Open Tony-Donoghue opened 2 years ago
Hi @Tony-Donoghue,
Confirmed in 8.0.2
Awesome, thanks for confirming and getting back to us. Appreciate it.
Hi all, just tested this using version 8.1.0 and the issue is still present and has not been resolved. Any idea when this will be fixed as I would assume this is critical for a number of users deploying SuiteCRM in live online environments? Can this be bumped in terms of priority? While you can use other 3rd party solutions (placing it behind CloudFlare's Zero Trust platform for example), many would like the service to be independent and without any 3rd party assistance. Many thanks, Tony.
Just enquiring to see if there has been any progress on fixing native 2FA or if it's due to be reviewed in an upcoming release?
I assume this bug is fixed with #90.
I am not sure #90 is entirely related, but I will retest with the latest build as soon as I can and post back here with the result.
I just tried to enable 2FA on a new install with SuiteCRM v8.1.1 and PHP 7.4. I saw two problems. My session where I was logged in started showing me the loading logo in a continuous loop when I hit "save".
I opened a different browser and tried to log in there. I get the 2FA code in my email but the loading logo just keeps displaying in a loop.
I see a lot of repeated messages in the log file:
public/legacy/suitecrm.log:
Thu May 26 03:38:41 2022 [72945][16][FATAL] DEBUG: token is not sent yet, do we send a token to user
Thu May 26 03:38:41 2022 [72945][16][FATAL] DEBUG: token is not sent yet, do we send a token to user
Thu May 26 03:39:26 2022 [72937][16][FATAL] DEBUG: token is not sent yet, do we send a token to user
Thu May 26 03:39:34 2022 [72944][16][FATAL] DEBUG: token is not sent yet, do we send a token to user
Thu May 26 03:39:35 2022 [72944][16][FATAL] DEBUG: token is not sent yet, do we send a token to user
Thu May 26 03:42:12 2022 [73002][16][FATAL] DEBUG: token already sent
browser console:
If you only have 1 admin account and you enable 2FA, you probably won't be able to log in until you manually disable it in the database.
2FA still not working in 8.1.3. Same problem as kyushuadamu described above.
I spent some time investigating it, and I found the issue. In 7.x versions the OTP form is rendered during postSessionAuthenticate, which is called on every page, before routing the request to the module. In 8.x postSessionAuthenticate is called on the /session-status request, which expects JSON. When I enable 2FA login, the response of the /session-status request returns the OTP form (HTML) and not the session status JSON, so the message returned is: "You have been logged out because your session has expired"
I hope to open a pull request in the next few days
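The mismatch described in the comment above, modelled as an added illustration that is not SuiteCRM's own code: a legacy-style hook that renders an HTML OTP page is run on an endpoint whose client expects JSON, and a client that treats anything unparsable as an expired session produces exactly the reported banner. The function names, the `two_factor_pending` field, the `AuthState` shape and the HTML stub are all assumptions constructed for this example.

```python
import json
from dataclasses import dataclass

# Constructed stand-in for the legacy OTP page; not SuiteCRM markup.
OTP_FORM_HTML = (
    "<html><body><form method='post'>"
    "<label>Enter the code sent to your email</label>"
    "<input name='otp'><button>Verify</button></form></body></html>"
)


@dataclass
class AuthState:
    """Hypothetical server-side view of the session after password login."""
    authenticated: bool
    otp_pending: bool  # 2FA enabled, code e-mailed, not yet verified


def legacy_post_session_authenticate(state: AuthState):
    """7.x-style hook: when a code is outstanding it renders the OTP form
    (HTML) instead of letting the request continue. Returns None otherwise."""
    if state.authenticated and state.otp_pending:
        return ("text/html", OTP_FORM_HTML)
    return None


def session_status_broken(state: AuthState):
    """8.x behaviour as reported: the legacy hook runs on the JSON endpoint,
    so a pending-2FA session answers with HTML instead of session JSON."""
    rendered = legacy_post_session_authenticate(state)
    if rendered is not None:
        return rendered
    return ("application/json", json.dumps({"active": state.authenticated}))


def session_status_fixed(state: AuthState):
    """Hypothetical fix: the JSON endpoint never renders HTML; it reports the
    outstanding 2FA step as a JSON field so the client can show the
    verification page itself. The field name is assumed, not SuiteCRM's."""
    payload = {
        "active": state.authenticated,
        "two_factor_pending": state.authenticated and state.otp_pending,
    }
    return ("application/json", json.dumps(payload))


def naive_frontend(content_type, body):
    """Client that treats any unparsable session status as an expired
    session; this is how the reported 'session has expired' banner arises."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "expired"
    return "ok" if data.get("active") else "expired"


def careful_frontend(content_type, body):
    """Client that checks the content type and separates the cases, so an
    HTML answer on a JSON endpoint surfaces as a server fault rather than
    as a logout. The state names are hypothetical."""
    if not content_type.startswith("application/json"):
        return "unexpected-html"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "malformed"
    if data.get("two_factor_pending"):
        return "needs-2fa"
    return "ok" if data.get("active") else "expired"


def demo():
    """Run the three combinations that matter for the reported bug."""
    pending = AuthState(authenticated=True, otp_pending=True)
    return {
        "naive_on_broken": naive_frontend(*session_status_broken(pending)),
        "careful_on_broken": careful_frontend(*session_status_broken(pending)),
        "careful_on_fixed": careful_frontend(*session_status_fixed(pending)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Running the block prints `naive_on_broken -> expired`, which is the misdiagnosis users saw, `careful_on_broken -> unexpected-html`, which is what a client should report while the server still renders HTML, and `careful_on_fixed -> needs-2fa`, the state the client needs in order to show the code-entry page.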
Any movement on this issue? We're holding off on upgrading still due to this.
Scheduled in 8.7
Trend for 2024 is to also add support for 2FA apps, Microsoft Authenticator, Google Authenticator, etc.
Issue
Had some initial issues with installation and setting up email but these have now all been resolved. The issue I am currently having, and hoping someone can point me in the right direction, is that if we use accounts without 2FA then everything works as it should and the team can log in without any problems. However, if we enable 2FA on any of the accounts, it generates the 2FA email which the users receive after correctly typing their credentials into the user interface, but instead of the user interface displaying the 2FA verification page so the user can type in the code they received by email, it logs the user out (sends them back to the username/password page) and presents a green error banner with the message “You have been logged out because your session has expired”.
As soon as we remove 2FA on the account it all works again as expected, less the 2FA email or verification webpage of course.
The same errors occur independently of clearing cache locally and on the server, and also tested with different client PCs and different browsers, all giving the same result.
Not sure if related, but another annoying issue is when the user logs out, they are unable to log in again on the same browser window without an error message “Login credentials incorrect, please try again.” - if they close the browser window and try again, works without any problems.
Expected Behavior
Expected that after a successful username and password are entered, the 2FA verification page would be displayed to allow users to enter the 2FA code they received by email.
Actual Behavior
Returns to the login screen after a correct username and password are entered and displays the error "You have been logged out because your session has expired".
Possible Fix
No real idea other than it may be related to session cookies or code.
Steps to Reproduce
Context
This issue will mean we are unable to deploy live, but we don't have plans for migration until April 1st so nothing so far will be delayed. I do feel this issue is fairly urgent, however, as 2FA is becoming a de facto standard for online services and as such will be an important part of anyone's security protection for such a product or service.
Your Environment
SuiteCRM 8.0.1 used. Tested with various browsers including Chrome, Edge and Firefox on Windows 11 and Windows 10.