This repository has been archived by the owner on May 22, 2018. It is now read-only.

Can't log in, 2FA errors forever #839

Open · indirect opened this issue Jan 24, 2017 · 9 comments

@indirect
Contributor

2FA accounts are unable to log in when running script/server:

our-boxen andre$ script/boxen
--> Preparing to auto-update...
--> Complete! Nothing new from upstream.
--> Oh, looks like you've provided your login as environmental variable...

GitHub password: **********

--> It looks like you have two-factor auth enabled.

One time password (via SMS or device):
******

--> That one time password didn't work. Let's try again.

One time password (via SMS or device):
******

--> That one time password didn't work. Let's try again.

Repeat until you get tired and give up. It's an infinite loop.

(Yes, I'm 100% sure my password and token are correct, and I used them to log in to GitHub.com moments before using them in Boxen.)

@jacobbednarz
Member

Thanks for the report @indirect.

Are you able to check whether Boxen is listed as an authorized application at https://github.com/settings/applications? Could you also provide the version of boxen and our-boxen you are running?

From the messages above, it looks like something is breaking down at lib/boxen/preflight/creds.rb#L59. Could you try debugging around that HTTP request and ensure it is passing the correct token, etc?

@jacobbednarz jacobbednarz self-assigned this Jan 24, 2017
@indirect
Contributor Author

@jacobbednarz ah, sorry, I should have included versions and such. I did a straight up checkout of a61b60d, and ran bundle install --path .bundle; script/boxen. That should make it pretty easy to repro. 👍

I did some print-debugging inside creds.rb, and it does appear to be passing the headers hash to Octokit with the correct OTP:


One time password (via SMS or device):
******
otp is 445316
headers: {"X-GitHub-OTP"=>"445316"}
otp is 445316
rescued OneTimePasswordRequired
--> That one time password didn't work. Let's try again.

Nevertheless, it seems like Octokit is raising OneTimePasswordRequired even with the header set correctly. :/

@jacobbednarz
Member

I've taken the following steps:

  • Checked out a61b60d

  • Revoked boxen-web token at https://github.com/settings/applications

  • Revoked single personal token at https://github.com/settings/tokens

  • Ran Boxen commands from your report

    $ bundle install --path .bundle; script/boxen
    --> Preparing to auto-update...
    --> Complete! Nothing new from upstream.
    --> Oh, looks like you've provided your login as environmental variable...
    
    GitHub password: *******
    
    --> It looks like you have two-factor auth enabled.
    
    One time password (via SMS or device):
    ******
    Fact file /opt/boxen/repo/facts.d/example.yaml was parsed but returned an empty data set
    Notice: Compiled catalog for helios.belkin in environment production in 4.41 seconds
    

From what I can guess, the OTP stuff is being caused by one of the following:

  • Your OTP device is suffering from clock drift. I've experienced this in the past, and the fix is to resync your device's clock and try again. I'd recommend your Mac and 2FA device be resynced to be sure.
  • There are duplicate tokens and it's grabbing the first one (maybe?) and it's using the wrong seed.
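
The clock-drift hypothesis above is easy to see in code. The following is an added example written for this page, not Boxen or Octokit code: a plain-Ruby HOTP (RFC 4226) and TOTP (RFC 6238) implementation checked against the RFCs' published test secret, plus a verifier with a configurable time-step window. A device whose clock runs behind the server produces a code for an earlier 30-second step; whether the server accepts it depends on how many neighbouring steps the verifier tolerates. The window sizes and the drift amounts are assumptions for illustration; GitHub's actual tolerance is not stated on this page.

```ruby
# Added example (not Boxen or Octokit code): HOTP/TOTP in plain Ruby to show
# why a drifted device clock yields codes the server rejects.
require "openssl"

TOTP_STEP = 30 # seconds per time step (the common default, assumed here)

# Constant-time string comparison so a verifier does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation to a 31-bit integer, reduced to `digits` decimal digits.
def hotp(secret, counter, digits: 6)
  msg  = [counter].pack("Q>")                        # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest("SHA1", secret, msg)   # 20-byte MAC
  offset = hmac.getbyte(19) & 0x0f                   # low nibble of last byte
  code = hmac.byteslice(offset, 4).unpack("N").first & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, "0")
end

# TOTP is HOTP with counter = floor(unix_time / step).
def totp(secret, unix_time, step: TOTP_STEP, digits: 6)
  hotp(secret, unix_time / step, digits: digits)
end

# Verifier: accept the code for the current step and +/- `window` neighbours.
# Returns the matching step offset (-window..window), or nil when rejected.
def verify_totp(secret, code, server_time, window: 1, step: TOTP_STEP)
  t = server_time / step
  (-window..window).each do |delta|
    return delta if secure_equal?(hotp(secret, t + delta), code)
  end
  nil
end

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_SECRET = "12345678901234567890"

# Simulate a device whose clock runs `drift` seconds behind the server:
# the device shows totp(device_time); the server checks it against its own
# clock with the given window. Returns the accepted offset or nil.
def drift_outcome(secret, server_time, drift, window:)
  code = totp(secret, server_time - drift)   # what the device displays
  verify_totp(secret, code, server_time, window: window)
end

if __FILE__ == $0
  puts "HOTP(K, 0) = #{hotp(RFC_SECRET, 0)} (RFC 4226 expects 755224)"
  puts "TOTP(K, t=59) = #{totp(RFC_SECRET, 59)} (RFC 6238 expects ...287082)"
  [0, 15, 45].each do |drift|
    puts "device #{drift}s behind, window 1 -> #{drift_outcome(RFC_SECRET, 100, drift, window: 1).inspect}"
  end
end
```

With the server at t=100 (step 3), a device 15 seconds behind still lands in step 2 and is accepted at offset -1, while a device 45 seconds behind produces the step-1 code, which a window of one step rejects outright. That is the failure mode the resync advice addresses.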

@indirect
Contributor Author

Ugh. Thanks for checking on this! It working for you is super, super confusing. I'm using the Authy app on my iPhone, and I am able to generate valid OTP tokens and log in to github.com successfully, so I'm super confused about why Octokit can't log in using them. I guess I'll just manually generate a token and stuff it in my netrc and move on.

@jacobbednarz
Member

If you dump the HTTP request being made, does it line up with your Mac clock (and is it within a couple of minutes)?

@indirect indirect reopened this Jan 28, 2017
@indirect
Contributor Author

@jacobbednarz here's a full dump using the debug instructions from the Octokit readme and some extra debug prints from me (starting with "**"). It seems like Octokit is making a second request, and the second request is raising the exception, even though the first request failed? The only line of ruby code getting run is tmp_api.authorizations(:headers => headers).

My best guess about what's happening is that Octokit is following the returned Link URL to the second page, and that request is failing because the OTP code is only valid for one request? Not sure. Open to any ideas. In the end, I'm making this work by running boxen --token abc123 and letting it save my token into the keychain.

GitHub login: |indirect| 
GitHub password: **********
** got login and password, going to try `get_tokens`
** started get_tokens
** about to run `tmp_api.authorizations(:headers => {})
I, [2017-01-27T23:56:04.924339 #11160]  INFO -- : get https://api.github.com/authorizations?&per_page=100
D, [2017-01-27T23:56:04.924413 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
** rescued OneTimePasswordRequired
--> It looks like you have two-factor auth enabled.

** before get_otp
I, [2017-01-27T23:56:05.326115 #11160]  INFO -- : post https://api.github.com/authorizations
D, [2017-01-27T23:56:05.326174 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
One time password (via SMS or device):
******
** get_otp return 782335
** before get_tokens again
** started get_tokens
** about to run `tmp_api.authorizations(:headers => {"X-GitHub-OTP"=>"782335"})
I, [2017-01-27T23:56:12.639715 #11160]  INFO -- : get https://api.github.com/authorizations?headers%5BX-GitHub-OTP%5D=782335&per_page=100
D, [2017-01-27T23:56:12.660826 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
X-GitHub-OTP: "782335"
I, [2017-01-27T23:56:13.083434 #11160]  INFO -- Status: 200
D, [2017-01-27T23:56:13.083526 #11160] DEBUG -- response: server: "GitHub.com"
date: "Sat, 28 Jan 2017 07:56:13 GMT"
content-type: "application/json; charset=utf-8"
transfer-encoding: "chunked"
connection: "close"
status: "200 OK"
x-ratelimit-limit: "5000"
x-ratelimit-remaining: "4985"
x-ratelimit-reset: "1485593330"
cache-control: "private, max-age=60, s-maxage=60"
vary: "Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding"
etag: "W/\"dc15ee839174d41a75ed63362a0eb350\""
x-github-media-type: "github.beta; format=json"
link: "<https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&per_page=100&page=2>; rel=\"next\", <https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&per_page=100&page=2>; rel=\"last\""
access-control-expose-headers: "ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval"
access-control-allow-origin: "*"
content-security-policy: "default-src 'none'"
strict-transport-security: "max-age=31536000; includeSubdomains; preload"
x-content-type-options: "nosniff"
x-frame-options: "deny"
x-xss-protection: "1; mode=block"
x-served-by: "0e17b94a265a427d9cafe798ceea7c02"
x-github-request-id: "CBD5:2C95:71DD497:909038C:588C4E9C"
I, [2017-01-27T23:56:13.106454 #11160]  INFO -- : get https://api.github.com/authorizations?headers=%7B%22X-GitHub-OTP%22%3D%3E%22782335%22%7D&page=2&per_page=100
D, [2017-01-27T23:56:13.106533 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
** rescued OneTimePasswordRequired
--> That one time password didn't work. Let's try again.

** before get_otp
I, [2017-01-27T23:56:13.455564 #11160]  INFO -- : post https://api.github.com/authorizations
D, [2017-01-27T23:56:13.455612 #11160] DEBUG -- request: Accept: "application/vnd.github.beta+json"
User-Agent: "Octokit Ruby Gem 2.7.2"
Authorization: "Basic aW5kaXJlY3Q6Z2JTZGFmbDswMQ=="
One time password (via SMS or device):
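
The dump above shows the first GET carrying `X-GitHub-OTP: "782335"` and returning 200 with a `link: ... rel="next"` header, and then a second GET for `page=2` whose request headers contain no `X-GitHub-OTP` at all, which is the request that raises `OneTimePasswordRequired`. The following is an added example written for this page, not Boxen's or Octokit's code: an in-process model of that sequence, with a toy API that demands the OTP header on every request and a client whose auto-pagination re-applies only its own default headers when it follows a Link URL. How Octokit 2.7.2 actually constructs the page-2 request is not shown on the page beyond the dumped headers, so the client here is a model of the observed behaviour, not Octokit's implementation. The URL, the sample authorizations and the OTP value are constructed.

```ruby
# Added example (not Boxen or Octokit code): why a per-call OTP header is
# lost when an auto-paginating client follows Link: rel="next".
require "uri"

class OneTimePasswordRequired < StandardError; end

# Constructed sample data: two "authorizations", one per page.
AUTHORIZATIONS = [{ "id" => 1, "note" => "boxen-web" }, { "id" => 2, "note" => "cli" }].freeze
PER_PAGE  = 1
VALID_OTP = "782335" # constructed, mirroring the value in the dump above
START_URL = "https://api.example.test/authorizations?per_page=#{PER_PAGE}"

# Toy server: every request must carry a valid X-GitHub-OTP header.
# Returns [status, response_headers, body].
def fake_api(url, request_headers)
  unless request_headers["X-GitHub-OTP"] == VALID_OTP
    return [401, { "x-github-otp" => "required; app" }, []]
  end
  params = URI.decode_www_form(URI(url).query || "").to_h
  page   = (params["page"] || "1").to_i
  body   = AUTHORIZATIONS.each_slice(PER_PAGE).to_a[page - 1] || []
  resp_headers = {}
  if page * PER_PAGE < AUTHORIZATIONS.size
    resp_headers["link"] =
      "<https://api.example.test/authorizations?per_page=#{PER_PAGE}&page=#{page + 1}>; rel=\"next\""
  end
  [200, resp_headers, body]
end

# Parse an RFC 5988 Link header and return the rel="next" URL, if any.
def next_link(link_header)
  return nil if link_header.nil?
  link_header.split(",").each do |part|
    m = part.match(/<([^>]+)>;\s*rel="([^"]+)"/)
    return m[1] if m && m[2] == "next"
  end
  nil
end

# Client that merges its default headers with whatever the caller passes
# for a single call, then follows Link: rel="next" using only the defaults.
class NaiveClient
  def initialize(default_headers = {})
    @default_headers = default_headers
  end

  def get(url, per_request_headers = {})
    status, headers, body = fake_api(url, @default_headers.merge(per_request_headers))
    raise OneTimePasswordRequired, url if status == 401
    [headers, body]
  end

  def paginate(url, per_request_headers = {})
    headers, items = get(url, per_request_headers)
    while (nxt = next_link(headers["link"]))
      headers, more = get(nxt)   # per-request headers are not carried over
      items += more
    end
    items
  end
end

# Strategy 1 (the sequence in the dump): OTP supplied per call. Page 1
# succeeds, page 2 goes out without the header and is rejected.
def otp_per_request
  NaiveClient.new.paginate(START_URL, { "X-GitHub-OTP" => VALID_OTP })
rescue OneTimePasswordRequired => e
  "OneTimePasswordRequired on #{e.message}"
end

# Strategy 2: OTP pinned on the client's defaults, so every followed page
# carries it and the full listing comes back.
def otp_on_client_defaults
  NaiveClient.new({ "X-GitHub-OTP" => VALID_OTP }).paginate(START_URL)
end

if __FILE__ == $0
  puts otp_per_request
  puts otp_on_client_defaults.map { |a| a["id"] }.inspect
end
```

Two hygiene points the dump itself raises: the first GET's URL and the echoed Link URLs contain `headers%5BX-GitHub-OTP%5D=782335`, so the one-time code was also serialised into query strings (and therefore into any request logs); and the `Authorization: Basic ...` value is only base64 of `login:password`, so a request dump should have that header redacted before it is pasted into a public issue.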

@jacobbednarz
Member

I've tried replicating this for the last few days and I've come up empty 😞

@MikeMcQuaid are you able to take a look at the logs at GitHub for the possible cause here? I'd like to be able to safeguard against it, but I'm not sure what is actually causing the issue.

@MikeMcQuaid
Contributor

@jacobbednarz Email [email protected] and they'll be able to help more.

@jacobbednarz
Member

@indirect did you get anywhere with this? I'm happy to make changes within Boxen if there is something we can do better.
