
Cannot switch 2FA method between TOTP and WebAuthn: InvalidArgumentException: User already has a key from a different module enabled (totp)
Open, Needs Triage · Public · PRODUCTION ERROR

Description

Steps to replicate the issue:

  • Set up 2FA using TOTP or WebAuthn using Special:Manage Two-factor authentication (e.g. on enwiki)
  • On Special:Manage Two-factor authentication, under "Switch to an alternative method", select "Enable" for the method that was not set up
  • Go through login and 2FA confirmation process
  • Confirm switching method (click button)
  • Go through setup process for new method

What happens?:

An error message is shown:

[c4fa815b-f152-4751-87fd-2e0305ef9bbf] Fatal exception of type "InvalidArgumentException"


What should have happened instead?:

The 2FA method should have been switched.

Other information (browser name/version, screenshots, etc.):

I have tried this (including using different WebAuthn keys) on these platforms:

  • Chrome / Chrome OS 126.0.6478.120
  • Firefox 127.0.1 on Debian 12.5

Error
normalized_message
[{reqId}] {exception_url}   InvalidArgumentException: User already has a key from a different module enabled (totp)
exception.trace
from /srv/mediawiki/php-1.43.0-wmf.10/extensions/OATHAuth/src/OATHUserRepository.php(162)
#0 /srv/mediawiki/php-1.43.0-wmf.10/extensions/WebAuthn/src/Authenticator.php(330): MediaWiki\Extension\OATHAuth\OATHUserRepository->createKey(MediaWiki\Extension\OATHAuth\OATHUser, MediaWiki\Extension\WebAuthn\Module\WebAuthn, array, string)
#1 /srv/mediawiki/php-1.43.0-wmf.10/extensions/WebAuthn/src/HTMLForm/WebAuthnAddKeyForm.php(74): MediaWiki\Extension\WebAuthn\Authenticator->continueRegistration(stdClass)
#2 [internal function]: MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnAddKeyForm->onSubmit(array, MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnAddKeyForm)
#3 /srv/mediawiki/php-1.43.0-wmf.10/includes/htmlform/HTMLForm.php(792): call_user_func(array, array, MediaWiki\Extension\WebAuthn\HTMLForm\WebAuthnAddKeyForm)
#4 /srv/mediawiki/php-1.43.0-wmf.10/includes/htmlform/HTMLForm.php(673): MediaWiki\HTMLForm\HTMLForm->trySubmit()
#5 /srv/mediawiki/php-1.43.0-wmf.10/includes/htmlform/HTMLForm.php(689): MediaWiki\HTMLForm\HTMLForm->tryAuthorizedSubmit()
#6 /srv/mediawiki/php-1.43.0-wmf.10/extensions/OATHAuth/src/HTMLForm/OATHAuthOOUIHTMLForm.php(81): MediaWiki\HTMLForm\HTMLForm->show()
#7 /srv/mediawiki/php-1.43.0-wmf.10/extensions/OATHAuth/src/Special/OATHManage.php(247): MediaWiki\Extension\OATHAuth\HTMLForm\OATHAuthOOUIHTMLForm->show(NULL)
#8 /srv/mediawiki/php-1.43.0-wmf.10/extensions/OATHAuth/src/Special/OATHManage.php(185): MediaWiki\Extension\OATHAuth\Special\OATHManage->addCustomContent(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#9 /srv/mediawiki/php-1.43.0-wmf.10/extensions/OATHAuth/src/Special/OATHManage.php(105): MediaWiki\Extension\OATHAuth\Special\OATHManage->addModuleHTML(MediaWiki\Extension\WebAuthn\Module\WebAuthn)
#10 /srv/mediawiki/php-1.43.0-wmf.10/includes/specialpage/SpecialPage.php(719): MediaWiki\Extension\OATHAuth\Special\OATHManage->execute(NULL)
#11 /srv/mediawiki/php-1.43.0-wmf.10/includes/specialpage/SpecialPageFactory.php(1694): MediaWiki\SpecialPage\SpecialPage->run(NULL)
#12 /srv/mediawiki/php-1.43.0-wmf.10/includes/actions/ActionEntryPoint.php(502): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#13 /srv/mediawiki/php-1.43.0-wmf.10/includes/actions/ActionEntryPoint.php(145): MediaWiki\Actions\ActionEntryPoint->performRequest()
#14 /srv/mediawiki/php-1.43.0-wmf.10/includes/MediaWikiEntryPoint.php(200): MediaWiki\Actions\ActionEntryPoint->execute()
#15 /srv/mediawiki/php-1.43.0-wmf.10/index.php(58): MediaWiki\MediaWikiEntryPoint->run()
#16 /srv/mediawiki/w/index.php(3): require(string)
#17 {main}

Details

MediaWiki Version
1.43.0-wmf.10
Request URL
https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication
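
A simplified model of the failure in the trace above, added here as an illustration and not taken from the OATHAuth or WebAuthn extensions. It assumes the repository allows one enabled module per user, as the exception message implies, and shows why creating the new method's key while the old module's keys are still present throws, plus one ordering that avoids it and keeps the old factor if enrollment fails. KeyStore, switchModule and the sample values are hypothetical.

```php
<?php
// Simplified model, not the OATHAuth/WebAuthn source; KeyStore and its methods are hypothetical.
final class KeyStore {
    private array $byUser = []; // user => ['module' => string, 'keys' => string[]]

    // Models the check behind the reported message: one enabled module per user.
    public function createKey(string $user, string $module, string $key): void {
        $current = $this->byUser[$user]['module'] ?? null;
        if ($current !== null && $current !== $module) {
            throw new InvalidArgumentException(
                "User already has a key from a different module enabled ($current)"
            );
        }
        $this->byUser[$user]['module'] = $module;
        $this->byUser[$user]['keys'][] = $key;
    }

    public function moduleOf(string $user): ?string {
        return $this->byUser[$user]['module'] ?? null;
    }

    // Swap modules in one step: drop the old module's keys, enroll the already
    // verified new key, and restore the old keys if enrollment fails.
    public function switchModule(string $user, string $module, string $verifiedKey): void {
        $previous = $this->byUser[$user] ?? null;
        unset($this->byUser[$user]);
        try {
            $this->createKey($user, $module, $verifiedKey);
        } catch (Throwable $e) {
            if ($previous !== null) {
                $this->byUser[$user] = $previous; // keep the old factor on failure
            }
            throw $e;
        }
    }
}

$store = new KeyStore();
$store->createKey('ExampleUser', 'totp', 'constructed-secret');
try {
    $store->createKey('ExampleUser', 'webauthn', 'constructed-credential'); // naive switch
} catch (InvalidArgumentException $e) {
    echo 'naive switch failed: ', $e->getMessage(), "\n";
}
$store->switchModule('ExampleUser', 'webauthn', 'constructed-credential');
echo 'module after switch: ', $store->moduleOf('ExampleUser'), "\n";
```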

Event Timeline

I was able to duplicate this error using another account (TolTest), which did not previously have 2FA enabled. I also found that this error occurs when switching between 2FA methods in either way (TOTP to WebAuthn or WebAuthn to TOTP).

Tol renamed this task from Cannot switch 2FA method from TOTP to WebAuthn to Cannot switch 2FA method between TOTP and WebAuthn. (Wed, Jun 26, 2:57 AM)
Tol updated the task description.

Hi @Tol, thanks for taking the time to report this! Please file text as text so text can be searched for; text as an image cannot be searched for. :)

Aklapper renamed this task from Cannot switch 2FA method between TOTP and WebAuthn to Cannot switch 2FA method between TOTP and WebAuthn: InvalidArgumentException: User already has a key from a different module enabled (totp). (Wed, Jun 26, 9:10 AM)
Aklapper updated the task description.
Aklapper changed the subtype of this task from "Bug Report" to "Production Error".
Aklapper set Request URL to https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication.
Aklapper set Release Version to 1.43.0-wmf.10.

Hi @Tol, thanks for taking the time to report this! Please file text as text so text can be searched for; text as an image cannot be searched for. :)

Ah; sorry. I didn't realise the purpose of the UUID there. I'll remember this for next time; thanks for letting me know!