User locked out of account because of 2FA

I updated my Nextcloud instance using the web updater to 27.0.1 and it totally broke the two-factor authentication. Here is what happened:

I updated the instance, TOTP got disabled because it wasn’t compatible,

I added another admin user and elevated it to admin, I could login without any issues.

I disabled 2FA entirely and it didn’t help.

I then installed and enabled 2FA admin app from Nextcloud store and successfully generated a code for the original user.

But I can’t even get the login to prompt me for the admin code, all I get is this (after I put username and password):

The url is this and it keeps refreshing:

[Screenshot from 2023-08-06 16-34-25]

The output of occ twofactorauth:state ORIGINALUSER:

sudo -u apache php  occ twofactorauth:state ORIGINALUSER
Two-factor authentication is enabled for user ORIGINALUSER

Enabled providers:
- admin
Disabled providers:
- backup_codes
- email
- totp

Originally I had totp and backup_codes enabled. TOTP got disabled and enabling it doesn’t change anything; I get the same page.
I tried installing email with the new admin user I created, but I can’t set the email up in the command line.

Any help would be appreciated as I don’t even know where to start debugging this.

Environment:

Nextcloud 27.0.1
On baremetal
Nextcloud is up with Apache and behind an Nginx reverse proxy

If you have SSH access to the Linux server where your NC is running, open the PHP console and disable the 2FA option via cmd according to the official documentation manual.

totp is a shipped app since NC25 so it definitely works with NC27. It should have upgraded automatically during the upgrade.

Not sure exactly where/how you ended up at this point, but the entry in your nextcloud.log file associated with that Request ID should provide a clue as to what is going on. Feel free to post it if it seems indecipherable. :slight_smile:

I would also suggest - if you haven’t already - authenticating from another browser (preferably one with all cookies associated with your NC url removed) since there could be some stale session state causing weird issues.

I tried that but I get the same error when logging in. Now I can’t even disable admin method.


sudo -u apache php  occ twofactorauth:disable ORIGINALUSER admin
The provider does not support this operation.

I found the issue,

Thanks to @jtr I looked at the log files and the issue was with the app named spreed.

I had to disable spreed to make it work again.

I have no idea what spreed is and why it was making a 2FA issue.

This was my error:

"message":"Call to undefined method OCA\\Talk\\Config::getUserTypingPrivacy()"

I’m not sure if it’s a bug I have to report or if it’s even related to 2FA at all, but I found this;

Thanks!

Turns out “Spreed” is Nextcloud Talk.

I’m not sure why Nextcloud Talk is causing an issue in login. I disabled it since I don’t use Nextcloud Talk anyway.

Glad you got it worked around.

From the sounds of it, either Spreed (Talk) didn’t update fully (which can happen with web updates/upgrades; triggering updates and running upgrades from the command-line are typically more reliable/robust). Spreed is a larger app (~200MB) so it’s probably more likely to hit problems like this (and hard to predict since everyone’s network conditions and compute environment are unique).

Also may have been an OPcache issue. The easiest resolution would be to restart your PHP environment (Apache in your case; FPM if one uses it) after an NC upgrade or app update (at least if weird issues crop up).
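
The log check suggested earlier in the thread (find the nextcloud.log entry for the Request ID shown on the error page), as an added example that is not part of the original posts. The sample log lines are constructed: the request IDs, timestamps, URL and file path are made up, and only the error message is the one quoted in the thread. The helper names are hypothetical.

```python
import json
import re

# nextcloud.log holds one JSON object per line.
# Level numbers: 0=DEBUG, 1=INFO, 2=WARN, 3=ERROR, 4=FATAL.
APP_DIR = re.compile(r"/apps/([^/]+)/")

# Constructed sample lines (IDs, times, URL and file path are made up;
# only the error message text comes from the thread).
SAMPLE_LOG = r'''
{"reqId":"REQ-AAAA","level":1,"time":"2023-08-06T16:30:01+00:00","user":"--","app":"core","url":"/login","message":"Login attempt"}
{"reqId":"REQ-BBBB","level":3,"time":"2023-08-06T16:34:20+00:00","user":"ORIGINALUSER","app":"index","url":"/login/selectchallenge","message":"Call to undefined method OCA\\Talk\\Config::getUserTypingPrivacy()","exception":{"Exception":"Error","File":"/var/www/nextcloud/apps/spreed/lib/Example.php","Line":1}}
this line is truncated and not valid JSON
{"reqId":"REQ-BBBB","level":0,"time":"2023-08-06T16:34:20+00:00","user":"ORIGINALUSER","app":"core","url":"/login/selectchallenge","message":"debug noise"}
'''


def entries_for_request(lines, req_id, min_level=2):
    """Yield parsed entries for one request ID at WARN level or above."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or otherwise unparsable line
        if (isinstance(entry, dict) and entry.get("reqId") == req_id
                and entry.get("level", 0) >= min_level):
            yield entry


def failing_app(entry):
    """Guess the app directory from the exception's file path.

    The "app" field can be a generic value such as "index" for an uncaught
    exception, so the directory under apps/ is the better hint. Here it
    yields "spreed" even though the class namespace says OCA\\Talk.
    """
    exc = entry.get("exception")
    path = exc.get("File", "") if isinstance(exc, dict) else ""
    match = APP_DIR.search(str(path))
    return match.group(1) if match else entry.get("app")


def summarize(lines, req_id):
    """Return (app, message) pairs for the failing request."""
    return [(failing_app(e), e.get("message"))
            for e in entries_for_request(lines, req_id)]


if __name__ == "__main__":
    for app, message in summarize(SAMPLE_LOG.splitlines(), "REQ-BBBB"):
        print(f"{app}: {message}")
```
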