PADD does not properly reject failed authentication when 2FA is enabled on WebUI #414

Open
mwoolweaver opened this issue Feb 13, 2025 · 13 comments · May be fixed by #416

@mwoolweaver

mwoolweaver commented Feb 13, 2025

Describe the bug
When 2FA is enabled on the WebUI and you provide the WebUI password (w/o TOTP), PADD will say "Authentication successful." and will produce a broken dashboard, as seen in the screenshot.

It appears that PADD assumes it is dealing with pi-hole in a docker container given the output shown.

To Reproduce
Steps to reproduce the behavior:

  1. Set up 2FA on WebUI
  2. Start PADD (./padd.sh --server pi.hole --secret +pass/word=) and provide WebUI password (w/o TOTP)
  3. Get what is seen in screenshot

Expected behavior

Give a failed login error instead of broken output.

Screenshots
Image

Additional context

Also side question:

How does PADD expect to receive the --secret?

I have tried with:

double quotes "+pass/word="
single quotes '+pass/word='
no quotes +pass/word=

It always rejects it and asks for it again; then I can paste into terminal and PADD will accept it.

The password provided by the API has +, /, and = in it. Is bash somehow misinterpreting these characters?

@yubiuser
Member

> also side question:

This is a bug introduced by #392.

Please try branch fix/secret

@mwoolweaver
Author

> Please try branch fix/secret

That works for passing the secret.

@mwoolweaver
Author

mwoolweaver commented Feb 13, 2025

Also, just for clarity on this:

> when 2FA is enabled on WebUI and you provide the WebUI password (w/o TOTP).

PADD rejects other wrong passwords correctly, but when you provide the WebUI password specifically it does what is seen in the screenshot above.

@yubiuser
Member

I'll have a look at supporting 2FA/correctly rejecting 2FA.

Did you try to login with enabled 2FA and the app password?

@mwoolweaver
Author

mwoolweaver commented Feb 13, 2025

> Did you try to login with enabled 2FA and the app password?

Yes, the app password is working correctly after using fix/secret found in #415.

I just stumbled upon this issue by accident yesterday and just figured I'd report it.

@yubiuser
Member

@mwoolweaver

Could you please try the 2fa branch as well?

@mwoolweaver
Author

mwoolweaver commented Feb 13, 2025

The 2fa branch seems to require 2FA regardless of the password (app or WebUI) I provide, but does log in and populate data.

Not sure what is expected but it's worth noting, this is the same behavior as the WebUI (https://pi.hole), will accept App password or WebUI password with 2FA.

@yubiuser
Member

Yes, this is kind of by design. As we don't know what type of password the user inputs we ask for the second factor. However, if you supply the app password, the 2fa can be empty or some random number.

@mwoolweaver
Author

mwoolweaver commented Feb 14, 2025

> However, if you supply the app password, the 2fa can be empty or some random number.

Can confirm passing --2fa 0 works as you describe.

@mwoolweaver
Author

mwoolweaver commented Feb 14, 2025

I would consider this fixed by #416 if the behavior described in #416 (comment) is what is desired.

yubiuser linked a pull request Feb 14, 2025 that will close this issue
@mwoolweaver
Author

> Also side question:
>
> How does PADD expect to receive the --secret?
>
> I have tried with:
>
> double quotes "+pass/word="
> single quotes '+pass/word='
> no quotes +pass/word=
>
> It always rejects it and asks for it again; then I can paste into terminal and PADD will accept it.
>
> The password provided by the API has +, /, and = in it. Is bash somehow misinterpreting these characters?

Should this be a separate issue?

@rdwebdesign
Member

rdwebdesign commented Feb 18, 2025

Probably similar to this issue: pi-hole/pi-hole#5771

Try to put the password in single quotes, like this: --secret '+pass/word='

EDIT:
I just saw that you already tried it...

@mwoolweaver
Author

mwoolweaver commented Feb 18, 2025

@rdwebdesign it is fixed with #415 (fixes password not being accepted with --secret) or #416 (goes a bit further with adding 2FA support), but from the looks of it not many have encountered it yet; seems I am the only one.
