2fa rencryption does not work

[MartinVanVan]

Hello,

I've tried the steps to reencrypt all data and create a new crypt key.
Until the last step everything works as expected.
Login into the admin panel with 2fa also works.

But after I do the last step bin/magento gene:encryption-key-manager:invalidate to invalidate the old crypt, I can't log into the admin panel using 2fa. As stated in the final step to test admin and customer login expected that everything will work as usual.

Looking into the system.log i get following error if i try to enter th 2fa code:

[2025-01-06T16:44:34.152131+00:00] main.CRITICAL: Magento\Framework\Exception\NoSuchEntityException: Secret for user with ID#12 was not found in /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/module-two-factor-auth/Model/Provider/Engine/Google.php:120
Stack trace:
#0 /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/module-two-factor-auth/Model/Provider/Engine/Google.php(196): Magento\TwoFactorAuth\Model\Provider\Engine\Google->getTotp(Object(Magento\AdminAdobeIms\Model\User\Interceptor))
#1 /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/module-two-factor-auth/Controller/Adminhtml/Google/Authpost.php(144): Magento\TwoFactorAuth\Model\Provider\Engine\Google->verify(Object(Magento\AdminAdobeIms\Model\User\Interceptor), Object(Magento\Framework\DataObject))
#2 /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/framework/Interception/Interceptor.php(58): Magento\TwoFactorAuth\Controller\Adminhtml\Google\Authpost->execute()
#3 /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/framework/Interception/Interceptor.php(138): Magento\TwoFactorAuth\Controller\Adminhtml\Google\Authpost\Interceptor->___callParent('execute', Array)
#4 /var/www/share/staging-aws.xxx.com/releases/13/vendor/magento/framework/Interception/Interceptor.php(153): Magento\TwoFactorAuth\Controller\Adminhtml\Google\Authpost\Interceptor->Magento\Framework\Interception\{closure}()

If I change the invalidated crypt key in the env.php back to its old value, then Login with 2fa will work again.

[convenient]

Hello

Thanks for the issue that does sound like something is not working.

The issue with 2FA data is that its double encrypted, our test case is as so

module-encryption-key-manager/dev/test.sh

Lines 47 to 49 in 97ae562

	FAKE_GOOGLE_TOKEN=$(vendor/bin/n98-magerun2 dev:encrypt 'googletokenabc123')
	TWOFA_JSON="{\"google\":{\"secret\":\"$FAKE_GOOGLE_TOKEN\",\"active\":true}}"
	TWOFA_JSON_ENCRYPTED=$(vendor/bin/n98-magerun2 dev:encrypt "$TWOFA_JSON")

So the cases we investigated were like

The table holds some data like

0:3:xyz987

When you decrypt that you get

{"google":{"secret":"0:3:abc123","active":true}}

And if you decrypted the 0:3:abc123 you'd get the actual secret.

---

To help us understand the issue can you please

1. Look in the database for the raw encrypted value
2. Run it through n98-magerun2.phar dev:decrypt 0:3:abc123
3. Look at the format of this JSON body and share a sanitised copy of it?

I would be interested to hear

1. if the main data stored in the table starts with 0:3: or 1:3:
2. if the inner encrypted payload starts with 0:3: or 1:3:

If we can capture the format we can get a test case and see where its gone awry.

[MartinVanVan]

As stated in the error message the secret for ID#12 couldn't be found.
So i assume the value is stored in the tfa_user_config

So apparently the data is in 0:3 as well as 1:3

I don't know why but magerun dev:decrypt didn't work. I just got an empty output.

[convenient]

Hello

When you ran the php bin/magento gene:encryption-key-manager:reencrypt-tfa-data what kind of output did it give ?

It should have given some output similar to

Running reencrypt-tfa-data
The latest encryption key is number 1, looking for old entries
Looking for encoded_config in tfa_user_config, identified by 'config_id'
########################################################################################################################
config_id: 1
ciphertext_old: 0:3:VYVmpwkM1mhg5qh0pX1fJg8kV9rWlWr7Q/aOl4CtbdHXaSOyPUJ7L92J8/JlwE86kAKiyAsXgztqBNqdbd6+Ct3z0vGAzguwe63rtjfhRffYzXwhugdTdDt4ov8lpfci66N86dSQddNdLJ+orrPgMNIf2daUFZMbPyviWkCnPGq/CA==
plaintext_old: {"google":{"secret":"0:3:k+zKqK36ipT7v9fff0bWTLBk1/OtYNHHizMUyZGAk2KyWcSFPFz+FKIdJQyy","active":true}}
plaintext_new: {"google":{"secret":"1:3:BW\/UG73qg8O9oqRqQJ3hqAW7YRuK1f+xoXFuxs46vaCytH3xqpsd8ADrqRsU","active":true}}
ciphertext_new: 1:3:ISY01PTteJ9wJkMjvEfbwNxtoMXeLz96y67yP5FkiDUAaznkz7/1J5yFQCsjs7LTuonEKrIZG8hIrPOf1qc/O6cajRcxdu3WzSe7qYMKErXIkhyvoKBmBTrnrVhgbQccsYp/FMBvhQPcUqiDXpShQVDPMFRT2q7Ray2KXjdvMdwRERs=
########################################################################################################################
Done

