MeshCentral Router 2FA Issue
Closed this issue · 14 comments
I'm not sure if this is just me or not but recently, logging into the Windows version MeshCentral Router with 2FA enabled and checking the "Don't ask for 30 days" box seems to be crashing the application. It completes the login but the device list never loads and the entire application becomes unresponsive. This does not happen when logging in without that box checked or on the Mac version.
Server Version: 0.9.58
MeshCentral Router Version: 1.8.7998.37571 (according to the details tab under right click > Properties - not sure if this is relevant)
Looking into this one now.
I tried a few things and I can't replicate the issue. When you say the application crashes, are you saying MeshCentral Router crashes? The MeshCentral server crashes?
If MeshCentral Router crashes, can you look for a "debug.log" file in the same path as the "MeshCentralRouter.exe"?
If the server crashes, can you look for "mesherrors.txt" file in "meshcentral-data" folder?
Any more information would be great.
Sorry, I should have been more specific. It's MeshCentral Router that's crashing - the server is fine. Unfortunately, there's no debug.log and Router isn't actually closing - it stays up but frozen (again, only when choosing to remember the 2FA session). This could well be something that's just happening to me but I'm not sure what to do about it beyond re-downloading Router which I've done a few times. Please let me know if there is anything else I can provide.
If you can run:
meshcentralrouter.exe -debug
Cause the crash to happen and send back the "debug.log" file, that would be great. Do take care to check if the file contains any private information and XXXXX any such info before sending it back. I will take a look at it right away. Thanks.
See attached. My domain has been replaced with [XXX] and my auth cookie data has been removed. I'm assuming things like mesh IDs are not private since they're server-specific? If you need any of what I removed, please let me know and I'll email it to you instead.
Thanks! Wow, the MeshCentral router sends the twoFactorCookie command to ask for a cookie and everything stops. Looking into this now, this may be a server-side issue.
Do you happen to have a twoFactorCookieDurationDays on the config.json? If so, what is it set to? If you can be exact in what it's set to, that would be great? (Like cut & paste the line from the config.json). Thanks.
I have the default value but haven't set anything manually:
"_twoFactorCookieDurationDays": 30,
Ha thanks. Ok, I will make some changes and hope it fixes it.
Hopefully this is fixed in v0.9.60.
No luck, unfortunately. Debug log looked pretty much exactly the same with this being the last line:
21:29:PM.5141: WebSocket: WebSocketClient-SEND-String: {"action":"twoFactorCookie"}
Update: I found out today that this is happening only on my computer or possibly specifically with my account. Two newly created users were able to access Router with the remember 2FA checkbox checked without issue. Is this cached somewhere that I can find and delete from my side?
Updating to say that this is specific to my account. I just created a new test user, enabled app-based 2FA, and logged into MeshCentral Router with the "don't ask" box checked on the same computer I've been having this problem on (Windows 10 Pro, 19044) with no issue. I then tried resetting the authenticator on my main account but that didn't help so I'm really at a loss as to why it's broken at this point.
As an additional test, I finally found where in the registry the settings are stored and cleared the TwoFactorCookie value though trying to log in with the 2FA checkbox checked still resulted in a frozen client. As a last-ditch effort, I grabbed the 2FA cookie from my browser session and pasted it into that registry value which did work (as in I can launch the app and skip the 2FA check at the moment). I'm not sure exactly what this tells you but it's as far as I was able to troubleshoot it at the moment.
I may have fixed this with latest MeshCentral Router, if not please re-file.