Error asking me to log out when using multiple devices, pressing back logs me in anyway

[Bubka]

Discussed in #401

^{Originally posted by hugalafutro October 13, 2024}
Hi, I use 2FAuth on mobile, tablet, several vm's and physical pc's on linux and windows, as a webpage or app via vivaldi (chromium based browser).

Most often regardless where I try to login with whichever method I get this msg:

• on this screen I just press Back Home, and poof, I'm logged in suddenly
• once loggged in the sign out doesn't work in the app window, even though I enabled Notification permission, is there a way to make the sign out pop up "in-page" as opposed to a system popup?

Is this a bug or an error with my install?

edit: some logs

192.168.128.1 - - [13/Oct/2024:09:49:01 +0000] "POST /user/login HTTP/1.1" 400 68 "[https://2fa.[REDACTED].net/login"](https://2fa.[REDACTED].net/login%22) "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
192.168.128.1 - - [13/Oct/2024:09:49:21 +0000] "GET /api/v1/user HTTP/1.1" 200 821 "https://2fa.[REDACTED].net/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
192.168.128.1 - - [13/Oct/2024:09:49:21 +0000] "GET /api/v1/twofaccounts HTTP/1.1" 200 5397 "[https://2fa.[REDACTED].net/error"](https://2fa.[REDACTED].net/error%22) "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
192.168.128.1 - - [13/Oct/2024:09:49:22 +0000] "GET /api/v1/groups HTTP/1.1" 200 107 "https://2fa.[REDACTED].net/error" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"

^{Originally posted by **muhammedtur** October 15, 2024}

I encountered the same problem in older versions. The issue was resolved in version 5.2.0, but now I'm facing the same issue again. After logging in, if I close the browser tab/window and then reopen 2FA after the auto-lock time ends, I encounter this problem.

[hugalafutro]

Hmm, this is somewhat of a security issue is it not? It completely bypasses device passkey / password. I was able to log in with just e-mail :/

I haven't used 2fauth in about 3-4 days. Needed a token today. Opened the chrome 2fauth app on phone, entered email. immediately got the screen from my OP with the big exclamation mark in a circle. I pressed Back Home and was logged in with all tokens accessible. As the email address gets autosuggested by keyboard pretty much only thing protecting my 2fa tokens on phone atm is my phone's lock screen, and on desktop nothing?

[Bubka]

Thanks for the warning @hugalafutro, indeed in some situations this was causing the session expiration to be bypassed on the server side. I just released v5.3.2 to fix the issue. This auto-lock feature is quite tricky as there are many different situations that can lead to it being triggered, I hope the fix will cover them all. Any feedback will be appreciated. Thx again

[hugalafutro]

I updated and will report any further issues. Obviously I might be missing something on account of not being a programmer, but can't you just force the server to log off all sessions without user interaction if it doesn't detect any http access in 15 minutes or such?

Thanks for looking at the issue!

[Bubka]

but can't you just force the server to log off all sessions without user interaction if it doesn't detect any http access in 15 minutes or such?

Without any user interaction, no. At least not without something like a worker or a scheduling task on server side, which 2FAuth doesn't have. There must be a request from the front-end to start evaluating the user (in)activity. Bypassing could occur on some routes where this evaluation was not triggered, this is what I fixed.

[Proxinf]

Unfortunately I also encounter the "Server Error" error to make it work I have to restart the Docker container.
Updated version 5.3.2

[Bubka]

The fix I pushed requires the route cache to be cleared. If not, it could result in a 500 error. Normally the cache is cleared when the container is restarted thanks to the entrypoint script.

I'm not sure I understand your current situation: You encountered the error, but not since you restarted the container, or the error is still there even after restarting the container?

If the error is still there, please set APP_DEBUG=true in order to have the call stack in the response body, this will make debugging easier.

[Proxinf]

I tried to install again on another machine... nothing, I still get the same error :(

&

&

I have to restart the container from portainer... and it comes back online.

&

[hugalafutro]

I haven't encountered the issue since. I got an email form each login as a new device that is the only thing I noticed.