Defect #34233

otpauth uri should include a login id, not an email address

Added by Go MAEDA about 1 year ago. Updated about 1 year ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Accounts / authentication
Target version: -
Resolution: Fixed
Affected version:

Description

Currently, the otpauth URI generated by Redmine includes the user's email address. But it should be an account name, not an email address.

(1) The TOTP gem's documentation says that the parameter for TOTP#provisioning_uri is "name of the account".

(2) Some TOTP authenticator apps display it as the account name for the service. But you cannot sign in to Redmine with the displayed "account" because what you should enter in the login form is not an email address but a login id.

The issue can be fixed with the following patch.

diff --git a/lib/redmine/twofa/totp.rb b/lib/redmine/twofa/totp.rb
index e304208a2..603661350 100644
--- a/lib/redmine/twofa/totp.rb
+++ b/lib/redmine/twofa/totp.rb
@@ -50,7 +50,7 @@ module Redmine
       end

       def provisioning_uri
-        totp.provisioning_uri(@user.mail)
+        totp.provisioning_uri(@user.login)
       end

       def init_pairing_view_variables
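
Review bot: the changed call in provisioning_uri comes with no test in this patch, so nothing stops the label from drifting back to @user.mail later. Add a regression test asserting that the generated otpauth URI carries @user.login and not the email address. It is also worth confirming that a login containing characters such as "@" or a space comes out correctly escaped in the URI, and noting for users that entries already scanned into an authenticator app keep the old email label until they pair again.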

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authentication Closed 2008-05-14

Associated revisions

Revision 20307
Added by Go MAEDA about 1 year ago

otpauth uri should include a login id, not an email address (#1237, #34233).
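
The label change this issue describes, shown as an added example that is not part of the original issue or of Redmine's code: it parses an otpauth URI laid out per the Key URI Format and reports whether the account label is the login id or the email address. The helper names, the sample URIs, the issuer "Redmine", the secret and the user are all constructed for illustration.

```ruby
require 'uri'

# Constructed sample URIs (issuer, secret and user are made up).
BEFORE_FIX = 'otpauth://totp/Redmine:jsmith%40example.net?secret=JBSWY3DPEHPK3PXP&issuer=Redmine'
AFTER_FIX  = 'otpauth://totp/Redmine:jsmith?secret=JBSWY3DPEHPK3PXP&issuer=Redmine'

# Percent-decode a path segment; "+" stays literal, unlike form decoding.
def percent_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
     .force_encoding('UTF-8')
end

# Split an otpauth:// URI into type, issuer and account name.
# The label is "account" or "issuer:account" (":" may arrive as "%3A").
def parse_otpauth(uri_string)
  uri = URI.parse(uri_string)
  raise ArgumentError, 'not an otpauth URI' unless uri.scheme == 'otpauth'

  label = percent_decode(uri.path.to_s.delete_prefix('/'))
  issuer, account = label.include?(':') ? label.split(':', 2) : [nil, label]
  params = URI.decode_www_form(uri.query.to_s).to_h
  { type: uri.host, issuer: issuer || params['issuer'], account: account.lstrip }
end

# Classify what the authenticator app will show as the account name:
# :login is what the user can type into the login form, :mail is the
# pre-fix behaviour, :other is anything else.
def label_kind(uri_string, login:, mail:)
  account = parse_otpauth(uri_string)[:account]
  return :login if account == login
  return :mail if account.casecmp?(mail)

  :other
end

if __FILE__ == $PROGRAM_NAME
  user = { login: 'jsmith', mail: 'jsmith@example.net' } # constructed user
  { 'before fix' => BEFORE_FIX, 'after fix' => AFTER_FIX }.each do |name, uri|
    puts "#{name}: label is #{label_kind(uri, **user)}"
  end
end
```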

History

#1 Updated by Go MAEDA about 1 year ago

  • Related to Feature #1237: Add support for two-factor authentication added

#2 Updated by Go MAEDA about 1 year ago

  • Subject changed from otpauth uri should include an account name, not an email address to otpauth uri should include a login id, not an email address
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix as a part of #1237.
