Users with MFA/TOTP enabled can't log in to OAuth (2.1.1)
Pleroma 2.1.1, built from source
Steps to reproduce:
- Launch Whalebird
- Add a new account (the account has TOTP enabled on it).
- Whalebird asks you for your Mastodon instance. Give it your Pleroma instance.
- Whalebird comes back and says it's compatible.
- Click Login.
- Your browser is redirected to an OAuth login page.
- Enter your Username & Password.
- OAuth page refreshes and prompts you for your TOTP.
- Enter your TOTP.
- Receive an error message:
{"errors":{"detail":"Internal server error"}}
Logs:
Sep 9 11:57:35 liewrap01 pleroma: request_id=FjMbnXoaC4U2UB0AEUvR [error] Internal server error: %Phoenix.Template.UndefinedError{assigns: %{auth: %Pleroma.Web.OAuth.Authorization{__meta__: #Ecto.Schema.Metadata<:loaded, "oauth_authorizations">, app: #Ecto.Association.NotLoaded<association :app is not loaded>, app_id: 128933, id: 169640, inserted_at: ~N[2020-09-09 11:56:59], scopes: ["read", "write", "follow"], token: "W41pBCk18UxaRsSR_7wKgRAkdrBzCk5PtkLp4nLQtfw", updated_at: ~N[2020-09-09 11:56:59], used: false, user: #Ecto.Association.NotLoaded<association :user is not loaded>, user_id: "9yxBmZlGssghzAPEzA", valid_until: ~N[2020-09-09 12:06:59.661128]}, conn: %Plug.Conn{adapter: {Plug.Cowboy.Conn, :...}, assigns: %{auth: %Pleroma.Web.OAuth.Authorization{__meta__: #Ecto.Schema.Metadata<:loaded, "oauth_authorizations">, app: #Ecto.Association.NotLoaded<association :app is not loaded>, app_id: 128933, id: 169640, inserted_at: ~N[2020-09-09 11:56:59], scopes: ["read", "write", "follow"], token: "W41pBCk18UxaRsSR_7wKgRAkdrBzCk5PtkLp4nLQtfw", updated_at: ~N[2020-09-09 11:56:59], used: false, user: #Ecto.Association.NotLoaded<association :user is not loaded>, user_id: "9yxBmZlGssghzAPEzA", valid_until: ~N[2020-09-09 12:06:59.661128]}, digest: "SHA-256=pV7H5LZV3xseY4HdiG1xcfmGN9jlcCI8ji0LhbL6H+A=", layout: {Pleroma.Web.LayoutView, "app.html"}, locale: "en", remote_ip_found: true}, before_send: [#Function<2.8858237/1 in Phoenix.Controller.fetch_flash/2>, #Function<0.105793137/1 in Plug.Session.before_send/2>, #Function<0.119468924/1 in Pleroma.Web.Endpoint.PipelineInstrumenter.call/2>, #Function<1.132129851/1 in Plug.Logger.call/2>], body_params: %{"_csrf_token" => "JQs4DmFoA3wZS0BjJX8lIzFYbAAsDREmPH_ZT0DKo9r1t8iQy0ZoeTFE", "mfa" => %{"challenge_type" => "totp", "code" => "703050", "mfa_token" => "P4aE4UWteL0IYjpdeNwPRk9_MLq9IfWPJD0Pc0Rqa8g", "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob", "state" => ""}}, cookies: %{"__Host-pleroma_key" => 
"SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ", "__cfduid" => "dfd5d63cc9632b28b8065804cca83a87e1599580793", "_pk_id.2.362e" => "6baef5c0e5aaf331.1599580803.8.1599652619.1599646739.", "_pk_ses.2.362e" => "1"}, halted: false, host: "nsfw.social", method: "POST", owner: #PID<0.29258.10>, params: %{"_csrf_token" => "JQs4DmFoA3wZS0BjJX8lIzFYbAAsDREmPH_ZT0DKo9r1t8iQy0ZoeTFE", "mfa" => %{"challenge_type" => "totp", "code" => "703050", "mfa_token" => "P4aE4UWteL0IYjpdeNwPRk9_MLq9IfWPJD0Pc0Rqa8g", "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob", "state" => ""}}, path_info: ["oauth", "mfa", "verify"], path_params: %{}, port: 80, private: %{Pleroma.Web.Router => {[], %{}}, :phoenix_action => :verify, :phoenix_controller => Pleroma.Web.OAuth.MFAController, :phoenix_endpoint => Pleroma.Web.Endpoint, :phoenix_flash => %{}, :phoenix_layout => {Pleroma.Web.LayoutView, "app.html"}, :phoenix_router => Pleroma.Web.Router, :phoenix_template => "oob_authorization_created.html", :phoenix_view => Pleroma.Web.OAuth.MFAView, :plug_session => %{"user_id" => "9yxBmZlGssghzAPEzA"}, :plug_session_fetch => :done}, query_params: %{}, query_string: "", remote_ip: {67, 191, 205, 149}, req_cookies: %{"__Host-pleroma_key" => "SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ", "__cfduid" => "dfd5d63cc9632b28b8065804cca83a87e1599580793", "_pk_id.2.362e" => "6baef5c0e5aaf331.1599580803.8.1599652619.1599646739.", "_pk_ses.2.362e" => "1"}, req_headers: [{"accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"}, {"accept-encoding", "gzip"}, {"accept-language", "en-US,en;q=0.9"}, {"cache-control", "max-age=0"}, {"cdn-loop", "cloudflare"}, {"cf-connecting-ip", "67.191.205.149"}, {"cf-ipcountry", "US"}, {"cf-ray", "5d00bb8ac9f01853-EWR"}, {"cf-request-id", "0514538ab90000185383bba200000001"}, 
{"cf-visitor", "{\"scheme\":\"https\"}"}, {"connection", "upgrade"}, {"content-length", "255"}, {"content-type", "application/x-www-form-urlencoded"}, {"cookie", "__cfduid=dfd5d63cc9632b28b8065804cca83a87e1599580793; __Host-pleroma_key=SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ; _pk_ses.2.362e=1; _pk_id.2.362e=6baef5c0e5aaf331.1599580803.8.1599652619.1599646739."}, {"dnt", "1"}, {"host", "nsfw.social"}, {"origin", "https://nsfw.social"}, {"referer", "https://nsfw.social/oauth/authorize"}, {"sec-fetch-dest", "document"}, {"sec-fetch-mode", "navigate"}, {"sec-fetch-site", "same-origin"}, {"sec-fetch-user", "?1"}, {"upgrade-insecure-requests", "1"}, {"user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"}, {"x-forwarded-for", "67.191.205.149"}, {"x-forwarded-proto", "https"}], request_path: "/oauth/mfa/verify", resp_body: nil, resp_cookies: %{}, resp_headers: [{"cache-control", "max-age=0, private, must-revalidate"}, {"access-control-allow-origin", "*"}, {"access-control-expose-headers", "Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key"}, {"access-control-allow-credentials", "true"}, {"x-request-id", "FjMbnXoaC4U2UB0AEUvR"}], scheme: :http, script_name: [], secret_key_base: :..., state: :unset, status: nil}, digest: "SHA-256=pV7H5LZV3xseY4HdiG1xcfmGN9jlcCI8ji0LhbL6H+A=", locale: "en", remote_ip_found: true, view_module: Pleroma.Web.OAuth.MFAView, view_template: "oob_authorization_created.html"}, available: ["recovery.html", "totp.html"], module: Pleroma.Web.OAuth.MFAView, pattern: "*", root: "lib/pleroma/web/templates/o_auth/mfa", template: "oob_authorization_created.html"}
Sep 9 11:57:35 liewrap01 pleroma: request_id=FjMbnXoaC4U2UB0AEUvR [info] Converted error Phoenix.Template.UndefinedError to 500 response
Sep 9 11:57:36 liewrap01 pleroma: [info] JOINED chat:public in 81µs#012 Parameters: %{}
Sep 9 11:57:37 liewrap01 pleroma: [error] Ranch protocol #PID<0.29283.10> of listener Pleroma.Web.Endpoint.HTTP (connection #PID<0.29280.10>, stream id 1) terminated#012** (exit) :badarg#012 :erlang.apply([], :user, [])#012 (pleroma 2.1.1) lib/pleroma/web/mastodon_api/websocket_handler.ex:104: Pleroma.Web.MastodonAPI.WebsocketHandler.terminate/3#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_handler.erl:46: :cowboy_handler.execute/2#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl:300: :cowboy_stream_h.execute/3#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl:291: :cowboy_stream_h.request_process/3#012 (stdlib 3.13) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
Sep 9 11:57:38 liewrap01 pleroma: [error] Elixir.Pleroma.Web.MastodonAPI.WebsocketHandler received frame: :ping
Sep 9 11:57:38 liewrap01 pleroma: [error] Elixir.Pleroma.Web.MastodonAPI.WebsocketHandler received frame: :ping
Sep 9 11:57:41 liewrap01 pleroma: request_id=FjMbnub5F6sexdkAEUxR [error] Internal server error: %Phoenix.Template.UndefinedError{assigns: %{auth: %Pleroma.Web.OAuth.Authorization{__meta__: #Ecto.Schema.Metadata<:loaded, "oauth_authorizations">, app: #Ecto.Association.NotLoaded<association :app is not loaded>, app_id: 128933, id: 169640, inserted_at: ~N[2020-09-09 11:56:59], scopes: ["read", "write", "follow"], token: "W41pBCk18UxaRsSR_7wKgRAkdrBzCk5PtkLp4nLQtfw", updated_at: ~N[2020-09-09 11:56:59], used: false, user: #Ecto.Association.NotLoaded<association :user is not loaded>, user_id: "9yxBmZlGssghzAPEzA", valid_until: ~N[2020-09-09 12:06:59.661128]}, conn: %Plug.Conn{adapter: {Plug.Cowboy.Conn, :...}, assigns: %{auth: %Pleroma.Web.OAuth.Authorization{__meta__: #Ecto.Schema.Metadata<:loaded, "oauth_authorizations">, app: #Ecto.Association.NotLoaded<association :app is not loaded>, app_id: 128933, id: 169640, inserted_at: ~N[2020-09-09 11:56:59], scopes: ["read", "write", "follow"], token: "W41pBCk18UxaRsSR_7wKgRAkdrBzCk5PtkLp4nLQtfw", updated_at: ~N[2020-09-09 11:56:59], used: false, user: #Ecto.Association.NotLoaded<association :user is not loaded>, user_id: "9yxBmZlGssghzAPEzA", valid_until: ~N[2020-09-09 12:06:59.661128]}, digest: "SHA-256=pV7H5LZV3xseY4HdiG1xcfmGN9jlcCI8ji0LhbL6H+A=", layout: {Pleroma.Web.LayoutView, "app.html"}, locale: "en", remote_ip_found: true}, before_send: [#Function<2.8858237/1 in Phoenix.Controller.fetch_flash/2>, #Function<0.105793137/1 in Plug.Session.before_send/2>, #Function<0.119468924/1 in Pleroma.Web.Endpoint.PipelineInstrumenter.call/2>, #Function<1.132129851/1 in Plug.Logger.call/2>], body_params: %{"_csrf_token" => "JQs4DmFoA3wZS0BjJX8lIzFYbAAsDREmPH_ZT0DKo9r1t8iQy0ZoeTFE", "mfa" => %{"challenge_type" => "totp", "code" => "703050", "mfa_token" => "P4aE4UWteL0IYjpdeNwPRk9_MLq9IfWPJD0Pc0Rqa8g", "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob", "state" => ""}}, cookies: %{"__Host-pleroma_key" => 
"SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ", "__cfduid" => "dfd5d63cc9632b28b8065804cca83a87e1599580793", "_pk_id.2.362e" => "6baef5c0e5aaf331.1599580803.8.1599652660.1599646739.", "_pk_ses.2.362e" => "1"}, halted: false, host: "nsfw.social", method: "POST", owner: #PID<0.29317.10>, params: %{"_csrf_token" => "JQs4DmFoA3wZS0BjJX8lIzFYbAAsDREmPH_ZT0DKo9r1t8iQy0ZoeTFE", "mfa" => %{"challenge_type" => "totp", "code" => "703050", "mfa_token" => "P4aE4UWteL0IYjpdeNwPRk9_MLq9IfWPJD0Pc0Rqa8g", "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob", "state" => ""}}, path_info: ["oauth", "mfa", "verify"], path_params: %{}, port: 80, private: %{Pleroma.Web.Router => {[], %{}}, :phoenix_action => :verify, :phoenix_controller => Pleroma.Web.OAuth.MFAController, :phoenix_endpoint => Pleroma.Web.Endpoint, :phoenix_flash => %{}, :phoenix_layout => {Pleroma.Web.LayoutView, "app.html"}, :phoenix_router => Pleroma.Web.Router, :phoenix_template => "oob_authorization_created.html", :phoenix_view => Pleroma.Web.OAuth.MFAView, :plug_session => %{"user_id" => "9yxBmZlGssghzAPEzA"}, :plug_session_fetch => :done}, query_params: %{}, query_string: "", remote_ip: {67, 191, 205, 149}, req_cookies: %{"__Host-pleroma_key" => "SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ", "__cfduid" => "dfd5d63cc9632b28b8065804cca83a87e1599580793", "_pk_id.2.362e" => "6baef5c0e5aaf331.1599580803.8.1599652660.1599646739.", "_pk_ses.2.362e" => "1"}, req_headers: [{"accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"}, {"accept-encoding", "gzip"}, {"accept-language", "en-US,en;q=0.9"}, {"cache-control", "max-age=0"}, {"cdn-loop", "cloudflare"}, {"cf-connecting-ip", "67.191.205.149"}, {"cf-ipcountry", "US"}, {"cf-ray", "5d00bbb0fcd81853-EWR"}, {"cf-request-id", "051453a29f00001853838e8200000001"}, 
{"cf-visitor", "{\"scheme\":\"https\"}"}, {"connection", "upgrade"}, {"content-length", "255"}, {"content-type", "application/x-www-form-urlencoded"}, {"cookie", "__cfduid=dfd5d63cc9632b28b8065804cca83a87e1599580793; __Host-pleroma_key=SFMyNTY.g3QAAAABbQAAAAd1c2VyX2lkbQAAABI5eXhCbVpsR3NzZ2h6QVBFekE.NiSuf5QhgDnuEOs4A2DMe8P44HRqAcSWsAufkEDI-xQ; _pk_ses.2.362e=1; _pk_id.2.362e=6baef5c0e5aaf331.1599580803.8.1599652660.1599646739."}, {"dnt", "1"}, {"host", "nsfw.social"}, {"origin", "https://nsfw.social"}, {"referer", "https://nsfw.social/oauth/authorize"}, {"sec-fetch-dest", "document"}, {"sec-fetch-mode", "navigate"}, {"sec-fetch-site", "same-origin"}, {"sec-fetch-user", "?1"}, {"upgrade-insecure-requests", "1"}, {"user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"}, {"x-forwarded-for", "67.191.205.149"}, {"x-forwarded-proto", "https"}], request_path: "/oauth/mfa/verify", resp_body: nil, resp_cookies: %{}, resp_headers: [{"cache-control", "max-age=0, private, must-revalidate"}, {"access-control-allow-origin", "*"}, {"access-control-expose-headers", "Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key"}, {"access-control-allow-credentials", "true"}, {"x-request-id", "FjMbnub5F6sexdkAEUxR"}], scheme: :http, script_name: [], secret_key_base: :..., state: :unset, status: nil}, digest: "SHA-256=pV7H5LZV3xseY4HdiG1xcfmGN9jlcCI8ji0LhbL6H+A=", locale: "en", remote_ip_found: true, view_module: Pleroma.Web.OAuth.MFAView, view_template: "oob_authorization_created.html"}, available: ["recovery.html", "totp.html"], module: Pleroma.Web.OAuth.MFAView, pattern: "*", root: "lib/pleroma/web/templates/o_auth/mfa", template: "oob_authorization_created.html"}
Sep 9 11:57:41 liewrap01 pleroma: request_id=FjMbnub5F6sexdkAEUxR [info] Converted error Phoenix.Template.UndefinedError to 500 response
Sep 9 11:57:49 liewrap01 pleroma: [error] Ranch protocol #PID<0.29392.10> of listener Pleroma.Web.Endpoint.HTTP (connection #PID<0.29393.10>, stream id 1) terminated#012** (exit) :badarg#012 :erlang.apply([], :user, [])#012 (pleroma 2.1.1) lib/pleroma/web/mastodon_api/websocket_handler.ex:104: Pleroma.Web.MastodonAPI.WebsocketHandler.terminate/3#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_handler.erl:46: :cowboy_handler.execute/2#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl:300: :cowboy_stream_h.execute/3#012 (cowboy 2.8.0) /opt/pleroma/deps/cowboy/src/cowboy_stream_h.erl:291: :cowboy_stream_h.request_process/3#012 (stdlib 3.13) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
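In the error lines above, the fields that explain the 500 are the struct's own trailing ones (`module`, `template`, `available`), while the nested `%Plug.Conn` dump carries the session cookie, CSRF token, `mfa_token`, submitted TOTP code and OAuth authorization token. Added example, not part of the original report or of Pleroma's code: a Python helper that pulls out the triage fields and blanks the credential values before a log is shared; `summarize`, `redact` and the abbreviated sample line are constructed for illustration.

```python
import re

# Constructed sample: an abbreviated copy of the first error line above, with
# every secret value replaced by a placeholder.
SAMPLE = (
    'Sep 9 11:57:35 liewrap01 pleroma: request_id=FjMbnXoaC4U2UB0AEUvR [error] '
    'Internal server error: %Phoenix.Template.UndefinedError{assigns: %{auth: '
    '%Pleroma.Web.OAuth.Authorization{token: "TOKEN-PLACEHOLDER", used: false}, '
    'conn: %Plug.Conn{body_params: %{"_csrf_token" => "CSRF-PLACEHOLDER", '
    '"mfa" => %{"challenge_type" => "totp", "code" => "000000", '
    '"mfa_token" => "MFA-PLACEHOLDER"}}, cookies: %{"__Host-pleroma_key" => '
    '"COOKIE-PLACEHOLDER"}, request_path: "/oauth/mfa/verify"}}, '
    'available: ["recovery.html", "totp.html"], module: Pleroma.Web.OAuth.MFAView, '
    'pattern: "*", root: "lib/pleroma/web/templates/o_auth/mfa", '
    'template: "oob_authorization_created.html"}'
)

# Keys whose values are credentials in the dump (names taken from the log above).
QUOTED_KEYS = ("_csrf_token", "code", "mfa_token", "__Host-pleroma_key", "cookie")
_QUOTED = re.compile(r'("(?:%s)"\s*(?:=>|,)\s*)"[^"]*"'
                     % "|".join(map(re.escape, QUOTED_KEYS)))
_ATOM = re.compile(r'(\btoken: )"[^"]*"')  # OAuth authorization token field


def redact(line):
    """Blank credential values but keep the structure needed for triage."""
    line = _QUOTED.sub(r'\1"[REDACTED]"', line)
    return _ATOM.sub(r'\1"[REDACTED]"', line)


def summarize(line):
    """Return the fields that explain an UndefinedError, or None."""
    start = line.rfind("available: [")
    if "Phoenix.Template.UndefinedError" not in line or start < 0:
        return None
    tail = line[start:]  # the struct's own fields follow the nested conn dump
    available = re.findall(r'"([^"]+)"', tail[:tail.index("]")])
    view = re.search(r"\bmodule: ([\w.]+)", tail)
    template = re.search(r'\btemplate: "([^"]+)"', tail)
    rid = re.search(r"request_id=(\S+)", line)
    path = re.search(r'request_path: "([^"]+)"', line)
    return {
        "request_id": rid.group(1) if rid else None,
        "request_path": path.group(1) if path else None,
        "view": view.group(1) if view else None,
        "template": template.group(1) if template else None,
        "available": available,
        "missing": bool(template) and template.group(1) not in available,
    }
```

On the sample, `summarize` reports that `Pleroma.Web.OAuth.MFAView` was asked for `oob_authorization_created.html` while only `recovery.html` and `totp.html` exist, and the result is unchanged after `redact`.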