Bug 409212 - Support login with 2FA-enabled account
Summary: Support login with 2FA-enabled account
Status: RESOLVED FIXED
Alias: None
Product: Ruqola
Classification: Applications
Component: backend (show other bugs)
Version: unspecified
Platform: Other Linux
: NOR normal
Target Milestone: ---
Assignee: Laurent Montel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-26 14:54 UTC by Christian Dywan
Modified: 2019-06-28 12:07 UTC (History)
0 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Dywan 2019-06-26 14:54:44 UTC
When trying to login with a 2FA-enabled account, Ruqola appears to login but never connects to the server and just displays empty lists.

I'm reproducing this by using chat.suse.de, which is a company-internal instance. 2FA is required by policy in this context.

- The login dialog should have a field providing an opportunity to type a 2FA code from an authenticating device/ app or a backup code.
- The "totp-required" error needs to be handled (currently only 403 is handled).
- Furthermore the login message needs to be constructed appropriately when a code is provided.
Comment 1 Christian Dywan 2019-06-26 15:05:14 UTC
https://phabricator.kde.org/differential/diff/60694/
Comment 2 Laurent Montel 2019-06-27 04:50:34 UTC
Hi,
could you use https://phabricator.kde.org/ + arc (https://community.kde.org/Infrastructure/Phabricator). So we can speak about your patch.
Thanks.
Comment 3 Laurent Montel 2019-06-28 12:07:46 UTC
Git commit 8052497b10011fe0e5bdc7285125f96c33e047ec by Laurent Montel.
Committed on 28/06/2019 at 12:06.
Pushed by mlaurent into branch 'arcpatch-D22111'.

Patch from Christian Dywan

Support TOTP login with 2FA-enabled accounts

Summary:
The docs for the [[ https://rocket.chat/docs/developer-guides/realtime-api/method-calls/login/ | Rocket.Chat realtime API ]] Ruqola is using unfortunately don't include handling of 2FA-enabled accounts. Login actually seems to succeed because only a `403` error code is handled when in fact `totp-required` is returned as a response. It's worth noting codes can apparently be both numeric and strings.
A peek at [[ https://github.com/RocketChat/Rocket.Chat.iOS/blob/ba49216daa50097745f15855238ef8f4d6519bcf/Rocket.Chat/Managers/Model/AuthManager/AuthManagerSocket.swift#L152 | the iOS client ]] revealed how a login message needs to be constructed. Unlike [[ https://rocket.chat/docs/developer-guides/rest-api/authentication/login/#example-call---when-two-factor2fa-authentication-is-enabled | the login method ]] of the REST API endpoint the code isn't just added to the top-level.

On the UI side of things, an additional Code input needs to be shown in the login page.

Reviewers: mlaurent

Subscribers: mlaurent

Differential Revision: https://phabricator.kde.org/D22111

A  +21   -0    autotests/data/method/loginCode.ref
M  +9    -1    autotests/rocketchatmessagetest.cpp
M  +1    -0    autotests/rocketchatmessagetest.h
M  +24   -0    src/apps/qml/Login.qml
M  +2    -0    src/apps/qml/LoginPage.qml
M  +10   -2    src/ruqolacore/ddpapi/ddpclient.cpp
M  +1    -0    src/ruqolacore/ddpapi/ddpclient.h
M  +10   -0    src/ruqolacore/rocketchataccount.cpp
M  +5    -0    src/ruqolacore/rocketchataccount.h
M  +14   -0    src/ruqolacore/rocketchataccountsettings.cpp
M  +5    -0    src/ruqolacore/rocketchataccountsettings.h
M  +15   -3    src/ruqolacore/rocketchatmessage.cpp
M  +1    -1    src/ruqolacore/rocketchatmessage.h

https://commits.kde.org/ruqola/8052497b10011fe0e5bdc7285125f96c33e047ec