RE: Unable to get successful EnableTwoFactor using dotnet client

Thanks @dan

Hi All, (pinging @Dan )

Could someone let me know what I am doing wrong here.

I'm trying to set user data using PatchUser. I'm getting a 200 back but the data is never changed.

When I use UpdateUser it works but of course strips out all non-specified data.

Here are two code samples.

This works, but as expected strips data as it is a replace.

        FusionAuthSyncClient client = new FusionAuthSyncClient(Configuration["FusionAuthApiKey"], Configuration["FusionAuthAuthority"], Configuration["FusionAuthTenantId"]);
        Guid guid = new Guid(userID);
        recoveryCode = "abc";

        Dictionary<string, object> data = new Dictionary<string, object>();
        data.Add("recoveryCode", recoveryCode);

        UserRequest userRequest = new UserRequest();
        userRequest.user.data = data;

        var response = client.UpdateUser(guid, userRequest);

This does not work, and I suspect I'm doing something wrong.

        FusionAuthSyncClient client = new FusionAuthSyncClient(Configuration["FusionAuthApiKey"], Configuration["FusionAuthAuthority"], Configuration["FusionAuthTenantId"]);
        Guid guid = new Guid(userID);
        recoveryCode = "abc";

        Dictionary<string, object> data = new Dictionary<string, object>();
        data.Add("recoveryCode", recoveryCode);

        var response = client.PatchUser(guid, data);

I'm thinking it has something to do with recoveryCode being under data in the JSON hierarchy. I've tried nesting the dictionary within another dictionary, but PatchUser doesn't like that because it's expecting (Guid? userid, Dictionary<string, object> request), and not a nested dict. I've also tried nesting a UserRequest within the Dictionary, but it expectedly doesn't like that either.

However I've also tried updating a field like firstName too and that won't update either, so I'm not sure what I'm doing wrong.

Any help would be appreciated.

Thanks
Craig

UPDATE:

That was what the problem was. I switched from the GoogleAuthenticator NuGet package mentioned in my first post, and I am now using QRCoder, and that seems to have solved the problem.

Regards
Craig

UPDATE:

I've determined that the NuGet package mentioned above is giving me a different QR code than what FusionAuth would give me if I manually enabled two factor authentication using the same secret.

I've also determined that FusionAuth bases their two factor authentication on TOTP as defined in RFC 6238, so I can only assume that the package I chose is using a different algorithm. I've looked at a the documentation for the NuGet package and it does not mention what algorithm it is using.

I'm going to switch to another QR code generator that does adhere to RFC 6238 and see if that fixes things.

It would be nice of course if when using the FusionAuth API call GenerateTwoFactorSecret that it would also send back an image that can be used in the authenticator app. That would ensure the correct QR code and eliminate the need for an additional package to generate the QR code.

I will update later with my findings.

• Craig

Hi,

I'm using FusionAuth 1.21.0, and my app is running on .NET 5/Blazor Server.

I am unable to get a successful response to EnableTwoFactor using the FusionAuth dotnet client.

The first thing I do is GenerateTwoFactorSecret, which I use to create the QR code (using the GoogleAuthenticator NuGet Package by Brandon Potter). The QR code is brought into the authenticator app and I get a code. I validate the code with the QR code package's check method and get a successful validation of the code.

I then try to EnableTwoFactor using the code and the validationSecret (Base64 from GenerateTwoFactorSecret) and no matter what I do I get a 421 error.

The FusionAuthSyncClient is created using the same settings used to generate the secret, so it won't be that. In FusionAuth API settings I have enabled all (get, post, put, patch & delete) temporarily to test for /api/user/two-factor.

The server, desktop and mobile device are all time sync'd within a second of each other.

Here's my code:

    async Task GenerateQRCode()
    {
        InProgress = true;
        await Task.Delay(1);
        FusionAuthSyncClient client = new FusionAuthSyncClient(Configuration["FusionAuthApiKey"], Configuration["FusionAuthAuthority"], Configuration["FusionAuthTenantId"]);

        var secretResponse = client.GenerateTwoFactorSecret();

        if (secretResponse.WasSuccessful())
        {
            verificationSecret = secretResponse.successResponse.secret;

            TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
            var setupInfo = tfa.GenerateSetupCode(Configuration["Settings:AppName"], emailAddress, verificationSecret, false, 300);

            QRCodeStr = setupInfo.QrCodeSetupImageUrl;
            manualEntrySetupCode = setupInfo.ManualEntryKey;

            QRCodeGenerated = true;
        }
    }

GenerateQRCode is called from the HTML form, and once QRCodeGenerated becomes true, then the QR code is displayed.

    void Verify2FACode()
    {
        TwoFactorAuthenticator tfa = new TwoFactorAuthenticator();
        isCorrectPIN = tfa.ValidateTwoFactorPIN(verificationSecret, verificationCode);
        isPINChecked = true;

        if (isCorrectPIN)
        {
            Enable2FA();
        }
    }

Once the QR code is displayed, and the user has entered the verification code, on submit Verify2FACode is called. If not successful the form is redisplayed notifying that the code was incorrect. If successfully validated, Verify2FACode calls Enable2FA.

    void Enable2FA()
    {
        FusionAuthSyncClient client = new FusionAuthSyncClient(Configuration["FusionAuthApiKey"], Configuration["FusionAuthAuthority"], Configuration["FusionAuthTenantId"]);
        Guid guid = new Guid(userID);

        io.fusionauth.domain.api.TwoFactorRequest requestBody = new io.fusionauth.domain.api.TwoFactorRequest();
        requestBody.code = verificationCode;
        requestBody.delivery = io.fusionauth.domain.TwoFactorDelivery.None;
        requestBody.secret = verificationSecret;

        var response = client.EnableTwoFactor(guid, requestBody);
        // once this works, do some more stuff...
    }

It's at this point in the code that I'm getting a 421 error.

Here is a list of some of the in memory variables:

So you can see that all the variables in the responseBody match what is passed to it.

Unfortunately FusionAuth doesn't give my any feedback as to what is wrong beyond the code being incorrect (in the docs). It'd be nice if there was a way for me to see what it is expecting based on the secret passed to it.

The only thing I can think of is that the QR code that is being displayed is resulting in an incorrect code and one that does not match what FusionAuth is expecting. I will play with that tomorrow, but in the mean time if anyone has any other suggestions I'd be happy to hear them.

Thanks
Craig