CenterForOpenScience · cslzchen · Aug 8, 2024 · Aug 8, 2024 · Aug 8, 2024
diff --git a/.../java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java b/.../java/io/cos/cas/osf/authentication/handler/support/OsfPostgresAuthenticationHandler.java
@@ -165,14 +165,16 @@ protected final AuthenticationHandlerExecutionResult authenticateOsfPostgresInte
             if (oneTimePassword == null) {
                 throw new OneTimePasswordRequiredException("2FA TOTP required for user [" + username + "]");
             }
+            final long transformedOneTimePassword = Long.parseLong(oneTimePassword);
+            boolean checkPassed;
             try {
-                final long transformedOneTimePassword = Long.parseLong(oneTimePassword);
-                if (!TotpUtils.checkCode(osfTotp.getTotpSecretBase32(), transformedOneTimePassword)) {
-                    throw new InvalidOneTimePasswordException("Invalid 2FA TOTP for user [" + username + "] (Type 1)");
-                }
-            } catch (final Exception e) {
+                checkPassed = TotpUtils.checkCode(osfTotp.getTotpSecretBase32(), transformedOneTimePassword);
+            } catch (final Exception e){
                 throw new InvalidOneTimePasswordException("Invalid 2FA TOTP for user [" + username + "] (Type 2)");
             }
+            if (!checkPassed) {
+                throw new InvalidOneTimePasswordException("Invalid 2FA TOTP for user [" + username + "] (Type 1)");
+            }
         }
 
         if (!osfUser.isTermsOfServiceAccepted() && !isTermsOfServiceChecked) {

diff --git a/src/main/java/io/cos/cas/osf/model/OsfTotp.java b/src/main/java/io/cos/cas/osf/model/OsfTotp.java
@@ -4,6 +4,7 @@
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
 
 import org.apache.commons.codec.binary.Base32;
 
@@ -28,6 +29,7 @@
 @NoArgsConstructor
 @Getter
 @ToString
+@Slf4j
 public class OsfTotp extends AbstractOsfModel {
 
     @OneToOne
@@ -50,8 +52,14 @@ private boolean isDeleted() {
     }
 
     public String getTotpSecretBase32() {
-        final byte[] bytes = DatatypeConverter.parseHexBinary(totpSecret);
-        return new Base32().encodeAsString(bytes);
+        try {
+            // Handle totpSecret generated before OSF Python 3.12 upgrade
+            final byte[] bytes = DatatypeConverter.parseHexBinary(totpSecret);
+            return new Base32().encodeAsString(bytes);
+        } catch (final IllegalArgumentException e) {
+            // Handle totpSecret generated after OSF Python 3.12 upgrade
+            return new Base32().encodeAsString(totpSecret.getBytes());
+        }
     }
 
     public boolean isActive() {