Apps-android-commons: 2FA logins not working in 2.11

Created on 27 Aug 2019 · 18 Comments · Source: commons-app/apps-android-commons

A report from one of our users:

I had trouble with the app and then uninstalled and reinstalled, but I simply cannot log in. (I have 2FA enabled.) I can log in via browser; the app simply says failed login (and then too many failed logins).

bug


All 18 comments

@misaochan Is this happening for all users? Can someone with 2FA enabled try to reproduce the issue in a debuggable app and share the logs?

I meant to test that, but I've had 2FA off for a while. Will try to reenable 2FA on my account and re-test soon.

> @misaochan Is this happening for all users? Can someone with 2FA enabled try to reproduce the issue in a debuggable app and share the logs?

It happened to me too. So I disabled my 2FA, then logged in to the app... but I must write down my token again because it changed when I enabled 2FA again. 🤣

@misaochan I think I know what the problem is. The password of this user got into the list of commonly used passwords. I had this problem today. If I tried to log in with a "popular password", the app writes "error" and that's all.

Why did it happen: "I tried to log in to the prod version with my beta account, and did it many times. My password got blocked and went into the LIST OF BAD PASSWORDS :D"

The user can reset their password and all will be OK, I think.

@PavelAplevich I suspect the recent expansion of the Common passwords list (Ref: Phab ticket, Tech News) is the reason behind this issue. That's because it seems to have happened just very recently. Though, I'm not very sure about it.

When I try to log in with my "bad" password, I see "connection error" (maybe another, I'm not sure) and that's all. And I think this is the problem. The user doesn't understand what happened. I read my AndStudio logcat and can understand the problem, but the user can't do this.

> @PavelAplevich I suspect the recent expansion of the Common passwords list (Ref: Phab ticket, Tech News) is the reason behind this issue.

I actually meant _... is not the reason ..._ My bad.

> When I try to log in with my "bad" password, I see "connection error" (maybe another, I'm not sure) and that's all. And I think this is the problem. The user doesn't understand what happened. I read my AndStudio logcat and can understand the problem, but the user can't do this.

The user should be made aware of the bad password issue clearly. But that is a _different issue_ than this one, I suppose.

No, this is the reason for this issue. If the user's password goes "bad", the user can't log in with his password; the app writes "failed login" and that's all (it doesn't clarify the reason). The user tries again and again, because he knows that the password is correct. The user reinstalls the app and does the same actions, but the app writes "failed login". At this stage I started to think that the login system is broken, went into the logs, and in the logs I saw the problem with my password. The user who reported this bug simply didn't understand that the problem is about the password; he thought the problem was with the app. I think we can close this issue and just create the right login instructions for our users.

I also was unable to log in to the app from my mobile phone. I have 2FA enabled, and I seriously doubt it is due to anything like "weak password".

Same here. I cannot login with 2FA enabled.

> I think we can close this issue and just create the right login instructions for our users.

I don't think so; a number of experienced users with 2FA enabled can't log in. The problem is not my pw. So I can confirm what @Darwinius wrote above.

> I meant to test that, but I've had 2FA off for a while. Will try to reenable 2FA on my account and re-test soon.

@misaochan were you able to test this?

Just managed to reenable 2FA and test this. 2FA logins on 2.11-release (which is the version that users are using) do not prompt for OTP and automatically fail with the logs below.

```
2019-09-24 23:59:43.122 3196-3196/fr.free.nrw.commons D/LoginActivity: Login to start!
2019-09-24 23:59:43.224 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.655 3196-3308/fr.free.nrw.commons I/chatty: uid=10079(fr.free.nrw.commons) RenderThread identical 40 lines
2019-09-24 23:59:43.659 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.673 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.730 3196-3308/fr.free.nrw.commons I/chatty: uid=10079(fr.free.nrw.commons) RenderThread identical 7 lines
2019-09-24 23:59:43.742 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.747 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.762 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.768 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.794 3196-3308/fr.free.nrw.commons I/chatty: uid=10079(fr.free.nrw.commons) RenderThread identical 3 lines
2019-09-24 23:59:43.799 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.813 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.836 3196-3308/fr.free.nrw.commons I/chatty: uid=10079(fr.free.nrw.commons) RenderThread identical 3 lines
2019-09-24 23:59:43.847 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.853 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.864 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.870 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.882 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:43.888 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:44.044 3196-3308/fr.free.nrw.commons I/chatty: uid=10079(fr.free.nrw.commons) RenderThread identical 18 lines
2019-09-24 23:59:44.056 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:44.344 3196-4854/fr.free.nrw.commons D/CustomApiResult: API response for method https://commons.wikimedia.org/w/api.php is
     <?xml version="1.0" encoding="UTF-8"?><api batchcomplete=""><query><tokens logintoken="redacted+\"/></query></api>
2019-09-24 23:59:44.362 3196-4854/fr.free.nrw.commons D/ApacheHttpClientMediaWikiApi: Login token is redacted+\
2019-09-24 23:59:45.610 3196-4854/fr.free.nrw.commons D/CustomApiResult: API response for method https://commons.wikimedia.org/w/api.php is
     <?xml version="1.0" encoding="UTF-8"?><api><clientlogin status="UI" message="Please enter a verification code from your authentication device." messagecode="oathauth-auth-ui"><requests><_v id="MediaWiki\Extension\OATHAuth\Auth\TOTPAuthenticationRequest" required="required" provider="Two-factor authentication (OATH)." account="Misaochan"><metadata/><fields><OATHToken type="string" label="Token" help="The one-time password used as the second factor of two-factor authentication."/></fields></_v></requests></clientlogin></api>
2019-09-24 23:59:45.630 3196-3196/fr.free.nrw.commons D/LoginActivity: Login done!
2019-09-24 23:59:45.631 3196-3196/fr.free.nrw.commons D/LoginActivity: Login failed with reason: genericerror-UI
2019-09-24 23:59:45.638 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
2019-09-24 23:59:45.664 3196-3308/fr.free.nrw.commons D/EGL_emulation: eglMakeCurrent: 0xe7685360: ver 3 1 (tinfo 0xe76833c0)
```

Additionally, 2FA logins also fail in backend-overhaul (the un-released development branch). @maskaravivek @ashishkumar468 please be aware that backend-overhaul logs display the user's password in plaintext. This should never happen, please make sure this is fixed before we merge backend-overhaul to master.

Edit: for anyone else reading this who might be concerned - you are safe as long as you don't manually build our development branch and post logs. Passwords are not displayed in 2.11 logs.
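
The log in the comment above shows the server answering with `status="UI"` and an `OATHToken` field, which the client then reports as `genericerror-UI`. The sketch below is an added example, not code from the Commons app: it treats `UI` as a prompt for the second factor and builds the follow-up request. The function names and sample responses are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the status="UI" response in the log above;
# the account name is a placeholder and the attributes are shortened.
SAMPLE_UI = (
    b'<api><clientlogin status="UI" message="Please enter a verification code '
    b'from your authentication device." messagecode="oathauth-auth-ui"><requests>'
    b'<_v id="TOTPAuthenticationRequest" required="required" account="ExampleUser">'
    b'<metadata/><fields><OATHToken type="string" label="Token"/></fields>'
    b'</_v></requests></clientlogin></api>'
)
# Constructed failure response; the messagecode is a placeholder, not a real code.
SAMPLE_FAIL = b'<api><clientlogin status="FAIL" messagecode="constructed-code"/></api>'


def classify_clientlogin(xml_bytes):
    """Map a clientlogin response to the next client action (hypothetical helper)."""
    node = ET.fromstring(xml_bytes).find("clientlogin")
    if node is None:
        return {"action": "error", "reason": "no clientlogin element"}
    status = node.get("status", "")
    if status == "PASS":
        return {"action": "done"}
    if status == "UI":
        # Not a failure: the server is asking for more input. Collect the
        # field names it wants (OATHToken for a TOTP second factor).
        fields = [f.tag for req in node.iter("_v") for f in req.findall("fields/*")]
        return {"action": "prompt", "fields": fields,
                "message": node.get("message"), "code": node.get("messagecode")}
    if status == "FAIL":
        return {"action": "failed", "code": node.get("messagecode")}
    # REDIRECT / RESTART or anything unknown: surface it, never fold it into FAIL.
    return {"action": "unsupported", "status": status}


def continuation_params(login_token, answers):
    """Second clientlogin request: same token, logincontinue set, plus the answers."""
    return {"action": "clientlogin", "format": "xml", "logincontinue": "1",
            "logintoken": login_token, **answers}
```

Showing the server's `message` to the user in the `prompt` case also keeps a 2FA challenge from being counted by the user as a wrong password and retried until the account is throttled.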

Hi @misaochan, do the tests fail on the latest commit of backend-overhaul? I don't have 2FA enabled myself; would it be possible for you to attach the relevant logs from backend-overhaul?

@ashishkumar468 Yes, the tests fail on the latest commit of backend-overhaul. I didn't post the logs yesterday because they contain a lot more sensitive information than 2.11-release logs. I'll try and redact them today and email them to you and Vivek.
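
Redacting by hand before sharing, as described above, can be backed by scrubbing credentials before they reach the log at all. The following is an added example, not the project's code: a logging filter that masks the values of `password`, `retype`, `logintoken` and `OATHToken` in form-encoded bodies and XML attributes. The field list, names and sample lines are assumptions and constructed data.

```python
import logging
import re

# Assumed list of sensitive login parameters; extend it for your own client.
SENSITIVE = ("password", "retype", "logintoken", "OATHToken")
# name=value in a form body, or name="value" as an XML attribute.
_PATTERN = re.compile(
    r'\b(' + "|".join(SENSITIVE) + r')=("[^"]*"|[^&\s"]*)', re.IGNORECASE
)


def redact(text):
    """Replace the value of every sensitive key, keeping the key visible."""
    def _sub(match):
        quoted = match.group(2).startswith('"')
        return match.group(1) + "=" + ('"[REDACTED]"' if quoted else "[REDACTED]")
    return _PATTERN.sub(_sub, text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so %-style arguments are covered too."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo():
    """Log one constructed request body through the filter; return what was emitted."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(record.getMessage())

    log = logging.getLogger("redaction-demo")
    log.propagate = False
    log.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    # Constructed sample line, not taken from any real log.
    log.debug("POST body: %s", "username=ExampleUser&password=constructed-secret")
    log.removeHandler(handler)
    return captured
```

Pattern matching only catches the `key=value` shapes listed; free-text lines such as "Login token is ..." need the log statement itself removed or changed.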

That would be great, thanks JO :)
