Two factor authentication not working

[jblanchg]

Hello, I was testing the built-in two-factor authentication with the db-auth service, but I can’t get it to work. Once enabled, if I go to the login page (https://mypage/tenant/auth/login?url=https%3A//mypage/tenant/) and log in with a user, it shows the QR code for setup. Scanning it works — I can see the issuer name and username correctly in the app (Google Authenticator).

However, once I enter the code and click “Confirm”, it redirects me back to the login page (this time with the URL changed to (https://mypage/tenant/auth/login). The same behavior occurs even if I enter an incorrect verification code.

Checking the db-auth service logs, I see the following warning after clicking “Confirm” on the setup page:
WARNING in db_auth: TOTP not enabled or not in login process

Am I missing something? Thanks!

I'm using qwc-db-auth:v2025.10.16 and qwc-base-db-migrate:v2025.10.13.

[manisandro]

Hard to say at distance. Can you add some debug prints to db_auth.py directly in the container to which failed condition triggers the warning? (The warning is emitted at multiple locations)

[jblanchg]

Sure. Apparently it's redirecting to the login url here:

qwc-db-auth/src/db_auth.py

Lines 343 to 345 in 8e77c5c

	if 'login_uid' not in session:
	self.logger.warning("TOTP not enabled or not in login process")
	return redirect(url_for('login'))

[manisandro]

Is this code reached?

qwc-db-auth/src/db_auth.py

Line 209 in 8e77c5c

session['login_uid'] = user.id

[jblanchg]

Yes, the session['login_uid'] value is a number

[manisandro]

In the network inspector, do you see a the .../login request response headers containing a set-cookie header which sets a session cookie? Is this session cookie sent to the subsequent .../verify request?

[jblanchg]

When I log in I can see the set-cookie header in the request login?url=https%3A//mypage/tenant/

After scanning the QR code and clicking 'Confirm' I can't see any /verify request, but a /totp that redirects to /login, this time the login without the url parameter.

[manisandro]

Does the totp request send the session cookie?

[jblanchg]

Yes

[manisandro]

Hm unfortunately at distance I don't have any other ideas. You'd need to dig through the python code of flask.session to find out why the session isn't detected in __setup_totp.

[jblanchg]

Okay, I'll get back to this tomorrow and let you know If I find something.

Thanks