It seems that the values are not re-encrypted at all which suggests some failure in this command

[MartinVanVan]

Hello,

I ran this command on our staging server (production mode). The output look like this:

########################################################################################################################
config_id: 5
ciphertext_old: 0:3:JdrimUlSdWP9FAUNAjS/o71iWETyrn+m0fmwBTQu1NgrlaNful/CSPclplhQ4jAG1vBl5IrShFw3E56FmaS7JUIK5SBZBUm1DaLbr/2GHBqSPTytCsxHOh02FylL70xGMXf6WxazcmY1GqZXxv/UUbfCAqsOBaaYE84tk2D42Sy10CvbaOgV1Aj8KnHvcGKHbxH3E3uvdFvIEF8NeJfU4BQC7Fb77+xsfSxu4y4rUtKpNFcP9DbOyE+eQq9GZqG/AG3Fb6IA1H6POCXy85TEeHUWwvS3fGfDqnMpzMzPvP8fLPPXHcetFDWCVkxd579an0lTXwiRn+t13JmfSapSS5QHLtneP11krSsid41SpYja00dmX3y5BQoKmb5tY8CrT7Ufdap5+YIEieWMnwoBq4I8s3Bf6lZDmA6crDq8cy8dAWfmyjGFMh9nrWhnhfN9XGoyfkIh1ZJxhmhARPLhmwaL6AO8QKVxLEb4BXRoZmky9AoDmyaNWlrZbF2RMgRb9bmYXF1Ay/X+CA==
plaintext_old: {"google":{"secret":"0:3:tDngocyx0ldPkszGxzSyNoJVcdIX25XRF3CVRJR10kpDVGGBbw1WXYqNIrP0QKrQDMpf3rpGlyXfiZue82hPKW3Rb1T1jnl9CGYwEepYWjhQ1HbCxMLXW1lKF0vEDHly9cx5dCCZ3dBGYtciajL6D7m5HfepZa5eqoSOtYlYmo3ze\/gz01Ttn\/euvCLBVJYO\/nPK5wIdBDX3jAU1Xf9HP4\/V9rOohNJ1fdGN9gnTKOvWRwyrJGeEamdQPpX+p6xcylM6CA3bQ0u7nBkY7Pu7U32+KXoTbKn6xv6a4wKXIxYRTyG4ENozJTPKFsogIuBN","active":true}}
plaintext_new: {"google":{"secret":"1:3:SyTj6Q5Kjl08N9IW8CaGV4SbT2xmusj1zFZTcHsC9FsID5a7auwV48kTpWD8qdCtunP+78\/LhWp32xnQtsKJBouHnhSDjOXsy1Eci0W3H2ErpLF3tiwEgYwUwXBhOIT\/A7uACSaGlaGm7mwK+BljV6mhD2efhz3+v\/prTiTSv9hJmqyOoejLiOYywGWai8dHNfDMGgpl0G9U+TPGJeyp30SDoYSJm7Cc51l6OYD2hYQsFOLDjLxKdiRzfI2qlG+PoPIETD2r35Q4uzhcGZ5EecbchcUDb5bWJv2tRSJFvWmrBGCNqb5iGDa4Bl3SWlrw","active":true}}
ciphertext_new: 1:3:4k0xRYdLu1SLAiLuZsPSRVWU83ijojydnT3M4FB/kNZKiZrgZF4+nTYOgYyTbQx/TvB2JT2pJmZdDgfsDeT4SE3R40YNMH63mSdeJVBsjxXIQCYgXcsqpx8iFaRCQupNOdvhYvFHs3NXAMhrxd5hik7+he+wpL54fLMagdN+nRbJ2F9t8XSMfARpU1ALIqIgAr+wkUHqVNXxU7wpGvyIh+46QkaICzg8UVyoLlBYOBHRkpa+RCSee/6EUm5NDCp6Kmd70jPvQNYyTdPoszC9cpZtoze8awvpv/figHDLpRLyuomUd9mn6jD/u21FL6Bwz3AVjttBSDGwdq0qTLHTbY5ljOvk7E6A/xO5TgDJBvJ6nBlpk/i50oqXuDd1zWd8rVY72CBAWwgWcVblUXHHOBxTvWHPh9r1uZ11kpoJPg+8nl685XAphAFklP1Fjn5io0ifJbns1/vPiT7mRWNAnXYlmb6PcWYcWvMoVFJZXn5EajEt+a4I3/K5D+GTGEDflGWVzUKVUTOD
########################################################################################################################

