2FA broken after upgrading to latest Grav, admin-panel, and login-plugin

[Eihrister]

Hello,

Last night I upgraded one of my sites from the pre-latest Stable versions (I keep up to date) to Grav 1.7.10, and there were also 4 new plugin updates available, amongst which the "login" plugin, and the admin panel.

However, logging in after my session expired, is impossible now without disabling 2FA manually by editing my user/accounts/danielm.yaml file.

Every time I try to log in with 2FA enabled now, it throws me a "Invalid Security Token" error after entering the 2FA code.

Tried the following:

• bin/grav cache
• bin/grav clean
• Private window in multiple different browsers (Firefox, Chrome, Brave, Edge).
• Regenerating 2FA secret and re-adding to Google Authenticator.
• Disabling 2FA works, it's the only thing that lets me in.

I tried reproducing it on another Grav site I run, which was running the same versions and upgraded to the latest Stable versions of the above as well. Same issues, can no longer log in to that site either without disabling 2FA.

Seems as if the login-plugin upgrade broke something, or the admin panel (seems less likely).

Kind regards,

Eih

You are running Grav v1.7.10

GPM Releases Configuration: Stable

PLUGINS [ 22 ]

Packages table
--------------

+-------+--------------------------+------------------+---------+-----------+----------+
| Count | Name                     | Slug             | Version | Installed | Enabled  |
+-------+--------------------------+------------------+---------+-----------+----------+
| 1     | GDPR Privacy Setup       | gdprprivacysetup | v0.1.1  | installed | disabled |
| 2     | Problems                 | problems         | v2.0.3  | installed | enabled  |
| 3     | Color Tools              | color-tools      | v1.0.1  | installed | enabled  |
| 4     | Error                    | error            | v1.7.1  | installed | enabled  |
| 5     | Markdown Notices         | markdown-notices | v1.1.0  | installed | enabled  |
| 6     | Instagram Feed           | instagram-feed   | v1.0.0  | installed | enabled  |
| 7     | Zapier RSS               | zapier-rss       | v1.0.0  | installed | enabled  |
| 8     | License Manager          | license-manager  | v1.0.1  | installed | enabled  |
| 9     | Svg Icons                | svg-icons        | v1.0.2  | installed | enabled  |
| 10    | Seo Magic                | seo-magic        | v1.0.3  | installed | enabled  |
| 11    | Warm Cache               | warm-cache       | v1.0.1  | installed | enabled  |
| 12    | NextGen Content Edit...  | nextgen-editor   | v1.0.6  | installed | enabled  |
| 13    | Sitemap                  | sitemap          | v3.0.1  | installed | enabled  |
| 14    | Lightbox Gallery         | lightbox-gallery | v1.0.3  | installed | enabled  |
| 15    | Shortcode Core           | shortcode-core   | v5.0.5  | installed | enabled  |
| 16    | File Browser             | file-browser     | v0.2.8  | installed | enabled  |
| 17    | LangSwitcher             | langswitcher     | v1.4.2  | installed | enabled  |
| 18    | Form                     | form             | v5.0.1  | installed | enabled  |
| 19    | Email                    | email            | v3.1.2  | installed | enabled  |
| 20    | Login                    | login            | v3.4.2  | installed | enabled  |
| 21    | Flex Objects             | flex-objects     | v1.0.7  | installed | enabled  |
| 22    | Admin Panel              | admin            | v1.10.9 | installed | enabled  |
+-------+--------------------------+------------------+---------+-----------+----------+

THEMES [ 1 ]

Packages table
--------------

+-------+----------+---------+---------+-----------+---------+
| Count | Name     | Slug    | Version | Installed | Enabled |
+-------+----------+---------+---------+-----------+---------+
| 1     | Typhoon  | typhoon | v1.1.0  | installed | enabled |
+-------+----------+---------+---------+-----------+---------+

[mahagr]

Does this happen in admin or site?

[Eihrister]

Does this happen in admin or site?

Valid question! Forgot to mention that- My main site doesn't have any content behind a login, so was talking from an "admin panel" point of view.

I just tested it on the site I reproduced it on, and there logging in through the normal site does not have the same issue. The admin panel there fails with "Invalid Security Token", but 2FA on the regular site works as intended.

[mahagr]

@Eihrister Thanks for reporting this one! We will release a fix for this soon.

[Eihrister]

Hi again,

I just saw the release and upgraded; unfortunately, the problem has changed, but is not quite solved yet.

This is what I get after entering my 2FA code now; "You have been succesfully logged in", and a "You have been logged out" at the same time, reprompting for a 2FA code, not returning to the username/password screen, either. Reopening in a new private window does not make it work, either.

[mahagr]

Can you ping me in discord as I'm not able to reproduce your issue. Also, do you have some login integration plugin turned on?

[mahagr]

All issues should be fixed now (tested with this site), so closing the issue.

Fixes are in the next release.