Two Factor authentication issue: "undefined method `[]' for nil:NilClass"

[jgthms]

Hi and thanks for creating this library.

I am developing an app with both a main account type, and an admin one. I've succesfully followed these instructions to create both account types.

After finalising all the website features, I decided to reset the database with rake db:reset to see how the app would behave on a fresh install.

After creating a new admin account, I'm running into this error:

My rodauth_admin.rb configuration looks like this:

My rodauth_app.rb configuration is:

class RodauthApp < Rodauth::Rails::App
  # primary configuration
  configure RodauthMain

  # secondary configuration
  configure RodauthAdmin, :admin

  route do |r|
    rodauth.load_memory # autologin remembered users

    r.rodauth # route rodauth requests

    # ==> Authenticating requests
    # Call `rodauth.require_account` for requests that you want to
    # require authentication for. For example:
    #
    # # authenticate /dashboard/* and /account/* requests
    # if r.path.start_with?("/dashboard") || r.path.start_with?("/account")
    #   rodauth.require_account
    # end

    # ==> Secondary configurations
    r.rodauth(:admin) # route admin rodauth requests

    if request.path.start_with?("/admin")
      rodauth(:admin).require_account
    end

    # require MFA if the user is logged in and has MFA setup
    if rodauth(:admin).uses_two_factor_authentication?
      rodauth(:admin).require_two_factor_authenticated
    end
  end
end

Did I miss a step somewhere?

[janko]

Could you please post the full backtrace of the exception? It's not clear from the error message where it's coming from.

[jgthms]

Here it is:

[Application Trace](http:https://127.0.0.1:3000/#) | [Framework Trace](http:https://127.0.0.1:3000/#) | [Full Trace](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/base.rb:714:in `get_password_hash'](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/base.rb:703:in `has_password?'](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/base.rb:525:in `possible_authentication_methods'](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/otp.rb:340:in `possible_authentication_methods'](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/two_factor_base.rb:196:in `two_factor_authentication_setup?'](http:https://127.0.0.1:3000/#)
[rodauth (2.33.0) lib/rodauth/features/two_factor_base.rb:201:in `uses_two_factor_authentication?'](http:https://127.0.0.1:3000/#)
[app/misc/rodauth_app.rb:30:in `block in <class:RodauthApp>'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:522:in `_roda_run_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/middleware.rb:204:in `_roda_run_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/_before_hook.rb:27:in `_roda_run_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:500:in `block in _roda_handle_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:498:in `catch'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:498:in `_roda_handle_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/error_handler.rb:88:in `_roda_handle_main_route'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:384:in `block in base_rack_app_callable'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda.rb:53:in `call'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/middleware.rb:156:in `block in call'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/middleware.rb:154:in `catch'](http:https://127.0.0.1:3000/#)
[roda (3.75.0) lib/roda/plugins/middleware.rb:154:in `call'](http:https://127.0.0.1:3000/#)
[rodauth-rails (1.13.0) lib/rodauth/rails/middleware.rb:18:in `block in call'](http:https://127.0.0.1:3000/#)
[rodauth-rails (1.13.0) lib/rodauth/rails/middleware.rb:17:in `catch'](http:https://127.0.0.1:3000/#)
[rodauth-rails (1.13.0) lib/rodauth/rails/middleware.rb:17:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/tempfile_reaper.rb:20:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/etag.rb:29:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/conditional_get.rb:31:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/head.rb:15:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/http/permissions_policy.rb:36:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/http/content_security_policy.rb:33:in `call'](http:https://127.0.0.1:3000/#)
[rack-session (2.0.0) lib/rack/session/abstract/id.rb:272:in `context'](http:https://127.0.0.1:3000/#)
[rack-session (2.0.0) lib/rack/session/abstract/id.rb:266:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/cookies.rb:689:in `call'](http:https://127.0.0.1:3000/#)
[activerecord (7.1.2) lib/active_record/migration.rb:654:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/callbacks.rb:101:in `run_callbacks'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/callbacks.rb:28:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/executor.rb:14:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/actionable_exceptions.rb:16:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'](http:https://127.0.0.1:3000/#)
[web-console (4.2.1) lib/web_console/middleware.rb:132:in `call_app'](http:https://127.0.0.1:3000/#)
[web-console (4.2.1) lib/web_console/middleware.rb:28:in `block in call'](http:https://127.0.0.1:3000/#)
[web-console (4.2.1) lib/web_console/middleware.rb:17:in `catch'](http:https://127.0.0.1:3000/#)
[web-console (4.2.1) lib/web_console/middleware.rb:17:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'](http:https://127.0.0.1:3000/#)
[railties (7.1.2) lib/rails/rack/logger.rb:37:in `call_app'](http:https://127.0.0.1:3000/#)
[railties (7.1.2) lib/rails/rack/logger.rb:24:in `block in call'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/tagged_logging.rb:135:in `block in tagged'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/tagged_logging.rb:39:in `tagged'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/tagged_logging.rb:135:in `tagged'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/broadcast_logger.rb:240:in `method_missing'](http:https://127.0.0.1:3000/#)
[railties (7.1.2) lib/rails/rack/logger.rb:24:in `call'](http:https://127.0.0.1:3000/#)
[sprockets-rails (3.4.2) lib/sprockets/rails/quiet_assets.rb:13:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/remote_ip.rb:92:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/request_id.rb:28:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/method_override.rb:28:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/runtime.rb:24:in `call'](http:https://127.0.0.1:3000/#)
[activesupport (7.1.2) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/server_timing.rb:59:in `block in call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/server_timing.rb:24:in `collect_events'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/server_timing.rb:58:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/executor.rb:14:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/static.rb:25:in `call'](http:https://127.0.0.1:3000/#)
[rack (3.0.8) lib/rack/sendfile.rb:114:in `call'](http:https://127.0.0.1:3000/#)
[actionpack (7.1.2) lib/action_dispatch/middleware/host_authorization.rb:141:in `call'](http:https://127.0.0.1:3000/#)
[rack-cors (2.0.1) lib/rack/cors.rb:102:in `call'](http:https://127.0.0.1:3000/#)
[railties (7.1.2) lib/rails/engine.rb:529:in `call'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/configuration.rb:272:in `call'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/request.rb:100:in `block in handle_request'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/thread_pool.rb:378:in `with_force_shutdown'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/request.rb:99:in `handle_request'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/server.rb:443:in `process_client'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/server.rb:241:in `block in run'](http:https://127.0.0.1:3000/#)
[puma (6.4.0) lib/puma/thread_pool.rb:155:in `block in spawn_thread'](http:https://127.0.0.1:3000/#)

