After doing a system upgrade from Debian 10 Buster to Debian 11 Bullseye, no user can log into the wiki, with the error “Sorry, username or password was wrong.”
The actual answer lay in the logs of nginx:
2022/03/20 19:38:46 [error] 222120#222120: *373 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, bool given in /var/www/wiki.neilzone.co.uk/lib/plugins/twofactor/action.php on line 450 PHP message: PHP Warning: Invalid argument supplied for foreach() in /var/www/wiki.neilzone.co.uk/lib/plugins/twofactor/action.php on line 450" while reading response header from upstream, client: [IP address], server: wiki.neilzone.co.uk, request: "POST /doku.php?id=start HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.4-fpm.sock:", host: "wiki.neilzone.co.uk", referrer: "https://wiki.neilzone.co.uk/"
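The login page only reports a wrong password, so the web server's error log is the place that names the failing plugin. As an added example (not part of the original post), this Python sketch pulls the PHP messages that nginx relays from FastCGI stderr out of an error log and groups them by dokuwiki plugin, file and line. The sample log is constructed in the format of the line above, with a placeholder hostname and IP address, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the log line above (host and IP are placeholders).
SAMPLE_LOG = '''\
2022/03/20 19:38:46 [error] 222120#222120: *373 FastCGI sent in stderr: "PHP message: PHP Warning: array_filter() expects parameter 1 to be array, bool given in /var/www/wiki.example/lib/plugins/twofactor/action.php on line 450 PHP message: PHP Warning: Invalid argument supplied for foreach() in /var/www/wiki.example/lib/plugins/twofactor/action.php on line 450" while reading response header from upstream, client: 192.0.2.10, server: wiki.example, request: "POST /doku.php?id=start HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.4-fpm.sock:", host: "wiki.example"
2022/03/20 19:39:02 [error] 222120#222120: *377 open() "/var/www/wiki.example/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: wiki.example, request: "GET /favicon.ico HTTP/1.1", host: "wiki.example"
'''

# One nginx line can carry several "PHP message:" entries, so match them individually.
PHP_MSG = re.compile(
    r'PHP message: PHP (Warning|Notice|Deprecated|Fatal error|Parse error):'
    r'\s+(.*?) in (\S+) on line (\d+)')
PLUGIN = re.compile(r'/lib/plugins/([^/]+)/')
REQUEST = re.compile(r'request: "(\S+) (\S+)')

def php_messages(log_text):
    """Yield one dict per PHP message relayed by nginx from FastCGI stderr."""
    for line in log_text.splitlines():
        if 'FastCGI sent in stderr' not in line:
            continue  # ordinary nginx errors (missing files, etc.) are skipped
        req = REQUEST.search(line)
        for level, text, path, lineno in PHP_MSG.findall(line):
            plugin = PLUGIN.search(path)
            yield {
                'level': level, 'message': text, 'file': path, 'line': int(lineno),
                'plugin': plugin.group(1) if plugin else None,
                'request': ' '.join(req.groups()) if req else None,
            }

def summarise(log_text):
    """Count messages per (plugin, file, line); the noisiest code path sorts first."""
    return Counter((m['plugin'], m['file'], m['line'])
                   for m in php_messages(log_text)).most_common()

def plugins_failing_on_post(log_text):
    """Plugins that emitted PHP messages while handling a POST (e.g. a login form)."""
    return sorted({m['plugin'] for m in php_messages(log_text)
                   if m['plugin'] and (m['request'] or '').startswith('POST ')})

if __name__ == '__main__':
    for (plugin, path, lineno), n in summarise(SAMPLE_LOG):
        print(f'{n:4d}  plugin={plugin}  {path}:{lineno}')
    print('failing on POST:', plugins_failing_on_post(SAMPLE_LOG))
```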
I searched online, and I found a few people had had a similar issue, but none with dokuwiki, let alone the specific twofactor plugin.
The interim solution was to delete the twofactor plugin from dokuwiki’s lib/plugins directory.
In doing that, the login system no longer required two-factor authentication, and so I could log in.
Not ideal, but it worked.
The actual fix
Rather than attempt to code my own solution, I was hoping for something more supportable. And, fortunately, there is such an answer.
Andi, one of the lead developers of dokuwiki, is rewriting some of the dokuwiki plugins, including twofactor, and the plugin for Google Authenticator (which, in practice, just means “TOTP” - I don’t use Google for it).
What I did:
- I backed up the attribute plugins from lib/plugins in the dokuwiki installation directory to somewhere else.
- I deleted the current
- I downloaded the updated versions of the plugins:
- I checked ownership of the plugins was my webserver user (in my case, www-data)
And that was it. I could log in again, with TOTP-based 2FA.
Note that the UX is different with the new plugin. Rather than putting in your TOTP code on the same screen as username and password, it is now a second, separate, screen.
With thanks to Andi for his help on the dokuwiki forum.
decoded.legal donated to dokuwiki this month, as part of its regular FOSS support.