Bug Report: Can't log in to Mastodon instance after upgrade if 2-factor auth enabled
by Dave Jones
Description: After today's upgrade of noagendasocial.com, I began receiving this screen after entering my 2nd factor authentication token:
Initially I couldn't log in with Firefox or Chrome, but Amaroq still worked. But, when I went to "account preferences" in Amaroq to check the app tokens it kicked me out of Amaroq and I began getting the same behaviour upon trying to log back in.
I then went to my Freedom Controller account (connected to noagendasocial.com as an app) and the existing token still allows posting status updates to my timeline.
Update
Confirmed that changing the value of OTP_SECRET in the .env.production Mastodon server config file after a user sets up 2-factor auth produces this behaviour.
Used the following SQL command to remove 2-factor from all instance accounts:
UPDATE users SET otp_required_for_login=false WHERE otp_required_for_login=true;
Flow
1. Go to sign in page: /auth/sign_in
2. Enter username and password
3. Page redirects to 2-factor token entry page which still has the /auth/sign_in URL
4. No matter what numbers I put in on this screen I get a 500 - Internal Server Error response back
What I've tried:
Logging in from web interface and from Amaroq app.
Clearing all local storage, cookies, session storage from browser
Requesting a password reset (and then following through with it)
Putting in purposely incorrect 2fa code to provoke a different response
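
An added Ruby example, not code from this report or from Mastodon, showing how a changed OTP_SECRET can make every second-factor attempt fail on the server side no matter which code is typed. It assumes each user's TOTP seed is stored encrypted with AES-256-GCM under a key derived from OTP_SECRET; the helper names and sample values are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Assumed scheme (not taken from the report): each TOTP seed is stored
# encrypted with AES-256-GCM under a key derived from the server-wide OTP_SECRET.
def derive_key(otp_secret, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(otp_secret, salt, 2_000, 32, OpenSSL::Digest.new("SHA256"))
end

def encrypt_seed(seed, otp_secret)
  salt = SecureRandom.random_bytes(16)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(otp_secret, salt)
  iv = cipher.random_iv
  ct = cipher.update(seed) + cipher.final
  { salt: salt, iv: iv, tag: cipher.auth_tag, ct: ct }
end

# Raises OpenSSL::Cipher::CipherError when the key no longer matches the row.
def decrypt_seed(row, otp_secret)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(otp_secret, row[:salt])
  cipher.iv = row[:iv]
  cipher.auth_tag = row[:tag]
  cipher.update(row[:ct]) + cipher.final
end

# What a login handler can do instead of letting the exception become a 500.
def second_factor_state(row, otp_secret)
  decrypt_seed(row, otp_secret)
  :seed_ok
rescue OpenSSL::Cipher::CipherError
  :seed_unreadable
end

# Preflight for operators: how many enrolled users would a new secret lock out?
def unreadable_after_rotation(rows, new_secret)
  rows.count { |row| second_factor_state(row, new_secret) == :seed_unreadable }
end

# Constructed sample data: two enrolled users and two secrets.
OLD_SECRET = "constructed-old-otp-secret"
NEW_SECRET = "constructed-new-otp-secret"
ROWS = ["JBSWY3DPEHPK3PXP", "GEZDGNBVGY3TQOJQ"].map { |s| encrypt_seed(s, OLD_SECRET) }

puts second_factor_state(ROWS[0], OLD_SECRET)
puts unreadable_after_rotation(ROWS, NEW_SECRET)
```

Under this assumption the failure happens before the submitted code is ever compared, which matches the flow above where a purposely incorrect code gives the same response as a correct one.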