500 error thrown when Bypass button is clicked #13

Open
JRDetwiler opened this issue Aug 4, 2023 · 8 comments

@JRDetwiler

As the title suggests, the web client isn't working. I've tried a handful of things in my browser trying to get it to work (including that "enable cookies" message that your site is responding with). No luck. I use Firefox on Linux.

image

As a possibly additional bug for you: I tried running your local script version. First, it's effectively impossible to "install" on Linux. The entire dependency chain is dependent on Homebrew. Second, running the duo-bypass shell script will in fact generate an HOTP code; however, it doesn't trigger the activation with Duo. I'm not sure if it broke just recently, but the tool itself seems to be not working anymore.

@nilsstreedain
Owner

It looks like their system is rejecting the activation codes pulled from the QR code URL:

{"code": 40403, "message": "Unknown activation code", "stat": "FAIL"}

Going to do more investigating, I wonder if they added encoding?

@nilsstreedain
Owner

Never mind, that error is after the first attempt which gives:

{"code": 40112, "message": "Signature type is not supported", "stat": "FAIL"}

Probably updated the device metadata requirements.

@mattf1n

mattf1n commented Aug 28, 2023

Does this mean that this webapp no longer works? When I click the JS throws an error:

duo-bypass.js:33 Uncaught (in promise) DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
    at duoBypass (https://duo-bypass.nilsstreedain.com/duo-bypass.js:33:28)
    at HTMLButtonElement.onclick (https://duo-bypass.nilsstreedain.com/:23:184)

Is this the same problem or should I open a separate issue?

@nilsstreedain
Owner

nilsstreedain commented Aug 28, 2023

@mattf1n Yeah, it is related. The tool is having issues; I just haven't had time to dig into the Android .apk and update the device metadata.

@nilsstreedain
Owner

nilsstreedain commented Aug 29, 2023

> Does this mean that this webapp no longer works? When I click the JS throws an error:
>
> duo-bypass.js:33 Uncaught (in promise) DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
>     at duoBypass (https://duo-bypass.nilsstreedain.com/duo-bypass.js:33:28)
>     at HTMLButtonElement.onclick (https://duo-bypass.nilsstreedain.com/:23:184)
>
> Is this the same problem or should I open a separate issue?

I probably won't have time to dig through the Android .apk for a while, as this is a small side project, but I would be happy to accept any PRs updating the device metadata in the /script/duo-bypass file. The metadata can be captured using HTTP inspection on the Android .apk found here, using this VS Code tool. I would also be happy to provide my (somewhat limited) notes on manually pulling most of the metadata directly from code extracted from the .apk.

@mvevitsis

mvevitsis commented Jun 2, 2024

> > Does this mean that this webapp no longer works? When I click the JS throws an error:
> >
> > duo-bypass.js:33 Uncaught (in promise) DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
> >     at duoBypass (https://duo-bypass.nilsstreedain.com/duo-bypass.js:33:28)
> >     at HTMLButtonElement.onclick (https://duo-bypass.nilsstreedain.com/:23:184)
> >
> > Is this the same problem or should I open a separate issue?
>
> I probably won't have time to dig through the Android .apk for a few weeks, as this is a small side project, but I would be happy to accept any PRs updating the device metadata in the /script/duo-bypass file. The metadata can be captured using HTTP inspection on the Android .apk found here, using this VS Code tool. I would also be happy to provide my (somewhat limited) notes on manually pulling most of the metadata directly from code extracted from the .apk.

The script version doesn't work for me either. First of all, you can't copy the image address directly anymore, so I viewed the source of the webpage and got the URL that way. The duo-bypass command runs and generates a QR code, but after adding it to Google Authenticator the account name is null (not sure if that matters) and, more importantly, the generated codes do not work.

The supposed key is only 7 characters long, not sure if that matters

@nilsstreedain
Owner

nilsstreedain commented Jun 3, 2024

> The script version doesn't work for me either. First of all, you can't copy the image address directly anymore, so I viewed the source of the webpage and got the URL that way. The duo-bypass command runs and generates a QR code, but after adding it to Google Authenticator the account name is null (not sure if that matters) and, more importantly, the generated codes do not work.
>
> The supposed key is only 7 characters long, not sure if that matters

Hello @mvevitsis,
As noted previously, this is a small side project that I have not had time to work on recently with school and work. I am happy to accept contributions (see general steps in my previous message for pulling new device metadata), but can't dedicate more time to it than reviewing PRs right now, especially for an application I don't use myself (since DUO added support for passwordless auth, I no longer use this method).

I will be leaving this Issue open in case anyone wants to dive into it, or I get more time later on.

Thanks,
Nils

Edit: Also, yes, I'm aware of those other issues: with invalid device data, activation fails and unexpected data is sent back to the script, causing expected values to be null and other fields to be incorrectly filled. This should be handled by the application, but I did not build this type of error safety into it originally as it was a quick project.
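
The missing error handling described in the edit above, as an added example that is not the project's code: it rejects the `"stat": "FAIL"` envelope quoted earlier in this thread before any field is read, and checks a value before `atob` so a failed reply cannot surface as the `DOMException` reported here. The success value `"OK"` and the field names passed in `required` are assumptions; the thread shows only failure replies.

```javascript
// Added example. "OK" as the success value and the names in `required`
// are assumptions; the thread only shows the FAIL envelope.
class ApiReplyError extends Error {
  constructor(message, code = null) {
    super(message);
    this.name = "ApiReplyError";
    this.code = code; // numeric API code, null when the reply is malformed
  }
}

// Return the `response` object only when the reply is a success envelope
// and every required field is a non-empty string; otherwise throw.
function parseApiReply(text, required) {
  let body;
  try {
    body = JSON.parse(text);
  } catch (e) {
    throw new ApiReplyError("reply is not JSON");
  }
  if (body === null || typeof body !== "object") {
    throw new ApiReplyError("reply is not a JSON object");
  }
  if (body.stat !== "OK") {
    const code = Number.isInteger(body.code) ? body.code : null;
    throw new ApiReplyError(String(body.message || "unknown failure"), code);
  }
  const payload = body.response;
  if (payload === null || typeof payload !== "object") {
    throw new ApiReplyError("success reply without a response object");
  }
  for (const name of required) {
    if (typeof payload[name] !== "string" || payload[name] === "") {
      throw new ApiReplyError(`missing or empty field: ${name}`);
    }
  }
  return payload;
}

// Check the alphabet and length before atob, accepting URL-safe base64.
function decodeBase64Field(value) {
  const std = String(value).replace(/-/g, "+").replace(/_/g, "/");
  const bare = std.replace(/={1,2}$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(bare) || bare.length % 4 === 1) {
    throw new ApiReplyError("field is not valid base64");
  }
  return atob(bare);
}
```

Called on either failure reply from this thread, `parseApiReply` throws with the API's own code and message, so the caller stops instead of building a QR code from null fields.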

@mvevitsis

The script found here
https://github.com/revalo/duo-bypass

worked for me. You could inspect this code to fix your webapp.
