create_second_factor_totp 存在问题

Started POST "/u/create_second_factor_totp.json" for 209.249.35.130 at 2020-02-19 14:21:20 +0000
Processing by UsersController#create_second_factor_totp as JSON
Completed 500 Internal Server Error in 5ms (ActiveRecord: 0.0ms | Allocations: 1781)
Addressable::URI::InvalidURIError (Invalid scheme format: Our Great Forum)
/var/www/discourse/vendor/bundle/ruby/2.6.0/gems/addressable-2.7.0/lib/addressable/uri.rb:901:in `scheme='
  Rendering text template
  Rendered text template (Duration: 0.0ms | Allocations: 1)

“Our Great Forum” 几乎是系统设置中的论坛标题。实际值类似于“Our Great Forum: Our fine tagline”，因此日志中显示的只是冒号 之前 的部分。我在系统设置的其他地方没有看到“Our Great Forum”，所以我不明白为什么日志中会出现不带 : tagline 部分的内容。

唉。这是 2.4.0.beta10 (6301477b4c)。我打算升级并让他们再试一次。如果能让用户在最新版本上重试，我会更新此内容。

日志文件中的堆栈跟踪向你说明了什么？

我在日志里只看到这些。我没有看到回溯信息。不过，我在“基于令牌的认证器”部分点击“新建认证器”时就会收到该错误。

而且在最新升级后，情况依然如此。

哇，确实有些不对劲。

你能否将请求复制为 curl 命令并发布出来（请隐去任何个人身份信息以及令牌/随机数），以便我们判断问题是出在客户端还是服务器端？

Can confirm that if you have a title with a space before a colon this causes a failure on latest:

with SiteSetting.title = "It's Spaceballs: The Discourse" I get an error clicking on:

Addressable::URI::InvalidURIError in UsersController#create_second_factor_totp

Invalid scheme format: It's Spaceballs
Extracted source (around line #901):

#899       end
#900       if new_scheme && new_scheme !~ /\A[a-z][a-z0-9\.\+\-]*\z/i
*901         raise InvalidURIError, "Invalid scheme format: #{new_scheme}"
#902       end
#903       @scheme = new_scheme
#904       @scheme = nil if @scheme.to_s.strip.empty?

Extracted source (around line #826):

#824         # Bunch of crazy logic required because of the composite components
#825         # like userinfo and authority.
*826         self.scheme = options[:scheme] if options[:scheme]
#827         self.user = options[:user] if options[:user]
#828         self.password = options[:password] if options[:password]
#829         self.userinfo = options[:userinfo] if options[:userinfo]

Extracted source (around line #2392):

#2390       raise LocalJumpError, "No block given." unless block_given?
#2391       @validation_deferred = true
*2392       yield
#2393       @validation_deferred = false
#2394       validate
#2395       return nil


Rails.root: /home/michael/prog/Discourse/discourse

Application Trace
app/models/concerns/second_factor_manager.rb:27:in `totp_provisioning_uri'
app/controllers/users_controller.rb:1148:in `create_second_factor_totp'
lib/middleware/omniauth_bypass_middleware.rb:68:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
config/initializers/100-quiet_logger.rb:18:in `call'
config/initializers/100-silence_logger.rb:31:in `call'
lib/middleware/missing_avatars.rb:23:in `call'
lib/middleware/turbo_dev.rb:34:in `call'

