Defect #34233
closed
otpauth uri should include a login id, not an email address
% Done: 0%
Resolution: Fixed
Description
Currently, the otpauth uri generated by Redmine includes the user's email address. But it should be an account name, not an email address.
(1) The TOTP gem's documentation says that the parameter for TOTP#provisioning_uri is "name of the account".
(2) Some TOTP authenticator apps display it as the account name for the service. But you cannot sign in to Redmine with the displayed "account" because what you should enter into the login form is not an email address but a login id.
The issue can be fixed with the following patch.
diff --git a/lib/redmine/twofa/totp.rb b/lib/redmine/twofa/totp.rb
index e304208a2..603661350 100644
--- a/lib/redmine/twofa/totp.rb
+++ b/lib/redmine/twofa/totp.rb
@@ -50,7 +50,7 @@ module Redmine
end
def provisioning_uri
- totp.provisioning_uri(@user.mail)
+ totp.provisioning_uri(@user.login)
end
def init_pairing_view_variables
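Review bot: the switch to `@user.login` in provisioning_uri ships without a test, since the patch touches only lib/redmine/twofa/totp.rb. Suggest adding a unit test that asserts the account part of the generated otpauth URI equals the user's login and does not contain the mail address, so the email label cannot come back unnoticed. It is also worth stating in the commit message that entries already stored in an authenticator app keep their old email label until the user pairs again.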
Related issues
Updated by Go MAEDA about 4 years ago
- Related to Feature #1237: Add support for two-factor authentication added
Updated by Go MAEDA about 4 years ago
- Subject changed from otpauth uri should include an account name, not an email address to otpauth uri should include a login id, not an email address
- Status changed from New to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the fix as a part of #1237.
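The label difference described in this issue, as an added example that is not part of the original report or of Redmine's code: a Ruby check that parses an otpauth URI and reports whether its account part is the user's login. The sample URIs, the secret, the issuer "Redmine", and the helper names `pct_decode`, `parse_otpauth` and `label_problems` are assumptions constructed for illustration.

```ruby
require "uri"

# Constructed sample URIs (secret and issuer are made up for this example).
BEFORE_URI = "otpauth://totp/Redmine:jsmith%40example.net?secret=JBSWY3DPEHPK3PXP&issuer=Redmine"
AFTER_URI  = "otpauth://totp/Redmine:jsmith?secret=JBSWY3DPEHPK3PXP&issuer=Redmine"

# Percent-decode a path segment. "+" stays literal, unlike form decoding.
def pct_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding("UTF-8")
end

# Parse an otpauth URI into its type, issuer prefix and account name.
# Label layout: [issuer ":"] account, where ":" may be sent as %3A.
def parse_otpauth(uri_string)
  uri = URI.parse(uri_string)
  raise ArgumentError, "not an otpauth URI" unless uri.scheme == "otpauth"
  label = pct_decode(uri.path.to_s.delete_prefix("/"))
  raise ArgumentError, "empty label" if label.empty?
  issuer, account = label.include?(":") ? label.split(":", 2) : [nil, label]
  params = URI.decode_www_form(uri.query.to_s).to_h
  { type: uri.host, issuer: issuer, account: account.lstrip,
    issuer_param: params["issuer"] }
end

# Hypothetical helper: list what is wrong with the label for a given user.
def label_problems(uri_string, login:, mail:)
  info = parse_otpauth(uri_string)
  problems = []
  problems << "account is the mail address" if info[:account].casecmp?(mail)
  problems << "account is not the login" unless info[:account] == login
  if info[:issuer] && info[:issuer_param] && info[:issuer] != info[:issuer_param]
    problems << "issuer prefix and issuer parameter differ"
  end
  problems
end

if __FILE__ == $0
  user = { login: "jsmith", mail: "jsmith@example.net" }
  [BEFORE_URI, AFTER_URI].each do |u|
    puts "#{u}\n  -> #{label_problems(u, **user).inspect}"
  end
end
```

A login that is itself an email address would trip the first check by design; the equality check against the login is the one that matters for sign-in.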