legacy totp authenticators on an account will still be considered and will block / fail for users when totp is globally disabled #7213

Open
8 tasks done
ikiris opened this issue Apr 21, 2024 · 2 comments
Labels
priority/4/normal Normal priority items priority/6/very-low Very Low priority items status/needs-information Needs more information type/bug/unconfirmed Unconfirmed Bugs

ikiris commented Apr 21, 2024

Version

v4.38.8

Deployment Method

Other

Reverse Proxy

Traefik

Reverse Proxy Version

?

Description

If a user previously had a TOTP authenticator attached to their account, when TOTP is globally disabled via config they are still treated as existing on the account, and can be selected as an authentication option; however, they just stall at loading screens, locking out users.

Reproduction

see description

Expectations

TOTP authenticators should not be considered as existing when TOTP is globally disabled, allowing users to only use remaining options, or action the initial "add a device" workflow if it is the only attached option to the account.

Configuration (Authelia)

No response

Build Information

seriously?

Logs (Authelia)

seriously?

Logs (Proxy / Application)

No response

Documentation

No response

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have either included the complete debug / trace logs or the output of the build-info command if the logs are not relevant

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation
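
The behaviour requested under Expectations, modelled as an added example (not code from this issue or from Authelia): globally disabled methods are filtered out of the account's enrolled methods before one is selected. All type, function and method names here are hypothetical.

```go
package main

import "fmt"

const MethodTOTP, MethodWebAuthn = "totp", "webauthn" // hypothetical labels, not Authelia identifiers

// GlobalConfig models the administrator's globally disabled methods.
type GlobalConfig struct{ Disabled map[string]bool }

// UserState models what is stored for one account (constructed shape).
type UserState struct {
	Preferred string
	Enrolled  []string
}

// Decision is what the login portal would offer the user.
type Decision struct {
	Usable         []string // enrolled methods that are still enabled
	Selected       string   // method shown by default, "" if none
	NeedsEnrolment bool     // true: send the user to "add a device"
}

// Resolve drops globally disabled methods first, so a stale TOTP record is never offered.
func Resolve(cfg GlobalConfig, u UserState) Decision {
	var d Decision
	for _, m := range u.Enrolled {
		if !cfg.Disabled[m] {
			d.Usable = append(d.Usable, m)
		}
	}
	if len(d.Usable) == 0 {
		d.NeedsEnrolment = true // only disabled methods were enrolled
		return d
	}
	d.Selected = d.Usable[0] // fallback when the preference is disabled
	for _, m := range d.Usable {
		if m == u.Preferred {
			d.Selected = m
		}
	}
	return d
}

func main() {
	cfg := GlobalConfig{Disabled: map[string]bool{MethodTOTP: true}}
	legacy := UserState{Preferred: MethodTOTP, Enrolled: []string{MethodTOTP}}
	fmt.Printf("%+v\n", Resolve(cfg, legacy))
}
```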

@ikiris ikiris added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels Apr 21, 2024
glime-ai bot commented Apr 21, 2024

Please note this response was created using generative AI leveraging previously available information from the repository. This information may be helpful however it is our strong recommendation that you carefully consider the information before blindly applying it.


Based on the information provided, it seems like there is an issue with the handling of TOTP authenticators when the TOTP option is globally disabled in the Authelia configuration. When TOTP is disabled, the system should not consider any previously attached TOTP authenticators as valid authentication methods. This should prevent them from appearing as an option during the login process, thereby avoiding the issue where users are locked out due to the system stalling at loading screens.

To resolve this issue, you should ensure that the configuration for disabling TOTP is correctly implemented. Here are a few steps you can take:

  1. Verify Configuration: Check your configuration.yml file to ensure that the TOTP is set to disabled correctly. It should look something like this:

    totp:
      disable: true

  2. Clear Cache: Sometimes, changes in configuration might not take effect immediately due to caching. Try clearing any server or application caches.

  3. Restart Services: After making changes to the configuration, restart Authelia and any related services to ensure all configurations are reloaded.

  4. Check User Profiles: Ensure that no residual TOTP configurations are lingering in user profiles that might cause the system to still consider them.

  5. Logs and Debugging: If the problem persists, check the logs for any errors or warnings that might give more insight into what is going wrong. Adjust the logging level if necessary to capture more detailed information.

  6. Update and Patch: Ensure that you are running the latest version of Authelia, as bugs are regularly fixed in newer releases. Check the official Authelia release notes for any patches or updates that might address this issue.

If after following these steps the issue still occurs, it might be beneficial to reach out to the Authelia support or community forums for more specific guidance or to report a potential bug.

This comment was generated by Glime.

ikiris commented Apr 21, 2024

sorry, version .7, not .8

@james-d-elliott james-d-elliott added status/needs-information Needs more information priority/6/very-low Very Low priority items and removed status/needs-triage Issues which have not expressly been classified by a team member yet labels Apr 21, 2024