Framework Trace
addressable (2.7.0) lib/addressable/uri.rb:901:in `scheme='
addressable (2.7.0) lib/addressable/uri.rb:826:in `block in initialize'
addressable (2.7.0) lib/addressable/uri.rb:2392:in `defer_validation'
addressable (2.7.0) lib/addressable/uri.rb:823:in `initialize'
addressable (2.7.0) lib/addressable/uri.rb:138:in `new'
addressable (2.7.0) lib/addressable/uri.rb:138:in `parse'
addressable (2.7.0) lib/addressable/uri.rb:607:in `encode'
rotp (5.1.0) lib/rotp/totp.rb:61:in `provisioning_uri'
actionpack (6.0.1) lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
actionpack (6.0.1) lib/abstract_controller/base.rb:196:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/rendering.rb:30:in `process_action'
actionpack (6.0.1) lib/abstract_controller/callbacks.rb:42:in `block in process_action'
activesupport (6.0.1) lib/active_support/callbacks.rb:135:in `run_callbacks'
actionpack (6.0.1) lib/abstract_controller/callbacks.rb:41:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
activesupport (6.0.1) lib/active_support/notifications.rb:180:in `block in instrument'
activesupport (6.0.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
activesupport (6.0.1) lib/active_support/notifications.rb:180:in `instrument'
actionpack (6.0.1) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
activerecord (6.0.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
actionpack (6.0.1) lib/abstract_controller/base.rb:136:in `process'
actionview (6.0.1) lib/action_view/rendering.rb:39:in `process'
rack-mini-profiler (1.1.6) lib/mini_profiler/profiling_methods.rb:104:in `block in profile_method'
actionpack (6.0.1) lib/action_controller/metal.rb:191:in `dispatch'
actionpack (6.0.1) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:51:in `dispatch'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:33:in `serve'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
rack (2.0.8) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.0.8) lib/rack/conditional_get.rb:38:in `call'
rack (2.0.8) lib/rack/head.rb:12:in `call'
rack (2.0.8) lib/rack/session/abstract/id.rb:259:in `context'
rack (2.0.8) lib/rack/session/abstract/id.rb:253:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
logster (2.6.3) lib/logster/middleware/reporter.rb:43:in `call'
railties (6.0.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.1) lib/rails/rack/logger.rb:28:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.0.8) lib/rack/method_override.rb:22:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (2.0.8) lib/rack/sendfile.rb:111:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
rack-mini-profiler (1.1.6) lib/mini_profiler/profiler.rb:296:in `call'
message_bus (2.2.3) lib/message_bus/rack/middleware.rb:57:in `call'
railties (6.0.1) lib/rails/engine.rb:526:in `call'
railties (6.0.1) lib/rails/railtie.rb:190:in `public_send'
railties (6.0.1) lib/rails/railtie.rb:190:in `method_missing'
rack (2.0.8) lib/rack/urlmap.rb:68:in `block in call'
rack (2.0.8) lib/rack/urlmap.rb:53:in `each'
rack (2.0.8) lib/rack/urlmap.rb:53:in `call'
unicorn (5.5.3) lib/unicorn/http_server.rb:605:in `process_client'
unicorn (5.5.3) lib/unicorn/http_server.rb:700:in `worker_loop'
unicorn (5.5.3) lib/unicorn/http_server.rb:548:in `spawn_missing_workers'
unicorn (5.5.3) lib/unicorn/http_server.rb:144:in `start'
unicorn (5.5.3) bin/unicorn:128:in `<top (required)>'
bin/unicorn:87:in `load'
bin/unicorn:87:in `block in <main>'
bin/unicorn:86:in `fork'
bin/unicorn:86:in `<main>'

