Blesta Core / CORE-5067

2FA: Spaces in company name cause issue with setting up new TOTP token

    Details

      Description

      The 2FA system allows clients and staff to scan a QR code to set up TOTP. Some tokens like LastPass and Oracle do not work when there is an unescaped space in the Company Name.

      Reported, not yet tested internally.

      Issue: Space Character in Issuer Section within OTP QR code doesn't work with all 3P authenticator apps

      To reproduce:
      1. Install LastPass or Oracle authenticator
      2. Generate MFA code in the account section
      3. Scan code with app
      4. App fails registration with unknown/generic error
      Note: it appears Google and Microsoft just fix the space on their own

      Root cause:
      Sample decoded QR code (current generated code in prod); notice the space before the "LLC" in the issuer section:
      otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost LLC

      To Fix:
      Use URL encoding for the space, %20:
      otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost%20LLC
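
The fix described above, as an added example that is not Blesta's own code: a Python sketch that builds the URI with every component percent-encoded and flags characters left raw, such as the space. The function names are hypothetical and `secret` is the report's placeholder value; the example goes slightly beyond the reported case by also covering other reserved characters in a company name, such as `&`.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Characters RFC 3986 allows to appear raw in a URI ("%" introduces an escape).
URI_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%"
)

def build_otpauth_uri(account, secret, issuer):
    """Build an otpauth://totp URI with every component percent-encoded."""
    label = quote(account, safe="")
    # quote_via=quote encodes a space as %20; urlencode's default (quote_plus)
    # would emit "+", which is form encoding rather than the %20 asked for here.
    query = urlencode({"secret": secret, "issuer": issuer}, quote_via=quote)
    return f"otpauth://totp/{label}?{query}"

def raw_illegal_chars(uri):
    """Return the characters that appear in the URI without being encoded."""
    return sorted({ch for ch in uri if ch not in URI_CHARS})

def issuer_of(uri):
    """Parse the URI back and return the decoded issuer (round-trip check)."""
    return parse_qs(urlsplit(uri).query)["issuer"][0]

# The two URIs quoted in the report: current output and the proposed fix.
BROKEN = "otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost LLC"
FIXED = "otpauth://totp/email%40gmail.com?secret=secret&issuer=MyHost%20LLC"

if __name__ == "__main__":
    print(raw_illegal_chars(BROKEN))
    print(build_otpauth_uri("email@gmail.com", "secret", "MyHost LLC") == FIXED)
    # Constructed company name containing a reserved character.
    tricky = build_otpauth_uri("email@gmail.com", "secret", "A & B Hosting")
    print(tricky, "->", issuer_of(tricky))
```

A check like `raw_illegal_chars` fits in a unit test around the QR generation step, so a regression in encoding is caught before a user scans the code.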

          People

          • Assignee: Abdy Franco
          • Reporter: Paul Phillips

            Dates

            • Created:
              Updated:
              Resolved:
              Fix Release Date:
              21/Feb/24

              Time Tracking

              Estimated: Not Specified
              Remaining: 0m
              Logged: 27m