API request to /session/ endpoint fails and triggers 2FA verification e-mail #22022

Closed
1 task done
mheland opened this issue Jan 16, 2025 · 1 comment
Labels
Ghost(Pro) [triage] An issue that should be sent to the Pro support team

Comments

mheland commented Jan 16, 2025

Issue Summary

2FA for Ghost admin - great, thank you!

However, requesting a session cookie over API to https://example.com/ghost/api/admin/session/

with json payload

{
    "username": "[email protected]",
    "password": "12345abc"
}

Gives API Error

{"errors":[{"message":"User must verify session to login.","context":null,"type":"Needs2FAError","details":null,"property":null,"help":null,"code":"2FA_TOKEN_REQUIRED","id":"03085e80-d45a-11ef-bd16-ad338f303067","ghostErrorCode":null}]}

The Ghost API request sends a verification code to my e-mail, [email protected] - which is not super helpful.

Tried logging in to Ghost with this user ([email protected]) and password - did not get a 2FA request.

Steps to Reproduce

  1. Request a session from /admin/session/ endpoint with username and password as payload.
  2. API error: "User must verify session to login" as above

Expected:
I log in on Ghost with username and password and am prompted for a 2FA code, which I receive by mail.
After authenticating my user with the 2FA code to Ghost, the API call now returns a Ghost session cookie from /admin/session/

Ghost Version

5.106.1-0-ga963b514+moya

Node.js Version

N/A

How did you install Ghost?

GhostPro Hosting

Database type

MySQL 5.7

Browser & OS version

N/A

Relevant log / error output

curl -c ghost-cookie.txt -d [email protected] -d password=abc123 -H "Origin: https://example.ghost.io" -H "Accept-Version: v3.0" https://example.ghost.io/ghost/api/admin/session/

{"errors":[{"message":"User must verify session to login.","context":null,"type":"Needs2FAError","details":null,"property":null,"help":null,"code":"2FA_TOKEN_REQUIRED","id":"6fba3a10-d45c-11ef-bd16-ad338f303067","ghostErrorCode":null}]}%

Code of Conduct

  • I agree to be friendly and polite to people in this repository
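
An added example, not part of the original issue or of Ghost's own code: one way a script calling /admin/session/ could recognise the error body quoted above and stop re-sending credentials while a verification is pending. `SessionLogin` and its `post_credentials` callable are hypothetical names; the sample body is the one quoted in the issue.

```python
import json

# Sample input: the error body quoted in the issue above, embedded so this runs offline.
SAMPLE_BODY = (
    '{"errors":[{"message":"User must verify session to login.","context":null,'
    '"type":"Needs2FAError","details":null,"property":null,"help":null,'
    '"code":"2FA_TOKEN_REQUIRED","id":"03085e80-d45a-11ef-bd16-ad338f303067",'
    '"ghostErrorCode":null}]}'
)


def parse_errors(body):
    """Return the error objects in a response body, or [] if it has no error envelope."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):  # not JSON at all (e.g. an HTML error page)
        return []
    errors = doc.get("errors") if isinstance(doc, dict) else None
    return [e for e in errors if isinstance(e, dict)] if isinstance(errors, list) else []


def classify(body):
    """Map a response body to 'needs_2fa', 'error' or 'no_error_envelope'."""
    errors = parse_errors(body)
    if not errors:
        return "no_error_envelope"
    if any(e.get("code") == "2FA_TOKEN_REQUIRED" or e.get("type") == "Needs2FAError"
           for e in errors):
        return "needs_2fa"
    return "error"


class SessionLogin:
    """Hypothetical wrapper; post_credentials is any callable returning the response body."""

    def __init__(self, post_credentials):
        self._post = post_credentials
        self.challenge_pending = False
        self.error_ids = []  # the "id" values from the errors, for a support request

    def attempt(self):
        if self.challenge_pending:
            return "needs_2fa"  # do not send the credentials again
        body = self._post()
        outcome = classify(body)
        self.error_ids += [e.get("id") for e in parse_errors(body)]
        self.challenge_pending = outcome == "needs_2fa"
        return outcome
```
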
@github-actions github-actions bot added the needs:triage [triage] this needs to be triaged by the Ghost team label Jan 16, 2025
@mheland mheland changed the title API request to Session endpoint generates 2FA verification e-mail API request to /session/ endpoint fails and triggers 2FA verification e-mail Jan 16, 2025
@cmraible cmraible added the Ghost(Pro) [triage] An issue that should be sent to the Pro support team label Jan 21, 2025
@github-actions github-actions bot removed the needs:triage [triage] this needs to be triaged by the Ghost team label Jan 21, 2025
Contributor

Hi there! If you're having any issue with a Ghost(Pro) site, please drop us an email on [email protected] and we'll be more than happy to give you a hand directly 🙂

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 21, 2025