Full Trace
addressable (2.7.0) lib/addressable/uri.rb:901:in `scheme='
addressable (2.7.0) lib/addressable/uri.rb:826:in `block in initialize'
addressable (2.7.0) lib/addressable/uri.rb:2392:in `defer_validation'
addressable (2.7.0) lib/addressable/uri.rb:823:in `initialize'
addressable (2.7.0) lib/addressable/uri.rb:138:in `new'
addressable (2.7.0) lib/addressable/uri.rb:138:in `parse'
addressable (2.7.0) lib/addressable/uri.rb:607:in `encode'
rotp (5.1.0) lib/rotp/totp.rb:61:in `provisioning_uri'
app/models/concerns/second_factor_manager.rb:27:in `totp_provisioning_uri'
app/controllers/users_controller.rb:1148:in `create_second_factor_totp'
actionpack (6.0.1) lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
actionpack (6.0.1) lib/abstract_controller/base.rb:196:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/rendering.rb:30:in `process_action'
actionpack (6.0.1) lib/abstract_controller/callbacks.rb:42:in `block in process_action'
activesupport (6.0.1) lib/active_support/callbacks.rb:135:in `run_callbacks'
actionpack (6.0.1) lib/abstract_controller/callbacks.rb:41:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/rescue.rb:22:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
activesupport (6.0.1) lib/active_support/notifications.rb:180:in `block in instrument'
activesupport (6.0.1) lib/active_support/notifications/instrumenter.rb:24:in `instrument'
activesupport (6.0.1) lib/active_support/notifications.rb:180:in `instrument'
actionpack (6.0.1) lib/action_controller/metal/instrumentation.rb:32:in `process_action'
actionpack (6.0.1) lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
activerecord (6.0.1) lib/active_record/railties/controller_runtime.rb:27:in `process_action'
actionpack (6.0.1) lib/abstract_controller/base.rb:136:in `process'
actionview (6.0.1) lib/action_view/rendering.rb:39:in `process'
rack-mini-profiler (1.1.6) lib/mini_profiler/profiling_methods.rb:104:in `block in profile_method'
actionpack (6.0.1) lib/action_controller/metal.rb:191:in `dispatch'
actionpack (6.0.1) lib/action_controller/metal.rb:252:in `dispatch'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:51:in `dispatch'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:33:in `serve'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:49:in `block in serve'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:32:in `each'
actionpack (6.0.1) lib/action_dispatch/journey/router.rb:32:in `serve'
actionpack (6.0.1) lib/action_dispatch/routing/route_set.rb:837:in `call'
lib/middleware/omniauth_bypass_middleware.rb:68:in `call'
rack (2.0.8) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.0.8) lib/rack/conditional_get.rb:38:in `call'
rack (2.0.8) lib/rack/head.rb:12:in `call'
lib/content_security_policy/middleware.rb:12:in `call'
rack (2.0.8) lib/rack/session/abstract/id.rb:259:in `context'
rack (2.0.8) lib/rack/session/abstract/id.rb:253:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/cookies.rb:648:in `call'
activerecord (6.0.1) lib/active_record/migration.rb:567:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.0.1) lib/active_support/callbacks.rb:101:in `run_callbacks'
actionpack (6.0.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
logster (2.6.3) lib/logster/middleware/reporter.rb:43:in `call'
railties (6.0.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (6.0.1) lib/rails/rack/logger.rb:28:in `call'
config/initializers/100-quiet_logger.rb:18:in `call'
config/initializers/100-silence_logger.rb:31:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/request_id.rb:27:in `call'
rack (2.0.8) lib/rack/method_override.rb:22:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/static.rb:126:in `call'
rack (2.0.8) lib/rack/sendfile.rb:111:in `call'
actionpack (6.0.1) lib/action_dispatch/middleware/host_authorization.rb:83:in `call'
lib/middleware/missing_avatars.rb:23:in `call'
lib/middleware/turbo_dev.rb:34:in `call'
rack-mini-profiler (1.1.6) lib/mini_profiler/profiler.rb:296:in `call'
message_bus (2.2.3) lib/message_bus/rack/middleware.rb:57:in `call'
railties (6.0.1) lib/rails/engine.rb:526:in `call'
railties (6.0.1) lib/rails/railtie.rb:190:in `public_send'
railties (6.0.1) lib/rails/railtie.rb:190:in `method_missing'
rack (2.0.8) lib/rack/urlmap.rb:68:in `block in call'
rack (2.0.8) lib/rack/urlmap.rb:53:in `each'
rack (2.0.8) lib/rack/urlmap.rb:53:in `call'
unicorn (5.5.3) lib/unicorn/http_server.rb:605:in `process_client'
unicorn (5.5.3) lib/unicorn/http_server.rb:700:in `worker_loop'
unicorn (5.5.3) lib/unicorn/http_server.rb:548:in `spawn_missing_workers'
unicorn (5.5.3) lib/unicorn/http_server.rb:144:in `start'
unicorn (5.5.3) bin/unicorn:128:in `<top (required)>'
bin/unicorn:87:in `load'
bin/unicorn:87:in `block in <main>'
bin/unicorn:86:in `fork'
bin/unicorn:86:in `<main>'



Request parameters
{"format"=>"json"}

Session dump
_csrf_token: "lk/NmJ0SlnTWvQ3HeeP22fzMicKdW/pPwzlLgi0tgY="
secure_session_id: "a16cc4e497b750f5bb1a310612427e54"
session_id: "4f2f8c8f2610c51914ff03a8e3e5f053"

Env dump
HTTP_ACCEPT: "*/*"
HTTP_ACCEPT_ENCODING: "gzip, deflate, br"
HTTP_ACCEPT_LANGUAGE: "en-GB,en-US;q=0.9,en;q=0.8,fr-CA;q=0.7,fr;q=0.6"
HTTP_ORIGIN: "http://localhost:3000"
HTTP_VERSION: "HTTP/1.1"
HTTP_X_CSRF_TOKEN: "Sv2Q7IKSgtoO7bd4aApBiX/qyGqJHknnTjncA9yNMzaevU0MGI5HHlIx/3hS65tsO01xqmnLc15RFuUa0TsEsA=="
ORIGINAL_SCRIPT_NAME: ""
REMOTE_ADDR: "127.0.0.1"
SERVER_NAME: "localhost"
SERVER_PROTOCOL: "HTTP/1.1"

