rRPK/plugins/kolab_2fa: QR code does not include secret
Closed, InvalidPublic


QR code should contain a string like ?secret=X1A3C7... which is missing.

atm there is only otpauth://totp/<custom-string>?issuer=<custom-string2> within the QR code.




Ticket Type

Event Timeline

Weird - I cannot seem to reproduce this issue on my Debian Stretch box with up-to-date Kolab 16 packages (roundcubemail 1.4-0~kolab53, roundcubemail-plugins-kolab 3.4-0~kolab57) and the Elastic skin.

roundcubemail 1.4-0 is still beta.
can you try with current stable v1.3.8 from upstream, pls?

Sorry, I cannot easily downgrade to 1.3.8 to try stuff out on my system.
May I ask which distro you are on and which version of Kolab you're using?

For TOTP a quick and dirty fix may be applied (at your own risk, of course).

  1. Find the following code in "lib/Kolab2FA/Driver/TOTP.php"
// PHP gets a string, but we're comparing integers.
$code = (int)$code;

Change it to:

// PHP gets a string, but we're comparing integers.
//$code = (int)$code;

This eliminates tons of warnings in the log. Needs to be verified by the developers.

  1. Find the following code in 'lib/Kolab2FA/OTP/TOTP.php'
use OTP;

Change it to:

//use OTP;
use Base;

This also needs to be verified by the developers. It is a quick and dirty fix to get things running in my test environment.

Please be aware that it works on MY machine with roundcube 4 beta on Ubuntu 18.04 with nginx and php 7.2. It might not work on your system or the original code may work as expected.
It could be an issue with PHP 7.2 or a weird bug in the beta of roundcube (which might happen in a beta - it's not yet fully stable)

So if you run into trouble with missing secret in the QR, the fix above might help. I didn't get it to work with the Google Authenticator - but FreeOTP works. Might have to do with my decision to use sha256.

Good luck!

You may have a look at this one:

It is a fork which fixes some issues with deprecated dependencies and TOTP problems. Would love to receive feedback - works perfect for me.

vanmeeuwen closed this task as Invalid.Mar 21 2019, 11:16 PM
vanmeeuwen added a subscriber: vanmeeuwen.

This isn't a Kolab bug, nor a bug in the master branch of kolab-plugins that provides kolab_2fa, that closely follows the roundcube upstream master branch.

Please don't expect a DIY mix-and-match to end up in a supported environment.

pasik added a subscriber: pasik.Aug 29 2019, 9:08 PM