It seems i did not run --force option before so all data has not been reencrypted. Now all data is starting with 1:3
After running the dev:decrypt command i get this:

./n98-magerun2.phar dev:decrypt 1:3:VDRhcfRoqcLPUr8xKcKK1HoQZA9qgUoZS9HLWyPyUB70sitX37SsEIs0wzFfqwn82Np6NyJeeDH8GrHB+eP1SP86Jkh/gOE9fFqdlonqj2ewG1TuZlQPbE69p/eis1CvxBiRiAs5kCRw9vkVyn1ZIle7ZSDbL8I0qSo9O0OgE1nG1bPoDXL9rkFpg7hZmQuQMoYqJzVbTxZwArt1NnTxvpots2mM4GRVpagmFqmY4XPzhq0kYtH1XpDuVXFP8YiSQbqusTJmec6ZtpnOu0ooZ3QqCOLGkeTWSuT7j2ScsJ39xm1voVwKENdoenpKdOZNjG2xJJB1HbSqUZKVcI3+Hgo2O2LcpNo4qe2rKwYwT4Aqp3j1WqNn88YJoakLVa6n6QEvYgDK4OiRmBkrRfi/tDZUA2wnssJYAVc3NyvSMaoReLDSKRHV21XBvZ7vY0h9tLZj6Mn9gl44noZTiGw8l5d3XoPTHwYiBqd8GlGxh27irjwFS7yIPdxKHlkHQFEI6OzNCYEPey5DYCGBayc=
{"google":{"secret":"0:3:uLNT\/SCQvqkgWahq2EAdlHCbUq6aPDxZgJTDVYCvp\/FXe99L7tRTWPqp5e5z0eel45zc1tuKS+EyFRc+UoYdwD8UCXAbSoymvM0jlWUc+FXDSW78j\/OsUP\/AgozbfIRvC+qlSNpzoSlkAk8R5s4D9sWfW8YGTm00303MKyROv5XkhknSZXrTzt5wt6wC1IijMhk4qJTSkxhluIfi7snLdHycoOCcsPJrLk\/tIsFfmX61M1dWF5DvhUydog11zaxFAqASBGCi4w4wv1yI6d9QsbYi\/y++mBeHh6E\/\/KpBAfajn+TsDokYdsJJC2OUTW13","active":true}}

tfa is still not possible and i still get the error mentioned above.

[convenient]

Hello @MartinVanVan

Thanks for the info, in that last test can you run the dev:decrypt with the example for config_id 5 that you gave above? So it would be like

./n98-magerun2.phar dev:decrypt 1:3:4k0xRYdLu1SLAiLuZsPSRVWU83ijojydnT3M4FB/kNZKiZrgZF4+nTYOgYyTbQx/TvB2JT2pJmZdDgfsDeT4SE3R40YNMH63mSdeJVBsjxXIQCYgXcsqpx8iFaRCQupNOdvhYvFHs3NXAMhrxd5hik7+he+wpL54fLMagdN+nRbJ2F9t8XSMfARpU1ALIqIgAr+wkUHqVNXxU7wpGvyIh+46QkaICzg8UVyoLlBYOBHRkpa+RCSee/6EUm5NDCp6Kmd70jPvQNYyTdPoszC9cpZtoze8awvpv/figHDLpRLyuomUd9mn6jD/u21FL6Bwz3AVjttBSDGwdq0qTLHTbY5ljOvk7E6A/xO5TgDJBvJ6nBlpk/i50oqXuDd1zWd8rVY72CBAWwgWcVblUXHHOBxTvWHPh9r1uZ11kpoJPg+8nl685XAphAFklP1Fjn5io0ifJbns1/vPiT7mRWNAnXYlmb6PcWYcWvMoVFJZXn5EajEt+a4I3/K5D+GTGEDflGWVzUKVUTOD

Just so I can follow the stream of data all the way through

[MartinVanVan]

