Multi-Factor Authentication error on Top version 3.2.1-1-16749

[Yuri Groger]

Hi All,

When I enabling the MFA and trying to add "Recovery codes", "Email" or "TOTP" to any user I am getting error:

2025-08-05 19:59:22 | Error   | 5     | sodium_crypto_secretbox(): Argument #3 ($key) must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long | IssueLog |||
2025-08-05 19:59:22 | Error   | 5     | CreateCodes failed | MFA |||
array (
  'error' => 'sodium_crypto_secretbox(): Argument #3 ($key) must be SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes long',
  'stack' => '#0 /path-to-instance//core/simplecrypt.class.inc.php(325): sodium_crypto_secretbox()
#1 /path-to-instance//core/simplecrypt.class.inc.php(121): SimpleCryptSodiumEngine->Encrypt()
#2 /path-to-instance//core/attributedef.class.inc.php(4330): SimpleCrypt->Encrypt()
#3 /path-to-instance//core/dbobject.class.php(3160): AttributeEncryptedString->GetSQLValues()
#4 /path-to-instance//core/dbobject.class.php(3452): DBObject->DBInsertSingleTable()
#5 /path-to-instance//application/cmdbabstract.class.inc.php(4538): DBObject->DBInsertNoReload()
#6 /path-to-instance//core/dbobject.class.php(3236): cmdbAbstractObject->DBInsertNoReload()
#7 /path-to-instance//env-production/combodo-mfa-recovery-codes/src/Service/MFAUserSettingsRecoveryCodesService.php(55): DBObject->DBInsert()
#8 /path-to-instance//env-production/combodo-mfa-recovery-codes/src/Service/MFAUserSettingsRecoveryCodesService.php(147): Combodo\\iTop\\MFARecoveryCodes\\Service\\MFAUserSettingsRecoveryCodesService->CreateCodes()
#9 /path-to-instance//env-production/combodo-mfa-recovery-codes/src/Controller/MFARecoveryCodesMyAccountController.php(31): Combodo\\iTop\\MFARecoveryCodes\\Service\\MFAUserSettingsRecoveryCodesService->RebuildCodes()
#10 /path-to-instance//sources/Application/TwigBase/Controller/Controller.php(236): Combodo\\iTop\\MFARecoveryCodes\\Controller\\MFARecoveryCodesMyAccountController->OperationMFARecoveryCodesView()
#11 /path-to-instance//sources/Application/TwigBase/Controller/Controller.php(175): Combodo\\iTop\\Application\\TwigBase\\Controller\\Controller->CallOperation()
#12 /path-to-instance//env-production/combodo-mfa-recovery-codes/index.php(21): Combodo\\iTop\\Application\\TwigBase\\Controller\\Controller->HandleOperation()
#13 /path-to-instance//pages/exec.php(102): require_once()
#14 {main}',
)
2025-08-05 19:59:23 | Error   | 5     | CreateCodes failed | IssueLog |||

Any thoughts?
Thanks

[Stephen Abello]

Hi Yuri,

MFA extension uses an encrypted attribute to store sensitive data.
You probably have a mismatch between your encryption_library and you encryption_key in the configuration file.

Check this documentation to generate a key that'll be valid with sodium.

Beware, if you already have encrypted values (AttributeEncryptedString attributes or AttributeEncryptedPassword) you might suffer data loss and need to follow the migration procedure (That seems unlikely as you key does not match your library in the first place, but better be safe!)

I hope this helps,
Stephen

[Yuri Groger]

Hi Stephen,

Thank you. Working now!

Regards
Yuri