2FA plugin accepts every password
I just tried to set up the Two Factor Plugin and I saw that I can enter every password at twoFactor.enable. Every password gets accepted, which probably should not be the way to go.
22 Replies
oh this shouldn't happen
could you try 1.0.8-beta.2 if it fixes the issue.
that worked, thanks!
but I am wondering: the verification code after scanning the QR code gives me the error "invalid two factor authentication"
although the Google Authenticator gives me this code
does it constantly return you that?
if you mean after waiting for a new code and then try the new one, yes
so it's not working with any code you get from the authenticator app?
yes, exactly
there might be a misconfiguration. Check again and try scanning the URL. If you disable and enable it, a new secret will be generated. If you're trying to use the old value, it won't work. So check that.
also after disabling, I'll get the error. I see that I also get this one in the console: could that be the problem?
don't exactly know why this one is getting called if I am in the settings, not on the auth two factor verification page?
this should only be called on two fa page or when trying to enable
maybe create new user and try to enable it to see the problem
that sadly did not change anything.
to the message above: yes, I mean on enabling, sorry.
@bekacru any other idea about this one?
Hey wasn't working today 🙂 will get back to you later
no problem, thanks!
hey, any updates? @bekacru
Hey could you check if it still happens on latest?
hey, sorry for the late response, I was sick over the week.
I just tried it, and it worked on latest - thanks!
But in the Google Authenticator App, my App is displayed as "Better Auth". How can I change that? In my auth.ts I already set appName
Oh sorry man. hope you're doing better. And you can set issuer in the plugin config
thanks.
so the docs are wrong? It says
appName: "My App", // provide your app name. It'll be used as an issuer.
It should have worked actually. I'll check why it didn't.
with issuer in the config, it worked. just wondered if the docs are wrong then, as it says appName will define the issuer
I'm abt to sleep, but can you lmk if the docs already elaborate on this?
If not I can add documentation which states that the authenticator app will display by the issuer

you can check it yourself
but no, it isn't.
It isn't? interesting...
Alright I'll add it to docs when I wake.