Merge pull request #5276 from NginxProxyManager/develop

v2.13.7
Fix upgrade problem with otplib existing secrets
2026-02-06 19:02:53 +00:00 · 2026-02-06 07:11:49 +10:00 · 2026-02-05 13:12:54 +10:00 · 2026-02-05 13:11:57 +10:00 · 2026-02-05 10:51:15 +10:00 · 2026-02-05 08:27:41 +10:00
9 changed files with 75 additions and 37 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.13.6
+2.13.7
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.13.6-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.13.7-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
--- a/backend/internal/2fa.js
+++ b/backend/internal/2fa.js
@@ -1,6 +1,6 @@
 import crypto from "node:crypto";
 import bcrypt from "bcrypt";
-import { generateSecret, generateURI, verify } from "otplib";
+import { createGuardrails, generateSecret, generateURI, verify } from "otplib";
 import errs from "../lib/error.js";
 import authModel from "../models/auth.js";
 import internalUser from "./user.js";
@@ -198,20 +198,30 @@ const internal2fa = {
 			return false;
 		}

-		// Try TOTP code first
-		const result = await verify({
-			token,
-			secret,
-		});
+		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
+		// and the backup codes are 8 chars.
+		if (token.length === 6) {
+			const result = await verify({
+				token,
+				secret,
+				// These guardrails lower the minimum length requirement for secrets.
+				// In v12 of otplib the default minimum length is 10 and in v13 it is 16.
+				// Since there are 2fa secrets in the wild generated with v12 we need to allow shorter secrets
+				// so people won't be locked out when upgrading.
+				guardrails: createGuardrails({
+					MIN_SECRET_BYTES: 10,
+				}),
+			});

-		if (result.valid) {
-			return true;
+			if (result.valid) {
+				return true;
+			}
 		}

 		// Try backup codes
 		const backupCodes = auth?.meta?.backup_codes || [];
 		for (let i = 0; i < backupCodes.length; i++) {
-			const match = await bcrypt.compare(code.toUpperCase(), backupCodes[i]);
+			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
 			if (match) {
 				// Remove used backup code
 				const updatedCodes = [...backupCodes];
@@ -275,7 +285,11 @@ const internal2fa = {
 	},

 	getUserPasswordAuth: async (userId) => {
-		const auth = await authModel.query().where("user_id", userId).andWhere("type", "password").first();
+		const auth = await authModel
+			.query()
+			.where("user_id", userId)
+			.andWhere("type", "password")
+			.first();

 		if (!auth) {
 			throw new errs.ItemNotFoundError("Auth not found");
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -5,7 +5,7 @@ import { global as logger } from "../logger.js";
 const keysFile         = '/data/keys.json';
 const mysqlEngine      = 'mysql2';
 const postgresEngine   = 'pg';
-const sqliteClientName = 'sqlite3';
+const sqliteClientName = 'better-sqlite3';

 let instance = null;

@@ -84,6 +84,7 @@ const configure = () => {
 	}

 	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
+
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {
--- a/backend/package.json
+++ b/backend/package.json
@@ -17,6 +17,7 @@
 		"archiver": "^7.0.1",
 		"batchflow": "^0.4.0",
 		"bcrypt": "^6.0.0",
+		"better-sqlite3": "^12.6.2",
 		"body-parser": "^2.2.2",
 		"compression": "^1.7.4",
 		"express": "^5.2.1",
@@ -36,7 +37,7 @@
 		"proxy-agent": "^6.5.0",
 		"signale": "1.4.0",
 		"sqlite3": "^5.1.7",
-		"temp-write": "^6.0.1"
+		"temp-write": "^4.0.0"
 	},
 	"devDependencies": {
 		"@apidevtools/swagger-parser": "^12.1.0",
--- a/backend/schema/paths/tokens/2fa/post.json
+++ b/backend/schema/paths/tokens/2fa/post.json
@@ -17,7 +17,7 @@
 						},
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "012345"
 						}
--- a/backend/schema/paths/users/userID/2fa/backup-codes/post.json
+++ b/backend/schema/paths/users/userID/2fa/backup-codes/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}
--- a/backend/schema/paths/users/userID/2fa/enable/post.json
+++ b/backend/schema/paths/users/userID/2fa/enable/post.json
@@ -16,7 +16,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Verififcation Payload",
+		"description": "Verification Payload",
 		"required": true,
 		"content": {
 			"application/json": {
@@ -25,7 +25,7 @@
 					"properties": {
 						"code": {
 							"minLength": 6,
-							"maxLength": 6,
+							"maxLength": 8,
 							"type": "string",
 							"example": "123456"
 						}
--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@@ -414,6 +414,14 @@ bcrypt@^6.0.0:
    node-addon-api "^8.3.0"
    node-gyp-build "^4.8.4"

