Trouble authenticating to the Journalist Interface on Qubes staging instance

I have set up a staging instance with Qubes. Everything seems to work, except that I am unable to authenticate to the journalist interface. After adding an admin account on the App Server, and successfully loading the ATHS for the journalist interface, the form still fails to authenticate me with my credentials. I am shown a Login Error instructing me to wait until my 2FA code changes before trying again.

Details

I created an admin account with

$ python manage.py add-admin

on the App Server VM, as described here. I followed the prompts, using TOTP for 2FA and declining HOTP. There was no error reported from the manage script. Once it was done, I loaded the journalist interface successfully and entered the information into the form, but the authentication still fails. (I also tried creating a non-admin user, and I had the same problem).

Maybe relevant: To access the journalist interface ATHS I created a Debian AppVM, installed the latest stable version of the Tor Browser Bundle on it, and set it up to access the ATHS as described here from the line beginning “To use the Journalist Interface.” To copy install_files/ansible-base/app-journalist.auth_private from sd-dev to the Debian VM, I used qvm-copy as in the Whonix instructions. I am able to access the journalist interface fine from the Debian VM once all this was done, but I am not able to authenticate to it, as I mentioned. Is it possible that I must create a Tails VM instead of the Debian one I’m using?

OK, the problem here was caused by authenticating using the Tor Browser’s inbuilt mechanism for getting the shared secret (which is a little popup box under the URL bar), rather than using the secret from the onion_auth directory. For more on that, see here: “If you are generating a private key for an onion site, the user does not necessarily need to edit Tor Browser’s torrc. It is possible to enter the private key directly in the Tor Browser interface.”

Anyway, there was a typo in my configuration that was preventing the secret from being read from the file correctly, but I didn’t get any errors about that; all I got was a failed login attempt. This confused me, and led to unnecessary gymnastics in an attempt to fix things.

tl;dr lesson: when accessing the journalist interface ATHS, be sure that you authenticate using the file in the onion_auth directory—if Tor Browser prompts you and you enter the secret manually, it will work for loading the page, but you won’t be able to log in, even if you supply the correct credentials.
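Because a malformed .auth_private file showed up here only as a failed login rather than a reported error, a quick format check of the file before starting Tor Browser is worth having. The following is an added example, not SecureDrop's or Tor's own code: it checks one file's contents against the line format Tor documents for files in ClientOnionAuthDir (`<onion address>:descriptor:x25519:<base32 key>`), verifies the v3 address checksum, and can cross-check the address against the service you intend to visit; the sample address and key used in testing are constructed inline.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Tor documents each <name>.auth_private file as a single line of the form
#   <56-char onion address without ".onion">:descriptor:x25519:<52-char base32 private key>
B32_RE = re.compile(r"^[A-Za-z2-7]+$")
CHECKSUM_PREFIX, V3 = b".onion checksum", b"\x03"

def _b32decode(text: str) -> bytes:
    """Decode base32 the way Tor writes it: no '=' padding, either case."""
    return base64.b32decode(text.upper() + "=" * ((-len(text)) % 8))

def make_onion_address(pubkey: bytes) -> str:
    """Derive a v3 address (no .onion) from a 32-byte ed25519 key; used only to build sample input."""
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3).digest()[:2]
    return base64.b32encode(pubkey + checksum + V3).decode().lower()

def check_onion_address(addr: str) -> Optional[str]:
    """Return what is wrong with a v3 onion address, or None if it is well formed."""
    if len(addr) != 56 or not B32_RE.match(addr):
        return "onion address must be 56 base32 characters without '.onion'"
    raw = _b32decode(addr)
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3:
        return "onion address is not a version 3 address"
    if hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2] != checksum:
        return "onion address checksum does not match (typo in the address?)"
    return None

def check_auth_private(content: str, expected_addr: Optional[str] = None) -> List[str]:
    """Return the problems in one .auth_private file's contents ([] means it parses)."""
    lines = [ln.strip() for ln in content.splitlines() if ln.strip()]
    if len(lines) != 1:
        return [f"file must contain exactly one line, found {len(lines)}"]
    fields = lines[0].split(":")
    if len(fields) != 4:
        return [f"expected 4 colon-separated fields, found {len(fields)}"]
    addr, kind, algo, key = fields
    problems = [p for p in [check_onion_address(addr)] if p]
    if (kind, algo) != ("descriptor", "x25519"):
        problems.append(f"middle fields must be 'descriptor:x25519', found '{kind}:{algo}'")
    if len(key) != 52 or not B32_RE.match(key):
        problems.append("private key must be 52 unpadded base32 characters")
    if expected_addr and addr.lower() != expected_addr.lower().removesuffix(".onion"):
        problems.append("address in the file is not the service you are visiting")
    return problems
```

Run `check_auth_private(open("app-journalist.auth_private").read(), expected_addr="<the .onion you are loading>")` and an empty list means the file is at least well formed; anything else is a typo Tor will reject silently from the browser's point of view.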

Hi David,
Sorry for the delay, glad you got this figured out. We also have some documentation on this step: https://docs.securedrop.org/en/stable/development/qubes_staging.html?highlight=onion_auth#in-the-whonix-gateway
Let us know if you have any further questions!

rowen