twofactor_totp
TOTP still enabled after deleting and recreating account
Steps to reproduce
- Enable TOTP for a user.
- As admin, delete the user.
- As admin, create the user again with the same username.
Expected behaviour
User should be able to log in without a TOTP prompt.
Actual behaviour
User is prompted for a TOTP secret he may have already deleted.
Server configuration
Operating system: Debian 9.6
Web server: Nginx
Database: MariaDB
PHP version: 7.2
Version: (see admin page) 15.0.0
Updated from an older version or fresh install: fresh install
The app currently does not clean up on user deletion, hence the same UID will cause the old data to be used for the new user.
If you're interested in contributing a fix, you can see how a similar cleanup mechanism was implemented for the backup codes here: https://github.com/nextcloud/server/blob/35a372dadd54db42d16bc65f071e4aed0c306b83/apps/twofactor_backupcodes/lib/AppInfo/Application.php#L61.
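The kind of cleanup hook the comment above describes, written out as an added example. This is not the TOTP app's code and not the linked backup-codes implementation; it is modelled on that approach (register a handler for the legacy `OC_User` / `post_deleteUser` hook and delete the app's own rows for the removed UID). The table name `twofactor_totp_secrets` and its `user_id` column are assumptions about the app's schema and should be checked against the instance's `oc_twofactor_totp_secrets` table before use; the app id `twofactor_totp` is the one named in the issue title.

```php
<?php
declare(strict_types=1);

// Added example: delete a user's TOTP secrets when the account is deleted,
// so that recreating the same UID does not inherit the old second factor.
// Assumptions (not confirmed by the issue thread): the app keeps its
// secrets in table "twofactor_totp_secrets" keyed by column "user_id".
// Nextcloud prefixes the table name, e.g. "oc_twofactor_totp_secrets".

namespace OCA\TwoFactorTOTP\AppInfo;

use OCP\AppFramework\App;
use OCP\IDBConnection;
use OCP\Util;

class Application extends App {
	public const APP_ID = 'twofactor_totp';

	public function __construct(array $urlParams = []) {
		parent::__construct(self::APP_ID, $urlParams);
	}

	/**
	 * Wire the deletion hook. Call this once from the app's bootstrap
	 * (appinfo/app.php in Nextcloud 15), the way backup codes does.
	 * OC_User emits "post_deleteUser" with ['uid' => <deleted uid>] after the
	 * account itself has been removed.
	 */
	public function registerHooksAndEvents(): void {
		Util::connectHook('OC_User', 'post_deleteUser', $this, 'onUserDeleted');
	}

	/** Hook slot: $params['uid'] is the UID of the account that was just deleted. */
	public function onUserDeleted(array $params): void {
		$uid = (string)($params['uid'] ?? '');
		if ($uid === '') {
			// A malformed hook payload must never turn into "delete everything".
			return;
		}
		$db = $this->getContainer()->getServer()->getDatabaseConnection();
		self::deleteSecretsForUser($db, $uid);
	}

	/**
	 * Remove every TOTP secret row stored for $uid and return the number of
	 * rows deleted, so callers (and an admin running this by hand via occ or
	 * a small script) can see whether stale state was actually present.
	 *
	 * The equivalent manual statement, with the assumed table/column names, is:
	 *   DELETE FROM oc_twofactor_totp_secrets WHERE user_id = '<uid>';
	 * Use a bound parameter here rather than string-building the UID.
	 */
	public static function deleteSecretsForUser(IDBConnection $db, string $uid): int {
		$qb = $db->getQueryBuilder();
		$qb->delete('twofactor_totp_secrets')
			->where($qb->expr()->eq('user_id', $qb->createNamedParameter($uid)));
		return (int)$qb->execute();
	}
}
```

Only the app's own table is touched here: per the maintainer's answer further down, the server side of this (nextcloud/server#18770) is handled separately, and an app should not reach into core's tables. After a manual `DELETE` of the secret row, have the affected user log in and confirm no TOTP prompt appears before treating the cleanup as done.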
Do I understand correctly (from https://github.com/nextcloud/server/pull/18770) that this is a problem with the TOTP app, not with the server?
Are you going to fix the issue?
> Do I understand correctly (from nextcloud/server#18770) that this is a problem with the TOTP app, not with the server?

Yes.

> Are you going to fix the issue?

It's not planned right now. If you would like to help I can give you some pointers to get started. I think it shouldn't be too complex.
Given that this issue is still open and, I reckon, low priority, is there any way to manually clean up the user's TOTP secret from the database?