Response headers
None

Here’s a failing spec:

diff --git a/spec/components/concern/second_factor_manager_spec.rb b/spec/components/concern/second_factor_manager_spec.rb
index 36e4f066ce..a657a0fdc8 100644
--- a/spec/components/concern/second_factor_manager_spec.rb
+++ b/spec/components/concern/second_factor_manager_spec.rb
@@ -47,6 +47,18 @@ RSpec.describe SecondFactorManager do
         "otpauth://totp/#{SiteSetting.title}:#{user.email}?secret=#{user_second_factor_totp.data}&issuer=#{SiteSetting.title}"
       )
     end
+    it 'should handle a colon in the site title' do
+      SiteSetting.title = 'Spaceballs: The Discourse'
+      expect(user.user_second_factors.totps.first.totp_provisioning_uri).to eq(
+        "otpauth://totp/#{URI::escape SiteSetting.title}:#{user.email}?secret=#{user_second_factor_totp.data}&issuer=#{CGI::escape SiteSetting.title}"
+      )
+    end
+    it 'should handle a space before a colon in the site title' do
+      SiteSetting.title = 'Our Spaceballs: The Discourse'
+      expect(user.user_second_factors.totps.first.totp_provisioning_uri).to eq(
+        "otpauth://totp/#{URI::escape SiteSetting.title}:#{user.email}?secret=#{user_second_factor_totp.data}&issuer=#{CGI::escape SiteSetting.title}"
+      )
+    end
   end
 
   describe '#authenticate_totp' do

→ RAILS_ENV=test rspec ./spec/components/concern/second_factor_manager_spec.rb

Randomized with seed 47333
...................F......................

Failures:

  1) SecondFactorManager#totp_provisioning_uri should handle a space before a colon in the site title
     Failure/Error: totp_object.provisioning_uri(user.email)
     
     Addressable::URI::InvalidURIError:
       Invalid scheme format: Our Spaceballs
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:901:in `scheme='
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:826:in `block in initialize'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:2392:in `defer_validation'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:823:in `initialize'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:138:in `new'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:138:in `parse'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/addressable-2.7.0/lib/addressable/uri.rb:607:in `encode'
     # /home/michael/.rvm/gems/ruby-2.6.3/gems/rotp-5.1.0/lib/rotp/totp.rb:61:in `provisioning_uri'
     # ./app/models/user_second_factor.rb:32:in `totp_provisioning_uri'
     # ./spec/components/concern/second_factor_manager_spec.rb:58:in `block (3 levels) in <top (required)>'

Finished in 0.75471 seconds (files took 2.18 seconds to load)
42 examples, 1 failure

Failed examples:

rspec ./spec/components/concern/second_factor_manager_spec.rb:56 # SecondFactorManager#totp_provisioning_uri should handle a space before a colon in the site title

Randomized with seed 47333

这应该能解决问题：

更改发行者会改变令牌值，但之前冒号完全无法处理，因此这不应影响任何新用户。

请注意，此前对于包含冒号的标题（例如 Spaceballs: The Discourse）是正常工作的（我测试时一切正常，并能将其添加到手机中），但在冒号前有两个单词时会失败。

（如果我的报告表述不够清晰，敬请见谅）

奇怪，我明明记得这两个测试都失败了。无论如何，这是一个更好的方法。

这才是真正重要的！

您能确认您的网站是否已完全恢复正常吗？

我尚未收到用户确认问题已解决的消息，但在我这边是有效的。

不过，我不太明白的是：

1. 标题中包含 : 的情况一直以来都是无效的；
2. 如果站点标题发生变化，验证器就会失效，因为它与站点标题绑定；
3. SiteSettings.title 已经很久没有更改了；
4. UserSecondFactor.where(method: 1) 返回了许多去年 8 月的记录。

我不明白这些情况如何能同时成立。是否是因为更改站点标题导致所有现有的验证器 UserSecondFactor 都失效了？编辑：并非如此。我刚刚更改了标题，昨天创建的验证器 2FA 仍然有效。

仅在 : 前有多个单词时出现：

只是添加新 TOTP 验证器的过程 是 曾经出过问题。

好吧，我相当确定标题一直包含多个单词和一个冒号（自 2019 年 5 月以来日志中未有任何变更），而且截至去年 8 月它仍然有效（因为当时生成了身份验证令牌）。不过无论如何，现在看起来它已经能正常工作了，而且修改标题并不会导致现有令牌失效，所以这算是一个胜利。

感谢快速修复！

此主题在最后一次回复后 2 天自动关闭。不再允许新回复。