Troubleshoot "That code is invalid or expired" Error When Connecting an Authenticator App to Heroku
The Problem: Frustrating Authentication Failure
You're trying to connect your authenticator app (like Google Authenticator or Authy) to your Heroku app, but you keep getting the message "That code is invalid or expired. Try another." It's frustrating! You've double-checked the code, and everything seems to be in order.
Scenario: Setting Up Two-Factor Authentication on Heroku
Let's say you're setting up two-factor authentication (2FA) for your Heroku app using a third-party library like otplib. You've followed the instructions, configured your app, and generated a QR code for your authenticator app.
import base64
import os

import pyotp  # provides the TOTP class used below

# ... (rest of your code)
# Generate a random 80-bit secret and Base32-encode it for the authenticator app
key = base64.b32encode(os.urandom(10)).decode('utf-8')
totp = pyotp.TOTP(key)
# otpauth:// URI that gets encoded into the QR code
uri = totp.provisioning_uri(name='your-heroku-app', issuer_name='Your Company')
# Generate the QR code
# ...
# Retrieve the one-time code from the authenticator app
user_input = input("Enter the code from your authenticator app: ")
# ...
But when you enter the code from your authenticator app, you get the dreaded "That code is invalid or expired" error.
Unveiling the Culprits: Common Causes and Solutions
Here are the most likely culprits behind this error:
- Incorrect Code Entry: The most common reason is simply a typo when entering the code from your authenticator app. Double-check for any mistakes.
- Expired Code: One-time codes typically expire after a short period (usually around 30 seconds). If you take too long to enter the code, it might have expired.
- Time Synchronization Issues: Your device and the server running your Heroku app must be accurately synchronized with the same time source. If there's a time difference, the code will be invalid.
- Incorrect Secret Key: The secret key you use to generate the QR code for your authenticator app is crucial. Make sure you're using the correct key when verifying the code on the server side.
- Incorrect Code Generation Algorithm: Ensure that the authenticator app and the server-side code are using the same algorithm (HOTP or TOTP) to generate and verify the code.
- Network Issues: A temporary network issue could cause the code to be invalid or the server to not receive it correctly. Try refreshing the page or re-entering the code.
Troubleshooting Tips
- Check the Time: Ensure your device and the server have the correct time.
- Verify the Secret Key: Double-check that you're using the correct secret key both on the client and server sides.
- Re-generate the QR Code: If you're unsure about the secret key, try re-generating the QR code and adding it to your authenticator app.
- Test with a Known Code: If possible, try generating a known code on the server-side and manually enter it into your authenticator app. If this works, the issue is likely related to the code generation process.
- Inspect Network Traffic: Use developer tools to inspect the network traffic and see if there are any errors during the code verification process.
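To tell an expired code, clock drift and a wrong secret apart on the server side, the following added example (not part of the original article) implements RFC 6238 TOTP with the Python standard library and reports at which time step a submitted code matches. The function names `totp` and `diagnose`, the window sizes, and the sample secret (the published RFC 6238 test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step (RFC 6238 default, used by most apps)

# Constructed sample secret: the RFC 6238 test key, never use it for real users
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, digits=6):
    """Return the HMAC-SHA1 TOTP code for Unix time `at`."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def diagnose(secret_b32, code, now=None, accept=1, search=20):
    """Classify a submitted code as ok, clock_drift or no_match.

    Only codes within `accept` steps should ever log the user in. The wider
    `search` range exists for troubleshooting output and must not be used
    to grant access, since every extra step is another valid guess.
    """
    now = time.time() if now is None else now
    submitted = code.strip().replace(" ", "").encode()
    for drift in sorted(range(-search, search + 1), key=abs):
        expected = totp(secret_b32, now + drift * STEP).encode()
        if hmac.compare_digest(expected, submitted):
            return ("ok" if abs(drift) <= accept else "clock_drift"), drift
    # Nothing nearby matched: typo, wrong secret, or HOTP/TOTP mismatch
    return "no_match", None


if __name__ == "__main__":
    t = 1111111109  # timestamp from the RFC 6238 test vectors
    print(diagnose(RFC6238_SECRET, totp(RFC6238_SECRET, t), now=t))
    print(diagnose(RFC6238_SECRET, totp(RFC6238_SECRET, t), now=t + 330))
```

A `clock_drift` result points at time synchronization on the device or server, while `no_match` points at the secret key, the algorithm, or the entered digits.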
Additional Considerations
- Time-Based One-Time Password (TOTP): TOTP codes are time-sensitive and require synchronized time between the device and the server.
- HMAC-Based One-Time Password (HOTP): HOTP codes don't rely on time and can be used for offline verification, but they require the server to keep track of the counter for each user.
Final Thoughts
While the "That code is invalid or expired" error can be frustrating, by understanding the common causes and following these troubleshooting steps, you can resolve it and successfully implement two-factor authentication for your Heroku app. Remember to double-check your setup, time synchronization, and secret key. With a little attention to detail, you can enjoy the added security of 2FA.