2FA

stephen.saucier 0 · 24 Feb 2022, 20:58

After I go through api/login with credentials of a user who has 2FA enabled, I get this response:

{"methods":[{"id":"4ZF7","lastUsed":true,"method":"sms","mobilePhone":"17062259155"}],"twoFactorId":"ETCK_CQPo5ARy7SvrWC7vd4rC0ilbNRSc52pdE0rDd0"}

I then immediately grab the method ID and twoFactorId from that and request that FA send a code to that two factor method, like so:

curl -v
-X POST 'https://fa.capital.dev.tranwall.net/api/two-factor/send/ETCK_CQPo5ARy7SvrWC7vd4rC0ilbNRSc52pdE0rDd0'
-H 'Cookie: access_token=eyJhb...; refresh_token=Zzanp...'
-H 'Accept: application/json, text/plain, */*'
-H 'Content-Type: application/json'
-d '{"methodId":"4ZF7"}'

Unfortunately, this responds with a 400:

{"fieldErrors":{"methodId":[{"code":"[invalid]methodId","message":"The [methodId] is not valid. No two-factor method with this Id was found enabled for the user."}]}}

Why would the methodId be invalid, if it is given to me by FA in the first place?

stephen.saucier 0 · 4 Mar 2022, 15:56

My only option here has been to disable MFA for this user and have them enable it again on next login.

EDIT: Sorry, I didn't add a good topic name. Maybe "Invalid methodID for MFA-enabled user".

dan · 4 Mar 2022, 15:56

@stephen-saucier-0

Hmmm. What version of FusionAuth are you running? I looked at the code and this sequence should work fine.

This certainly looks like it might be a bug. Would you mind filing an issue with details, including your version and a link to this forum post? https://github.com/fusionauth/fusionauth-issues/issues

Thanks!

stephen.saucier 0 · 8 Mar 2022, 20:45

@dan I have filed an issue here: https://github.com/FusionAuth/fusionauth-issues/issues/1627