
[WebExt]: Data cannot be refreshed from server / Invalid or unknown personal access token

Open szkzn opened this issue 5 months ago • 1 comments

2FAuth version

5.5.2

Extension version

1.1.1-beta

Browsers

Supermium (Chromium)

What happened?

English is not my native language; please excuse typing errors.


I am using Supermium browser (Chromium-based) v133. I installed a browser extension from the Google Chrome Web Store and configured its API token. After this, within the next tens of minutes or a few hours, the browser extension stops working correctly.

When I click on it, it first displays an error message "Data cannot be refreshed from server" for about 0.5-1 second, and then it switches to "Invalid or unknown personal access token." Subsequent repeated clicks on the extension directly show the "Invalid or unknown personal access token" error.

Switching the browser to incognito mode, clearing browser cookies, restarting the browser, and enabling/disabling the extension do not resolve the issue. The only way to make it work again is to uninstall the extension, reinstall it, and reconfigure it.

What other efforts have I tried?

I have uninstalled and reinstalled the browser extension more than 10 times. Each time, after the initial setup, it works normally for tens of minutes or a few hours before this issue inevitably occurs.

Whenever the problem occurs, I uninstall the extension and also reset the API Token at the same time, but this has no effect. When the issue arises, the extension's interface does not offer an option to reset its data; I can only manually uninstall and reinstall it. If possible, I would like to have a button to reset the browser extension's data persistently available at the bottom of the page before entering any operational workflow.

I checked the server-side Nginx logs, which show the following output:

192.0.2.1 - - [01/Jun/2025:16:56:31 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:57:01 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:57:31 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:58:01 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:58:31 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:59:01 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:16:59:31 +0800] "GET /api/v1/twofaccounts?ids=1,4,5,6,7,8,9,10,11,24,25,26,27&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"

192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "OPTIONS /api/v1/user/preferences HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "OPTIONS /api/v1/twofaccounts?withOtp=1 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1- - [01/Jun/2025:18:20:37 +0800] "OPTIONS /api/v1/groups HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "GET /api/v1/user/preferences HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "GET /api/v1/groups HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "GET /api/v1/twofaccounts?withOtp=1 HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1- - [01/Jun/2025:18:20:44 +0800] "OPTIONS /api/v1/user/preferences HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:44 +0800] "OPTIONS /api/v1/groups HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:44 +0800] "OPTIONS /api/v1/twofaccounts?withOtp=1 HTTP/2.0" 204 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:44 +0800] "GET /api/v1/user/preferences HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1 - - [01/Jun/2025:18:20:44 +0800] "GET /api/v1/twofaccounts?withOtp=1 HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
192.0.2.1- - [01/Jun/2025:18:20:44 +0800] "GET /api/v1/groups HTTP/2.0" 401 30 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"

When I log into my deployed 2FA website and, while logged in, directly access the PATH shown in the Nginx logs (/api/v1/twofaccounts?ids=...&withOtp=1), the browser returns the following message: {"message":"Unauthenticated."}

I checked the log file in the website directory: /storage/logs/laravel-2025-06-01.log. The log output for all dates is very similar, containing only messages like these:

[2025-06-01 17:02:54] production.NOTICE: App setting 'lastRadarScan' set to 1748768574
[2025-06-01 17:02:54] production.NOTICE: App setting 'latestRelease' reset to default
[2025-06-01 17:42:45] production.INFO: New OTP generated for TwoFAccount (id:11)
[2025-06-01 17:42:45] production.INFO: OTP requested for TwoFAccount (id:24)
[2025-06-01 17:42:45] production.INFO: New OTP generated for TwoFAccount (id:24)
[2025-06-01 17:42:45] production.INFO: OTP requested for TwoFAccount (id:25)
[2025-06-01 17:42:45] production.INFO: New OTP generated for TwoFAccount (id:25)
[2025-06-01 17:42:45] production.INFO: OTP requested for TwoFAccount (id:26)
[2025-06-01 17:42:45] production.INFO: New OTP generated for TwoFAccount (id:26)
[2025-06-01 17:42:45] production.INFO: OTP requested for TwoFAccount (id:27)
[2025-06-01 17:42:45] production.INFO: New OTP generated for TwoFAccount (id:27)

I also cleared the cache in the 2FA system settings.

Other potentially relevant environment information: Nginx v1.27.1, MySQL v8.0.24, PHP v8.4.2, Redis v7.2.4

Environment variable information (from debug output):

Date: Sun, 01 Jun 2025 17:45:38 +0800
userAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Version: 5.5.2
Environment: production
Install path: /
Debug: true
Cache driver: file
Log channel: daily
Log level: debug
DB driver: mysql
PHP version: 8.4.2
Operating system: Linux
interface: fpm-fcgi
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: none
lastRadarScan: 2025-06-01 09:02:54

Some additional information from the .env file: THROTTLE_API=null


szkzn avatar Jun 01 '25 09:06 szkzn
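One way to read the Nginx log in the report above, as an added example that is not part of the original issue or of 2FAuth: it separates requests that carry the site as Referer from requests that follow a CORS preflight, and lists the preflighted ones refused with 401. Treating a Referer as the web UI and a preflight as a token-bearing cross-origin client is an assumption, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (nginx "combined" format) modelled on the report's log lines;
# user agent shortened, one line keeps the "192.0.2.1- -" spacing seen in the report.
SAMPLE = '''\
192.0.2.1 - - [01/Jun/2025:16:59:31 +0800] "GET /api/v1/twofaccounts?ids=1,4&withOtp=1 HTTP/2.0" 200 3619 "https://totp.example.com/accounts" "Mozilla/5.0"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "OPTIONS /api/v1/user/preferences HTTP/2.0" 204 0 "-" "Mozilla/5.0"
192.0.2.1- - [01/Jun/2025:18:20:37 +0800] "OPTIONS /api/v1/groups HTTP/2.0" 204 0 "-" "Mozilla/5.0"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "GET /api/v1/user/preferences HTTP/2.0" 401 30 "-" "Mozilla/5.0"
192.0.2.1 - - [01/Jun/2025:18:20:37 +0800] "GET /api/v1/groups HTTP/2.0" 401 30 "-" "Mozilla/5.0"
'''

# Tolerates a missing space between the client address and the first "-".
LINE = re.compile(
    r'^(?P<ip>[0-9a-fA-F.:]+)\s*-\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"\s+(?P<status>\d{3})\s+\S+\s+'
    r'"(?P<referer>[^"]*)"'
)

def parse(text):
    """Yield a dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def classify(text):
    """Group non-preflight requests by (likely client, status).
    Assumptions: a Referer means the web UI (session cookie); an earlier 204 preflight
    for the same IP and path means a cross-origin client sending an Authorization header.
    """
    preflighted, report = set(), defaultdict(list)
    for e in parse(text):
        key = (e["ip"], e["path"])
        if e["method"] == "OPTIONS":
            if e["status"] == "204":
                preflighted.add(key)
            continue
        client = ("token" if key in preflighted
                  else "web-ui" if e["referer"] not in ("", "-") else "unknown")
        report[(client, e["status"])].append((e["ts"], e["path"]))
    return dict(report)

def rejected_token_requests(text):
    """Requests that passed CORS preflight but were refused with 401."""
    return classify(text).get(("token", "401"), [])

if __name__ == "__main__":
    for ts, path in rejected_token_requests(SAMPLE):
        print(ts, path)
```

A 204 preflight followed by a 401 on the same path indicates the request reached the application and was refused at authentication, not blocked by CORS.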

Sorry, I forgot to include the relevant images when I submitted the bug. Most of the time, the first image will only be displayed for less than 1 second before switching to the second image's interface.

Image

Image

szkzn avatar Jun 16 '25 08:06 szkzn

Google Chrome v137.0.7151.104 x64 (Official build) 64-bit same thing.

Image

szkzn avatar Jun 19 '25 02:06 szkzn

I submitted v1.1.2 this afternoon to the Chrome Web Store. This new version changes the way unauthorized requests are handled by the extension. You should now see a dedicated page with the ability to reset the extension rather than uninstalling it. If you don't want to wait for the store validation, this new version is also available here: https://github.com/Bubka/2FAuth-WebExtension/releases/tag/v1.1.2-beta

> I checked the log file in the website directory: /storage/logs/laravel-2025-06-01.log. The log output for all dates is very similar, containing only messages like these:

You should enable debug logs by setting APP_DEBUG=true and LOG_LEVEL=debug in your env variables. Additional entries in the logs may help to understand when/why authentication fails.

Please let me know if it helps.

Bubka avatar Jul 04 '25 19:07 Bubka

Oh, I just saw at the end of your post that you already set log level to debug 🤦🏻

Bubka avatar Jul 04 '25 20:07 Bubka

Jup, with the new update I can see this screen. The API key shouldn't have changed, nor should it be deleted, as I can still see it in the 2FAuth web interface.

Image

BLACK4585 avatar Jul 04 '25 20:07 BLACK4585

From this error page, right-click the popup and click Inspect; dev tools should open. Switch to the Network tab and click the Refresh button in the pop-up. A new XHR request with a 401 response should have appeared in the tab. Click on it and check the Request headers in the Headers tab. Is the Authorization header present? Does its value contain the token after the term Bearer?

Bubka avatar Jul 04 '25 20:07 Bubka

thx. I have updated 2FA to version v5.6.0 and the Chrome browser extension to 1.1.2-beta. After resetting the browser data, it has been working normally for more than ten hours without the bug reoccurring. It is currently working well.

szkzn avatar Jul 05 '25 15:07 szkzn