Fixed Two-factor authentication doesn't work for usernames with special characters

Steffen · May 3, 2018

If a username contains a special character like for example a question mark then XenForo generates an invalid OTP URL. You can try this for example with the username "Steffen?". When scanning the QR code, Google Authenticator for Android complains that the key wasn't recognized ("Schlüssel wurde nicht erkannt").

Notice the double question mark in the following JavaScript code generated by XenForo. The first question mark needs to be URL-encoded.

JavaScript:

$el.qrcode({
    text: 'otpauth://totp/My%20Forum%3A%20Steffen??secret=...&issuer=My%20Forum'
});

It should look like this:

JavaScript:

$el.qrcode({
    text: 'otpauth://totp/My%20Forum%3A%20Steffen%3F?secret=...&issuer=My%20Forum'
});

I think this is a bug in the OTP library used by XenForo: https://github.com/ChristianRiesen/otp/pull/29

Christian Riesen · May 4, 2018

Thanks for the bug report and pull request on the otp library.

I merged it and tagged it with a new version. If you use 2.6.0 it should be fine.

Chris D · May 4, 2018

Thanks Christian. Not only for the fix, but creating the library in the first place. It’s working really well for us.

Christian Riesen · May 4, 2018

No problem. If you have some more input, let me know, always looking to improve it.

Chris D · May 4, 2018

Wow, we were using a pretty old version as far as I can tell.

2.6.0 is included in our next release. Thanks for the fix @Steffen and thanks again for giving it attention so quickly @Christian Riesen.

Christian Riesen · May 4, 2018

No worries, it hasn't changed much in the past few versions. It should be 100% compatible for all "^2" constraints. I'd suggest using a "^2.6" constraint on your side for now.

Chernabog · Sep 25, 2018

Christian Riesen said:
Thanks for the bug report and pull request on the otp library.

I merged it and tagged it with a new version. If you use 2.6.0 it should be fine.

Okay I am glad I saw your name here lol .... I am combing my XF installation backups trying to ensure the backup I restore does not have all the wonky stuff happening with the failed file checks that occurred overnight ... I saw your name and thought it was part of whatever happened.

Glad to know you're a real person @Christian Riesen and a good guy

Christian Riesen · Sep 25, 2018

Drunken said:
Okay I am glad I saw your name here lol .... I am combing my XF installation backups trying to ensure the backup I restore does not have all the wonky stuff happening with the failed file checks that occurred overnight ... I saw your name and thought it was part of whatever happened.

Glad to know you're a real person @Christian Riesen and a good guy

Yes I happen to be a real person

And if you run into issues with 2FA let me know, I might be able to help.

Chernabog · Sep 25, 2018

Christian Riesen said:
Yes I happen to be a real person And if you run into issues with 2FA let me know, I might be able to help.

No so far that works perfectly!

I have some other healthcheck, wonky, messed up... something isnt right issue pop up while I was sleeping last night that I am trying to figure out. I guess I will know after my 38k files restore over my installation.

Thank you to @Jaxel for his EWR database and structure backup system.

Fixed Two-factor authentication doesn't work for usernames with special characters

Steffen

Well-known member

Christian Riesen

New member

Chris D

XenForo developer

Christian Riesen

New member

Chris D

XenForo developer

Christian Riesen

New member

Chernabog

Well-known member

Christian Riesen

New member

Chernabog

Well-known member

We value your privacy