Possible Bug in anvil.users.mfa.configure_mfa_with_form

yahiakalabs · March 4, 2024, 5:10pm

What I’m trying to do:
Set up a settings page where a user can configure their own MFA.

What I’ve tried and what’s not working:
Followed this article: Anvil Docs | Logging in Using Code

Specifically, using:

anvil.users.mfa.configure_mfa_with_form(allow_cancel=True)

I get this dialog as expected:

However, I get this error when entering my password and clicking on ‘use authenticator app’:

Looking at the anvil-runtime source code, it seems the user’s email is not being passed to the relevant function (_configure_mfa):

    def configure_mfa_with_form(allow_cancel=False):

        error = None
        while True:
            mfa_method, password = _configure_mfa(None, error, True, allow_cancel, "Save")

That function requires the user’s email to work.

I suppose I could call generate_totp_secret directly but I’d rather use this more abstract function to handle the workflow.

ianb · March 5, 2024, 4:30pm

What happens if you call the configure_mfa_with_form dialogue with an already logged in user, the clojure code looks like it has some method to get the “current” email address. (Or I could be reading it wrong, which is often the case)

yahiakalabs · March 5, 2024, 8:29pm

I am calling it with a logged in user and getting this error. I didn’t dig deep into the clojure code (too scary) but didn’t have to go further than the Python modules.

Anyway here’s a clone link to my app (Settings form). It depends on two open source apps but the Settings form is fairly standalone.

ianb · March 5, 2024, 8:39pm

I think it is a bug, I don’t understand how it is supposed to work at all if it is not passing the parameter it needs, just like you said.

stucork · March 6, 2024, 5:27am

I can reproduce that error if the user is not logged in
however if i have a logged in user i cannot reproduce the error you’re seeing

The clone link has a little too much going on
If you’re able to produce a minimal example that would helpful

worth confirming the user is definitely logged in by printing
anvil.users.get_user() before calling that method

yahiakalabs · March 6, 2024, 3:43pm

Error is gone now. I must have forgotten to save the logged in user or remembered the login state or something like that.

yahiakalabs · March 10, 2024, 5:26pm

Ok I figured out how to reproduce the error:

The logged in user is successfully inferred when the user logs in during the current session.

However, when I am in a debug session, and restart the debug app (which I think starts a new session), and the user is already logged in (remembered), it can no longer infer the logged in user. This causes issues with:

configure_mfa_with_form
add_mfa_method

I also tried with a different deployed environment and reproduced the issue. It is tricky since refreshing the page usually continues the same session. But when I enter a new session and the user is already logged in, issue happens.

yahiakalabs · March 13, 2024, 3:25pm

update: I wrote my own code to avoid using those mfa functions and call some lower level functions instead.

Still, this seems like a bug in those more abstract functions.