cloudronserver.server/#/apps
Now you can see the dashboard and login etc
-
wrote on Aug 14, 2022, 9:23 PM last edited by
According to the docs, all users should be logged out after activating mandatory 2FA. Haven't tested it.
So you're saying the problem is that users are not logged out immediately?
-
@savity said in Bug in 2FA Force:
> After this just open the URL
Do you mean without setting up 2FA, you can open that URL for that user and just access the dashboard? What happens if you F5/refresh?
Also, the mandatory 2FA is implemented at client side/browser level and there are no server side checks.
-
wrote on Aug 15, 2022, 6:44 PM last edited by
@girish Yeah so for me Enforce 2FA means you have to set up 2FA before even being able to see anything else.
And by browsing to /apps you can see all installed apps and also browse through everything and authenticated yourself.
-
@subven yeah so configure 2FA if not logout the user. It would be even better to have an own mask after first logon to set up 2FA and then be able to see the dashboard.
now you can just browse the urls
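girish's reply notes that mandatory 2FA is checked only in the browser. The `#/apps` fragment of the URL is never sent to the server, so a server-side gate has to sit on the API requests the dashboard makes. Such a gate, as an added example that is not Cloudron's code and not part of the thread (the endpoint paths, `policy.mandatory2FA` and `user.twoFactorEnabled` are hypothetical names):

```javascript
// All names, paths and fields below are hypothetical, chosen for illustration.
// The only requests a user without 2FA may make: enrol, or log out.
const SETUP_ALLOWLIST = new Set([
  'GET /api/2fa/setup',
  'POST /api/2fa/enable',
  'POST /api/logout',
]);

// Drop the query string and trailing slashes. Matching is exact, so anything
// not literally on the allowlist (including "../" paths) is denied.
function normalizePath(url) {
  const path = String(url).split('?')[0].replace(/\/+$/, '');
  return path === '' ? '/' : path;
}

// Pure decision: returns the HTTP status the server should answer with.
function decide(policy, user, method, url) {
  if (!user) return { status: 401, reason: 'not authenticated' };
  if (!policy.mandatory2FA || user.twoFactorEnabled) return { status: 200, reason: 'ok' };
  const key = `${String(method).toUpperCase()} ${normalizePath(url)}`;
  return SETUP_ALLOWLIST.has(key)
    ? { status: 200, reason: 'enrolment endpoint' }
    : { status: 403, reason: '2FA setup required' };
}

// Express-style middleware wrapper. req.user is assumed to be set by the
// session/token layer that runs before it.
function require2FA(policy) {
  return function (req, res, next) {
    const verdict = decide(policy, req.user, req.method, req.url);
    if (verdict.status === 200) return next();
    res.statusCode = verdict.status;
    res.end(JSON.stringify({ message: verdict.reason }));
  };
}

// Constructed requests: a user who logged in once and never enrolled.
function demo() {
  const policy = { mandatory2FA: true };
  const fresh = { username: 'newuser', twoFactorEnabled: false };
  return ['GET /api/apps', 'GET /api/2fa/setup', 'GET /api/2fa/setup/../apps']
    .map((line) => {
      const [method, url] = line.split(' ');
      return `${line} -> ${decide(policy, fresh, method, url).status}`;
    });
}
```

With a check like this in front of every data-returning route, the client-side redirect to the 2FA setup screen becomes a convenience rather than the control.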