+better-sqlite3@^12.6.2:
+  version "12.6.2"
+  resolved "https://registry.yarnpkg.com/better-sqlite3/-/better-sqlite3-12.6.2.tgz#770649f28a62e543a360f3dfa1afe4cc944b1937"
+  integrity sha512-8VYKM3MjCa9WcaSAI3hzwhmyHVlH8tiGFwf0RlTsZPWJ1I5MkzjiudCo4KC4DxOaL/53A5B1sI/IbldNFDbsKA==
+  dependencies:
+    bindings "^1.5.0"
+    prebuild-install "^7.1.1"
+
 binary-extensions@^2.0.0:
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.3.0.tgz#f6e14a97858d327252200242d4ccfe522c445522"
@@ -1246,7 +1254,7 @@ gopd@^1.2.0:
  resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.2.0.tgz#89f56b8217bdbc8802bd299df6d7f1081d7e51a1"
  integrity sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==

-graceful-fs@^4.1.2, graceful-fs@^4.2.0, graceful-fs@^4.2.11, graceful-fs@^4.2.6:
+graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.2.0, graceful-fs@^4.2.6:
  version "4.2.11"
  resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.11.tgz#4183e4e8bf08bb6e05bbb2f7d2e0c8f712ca40e3"
  integrity sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==
@@ -1472,16 +1480,11 @@ is-property@^1.0.2:
  resolved "https://registry.yarnpkg.com/is-property/-/is-property-1.0.2.tgz#57fe1c4e48474edd65b09911f26b1cd4095dda84"
  integrity sha512-Ks/IoX00TtClbGQr4TWXemAnktAQvYB7HzcCxDGqEZU6oCmb2INHuOoKxbtR+HFkmYWBKv/dOZtGRiAjDhj92g==

-is-stream@^2.0.1:
+is-stream@^2.0.0, is-stream@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-2.0.1.tgz#fac1e3d53b97ad5a9d0ae9cef2389f5810a5c077"
  integrity sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==

-is-stream@^4.0.1:
-  version "4.0.1"
-  resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-4.0.1.tgz#375cf891e16d2e4baec250b85926cffc14720d9b"
-  integrity sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==
-
 isarray@~1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11"
@@ -1677,6 +1680,13 @@ lru.min@^1.1.0, lru.min@^1.1.3:
  resolved "https://registry.yarnpkg.com/lru.min/-/lru.min-1.1.3.tgz#c8c3d001dfb4cbe5b8d1f4bea207d4a320e5d76f"
  integrity sha512-Lkk/vx6ak3rYkRR0Nhu4lFUT2VDnQSxBe8Hbl7f36358p6ow8Bnvr8lrLt98H8J1aGxfhbX4Fs5tYg2+FTwr5Q==

+make-dir@^3.0.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/make-dir/-/make-dir-3.1.0.tgz#415e967046b3a7f1d185277d84aa58203726a13f"
+  integrity sha512-g3FeP20LNwhALb/6Cz6Dd4F2ngze0jz7tbzrD2wAV+o9FeNHe4rL+yK2md0J/fiSf1sa1ADhXqi5+oVwOM/eGw==
+  dependencies:
+    semver "^6.0.0"
+
 make-fetch-happen@^9.1.0:
  version "9.1.0"
  resolved "https://registry.yarnpkg.com/make-fetch-happen/-/make-fetch-happen-9.1.0.tgz#53085a09e7971433e6765f7971bf63f4e05cb968"
@@ -2492,6 +2502,11 @@ safe-buffer@~5.1.0, safe-buffer@~5.1.1:
  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
  integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==

