Can’t import QR Codes from Confluence 2FA #360

Closed
1 task done
bioschaf opened this issue Jul 4, 2024 · 8 comments
Labels
bug Something isn't working fixed The issue is fixed (in a coming release)


bioschaf commented Jul 4, 2024

Version

5.2.0

Details & Steps to reproduce

Try to import QR-Code provided by Confluence’s 2FA module. There is no error message, but no data is returned by the backend. If I try to use the “read from qr code” feature, a 422 error is returned.

Expectation

QR codes from Confluence could be imported.

Error & Logs

No logging server side. No visible errors in the front end. 422 error from the backend in some cases.

Execution environment

No response

Containerization

  • Docker

Additional information

QR codes from other sources work as expected.

I checked the Confluence QR code with other readers. It contains the correct information; if I import the QR contents, it works just fine. I am also able to scan it with various 2FA apps.
Since I have no control over the Confluence instance and the QR code contains personal information, I cannot share it publicly. I could, however, share it directly with the developers for testing.

Owner

Bubka commented Jul 5, 2024

Hi,
Please do so:

  1. Open the Advanced Form
  2. Open the browser Dev Tools with F12, click on the Network tab, with the XHR filter enabled
  3. Click the Prefill using a QR code button of the form
  4. Submit the Confluence QR code
  5. In the Network tab, you will see a POST request to /api/v1/qrcode/decode. What is the response code? 200? 422? If 422, click the request line and look at its Response tab. What is the error returned?
  6. Under the decode request you will find a request to /api/v1/twofaccounts/preview. Again, what is the response code and the error if any?

If you get an error like The uri is not a valid otpauth uri, click the request to /api/v1/qrcode/decode, then the Response tab. It contains the URI encoded in the QR code. Can you please copy it here after you have redacted sensitive data? I would like to see how it is formed. It should give something like otpauth://totp/confluence:[redacted_identifier]?issuer=confluence&secret=[redacted_secret]

What's the format of redacted_identifier? An email? If not, does it contain any special characters?

Author

bioschaf commented Jul 5, 2024

Hi,

  • the response code to /api/v1/qrcode/decode is 200, the response is empty `{"data":""}`
  • the response code to /api/v1/twofaccounts/preview is 422, error is
    `{"message":"The uri field is required.","errors":{"uri":["The uri field is required."]}}`

From that it seems the QR code cannot be read. I checked with 2FA-Apps and with https://iamyuthan.github.io/2FA-Solver/2FA-Solver.html
The QR-Image seems fine. It contains otpauth://totp/domain.xy:name@otherdomain.xy?issuer=domain.xy&secret=16Alphanumeric

Owner

Bubka commented Jul 5, 2024

Ok I get it. I made some changes to the QrCode decoding service in v5.2 to enhance decoding but I forgot to change one line. I still need to reproduce the use case with test data but I'm pretty sure it matches your issue.

@Bubka Bubka added bug Something isn't working fixed The issue is fixed (in a coming release) labels Jul 5, 2024
Owner

Bubka commented Jul 5, 2024

A fix is ready, but I will not release a new version before August.

As you were able to decode the QR code with another service, you can add your confluence account to 2FAuth using the advanced form. The fields wait for the values contained in otpauth://totp/domain.xy:name@otherdomain.xy?issuer=domain.xy&secret=16Alphanumeric :

  • Actual value of domain.xy goes to Service
  • Actual value of name@otherdomain.xy goes to Account.
    But you won't be able to set the field with the exact same value because : are not allowed. Just fill it with name@otherdomain.xy, it has no impact on the OTPs validity
  • Type of OTP is TOTP
  • Actual value of 16Alphanumeric goes to Secret
  • Digits must be 6
  • Algorithm must be sha1
  • Period must be 30
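
The field mapping listed above, as an added example that is not 2FAuth's own code: a Python parser that splits an otpauth:// URI into the advanced-form fields and applies the listed defaults when a parameter is absent. The function name `parse_otpauth` and the sample secret are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Defaults named in the comment above (Digits 6, Algorithm sha1, Period 30).
DEFAULTS = {"digits": "6", "algorithm": "sha1", "period": "30"}


def parse_otpauth(uri: str) -> dict:
    """Map an otpauth:// URI to the advanced-form fields (hypothetical helper)."""
    parts = urlsplit(uri.strip())
    otp_type = parts.netloc.lower()
    if parts.scheme != "otpauth" or otp_type not in ("totp", "hotp"):
        raise ValueError("not a valid otpauth URI")

    # Split the label on ':' (or its encoded form) BEFORE percent-decoding,
    # so encoded characters inside a value cannot change the structure.
    label = re.split(r":|%3A", parts.path.lstrip("/"), maxsplit=1, flags=re.IGNORECASE)
    prefix = unquote(label[0]).strip() if len(label) == 2 else None
    account = unquote(label[-1]).strip()

    # parse_qs splits on '&' first and decodes each value afterwards.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("otpauth URI has no secret")
    # Reject secrets that are not Base32 (binascii.Error is a ValueError).
    base64.b32decode(secret + "=" * (-len(secret) % 8))

    return {
        "otp_type": otp_type,
        "service": query.get("issuer") or prefix,
        "account": account,
        "secret": secret,
        "digits": int(query.get("digits", DEFAULTS["digits"])),
        "algorithm": query.get("algorithm", DEFAULTS["algorithm"]).lower(),
        "period": int(query.get("period", DEFAULTS["period"])),
    }


# Constructed sample: same shape as the URI in the thread, with a made-up secret.
SAMPLE = "otpauth://totp/domain.xy:name@otherdomain.xy?issuer=domain.xy&secret=JBSWY3DPEHPK3PXP"

if __name__ == "__main__":
    for field, value in parse_otpauth(SAMPLE).items():
        print(f"{field}: {value}")
```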

Author

bioschaf commented Jul 5, 2024

Thank you for your reply. I checked with several older versions down to 4.2.4 but still could not import the QR code.

The most simple workaround would be to use "Import" then "Direct input" where I can paste the decoded URI without any modifications. The additional step of decoding, however, makes it hard to use your project in a multi-user environment.

For now I will apply this patch which seems to fix the issue

diff --git a/app/Services/QrCodeService.php b/app/Services/QrCodeService.php
index 9ce5cb72..f7bd5e19 100644
--- a/app/Services/QrCodeService.php
+++ b/app/Services/QrCodeService.php
@@ -64,7 +64,7 @@ public static function decode(\Illuminate\Http\UploadedFile $file)
             }
         }
 
-        $data = urldecode($qrcode->text());
+        $data = urldecode($text);
 
         Log::info('QR code decoded');
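
Review bot: On the changed line, `urldecode($text)` is followed directly by `Log::info('QR code decoded')`, and nothing visible in this hunk rejects an empty `$text`. The thread reports a 200 response with `{"data":""}`, so I would check for an empty string at this point and return an error instead of logging success. A test using a QR code that the first decoding attempt cannot read would also keep the `$qrcode->text()` / `$text` mix-up from coming back unnoticed.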

Owner

Bubka commented Jul 5, 2024

This is exactly the planned fix 😃 👍🏻

> The additional step of decoding, however, makes it hard to use your project in a multi-user environment

Could you be more specific?! I don't understand what's wrong with the decoding step in a multi-user environment.

Author

bioschaf commented Jul 5, 2024

What I meant with that is I cannot tell an end user to go decode the qr-code himself and then paste that uri into your app.

But with the fix that is not necessary any more.

Owner

Bubka commented Jul 5, 2024

Indeed, registering an account using a QR code has to be straightforward. This is why 2FAuth automatically decodes the QR codes in a normal situation.

In your case, it didn't work because the text in the Confluence qr code couldn't be read without the more aggressive decoding options, and because of my mistake in passing $qrcode->text() instead of $text in $data = urldecode($qrcode->text());

@Bubka Bubka added this to the v5.3.0 milestone Sep 25, 2024
@Bubka Bubka closed this as completed in 17256c6 Sep 27, 2024
Projects
Status: Released
2 participants