_2fDevices redaction corrupts session
Affected version
Version: 2.18.2
Platform: Alma Linux 9, custom Docker image (using the RPMS from https://lemonldap-ng.org/redhat/stable/)
Summary
Active Directory grants an auth level of 2, and some apps require an auth level of 5. The Upgrade Session plugin handles the re-auth with a second factor (WebAuthn and TOTP are configured). While this is working, I sometimes have a corrupted session. The issue comes from the _2fDevices, which looks like
"_2fDevices": "******"
As LL::NG is expecting a JSON array, this is breaking. The session can neither be displayed in the manager, nor can it be upgraded with 2FA. If I try to access an app which requires an authLevel of 5, I just get a white page with "Internal Server Error" instead of the 2FA upgrade page on the portal.
Logs
[Wed Feb 28 10:04:12 2024] [LLNG:655] [warn] User rejected due to insufficient authentication level
[Wed Feb 28 10:04:12 2024] [LLNG:655] [warn] -> Session upgrade enabled
[Wed Feb 28 10:04:12 2024] [LLNG:655] [error] Corrupted session (_2fDevices): malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "******") at /usr/share/perl5/vendor_perl/JSON.pm line 190.
[uwsgi-perl error] Can't use an undefined value as an ARRAY reference at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/2F/Engines/Default.pm line 305.
[Wed Feb 28 10:04:54 2024] [LLNG:41] [error] Corrupted session (_2fDevices): malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "******") at /usr/share/perl5/vendor_perl/JSON.pm line 190.
[uwsgi-perl error] Can't use an undefined value as an ARRAY reference at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/2F/Engines/Default.pm line 305.
Backends used
uwsgi and nginx for the portal and manager, Traefik and uwsgi for the Handler, postgres for configuration and sessions, Active Directory (samba4) for UserDB and PasswordDB. Handlers are using the REST API for config and session. I think the issue comes from here. 2fDevices is an hidden attribute (don't know where this is configured yet). I've enabled "Export secrets attributes" on the REST server, but it doesn't look like it changes anything. As the handler gets a "*******" from the REST API for the session, when it updates the session, it corrupts it in the session database. Attribute redaction should honor attribute type (eg, set 2fDevices as ["*****"] instead of "*****") so at least the session wouldn't be corrupted. I also need to find how to remove 2fDevices from the hidden attribute list so it can be served to my handlers with the REST API, but this is probably just a matter of correct configuration.