[CORE-5067] 2FA: Spaces in company name cause issue with setting up new TOTP token - Blesta

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.9.0
Fix Version/s: 5.9.3
Component/s: Client Interface, Staff Interface
Labels:
None

Description

The 2FA system allows clients and staff to scan a QR code to set up TOTP. Some tokens like LastPass and Oracle do not work when there is an unescaped space in the Company Name.

Reported, not yet tested internally.

Issue: Space Character in Issuer Section within OTP QR code doesn't work with all 3P authenticator apps

To reproduce:
Install LastPass or Oracle authenticator
Generate MFA code in the account section
Scan code with app
App fails registration with unknown/generic error
Note: it appears Google and Microsoft just fix the space on their own

Root cause:
Sample decoded qr code (current generated code in prod), notice the space before the "LLC" in the issuer section:
otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost LLC

To Fix:
Use URL encoding for the space, %20:
otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost%20LLC

Activity

There are no comments yet on this issue.

People

Assignee:

Abdy Franco

Reporter:

Paul Phillips

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

29/Jan/24 8:54 PM

Updated:

16/Feb/24 10:32 PM

Resolved:

16/Feb/24 10:32 PM

Fix Release Date:

21/Feb/24

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

27m

Agile

Completed Sprints:

5.10.0 Sprint 5 ended 12/Feb/24
5.10.0 Sprint 6 ended 22/Feb/24
View on Board