windows asking for an app to open au.gov.my #2

Closed
SgtBatten opened this issue Jul 9, 2019 · 18 comments

Comments

@SgtBatten

SgtBatten commented Jul 9, 2019

After scanning the QR code into Authy and hitting submit, this window appears:
image

@abrasive
Owner

Hmm, the whole point of having an Electron app is to be able to handle the au.gov.my:// URL scheme. I think they must have changed something in the auth flow, I'll take a look.

@abrasive
Owner

(This is very probably the cause of #1 too)

@SgtBatten
Author

No worries. Let me know if I can assist.

@danielgruber8
Contributor

Have you discovered what the problem is?

@BeauGiles

Experiencing the same issue here.

@abrasive
Owner

OK, I have pushed a change that should improve the logging (or even fix the issue, who knows?).

If you run it with environment variable ELECTRON_ENABLE_LOGGING=1 then it will print any au.gov.my:// URLs that it is handed.

The auth flow still works for me, so hopefully it's just some simple (?) thing about Electron's behaviour...

@danielgruber8
Contributor

Nothing happens when pressing submit, but the terminal window displays this stuff. The registration does not complete because the submit button does nothing.

au.gov.my://app?state=63065293C60AD6A479B67F1DFC79BBC75DEF04C3&code=C3Mab1fzVcEPsoMrC3WhxHhhwEE2UK
au.gov.my://app?
au.gov.my://app?
au.gov.my://app?
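
A check for the kind of URLs logged above, as an added example that is not part of the original thread or the project's code: it accepts a callback only when the scheme, host, `state` and `code` are all as expected, and produces a log line without the code value. The function names, the `expectedState` parameter and the sample URL are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Scheme and host as they appear in the URLs logged in this thread.
const SCHEME = 'au.gov.my:';
const HOST = 'app';
// Constructed sample, not a value from the thread.
const SAMPLE = 'au.gov.my://app?state=CONSTRUCTED-STATE-0001&code=constructed-code-abc';

// Constant-time comparison so the state check does not leak a prefix match.
function safeEqual(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// expectedState is hypothetical: the value this app sent when it started the flow.
function parseCallback(raw, expectedState) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== SCHEME || url.hostname !== HOST) {
    return { ok: false, reason: 'unexpected scheme or host' };
  }
  const states = url.searchParams.getAll('state');
  const codes = url.searchParams.getAll('code');
  if (states.length === 0 && codes.length === 0) {
    return { ok: false, reason: 'empty callback' }; // the bare "au.gov.my://app?" lines
  }
  if (states.length !== 1 || codes.length !== 1 || codes[0] === '') {
    return { ok: false, reason: 'missing or duplicated parameter' };
  }
  if (!safeEqual(states[0], expectedState)) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true, code: codes[0] };
}

// Log form of a callback URL with the code value removed.
function redactForLog(raw) {
  try {
    const url = new URL(raw);
    if (url.searchParams.has('code')) url.searchParams.set('code', 'REDACTED');
    return url.toString();
  } catch {
    return '[unparseable URL]';
  }
}
```
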

@abrasive
Owner

Thanks @danielgruber8.

I think the issue is that myGov uses the SHA512 TOTP algorithm, but Authy doesn't support it (see e.g. speakeasyjs/speakeasy#95 (comment)).

I've added better logging so now it actually tells you if myGov thinks your code is wrong. Can you confirm that's what it is?

@danielgruber8
Contributor

When using Authy, a pop-up came up saying something about an invalid SHA1 key. But the enrolment now completed successfully when using andOTP... and I could log in to myGov perfectly. You did fix something though, as I did try using andOTP previously and had the same issue.

@danielgruber8
Contributor

Is there any way to convert the andOTP code back into Authy? Or is it not possible?

Also, Electron logging shows a lot of security warnings:

user@tux:~/Downloads/mygov-totp-enroll-master$ ELECTRON_ENABLE_LOGGING=1 npm start

[email protected] start /home/user/Downloads/mygov-totp-enroll-master
electron .

[7960:0729/112016.334569:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112016.334822:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
[7960:0729/112019.674258:INFO:CONSOLE(345)] "Uncaught ReferenceError: jQuery is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-vendor.js (345)
[7960:0729/112019.677403:INFO:CONSOLE(1)] "Uncaught ReferenceError: $ is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-application.js (1)
[7960:0729/112019.688680:INFO:CONSOLE(128)] "%cElectron Security Warning (Node.js Integration with Remote Content)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (128)
[7960:0729/112019.689687:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112019.689906:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
[7960:0729/112029.582094:INFO:CONSOLE(345)] "Uncaught ReferenceError: jQuery is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-vendor.js (345)
[7960:0729/112029.585296:INFO:CONSOLE(1)] "Uncaught ReferenceError: $ is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-application.js (1)
[7960:0729/112029.720747:INFO:CONSOLE(128)] "%cElectron Security Warning (Node.js Integration with Remote Content)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (128)
[7960:0729/112029.721831:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112029.722001:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
[7960:0729/112035.394603:INFO:CONSOLE(345)] "Uncaught ReferenceError: jQuery is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-vendor.js (345)
[7960:0729/112035.398661:INFO:CONSOLE(1)] "Uncaught ReferenceError: $ is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-application.js (1)
[7960:0729/112035.418176:INFO:CONSOLE(128)] "%cElectron Security Warning (Node.js Integration with Remote Content)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (128)
[7960:0729/112035.419067:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112035.419255:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
[7960:0729/112109.283155:INFO:CONSOLE(345)] "Uncaught ReferenceError: jQuery is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-vendor.js (345)
[7960:0729/112109.286127:INFO:CONSOLE(1)] "Uncaught ReferenceError: $ is not defined", source: https://auth.my.gov.au/mygov/content/mgv2/js/mgv2-application.js (1)
[7960:0729/112109.289670:INFO:CONSOLE(128)] "%cElectron Security Warning (Node.js Integration with Remote Content)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (128)
[7960:0729/112109.290589:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112109.290763:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
au.gov.my://app?state=63065293C60AD6A479B67F1DFC79BBC75DEF04C3&code=lACSpZq9XzQkjqWvofHwJHgGUzF4bh
[7960:0729/112112.406750:INFO:CONSOLE(259)] "%cElectron Deprecation Warning (nodeIntegration default change)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (259)
[7960:0729/112112.406954:INFO:CONSOLE(170)] "%cElectron Security Warning (Insecure Content-Security-Policy)", source: /home/user/Downloads/mygov-totp-enroll-master/node_modules/electron/dist/resources/electron.asar/renderer/security-warnings.js (170)
au.gov.my://app?
body?? [object Object]
{ meta:
{ code: 500,
relatesTo: '',
gsk: '',
url:
'/authbiz-ext-sec/api/v1/authclients/g2c2pjLUThOaBumECqbf/totpverify.json' },
info:
[ { code: 'AE.2', message: 'Invalid username or credential..' } ] }
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
au.gov.my://app?

@abrasive
Owner

I'm guessing if Authy haven't fixed it by now they aren't going to bother. It's an unfortunate bit of needless bureaucratic paranoia on the part of the myGov implementors...

@SgtBatten
Author

Just tried the latest master in case, but it is still asking for an app and not working when I hit submit.

@liilac

liilac commented May 7, 2020

The most recent commit (4cce822) works for me on Windows 10 (1909).

Successfully enrolled a TOTP authenticator; login tested after initial verification.

Built and run directly from the Windows host.

All operations were executed from an unprivileged PowerShell shell.

PS C:\path\to\mygov-totp-enroll> git clone
...
PS C:\path\to\mygov-totp-enroll> npm install
...
PS C:\path\to\mygov-totp-enroll> npm start

Versions

Summary

Commit: 4cce822
NodeJS Version: v14.2.0
Windows 10 build: 1909
Windows OS Version: 10.0.18363.0

Detailed information

NodeJS Packages

Please see this gist

NodeJS version

PS C:\> node --version
v14.2.0

Windows OS Version

PS C:\> [System.Environment]::OSVersion.Version

Major  Minor  Build  Revision
-----  -----  -----  --------
10     0      18363  0

PowerShell Version

PS C:\> Get-Host |  Select-Object Version

Version
-------
5.1.18362.752

@jimsug

jimsug commented Jul 1, 2020

This worked for me just now, with similar settings to the above, though I had to set different CSP values:

<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; form-action https: au.gov.my:;">

on instructions.html and

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">

on ui.html did the trick for me.

@SgtBatten
Author

Okay, so this seems to be resolved as mentioned for me too; however, I didn't realise that Authy is not supported, so I cannot use it anyway. Not conveniently, anyhow.

@SgtBatten
Author

Success using bitwarden.

@abrasive
Owner

abrasive commented Jul 6, 2022

Awesome! Cheers @SgtBatten
