Skip to content

Use of --lock-env on bin/magento config:set twofactorauth/general/force_providers results in bin/magento errors #39836

New issue
New issue
Open
#40541
Open
Use of --lock-env on bin/magento config:set twofactorauth/general/force_providers results in bin/magento errors#39836
#40541
Assignees
shmVan
Labels
Area: SecurityComponent: SecurityIssue: ConfirmedGate 3 Passed. Manual verification of the issue completed. Issue is confirmedPriority: P2A defect with this priority could have functionality issues which are not to expectations.Reported on 2.4.8Indicates original Magento version for the Issue report.Reproduced on 2.4.xThe issue has been reproduced on latest 2.4-develop branch
@MylesForrest

Description

@MylesForrest
MylesForrest
opened on Apr 17, 2025

Preconditions and environment

Encountered during install and configuration of 2.4.8 (Community)

Steps to reproduce

Run bin/magento config:set --lock-env twofactorauth/general/force_providers google.

Observe that env.php now contains:

'twofactorauth' => [
    'general' => [
        'force_providers' => [
            'google'
        ]
    ]
]

Run bin/magento.
Run bin/magento with a command specified.

Expected result

bin/magento lists commands without error.
bin/magento with a command specified does not produce an error.

Actual result

bin/magento output ends with:

Type Error occurred when creating object: Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity, explode(): Argument #2 ($string) must be of type string, array given

bin/magento with a command specified yields:

There are no commands defined in the "config" namespace.  
                                                            
  Did you mean one of these?                                
      module:config                                         
      setup:config                                          
      setup:store-config

Additional information

Dug in a bit - vendor/magento/module-two-factor-auth/Model/Provider/Engine/DuoSecurity.php L:199 is returned the array from env.php if --lock-env was used during the config:set.

isDuoForcedProvider expects a string, not an array.

Can be worked around by manually setting env.php:

'twofactorauth' => [
    'general' => [
        'force_providers' => 'google'
    ]
]

Haven't dug in enough yet to determine if the underlying issue is with vendor/magento/module-config/Console/Command/ConfigSet/LockProcessor.php or vendor/magento/module-two-factor-auth/Model/Config/Backend/ForceProviders.php.

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

Metadata

Metadata

Assignees

Labels

Area: SecurityComponent: SecurityIssue: ConfirmedGate 3 Passed. Manual verification of the issue completed. Issue is confirmedPriority: P2A defect with this priority could have functionality issues which are not to expectations.Reported on 2.4.8Indicates original Magento version for the Issue report.Reproduced on 2.4.xThe issue has been reproduced on latest 2.4-develop branch

Type

No type

Projects

High Priority Backlog

Status

Ready for Development

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions