
Invalid admin password banner - message is not correct

Open mpette200 opened this issue 1 year ago • 10 comments

Found a bug? Please fill out the sections below. 👍

Issue Summary

The banner warning of an invalid password does not have the correct message. The message shown states: "You are admin but you do not have a password length of at least 15 characters or no 2FA yet. Change Password to gain admin access", but you need the password length and the 2FA to both be enabled. This problem had previously been discussed in another issue: https://github.com/calcom/cal.com/issues/7914 but that issue was closed without fixing the problem.

Steps to Reproduce

  1. Run a full production build. The error does not occur in a dev environment.
  2. Log on as an admin user.
  3. Disable two-factor authentication.
  4. Log off, then log on again.
  5. Banner message appears.

This is misleading to users, so the message ought to be corrected. This may also involve correcting the message in other languages.

Technical details


....../packages/features/auth/lib/next-auth-options.ts

      // authentication success- but does it meet the minimum password requirements?
      const validateRole = (role: UserPermissionRole) => {
        // User's role is not "ADMIN"
        if (role !== "ADMIN") return role;
        // User's identity provider is not "CAL"
        if (user.identityProvider !== IdentityProvider.CAL) return role;
        // User's password is valid and two-factor authentication is enabled
        if (isPasswordValid(credentials.password, false, true) && user.twoFactorEnabled) return role;
        // Code is running in a development environment
        if (isENVDev) return role;
        // By this point it is an ADMIN without valid security conditions
        return "INACTIVE_ADMIN";
      };

Should also check in other languages ...../apps/web/public/static/locales/...../common.json

mpette200 avatar Jun 14 '23 20:06 mpette200
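As an added example (not cal.com code and not from the issue author), the gate from validateRole above rewritten so the banner names the requirement that actually failed rather than the fixed "15 characters or no 2FA" text. The role and identityProvider types are assumed, and only the 15-character length rule of isPasswordValid is modelled.

```typescript
// Added example: models the admin gate and builds an accurate banner.
// Assumption: these unions stand in for the project's own enums.
type UserPermissionRole = "ADMIN" | "USER" | "INACTIVE_ADMIN";
type IdentityProvider = "CAL" | "GOOGLE" | "SAML";

interface AdminUser {
  role: UserPermissionRole;
  identityProvider: IdentityProvider;
  twoFactorEnabled: boolean;
}

// Assumption: isPasswordValid(password, false, true) is reduced here to the
// minimum length quoted in the banner; the real check may test more rules.
const MIN_ADMIN_PASSWORD_LENGTH = 15;

// Returns every admin requirement the user fails, in a fixed order, or []
// when the gate does not apply (non-admin, non-CAL provider, dev build).
function missingAdminRequirements(user: AdminUser, password: string, isEnvDev = false): string[] {
  if (user.role !== "ADMIN") return [];
  if (user.identityProvider !== "CAL") return [];
  if (isEnvDev) return []; // dev builds skip the gate, hence "production only" in the report
  const missing: string[] = [];
  if (password.length < MIN_ADMIN_PASSWORD_LENGTH) {
    missing.push("a password of at least 15 characters");
  }
  if (!user.twoFactorEnabled) {
    missing.push("two-factor authentication");
  }
  return missing;
}

// Same outcome as the project's validateRole: ADMIN becomes INACTIVE_ADMIN
// unless BOTH requirements hold (or the gate does not apply).
function validateRole(user: AdminUser, password: string, isEnvDev = false): UserPermissionRole {
  return missingAdminRequirements(user, password, isEnvDev).length === 0 ? user.role : "INACTIVE_ADMIN";
}

// Banner text that lists exactly what is missing; null when nothing is.
function adminBanner(missing: string[]): string | null {
  if (missing.length === 0) return null;
  return `You are admin but you are missing ${missing.join(" and ")}. ` +
    `Both a 15-character password and 2FA are required to gain admin access.`;
}
```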

Can I work on this?

Debojit219 avatar Jun 14 '23 21:06 Debojit219

Hey @mpette200, for some reason I'm not able to reproduce the issue. In my case, when I logged in as an admin the 2FA was disabled by default. I enabled it by scanning the QR code with my authenticator app and then disabled it. But I didn't see any banner as you mentioned after logging back into the website. I could be going wrong somewhere, could you please guide me through? Also, @PeerRich, is this issue already fixed?

xmayukx avatar Jun 17 '23 13:06 xmayukx

Apologies, I forgot to state it only occurs on a full production build because the relevant code also does a check against isENVDev. I have updated the first post to state that step 1 is to do a full production build.

mpette200 avatar Jun 17 '23 17:06 mpette200

I would like to work on this issue. @PeerRich could you please assign it to me?

xmayukx avatar Jun 17 '23 19:06 xmayukx

@mpette200 So the banner should be only about password length or only about 2FA, according to the situation; is that what you are saying?

Ninad3721 avatar Jun 20 '23 15:06 Ninad3721

I just installed it through my Unraid server and I'm getting this banner and my password is over 15 characters and I tried setting 2FA, but was unsuccessful. I reported it in #9690

ajtatum avatar Jun 21 '23 14:06 ajtatum

I am also getting this. My password is randomly generated and about 25 characters. Enabling 2Factor did not help. I am running this on a RHEL server using docker.

icsy7867 avatar Oct 06 '23 15:10 icsy7867

I have the same issue, reported it to #9690, but it is unfortunately closed, however the bug exists!

mabdelfattah avatar Nov 02 '23 11:11 mabdelfattah

Oddly on one instance I originally deployed this, the issue went away and I can see the admin tools again. However on a new instance I again get the same:

"You are admin but you do not have a password length of at least 15 characters or no 2FA yet"

And I cannot access the admin settings.

EDIT: This was odd... while trying to play around with this, I updated my account to be an admin via the postgres database.

Here is what I ran:

# List users with the columns the admin gate depends on
docker exec -it calcom_database psql -U calendso_user -h localhost calendso -c "select id, username, email, role, \"emailVerified\", \"twoFactorEnabled\" from users"
# Promote one account to ADMIN (email string single-quoted inside the double-quoted -c argument)
docker exec -it calcom_database psql -U calendso_user -h localhost calendso -c "UPDATE users SET role='ADMIN' WHERE email='[email protected]'"

Then when I opened an incognito tab and logged in to the originally created admin user, everything seemed okay? I have no idea if this would have triggered it to be fixed or not. Just something I noticed; might not be related in any way.

icsy7867 avatar Nov 29 '23 18:11 icsy7867

I'm still running into this issue. Any suggestions as to fixing it?

jdalrymple avatar Jan 17 '24 19:01 jdalrymple

Same problem here (Cloudron installation).

EduNetEurope avatar Apr 17 '24 12:04 EduNetEurope