[janko]

Thanks. As I suspected, the issue is in the fact that #uses_two_factor_authentication? method doesn't handle account record getting deleted while Rails session still has it logged in, which happened when you ran rake db:reset.

The quickest solution would be to also check for the presence of the account:

if rodauth(:admin).account! && rodauth(:admin).uses_two_factor_authentication?
  # ...
end

I will see if I can get a patch merged into Rodauth to make #uses_two_factor_authentication? handle this gracefully.

[jgthms]

Ok thanks. Additionally, the following block failed as well:

if request.path.start_with?("/admin")
  rodauth(:admin).require_account
end

I might wrap both conditionals in a if rodauth(:admin).account! block.

Also, everything returned to normal as soon as I verified the account and I set updated the db manually to have a valid admin account.

Thanks for your help.

[janko]

Hmm, #require_account should handle the account record missing in the DB, strange that it didn't work. Maybe the error happened when you requested a non-/admin/* page, in which case the #require_account didn't get called? You could try moving the MFA check into the /admin/* conditional after the #require_account call.

But yeah, Rodauth generally doesn't handle accounts that are deleted directly from the DB. Recommending require_account instead of require_authentication was one way I tried to mitigate these errors.

[jgthms]

Just to clarify, I reste my db and cleared my site data in the browser. After that, creating "main" accounts works fine. Creating an "admin" is where it fails. The create method throws this error and no admin account is created in the db.

I'm surprised nobody ran into this issue yet since someone cloning my repo would encounter the same problem I believe.

[janko]

Oh, I misunderstood then. So, this error happens only when you're signed into an admin account awaiting verification (create account endpoint autologs in the account by default). Did you separate out session data for admins as shown here - https://github.com/janko/rodauth-rails#multiple-configurations?