Yeah sure
Doing it for the example above i get this output

./n98-magerun2.phar dev:decrypt 1:3:4k0xRYdLu1SLAiLuZsPSRVWU83ijojydnT3M4FB/kNZKiZrgZF4+nTYOgYyTbQx/TvB2JT2pJmZdDgfsDeT4SE3R40YNMH63mSdeJVBsjxXIQCYgXcsqpx8iFaRCQupNOdvhYvFHs3NXAMhrxd5hik7+he+wpL54fLMagdN+nRbJ2F9t8XSMfARpU1ALIqIgAr+wkUHqVNXxU7wpGvyIh+46QkaICzg8UVyoLlBYOBHRkpa+RCSee/6EUm5NDCp6Kmd70jPvQNYyTdPoszC9cpZtoze8awvpv/figHDLpRLyuomUd9mn6jD/u21FL6Bwz3AVjttBSDGwdq0qTLHTbY5ljOvk7E6A/xO5TgDJBvJ6nBlpk/i50oqXuDd1zWd8rVY72CBAWwgWcVblUXHHOBxTvWHPh9r1uZ11kpoJPg+8nl685XAphAFklP1Fjn5io0ifJbns1/vPiT7mRWNAnXYlmb6PcWYcWvMoVFJZXn5EajEt+a4I3/K5D+GTGEDflGWVzUKVUTOD
{"google":{"secret":"1:3:SyTj6Q5Kjl08N9IW8CaGV4SbT2xmusj1zFZTcHsC9FsID5a7auwV48kTpWD8qdCtunP+78\/LhWp32xnQtsKJBouHnhSDjOXsy1Eci0W3H2ErpLF3tiwEgYwUwXBhOIT\/A7uACSaGlaGm7mwK+BljV6mhD2efhz3+v\/prTiTSv9hJmqyOoejLiOYywGWai8dHNfDMGgpl0G9U+TPGJeyp30SDoYSJm7Cc51l6OYD2hYQsFOLDjLxKdiRzfI2qlG+PoPIETD2r35Q4uzhcGZ5EecbchcUDb5bWJv2tRSJFvWmrBGCNqb5iGDa4Bl3SWlrw","active":true}}

[convenient]

Hello @MartinVanVan

Can you check that the ciphertext stored in the database against config_id: 5 is the same as the one you just tested on the CLI?

[MartinVanVan]

@convenient No its not.
I was also wondering why, also the re-encryption command did not output ciphertext for all entries in the database.

Using the ciphertext stored in the database i get this output:

./n98-magerun2.phar dev:decrypt 1:3:5mB0dxwbe1CGbtsWPBLdScjrGJYD8MTX0u4DactbKyk5losUqFYIPmw=
{"u2fkey":[]}

Edit:
Another example for id 12 is

./n98-magerun2.phar dev:decrypt 1:3:s/vMXgaTf52jb06s4BS2GjIrv7tSwFlJq26S/foys8fos1XR789Z/ITLgYIh90cNuxX0JAr7GzDc9F/wxxQFw1PVRUIFlOglf20hXJcRrGh1yGZ1SJX/jbW70/z/el2ocndAQ/HG7O1Xz7fWyJmpeWWCkemCaRS0mfWfkFZmvOPuOaAjZSzjq/QTDrAiyeXxyLNWvwOHr+FiJrOJA0QY6tlZi6Aj34RLYPbdGeR6UDR1Ekxz7/vBjV5E4VLNaM5LG7KpMJyIMC1N5T8IjSDCHYOk4eZGxhPH7rhcwMrEo5DPUxiN22nZeJBmweXjnYcqwxI8khDeLZBhCuqEfuKrOYH4PyhUnengP+BikrRej3aLGGuFeRHswYULXiSrjW+aNBpce4SoArqpVQsyZu4L3MAHmXEtNeGdCKLQioWuxte7SMM21t0yHpTvOMw6AX8D9xSGLP41YMF567t7hfGXZCnVkIAEgsHfoIy4i+PcvRbNYHI85f1Es4uhImE2nHKUU7I0qZ8yyV5mMfV8kFc=
{"google":{"secret":"0:3:uLNT\/SCQvqkgWahq2EAdlHCbUq6aPDxZgJTDVYCvp\/FXe99L7tRTWPqp5e5z0eel45zc1tuKS+EyFRc+UoYdwD8UCXAbSoymvM0jlWUc+FXDSW78j\/OsUP\/AgozbfIRvC+qlSNpzoSlkAk8R5s4D9sWfW8YGTm00303MKyROv5XkhknSZXrTzt5wt6wC1IijMhk4qJTSkxhluIfi7snLdHycoOCcsPJrLk\/tIsFfmX61M1dWF5DvhUydog11zaxFAqASBGCi4w4wv1yI6d9QsbYi\/y++mBeHh6E\/\/KpBAfajn+TsDokYdsJJC2OUTW13","active":true}