Avainsanana Mattermost

No backup/recovery code mechanism for MFA

10. toukokuuta 2021 klo 17.28
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost, security

Summary

After setting up multi-factor authentication, losing the authentication code-generating device means losing access to the Mattermost account. While having MFA is excellent, I’m afraid to set it up for my admin user account (which is the one most critically needing it), because there’s no recovery mechanism in case I lose my authenticator device.

Steps to reproduce

  1. Enable up multi-factor authentication in the System Console
  2. Configure 2FA with an authenticator app on your phone
  3. Break/lose/have your phone stolen
  4. Try to log in

Expected behavior

Have a ”use a backup code instead” link next to the MFA token prompt.

Observed behavior (that appears unintentional)

There’s no alternative way to provide the MFA. You can not log in.

Possible fixes

None available AFAICT. There’s no way to add security keys as alternatives either.

There’s an existing Jira ticket ticket about this (and it’s linked to an abandoned PR), but it’s closed as ”moved to ProductBoard for prioritization”, and I don’t know what’s happened since then, as I don’t have access to ProductBoard (that I know of).

Mattermost version

v5.34.2

Vastaa viestiin sen kontekstissa (Github)

I see, so it’s a result of conflicting indicators from the user

19. joulukuuta 2020 klo 18.41
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost, saavutettavuus

@agnivade Oh I see, so it’s a result of conflicting indicators (”away” vs. being active) from the user. I’m trying to recalibrate my expectation based on this, but it’s difficult.

My immediate thought is perhaps (in the problematic case) sending the notification, but then clearing it only once I start typing (typing appears to have an event associated with it, at least based on the logs) would be better than the immediately clearing ghost notification, but you’re right, this is more complicated than immediately apparent.

Some UI/UX design wizardry would probably be needed to eliminate the possibility of mixed user signals, if at all possible. I don’t have a good solution for now, so feel free to close the issue if you deem it appropriate.

Vastaa viestiin sen kontekstissa (Github)

Yup, your description of the issue is exactly right

18. joulukuuta 2020 klo 15.23
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost

Yup, your description of the issue is exactly right @agnivade, and thanks for looking into this!

I set up the two users in parallel windows. Sending a normal message as userB this way does not trigger the issue (I do get a notification on userA’s phone, but it doesn’t go away by itself), but that’s because userA’s window is (obviously) not active, since I’m typing in userB’s window. The notification is only cleared once I activate userA’s window.

But I can trigger the issue by using (for instance) /echo 'hello A' 4 instead (as userB), then hopping on to activate userA’s window during the 4-second delay, so that userA’s window is active when receiving the message. That’s the crucial bit: the receiver’s window is active when receiving the message. If his status is ’Online’, there’s no push notification (as expected), but if it’s ’Away’, that’s when I get the ghost notification.

Here’s server log and MPNS log during one minute where (as userB) I first send a normal message, then (at about 30 seconds) using /echo.

Vastaa viestiin sen kontekstissa (Github)

Still reproducible here with the current server (v5.29.1)

18. joulukuuta 2020 klo 10.26
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost

Yes, this is still reproducible here with the current server (v5.29.1).

Here’s the server log and MPNS log during which

  1. I switch log level from error to debug
  2. I send one ”hello” message to a bot (from the web UI)
  3. the bot responds with one message
  4. I switch log level from debug back to error

Vastaa viestiin sen kontekstissa (Github)

build.sh uses bashisms, but shebangs /bin/sh

14. marraskuuta 2020 klo 14.23
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Android, Bash, Dash, Debian, LXC, Mattermost, Ubuntu

1.37.0 fails to build in my build environment (Ubuntu 18.04 in LXC) with this error:

ubuntu@mattermost-mobile:~/mattermost-mobile$ npm run build:android

> mattermost-mobile@1.37.0 build:android /home/ubuntu/mattermost-mobile
> ./scripts/build.sh apk

./scripts/build.sh: 3: ./scripts/build.sh: Syntax error: "(" unexpected
npm ERR! code ELIFECYCLE
npm ERR! errno 2
npm ERR! mattermost-mobile@1.37.0 build:android: `./scripts/build.sh apk`
npm ERR! Exit status 2
npm ERR! 
npm ERR! Failed at the mattermost-mobile@1.37.0 build:android script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/ubuntu/.npm/_logs/2020-11-14T11_47_00_288Z-debug.log

The top of that file, build.sh, refers to /bin/sh, but on Ubuntu and Debian, /bin/sh has been Dash for quite a while, whereas build.sh seems to written for Bash (where function is a valid keyword):

ubuntu@mattermost-mobile:~/mattermost-mobile$ head scripts/build.sh 
#!/bin/sh

function execute() {
    cd fastlane && NODE_ENV=production bundle exec fastlane $1 $2
}

I suggest switching the shebang to #/bin/bash, or better yet, #!/usr/bin/env bash (for path-agnosticity). In my environment, using either one fixes the build.