+semver@^6.0.0:
+  version "6.3.1"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.1.tgz#556d2ef8689146e46dcea4bfdd095f3434dffcb4"
+  integrity sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==
+
 semver@^7.3.5, semver@^7.5.3, semver@^7.5.4:
  version "7.7.3"
  resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.3.tgz#4b5f4143d007633a8dc671cd0a6ef9147b8bb946"
@@ -2846,19 +2861,21 @@ tarn@^3.0.2:
  resolved "https://registry.yarnpkg.com/tarn/-/tarn-3.0.2.tgz#73b6140fbb881b71559c4f8bfde3d9a4b3d27693"
  integrity sha512-51LAVKUSZSVfI05vjPESNc5vwqqZpbXCsU+/+wxlOrUjk2SnFTt97v9ZgQrD4YmxYW1Px6w2KjaDitCfkvgxMQ==

-temp-dir@^3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/temp-dir/-/temp-dir-3.0.0.tgz#7f147b42ee41234cc6ba3138cd8e8aa2302acffa"
-  integrity sha512-nHc6S/bwIilKHNRgK/3jlhDoIHcp45YgyiwcAk46Tr0LfEqGBVpmiAyuiuxeVE44m3mXnEeVhaipLOEWmH+Njw==
+temp-dir@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/temp-dir/-/temp-dir-1.0.0.tgz#0a7c0ea26d3a39afa7e0ebea9c1fc0bc4daa011d"
+  integrity sha512-xZFXEGbG7SNC3itwBzI3RYjq/cEhBkx2hJuKGIUOcEULmkQExXiHat2z/qkISYsuR+IKumhEfKKbV5qXmhICFQ==

-temp-write@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/temp-write/-/temp-write-6.0.1.tgz#b1ed81e80e120ba4957db3e01e010669d7c15870"
-  integrity sha512-6bj9LlNld+knzEOQvnZK6YxiPF+foOUjvG/WoWj1/Mt9c6f2kQCPsh8KZ+NyTk0AejubTQSPpx2alcswE1bF8g==
+temp-write@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/temp-write/-/temp-write-4.0.0.tgz#cd2e0825fc826ae72d201dc26eef3bf7e6fc9320"
+  integrity sha512-HIeWmj77uOOHb0QX7siN3OtwV3CTntquin6TNVg6SHOqCP3hYKmox90eeFOGaY1MqJ9WYDDjkyZrW6qS5AWpbw==
  dependencies:
-    graceful-fs "^4.2.11"
-    is-stream "^4.0.1"
-    temp-dir "^3.0.0"
+    graceful-fs "^4.1.15"
+    is-stream "^2.0.0"
+    make-dir "^3.0.0"
+    temp-dir "^1.0.0"
+    uuid "^3.3.2"

 text-decoder@^1.1.0:
  version "1.2.3"
@@ -2946,6 +2963,11 @@ util@^0.10.3:
  dependencies:
    inherits "2.0.3"

+uuid@^3.3.2:
+  version "3.4.0"
+  resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
+  integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==
+
 vary@^1.1.2, vary@~1.1.2:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
Author	SHA1	Message	Date
jc21	47b367d61e	Merge pull request #5276 from NginxProxyManager/develop v2.13.7	2026-02-06 07:11:49 +10:00
Jamie Curnow	d19f5c1960	Fix upgrade problem with otplib existing secrets All checks were successful Close stale issues and PRs / stale (push) Successful in 39s Details	2026-02-05 13:12:54 +10:00
Jamie Curnow	77662b4e7f	Use better-sqlite3 package for sqlite databases	2026-02-05 13:11:57 +10:00
Jamie Curnow	c88de65d3a	Fix #5274 2fa backup codes not validating properly	2026-02-05 10:51:15 +10:00
jc21	ac4efd2333	Merge branch 'master' into develop	2026-02-05 08:27:41 +10:00
Jamie Curnow	eab38d8934	Bump version	2026-02-05 08:26:49 +10:00
jc21	f3efaae320	Merge pull request #5141 from NginxProxyManager/develop v2.13.6	2026-01-14 14:30:49 +10:00
@@ -1 +1 @@
 .13.6
 .13.7