Part-DB-server

403 when calling /en/2fa_check

Open · Trainmaster2 opened this issue 5 months ago · 1 comment

Describe the bug
When I try to use the Authenticator app code 2FA, the call to /en/2fa_check fails with a 403 error. I assume this has something to do with removing all permissions from the anonymous user. It also seems to log me in successfully anyway.

To Reproduce
Steps to reproduce the behavior:

  1. Remove all permissions from the anonymous user. (Done to prevent access without logging in.)
  2. Enable Authenticator app 2FA on your account.
  3. Attempt to log in using the Authenticator app code.

Expected behavior
I would hope that it wouldn't be possible to break the login process by changing permissions.

Screenshots
[image]

Server Side

  • Part-DB Version: 1.17.1
  • PHP Version: 8.3.21
  • Database Server: sqlite

Desktop (please complete the following information):

  • OS: Pop!_OS
  • Browser: Vivaldi
  • Version: 7.1.3570.60

Additional context
I'm actually getting a 500 now when trying to deliberately recreate it in an In Private window. I'm also using Pangolin and Newt as a reverse proxy.

Trainmaster2 · Jun 11 '25 07:06

What do the logs tell you? What is the reason for the 500 error?

Does the error occur in the normal 2FA workflow? Because it's normal that you cannot access the 2FA endpoints as long as you are not in a 2FA request. As soon as you are fully authenticated, the endpoints should not work anymore.

The permissions of the anonymous user should not matter here; the 2FA doesn't check for these high-level permissions, and as soon as you have entered the password correctly and see the 2FA forms, you are logged in as a user who just has no permission to access anything other than the 2FA forms.

jbtronics · Jun 13 '25 09:06
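The state-based gating described in the reply above, modelled as an added example (this is not Part-DB's or the Symfony 2FA bundle's code): the 2FA check endpoint is reachable only while a login is in the "2FA in progress" state, is refused both to anonymous callers and to fully authenticated sessions, and never consults the role-style permission set that the reporter emptied for the anonymous user. The user record, the TOTP secret, the plaintext demo password and the state names are constructed for the model; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and is checked against the RFC's published test vector.

```python
import base64
import hashlib
import hmac
import struct

# Authentication states of a session (constructed names for this model).
ANONYMOUS = "anonymous"
TWO_FA_IN_PROGRESS = "2fa_in_progress"      # password accepted, second factor pending
FULLY_AUTHENTICATED = "fully_authenticated"

# RFC 6238 test secret ("12345678901234567890" in base32); constructed demo user.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {
    # A real application stores a password hash; plaintext is only for the model.
    "alice": {"password": "correct horse", "totp_secret": DEMO_SECRET,
              "permissions": {"parts.read", "parts.edit"}},
}
# The reporter removed every permission from the anonymous user; the 2FA
# gate below never looks at this set, so emptying it cannot affect it.
ANONYMOUS_PERMISSIONS: set = set()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time-step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Session:
    def __init__(self):
        self.state = ANONYMOUS
        self.user = None


def permissions(session: Session) -> set:
    """Role-style permissions: only a fully authenticated user has any."""
    if session.state == FULLY_AUTHENTICATED:
        return USERS[session.user]["permissions"]
    return ANONYMOUS_PERMISSIONS


def login(session: Session, username: str, password: str) -> int:
    """Password step. Returns an HTTP-like status code."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return 401
    session.user = username
    # A user with a second factor enrolled is only half-way logged in.
    session.state = TWO_FA_IN_PROGRESS if user.get("totp_secret") else FULLY_AUTHENTICATED
    return 302


def two_fa_check(session: Session, code: str, now: int) -> int:
    """Second-factor step: gated purely on session state, not on permissions."""
    if session.state != TWO_FA_IN_PROGRESS:
        return 403                               # anonymous or already fully logged in
    secret = USERS[session.user]["totp_secret"]
    # Accept the current step and one step either side to tolerate clock drift.
    candidates = (totp(secret, now + d * 30) for d in (-1, 0, 1))
    if not any(hmac.compare_digest(c, code) for c in candidates):
        return 401
    session.state = FULLY_AUTHENTICATED
    return 302


def request(session: Session, path: str, now: int = 0, code: str = "") -> int:
    """Dispatch a request: the 2FA endpoint has its own rule, everything else
    requires a fully authenticated session and the matching permission."""
    if path == "/en/2fa_check":
        return two_fa_check(session, code, now)
    if session.state != FULLY_AUTHENTICATED:
        return 403                               # only the 2FA forms are reachable mid-login
    return 200 if "parts.read" in permissions(session) else 403
```

Walking a session through the model shows the behaviour the reply describes: the endpoint answers 403 before the password step and again after the second factor has been accepted, while in between it validates the code and promotes the session; a protected page such as /en/parts is refused until that promotion happens.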