Seafile Pro 8.0.3 2FA broken?

I observed some potential errors with 2FA in Seafile Server Pro 8.0.3.

First, I had problems connecting with SeaDrive Client (2.0.13) from macOS. I had had the SeaDrive Client working for months over several server upgrades (7.x.x => 8.0.3) without problems or disconnects. Then, all of a sudden, it got disconnected, and when I tried to re-login, it kept asking for a 2FA code over and over again.

The logs showed:
… after entering user name and PW:
request failed for https://seafile..../api2/auth-token/: {"non_field_errors":["Two factor auth token is missing."]}

… and then after entering 2FA code in the prompt:
request failed for https://seafile..../api2/auth-token/: {"non_field_errors":["Two factor auth token is invalid."]}

… strangely enough. I tried re-installing SeaDrive and removing the user config folder ~/.seadrive, without success. I also tried one of the 10 static backup codes that are generated when 2FA is enabled, didn’t work either.

Then, I disabled 2FA for that user on the server. SeaDrive connected successfully. Ok, seemed like a bug of the SeaDrive client, I thought.

But when I re-enabled 2FA for that user, problems got worse. The 10 new static backup codes that were shown were all printed with a leading b' and trailing ', so Python bytes encoding, I assume.
Bildschirmfoto 2021-05-03 um 21.10.14

I logged out from that user and tried to re-logging in the browser using one of the static codes, with and without the b'...', neither worked.
Luckily, the temporary numeric 2FA code worked, otherwise my user would’ve been locked-out.

So, it looks to me as if there is a serious bug in Seafile Pro 8.0.3 that leads to wrong static 2FA codes being generated / printed to the user. I the 2FA device is lost / not available / destroyed / whatever, the account is locked out.

We will check the problem later.

In the meantime, I did a clean installation of Seafile Pro 8.0.3 on Ubuntu 20.04 using the auto install script. I can confirm that the problem also occurs in this fresh instance: Backup codes are generated with enclosing b' ... ' and do not work upon login (neither with nor without the enclosing). Numeric codes work.

I can confirm this problem with TOTP backup codes still exists in Seafile Pro 8.0.4.

My backup code works fine with 8.0.4 docker based install.

Enter username and password, click on ‘Enter two factor backup code’ at the bottom of the Two Factor Authentication prompt, enter code including ‘b’, i.e b'o55dv2cb'
Each code only works once.

Are you supposed to be able to paste the backup codes into this window? Because if so, then it doesn’t work in the community edition either. I’ve just generated new codes and they don’t work either.

The seahub log has this line each time:

2021-07-17 15:48:37,762 [WARNING] django.request:222 log_response Bad Request: /api2/auth-token/