Defect #34233

closed

otpauth uri should include a login id, not an email address

Added by Go MAEDA over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Accounts / authentication
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Currently, the otpauth URI generated by Redmine includes the user's email address. But it should be an account name, not an email address.

(1) The TOTP gem's documentation says that the parameter for TOTP#provisioning_uri is "name of the account".

(2) Some TOTP authenticator apps display it as the account name for the service. But you cannot sign in to Redmine with the displayed "account" because what you should enter in the login form is not an email address but a login id.

The issue can be fixed with the following patch.

diff --git a/lib/redmine/twofa/totp.rb b/lib/redmine/twofa/totp.rb
index e304208a2..603661350 100644
--- a/lib/redmine/twofa/totp.rb
+++ b/lib/redmine/twofa/totp.rb
@@ -50,7 +50,7 @@ module Redmine
       end

       def provisioning_uri
-        totp.provisioning_uri(@user.mail)
+        totp.provisioning_uri(@user.login)
       end

       def init_pairing_view_variables
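
Review bot: The switch to @user.login in provisioning_uri arrives without a test, since the patch only touches lib/redmine/twofa/totp.rb. Consider adding an assertion that the generated URI carries the user's login and no longer contains @user.mail, so a later refactor cannot silently revert the label. Note also that an authenticator app reads this label only at pairing time, so accounts paired before the change will keep showing the email address until they are re-paired; that is worth a line in the changelog.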

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authentication (Closed, Go MAEDA, 2008-05-14)

#1

Updated by Go MAEDA over 3 years ago

  • Related to Feature #1237: Add support for two-factor authentication added
#2

Updated by Go MAEDA over 3 years ago

  • Subject changed from otpauth uri should include an account name, not an email address to otpauth uri should include a login id, not an email address
  • Status changed from New to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the fix as a part of #1237.