Vastaa viestiin sen kontekstissa (Github)

This hasn’t manifested itself in ages anymore, so it’s probably fixed

30. elokuuta 2020 klo 16.36
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost

This hasn’t manifested itself in ages anymore, so it’s probably fixed.

Vastaa viestiin sen kontekstissa (Github)

Mobile devices receive ghost notifications for already read messages

29. elokuuta 2020 klo 20.07
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Android, LineageOS, Mattermost, Samsung

Summary

Mobile devices receive ”ghost” notifications for already read messages, when set to receive notifications ”when Away or offline”, and receiving user is set to be Away.

Steps to reproduce

  1. Set ”Mobile Push Notifications” to ”Trigger push notifications when”: ”Away or offline” (and send ”For all activity”)
  2. Using web interface on desktop, set your status to Away
  3. (Still in the web interface) receive a message in the currently open channel (which immediately marks it read)

Expected behavior

Nothing happens on the mobile device (no notification).

Observed behavior (that appears unintentional)

The mobile device receives a notification about the already read message. The notification immediately disappears. If you weren’t looking at the device, you’re left wondering why it alerted you.

Other info

If your status is set to Online instead of Away (at step 2), the mobile device receives no notification (as expected). If ”Trigger push notifications when” is set to ”Online, away or offline” (at step 1), the mobile device receives no notification irrespective of your Online/Away status (also as expected).

Environment Information

I’m self-hosting Mattermost 5.26.1 with self-hosted MMPNS 5.22.4. Mattermost Mobile is at version 1.34.0. My mobile devices have Android 10 (Samsung) and Android 7.1.2 (LineageOS 14.1).

I don’t know if this is an issue with the client or the server; I can re-report against the latter if appropriate.

Vastaa viestiin sen kontekstissa (Github)

No subpath, just the plain domain

4. joulukuuta 2019 klo 19.58
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Mattermost

@amyblais No subpath, just the plain domain.

Vastaa viestiin sen kontekstissa (Github)

Here are the banner settings

5. marraskuuta 2019 klo 13.08
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Firefox, Mattermost

Hi @amyblais, thanks for taking a look!

Here are the banner settings:

# grep -i banner config.json 
        "EnablePreviewModeBanner": true,
        "EnableBanner": false,
        "BannerText": "",
        "BannerColor": "#f2a93b",
        "BannerTextColor": "#333333",
        "AllowBannerDismissal": true

I should also mention that I’ve previously enabled Developer Mode ("EnableDeveloper": true), but I’m not sure it’s related, since the notification in this issue has the normal blue background, not a purple one.

The issue reappeared today for the other affected user, then kept disappearing and reappearing under testing, but we were unable to pin down any specific reason. Their browser console (Firefox) only has this:

websocket connecting to wss://[redacted]/api/v4/websocket websocket_client.jsx:35:20

and the server log meanwhile only has this line repeated:

mlog/log.go:174	{"name":"TypeError","message":"NetworkError when attempting to fetch resource.","stack":""}	{"path": "/api/v4/logs", "request_id": "g8wwo8yu57djmkipjxjxn7hy3y", "ip_addr": "[redacted]", "user_id": "[redacted]", "method": "POST", "err_where": "client", "http_code": 0, "err_details": ""}

(where user_id is the one for the affected user.)

Vastaa viestiin sen kontekstissa (Github)

”A new version of Mattermost is available” notification remains after selecting to ”Refresh the app now”

4. marraskuuta 2019 klo 16.52
Sijainti: Vianhallintajärjestelmät: Github
Avainsanat: Chrome, Firefox, Mattermost

Summary

Selecting the ”Refresh the app now” link from update notification doesn’t make the notification go away.

Steps to reproduce

Have MM server updated to latest release. Open an existing session of the web app in Firefox. See the refresh prompt, select ”Refresh the app now”.

Expected behavior

Web page is refreshed, the notification goes away.

Observed behavior (that appears unintentional)

Web page is refreshed, but the update notification is still there, still prompting to refresh.

Verbose version

With some of the most recent updates (perhaps 5.16 and newer), the ”Refresh the app now” link in the update notification (”A new version of Mattermost is available”) on the web app did not make that notification go away for myself and another user. The link did cause a refresh of the page content, but the notification persisted. Meanwhile the version being reported by ”About Mattermost” was the correct (5.16.2).

Ctrl+shift+r or other hard refresh attempts did not have an effect, but logging out and then back in to the site finally did make the notification go away.

We’re both Firefox users, and due to the nature of the issue it was difficult to tell if this was browser-specific, but a fresh login using Chrome (while the previous session in Firefox still showed the notification) did not bring up the notification in the new session.

The issue, though irritatingly persistent while it lasted, was still relatively ephemeral, and now that it’s gone, I wouldn’t know how to reproduce it before the next server update. That said, I’ll happily provide more details if I can.

Vastaa viestiin sen kontekstissa (Github)

Vanhempia »