Reactive-Resume icon indicating copy to clipboard operation
Reactive-Resume copied to clipboard

Published 20 hours ago verified publisher icon AmruthPillai

[Bug] Two-Factor Authentication (2FA) Setup Verification Zod Message is incorrect

Open lplawlor opened this issue 10 months ago • 5 comments

Is there an existing issue for this?

  • [X] Yes, I have searched the existing issues and none of them match my problem.

Product Variant

Cloud (http://rxresu.me)

Current Behavior

Upon setting up a TOTP device, you must "Enter the 6-digit code from your authenticator app to verify that 2FA has been setup correctly." However, if you submit an incorrect code, the message displayed in the FormMessage component is a strange 6-character string.

As an example, I created a dummy account and put in just the first 5 digits of the 2FA code (I've since deleted the account so this screenshot isn't at risk of revealing anything sensitive.) image

Expected Behavior

The error message should read "Code must be exactly 6 digits long.", as defined in the Zod schema.

Steps To Reproduce

  1. Go to User settings while logged-in
  2. Disable 2FA (if already enabled).
  3. Click "Enable 2FA"
  4. Setup your TOTP device.
  5. Enter an incorrect code into the "Code" field on the dialogue which reads "Enter the 6-digit code from your authenticator app to verify that 2FA has been setup correctly."

What browsers are you seeing the problem on?

Firefox

What template are you using?

None

Anything else?

I've had a glance over the associated Zod schema. The only thing I see that might be causing this bug is the usage of the Lingui translate macro t. It's worth noting that the t-call-in-function ESLint rule is being ignored for this line of the Zod schema, which may be producing strange behaviour.

lplawlor avatar Mar 27 '24 21:03 lplawlor

I tried to recreate but I am getting this

Screenshot from 2024-04-02 12-15-41

Although, it could happen since the error message is not passed for the length check. https://github.com/AmruthPillai/Reactive-Resume/blob/a578bd10548593f5f056211452e22cef3bfa0001/libs/dto/src/auth/two-factor.ts#L7-L8

abizek avatar Apr 02 '24 06:04 abizek

Hey, I don't think that's the same form / Zod schema as the one I experienced the bug with.

It seems to only be present in the form for verifying the 2FA code the very first time.

There's a link in my original post to the Zod schema in question. It uses a custom regex rather than a .length(6) call.

lplawlor avatar Apr 02 '24 10:04 lplawlor

Oh, you mean this guy?

https://github.com/AmruthPillai/Reactive-Resume/blob/a578bd10548593f5f056211452e22cef3bfa0001/apps/client/src/pages/dashboard/settings/_dialogs/two-factor.tsx#L50

My bad.

abizek avatar Apr 02 '24 11:04 abizek

Yeah that's the one. No worries!

lplawlor avatar Apr 02 '24 11:04 lplawlor

This happens only on https://rxresu.me, I cannot recreate it even in a production build locally, but as per Lingui docs, a lazy translation should solve the issue here without using t. The lazy translation works on a production build I ran locally, but we'll have to deploy it and see if it works on https://rxresu.me.

abizek avatar Apr 02 '24 11:04 abizek