@Derb237 Derb237 commented Oct 9, 2025

Add Duo Manual and Automatic push based approval, and fix all the bugs I found along the way:

Database Fixes

  • Fix fresh install database initialization (synack_domain was None)
  • Add organization name field and additional target fields (average_payout, start_date, end_date, is_updated)

Error Handling & Logging

  • Fix spurious debug logging
    • Fixes 3 bugs: typo in fail_reason assignment, unconditional debug logging, error message reuse
    • Now logs correct messages: "Bad request" (400), "Unauthorized" (401), "Logged out" (403), "Mission already claimed" (412)
  • Prevent account lockout from invalid credentials
    • Remove infinite retry loop on authentication failure (400)
    • Add explicit handling for account locked (423)
    • Clear stored credentials when authentication fails

Duo MFA Enhancements

  • Add Duo Push auto-approval using device API with RSA-SHA512 signed requests
  • Implement three-priority authentication system:
    1. OTP (highest priority) - Auto-generates HOTP codes
    2. Auto-approval - Uses device credentials to approve pushes
    3. Manual push (fallback) - Traditional approve-on-phone
  • Add device selection with database persistence
  • Comprehensive documentation for all Duo authentication methods

…rror

Two bugs were present in the get_config method:

1. Missing session.commit() after creating new Config object
   - New config rows were added to session but never committed
   - This caused empty database on fresh installations
   - Result: synack_domain and other config values were None

2. Session closed before accessing attributes
   - getattr() called after session.close()
   - SQLAlchemy tried to lazy-load attributes from closed session
   - This raised DetachedInstanceError on attribute access

The fix:
- Add session.commit() after session.add(config)
- Store the return value before closing session
- This ensures the config row is persisted and attributes are loaded

This is a pre-existing bug that affects all fresh database installations.
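
Added example (not the project's get_config): a reconstruction of the two failure modes the commit message describes, run against an in-memory SQLite database. The Config model, its columns and the default domain value are assumed for illustration only.

```python
# Added example (not the project's code): reconstructs the get_config failure modes
# described in the commit message with an in-memory SQLite database.
from sqlalchemy import Column, Integer, String, create_engine
from sqlalchemy.orm import declarative_base, sessionmaker
from sqlalchemy.orm.exc import DetachedInstanceError
from sqlalchemy.pool import StaticPool

Base = declarative_base()


class Config(Base):
    # Hypothetical table; the column default is an assumed value, not the project's.
    __tablename__ = "config"
    id = Column(Integer, primary_key=True)
    synack_domain = Column(String, default="platform.synack.com")
    organization_name = Column(String, nullable=True)


def make_session_factory():
    # StaticPool keeps a single connection so the :memory: database survives across sessions.
    engine = create_engine("sqlite://", poolclass=StaticPool,
                           connect_args={"check_same_thread": False})
    Base.metadata.create_all(engine)
    return sessionmaker(bind=engine)


def row_count(Session):
    session = Session()
    try:
        return session.query(Config).count()
    finally:
        session.close()


def get_config_no_commit(Session, key):
    # Bug 1: the new row is added but never committed. Nothing reaches the database,
    # the column default is never applied, and the value read back is None.
    session = Session()
    config = session.query(Config).first()
    if config is None:
        config = Config()
        session.add(config)
    session.close()
    return getattr(config, key)


def get_config_read_after_close(Session, key):
    # Bug 2: commit() expires the instance's attributes; reading one after close()
    # asks a detached instance to refresh itself and raises DetachedInstanceError.
    session = Session()
    config = session.query(Config).first()
    if config is None:
        config = Config()
        session.add(config)
        session.commit()
    session.close()
    try:
        return getattr(config, key)
    except DetachedInstanceError:
        return "DetachedInstanceError"


def get_config(Session, key):
    # Fixed: commit the new row, read the attribute while the session is still open,
    # and only then close the session.
    session = Session()
    try:
        config = session.query(Config).first()
        if config is None:
            config = Config()
            session.add(config)
            session.commit()
        return getattr(config, key)
    finally:
        session.close()
```

The fixed version reads the value inside the try block; returning the ORM object itself and reading it later would reintroduce the second bug because expire_on_commit is on by default.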
@Derb237 Derb237 changed the title Fix fresh install and add organisation name Fix fresh install, improve error handling, and add Duo Push auto-approval Nov 6, 2025

Derb237 and others added 3 commits November 6, 2025 08:22

Fixed three bugs in the request error handling:

1. Line 155: Fixed typo where 'fail_reason' was set instead of 'reason_failed'
   for HTTP 412 status codes

2. Line 170: Moved unconditional debug log into a conditional that only
   logs terminal failures (400, 401, 403, 412)

3. Lines 147-151: Fixed each status code to set its own specific error message
   instead of reusing a shared 'Request failed' message:
   - 400: "Bad request"
   - 401: "Unauthorized"
   - 403: "Logged out"
   - 412: "Mission already claimed"

Previously, when debug mode was enabled, every HTTP request would log
'MISSION ALREADY CLAIMED' regardless of the actual status code or context.
Additionally, 401 errors were being logged with misleading messages because
the reason_failed variable was being reused across different status codes.

Bug introduced in commit c406ca9 (March 2, 2025)

- Remove infinite retry loop on invalid credentials (400)
- Clear stored email/password when authentication fails
- Add explicit error handling for account locked (423)
- Make 400 and 423 non-retryable in API layer to prevent rapid-fire retries
- Raise clear error messages for both authentication failure scenarios

This prevents the previous behavior where entering wrong credentials
would trigger rapid retries that locked the account.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
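
Added example (not the project's code) covering the two commits above: per-status failure messages that are logged only in debug mode, a bounded retry policy that never retries 400 or 423, and a login step that clears stored credentials on those two statuses instead of replaying them. The transport is a constructed stand-in that returns only a status code, and the set of statuses treated as transient is an assumption.

```python
# Added example (not the project's code): status-code handling and retry policy
# matching the two commit messages above. The transport is a constructed stand-in
# for an HTTP call and returns only the status code.
import logging

logger = logging.getLogger("synack.api")

# Terminal failures: each status gets its own message and is never retried.
TERMINAL_REASONS = {
    400: "Bad request",
    401: "Unauthorized",
    403: "Logged out",
    412: "Mission already claimed",
    423: "Account locked",
}

# Retried with a bounded attempt count (this set is an assumption for the example).
TRANSIENT = {429, 500, 502, 503, 504}


class AuthenticationError(Exception):
    pass


class Credentials:
    def __init__(self, email, password):
        self.email = email
        self.password = password

    def clear(self):
        # Drop the stored pair so a later run prompts instead of replaying bad credentials.
        self.email = None
        self.password = None


class ScriptedTransport:
    """Constructed fake transport: returns the scripted status codes in order and counts calls."""

    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return self._statuses.pop(0)


def api_request(transport, max_attempts=3, debug=False):
    """Return {"status", "reason_failed", "attempts"}; only transient statuses are retried."""
    attempts = 0
    while True:
        attempts += 1
        status = transport()
        if status == 200:
            return {"status": 200, "reason_failed": None, "attempts": attempts}
        if status in TERMINAL_REASONS:
            reason_failed = TERMINAL_REASONS[status]
            if debug:  # log terminal failures only, with the message for this status
                logger.debug("request failed (%d): %s", status, reason_failed)
            return {"status": status, "reason_failed": reason_failed, "attempts": attempts}
        if status in TRANSIENT and attempts < max_attempts:
            continue
        return {"status": status, "reason_failed": f"Request failed ({status})", "attempts": attempts}


def login(transport, creds):
    """One authentication attempt; 400 and 423 clear the stored credentials and raise."""
    result = api_request(transport)
    if result["status"] == 400:
        creds.clear()
        raise AuthenticationError("Authentication failed: invalid credentials")
    if result["status"] == 423:
        creds.clear()
        raise AuthenticationError("Authentication failed: account locked")
    return result
```

The lockout risk comes from looping on a 400 at the login layer while the API layer also retries; here a 400 returns after a single call and the caller decides, so a mistyped password costs exactly one failed attempt.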

Implements three-priority Duo MFA authentication system:
1. OTP (highest priority) - Auto-generates HOTP codes from secret
2. Auto-approval - Uses device credentials to approve pushes via Duo API
3. Manual push (fallback) - Traditional approve-on-phone flow

Database changes:
- Add duo_push_akey, duo_push_pkey, duo_push_host, duo_push_rsa_key_path columns
- Add duo_device column to persist user's selected device
- Migration: 20522d39dc63_add_duo_push_method

Duo Push auto-approval:
- Integrate with Duo device API using RSA-SHA512 signed requests
- Load device credentials from database and RSA key from file
- Poll for pending push notifications and auto-approve
- Hard fail if auto-approval is configured but broken (prevents hanging)
- Auto-correct duo_device when credentials don't match selected device

HOTP hex secret auto-conversion:
- Auto-detect 32-char hex format (from synackDUO's hotp_secret)
- Convert by treating hex string as UTF-8, then base32 encode
- Based on duo-hotp reference implementation
- Accepts both hex (hotp_secret) and base32 (otpauth://) formats

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
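
Added example (not the project's code) for the OTP path and the hex secret handling described in the commit above: RFC 4226 HOTP generation with a persisted counter, plus secret normalisation that accepts both the 32-char hex hotp_secret form and the base32 otpauth:// form. The hex rule follows the commit message (hex string treated as UTF-8 text, then base32-encoded); the tie-break used to tell hex from base32 is an assumption, and the otpauth URI and secrets below are constructed test data.

```python
# Added example (not the project's code): HOTP generation and secret normalisation
# for the OTP path. The hex-to-base32 rule follows the commit message; the
# ambiguity check between hex and base32 input is an assumption.
import base64
import hashlib
import hmac
import re
import struct
from urllib.parse import parse_qs, urlparse

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def normalise_hotp_secret(secret):
    """Return an upper-case, padded base32 secret.

    A 32-char hex secret (synackDUO hotp_secret) is base32-encoded from its ASCII
    text, so the HMAC key is the 32 characters themselves, not the 16 decoded bytes.
    Anything else is assumed to be base32 already (otpauth:// form); only padding
    is restored.
    """
    s = secret.strip().replace(" ", "")
    # A hex string containing 0, 1, 8 or 9 cannot be standard base32, so it is
    # unambiguous; hex made only of a-f/2-7 is treated as base32 (assumed tie-break).
    if HEX32.fullmatch(s) and set(s) & set("0189"):
        return base64.b32encode(s.encode("utf-8")).decode("ascii")
    s = s.upper()
    return s + "=" * (-len(s) % 8)


def hotp_key(secret):
    """Raw HMAC key derived from either secret form."""
    return base64.b32decode(normalise_hotp_secret(secret))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(hotp_key(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_otpauth(uri):
    """Extract (secret, counter) from an otpauth://hotp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "hotp":
        raise ValueError("not an otpauth://hotp URI")
    params = parse_qs(parsed.query)
    return params["secret"][0], int(params.get("counter", ["0"])[0])


class HotpGenerator:
    """Holds the counter; every code issued advances it, as a DB-persisted counter would."""

    def __init__(self, secret, counter=0):
        self.secret = secret
        self.counter = counter

    def next_code(self):
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code
```

Two points worth checking in any implementation of this conversion: the HMAC key for a hex secret is the ASCII text of the hex string (that is what makes codes match duo-hotp), and a base32 secret made only of the letters A-F and digits 2-7 is indistinguishable from hex by character class alone, which is why the example only takes the hex path when a 0, 1, 8 or 9 is present. The counter must be persisted after every issued code, or the next code will be rejected as already used.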