Hi,

I tried to ask a complex question which got no answers, so I’m trying to formulate it again.

Basically: I lost access to the web interface (even with the admin). This is most likely because one of the auth plugins is not working, namely, Duo Security (Two-step authentication), possibly because it has wrong credentials. That’s irrelevant, though: nobody can login, not even with REST (i.e. with Pydio Sync), mostly because once the login/password is accepted, Pydio is calling the auth plugin, which gives an error, and this is interpreted as not having any valid active repository. I know that this sounds a bit weird, but from what I could gather from the source code, this is my theory about what happens: the first auth plugin, which just asks for login and password from the DB, is working fine, and the authentication is accepted; but now Pydio has instructions to load another plugin to get access to the data, and when this second plugin is called, and fails, Pydio is left with a DB-authenticated user but without the knowledge if the default/active repository is accessible for that user or not… and ultimately fails:

Logs.png2788×936 451 KB

Note the error coming from SecureTokenMiddleware.php, line 70 — this ought still be calling the Duo Security plugin, which I don’t want to, and therefore it fails.

A similar error was reported in the past without answer.

Note that I can comment out the exception on SecureTokenMiddleware.php and get rid of the error. This still doesn’t work, because Pydio is expecting the Duo Security to provide it with a valid workspace; as a consequence, the user gets logged in, but the page remains empty, since there is no active workspace. By ‘empty’ I really mean empty; I have no access to anything at all and thus cannot turn off the Duo Security plugin from the web interface.

So, how do I accomplish the same thing manually, i.e. either from the command line interface, changing the DB manually, or by tweaking any configuration files?

Note that this question has been recently asked again but the answer (upload size??) totally baffles me!

Hi,
you can disable plugins by editing the manifest.xml found in /plugins/
then you will have a line with the state of the plugin ( which will be located at the begining of the file)

Thank you so much, zayn! I had no idea that it was so simple to manually disable a plugin!..

I will mark this question as solved, although, unfortunately, it didn’t fix the issue for me — actually, the Duo Security plugin was already disabled, so I guess that I managed to do that on the backoffice after all, before losing all access to it.

Nevertheless, things still don’t work. The SecureTokenMiddleware.php is still being called, although there is not supposed to be any more ‘security token’ plugin active:

More logs.png2768×312 120 KB

This seems more elusive to catch, because SecureTokenMiddleware.php is being called from deep within the authentication plugin (which should never be disabled!). My guess is that ‘somewhere’ there is still an active list of a chain of auth plugins that need to be called, and Pydio somehow ‘knows’ it needs to ask for a secure token, but it cannot find any enabled plugin to do that task.

So my next issue is to figure out where exactly it gets that information from. I suppose that will be my next question here on the forums!..

Fixed by reinstalling Pydio 8.0.2 from scratch.