Bug #17965

closed

2FA requires code be entered twice

Added by Raffi Khatchadourian about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: Authentication
Target version:
Start date: 2023-04-04
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Steps:
1. Log in.
2. CAC asks for 2FA code.
3. I enter it.
4. CAC asks for 2FA code again.
5. I enter the same code if it's in the time frame.

Outcome:
I am successfully authenticated.

Expectation:
I expected to enter the 2FA only once.

Actions #1

Updated by Boone Gorges about 1 year ago

  • Assignee set to Raymond Hoh

Ray, would you mind having a look at this?

Actions #2

Updated by Raymond Hoh about 1 year ago

Hi Raffi,

I'm assuming you are using the Time-based One Time Password (TOTP) 2FA option. I just tested this and I cannot confirm needing to input the TOTP code twice. If you are not using the TOTP 2FA option, can you tell me which 2FA method you are using (Email, WebAuthn)?

If you are using TOTP, can you try a few things? Can you try disabling any browser extensions before attempting to login? If after disabling your browser extensions and the TOTP code works on the first instance, try to pinpoint which of the addons is causing the problem. If I had to guess, there might be a privacy addon that could be blocking a cookie or a referrer addon that could be interfering with the form submission.

Actions #3

Updated by Raffi Khatchadourian about 1 year ago

Hey Raymond. Is your test account connected to jetpack?

Actions #4

Updated by Raymond Hoh about 1 year ago

Hi Raffi,

My test account is not connected to Jetpack. Are you attempting to use the 2FA option that the Commons offers? https://help.commons.gc.cuny.edu/can-change-password/.

Or are you attempting to use Jetpack's version of 2FA on a Commons site that you manage? https://jetpack.com/support/sso/. (I wasn't aware of Jetpack's 2FA option until you mentioned Jetpack just now.) If so, I'll need to do some more testing.

Actions #5

Updated by Raffi Khatchadourian about 1 year ago

It's the former. But maybe I have both enabled? I get the same page.

Actions #6

Updated by Raymond Hoh about 1 year ago

Since you're using the 2FA option that the Commons offers, can you try using another browser with no extensions enabled and try again?

Can you also list a detailed list of steps that you're using to login? Are you logging in from the homepage of the Commons or are you logging in from a subdomain site of the Commons? Jetpack should have no effect from the main site of the Commons as Jetpack is not activated on the main site. If you have the Jetpack version of 2FA enabled and you're attempting to login from a subdomain site, perhaps disable Jetpack's 2FA from that subdomain site?

Actions #7

Updated by Raffi Khatchadourian about 1 year ago

That's odd. I tried just now and can't repro it.

Actions #8

Updated by Raffi Khatchadourian about 1 year ago

Tried again in incognito mode in Chrome and also can't repro.

Actions #9

Updated by Raffi Khatchadourian about 1 year ago

I tried in Firefox using a private window. Can't repro there either.

Actions #10

Updated by Raffi Khatchadourian about 1 year ago

Sorry, Ray, I can't repro it. Are there any logs that would capture this behavior?

Actions #11

Updated by Raffi Khatchadourian about 1 year ago

OK. I repro'd it on another machine using a different browser. That suggests to me that once the machine ID of 2FA is known, the problem doesn't occur.

And, not only is the 2FA repeated, the entire authentication is repeated. Here's the sequence of what I am seeing:

1. Authenticate with username and password.
2. Enter OTP.
3. Authenticate with username and password again.
4. Enter OTP again (could be a different OTP depending on the time elapsed).

Actions #12

Updated by Raffi Khatchadourian about 1 year ago

On the same browser, I logged out and logged in again. I was able to repro this time as well.

Actions #13

Updated by Raffi Khatchadourian about 1 year ago

On a private window in the same browser (Firefox), I was not able to repro the problem. That may suggest something is happening with the cookies.

Actions #14

Updated by Raffi Khatchadourian about 1 year ago

Indeed, if I do select "remember me," I can't repro.

Here are the steps then:
1. Authenticate with username and password. Do not select "remember me."
2. Enter OTP.
3. Authenticate again with username and password.
4. Enter OTP again.

Is this the intended behavior?

Actions #15

Updated by Raymond Hoh about 1 year ago

Here are the steps then:
1. Authenticate with username and password. Do not select "remember me."
2. Enter OTP.
3. Authenticate again with username and password.
4. Enter OTP again.

Is this the intended behavior?

Thanks for the extensive testing and the steps to duplicate, Raffi. This isn't intended behavior, however I am unable to replicate the problem on Chrome, Edge or Firefox. To be clear, are you logging in at https://commons.gc.cuny.edu/wp-login.php?

On a private window in the same browser (Firefox), I was not able to repro the problem. That may suggest something is happening with the cookies.

Yes, I believe it's a problem with your browser setup. Are you using any extensions in your repro setup or any custom browser settings? I would try and disable any privacy-related addons temporarily just to see if that will make a difference or not.

Actions #16

Updated by Raffi Khatchadourian about 1 year ago

Raymond Hoh wrote in #note-15:

Here are the steps then:
1. Authenticate with username and password. Do not select "remember me."
2. Enter OTP.
3. Authenticate again with username and password.
4. Enter OTP again.

Is this the intended behavior?

Thanks for the extensive testing and the steps to duplicate, Raffi. This isn't intended behavior, however I am unable to replicate the problem on Chrome, Edge or Firefox. To be clear, are you logging in at https://commons.gc.cuny.edu/wp-login.php?

Yes and no. I start at https://khatchad.commons.gc.cuny.edu using the top right corner form. I eventually wind up at the site you mention above.

On a private window in the same browser (Firefox), I was not able to repro the problem. That may suggest something is happening with the cookies.

Yes, I believe it's a problem with your browser setup. Are you using any extensions in your repro setup or any custom browser settings?

Since I was able to repro in Firefox, I actually doubt it's something to do with my browser setup. AFAIK, I don't have any extensions installed in Firefox. I only use it for testing.

I would try and disable any privacy-related addons temporarily just to see if that will make a difference or not.

Just checked Firefox. I don't have anything installed at all.

Actions #17

Updated by Raymond Hoh about 1 year ago

  • Category name set to Authentication
  • Status changed from New to Staged for Production Release
  • Target version set to 2.1.5

Yes and no. I start at https://khatchad.commons.gc.cuny.edu using the top right corner form. I eventually wind up at the site you mention above.

Thanks for mentioning that you were attempting to login from your subdomain site. I have reproduced the problem. The issue is due to our custom login routine that was redirecting users to the main site after entering a successful 2FA code. I've just added a fix for this here -- https://github.com/cuny-academic-commons/cac/commit/627c241e7a3484edd93b7cf5cbb1d0eb644c4fa5. Fix has also been deployed to production.

Can you try 2FA again from your subdomain site, Raffi?
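
The cause described in this note (a post-2FA redirect that sends the user to the network's main site, where the freshly set login cookie is not presented and the whole login repeats) is a common failure mode of custom login routines on a WordPress subdomain multisite. The following is an added illustration, not code from the CAC project or from the linked commit: a hypothetical mu-plugin that keeps the user on the site the login form was submitted from, and only follows a requested redirect when its host belongs to the network. It assumes the 2FA plugin applies the standard login_redirect filter after a successful code, and that auth cookies are scoped per host on this network; both are assumptions, since the ticket only states that the redirect went to the main site. The function and filter-callback names are made up for this example.

```php
<?php
/**
 * Hypothetical mu-plugin (added illustration, not the CAC project's code).
 *
 * After a successful 2FA code, send the user back to the site the login
 * form was submitted from instead of the network's main site. On a
 * subdomain multisite whose auth cookies are scoped per host (assumption),
 * redirecting to another host lands the user on a site where the new
 * cookie is never sent, so they are asked for username, password and
 * OTP a second time.
 */

// Runs once WordPress (or the 2FA plugin, assumption) has decided where to
// send the authenticated user. $requested_redirect_to is the form's
// standard `redirect_to` parameter, i.e. the page the login started on.
add_filter( 'login_redirect', 'example_keep_user_on_origin_site', 10, 3 );

function example_keep_user_on_origin_site( $redirect_to, $requested_redirect_to, $user ) {
    // Failed logins carry a WP_Error here; leave those untouched.
    if ( ! ( $user instanceof WP_User ) ) {
        return $redirect_to;
    }

    // No explicit target: stay on the current site's home rather than
    // falling through to the network home on another host.
    if ( empty( $requested_redirect_to ) ) {
        return home_url( '/' );
    }

    // Follow the requested page only if its host is one we allow.
    // wp_validate_redirect() checks the host against the list produced by
    // the allowed_redirect_hosts filter and otherwise returns the fallback,
    // so an attacker-supplied redirect_to cannot send the user off-network.
    return wp_validate_redirect( $requested_redirect_to, home_url( '/' ) );
}

// Treat every site in the network as a legitimate redirect host; any other
// host falls back to the current site's home above.
add_filter( 'allowed_redirect_hosts', 'example_allow_network_hosts' );

function example_allow_network_hosts( $hosts ) {
    if ( ! is_multisite() ) {
        return $hosts;
    }
    foreach ( get_sites( array( 'number' => 500 ) ) as $site ) {
        $hosts[] = $site->domain;
    }
    return array_unique( $hosts );
}
```

To check the fix from the reporter's steps: log in from a subdomain site without "remember me", enter the OTP once, and confirm that the response's Location header stays on the subdomain host and that the login page is not shown again.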

Actions #18

Updated by Raffi Khatchadourian about 1 year ago

Raymond Hoh wrote in #note-17:

Yes and no. I start at https://khatchad.commons.gc.cuny.edu using the top right corner form. I eventually wind up at the site you mention above.

Thanks for mentioning that you were attempting to login from your subdomain site.

No problem. Thanks for asking!

I have reproduced the problem.

Great!

The issue is due to our custom login routine that was redirecting users to the main site after entering a successful 2FA code.

I would expect to be redirected to the original page, indeed, rather than the main site. However, if I authenticate on a subdomain, shouldn't I be authenticated on the main site? That's been my experience for the most part.

I've just added a fix for this here -- https://github.com/cuny-academic-commons/cac/commit/627c241e7a3484edd93b7cf5cbb1d0eb644c4fa5. Fix has also been deployed to production.

Can you try 2FA again from your subdomain site, Raffi?

I'll check it now.

Actions #19

Updated by Raffi Khatchadourian about 1 year ago

It works. Thanks!

Actions #20

Updated by Raymond Hoh about 1 year ago

  • Status changed from Staged for Production Release to Resolved

Great! Glad to hear that worked, Raffi.

Actions #21

Updated by Raffi Khatchadourian about 1 year ago

I think there's a problem here. I sign in on the top of an arbitrary page, but once I do that, I am taken to the home page. I think I should stay on the page for which I signed in.
