Two factor authentication token expiration and related suitecrm.log noise

I just enabled two factor authentication (2fa) on a few select users on my SuiteCRM 7.10.4/Ubuntu 16.04 instance and I found that the tokens (email codes) don’t seem to expire. This was confusing at first because I had generated a token the night before, received the email with the code, but did not use it, and when I went to log in the next morning I never received another email. I had assumed that, like most 2fa systems, the code would expire after some time (15 minutes, an hour, or whatever), but the email code from the night before still worked. Is there any way to make the tokens expire automatically after some specified time?

I also see a lot of noise in the suitecrm.log like:
Wed Apr 11 07:47:16 2018 [4947][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:48:21 2018 [5015][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:49:26 2018 [4801][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:50:30 2018 [4802][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:51:37 2018 [4880][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:52:43 2018 [4801][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:53:48 2018 [4798][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:57:38 2018 [4801][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token already sent
Wed Apr 11 07:58:06 2018 [4798][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user
Wed Apr 11 07:59:10 2018 [5015][316cc89c-7590-6a43-308c-57923a9221a7][FATAL] DEBUG: token is not sent yet, do we send a token to user

It looks like every minute that there is a token sent out but not used I get the “token is not sent yet, do we send a token to user” message and whenever a token is created I get the “token already sent” message. I don’t believe I have a “debug” setting turned on but perhaps I missed something.

The messages seem to be coming from here

https://github.com/salesagility/SuiteCRM/blob/master/modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php#L301-L304

and yes, they look like debug messages that shouldn’t be logged as FATAL.

I’ll look into the issue of expiration and I will get back to you.

Can you please open a GitHub issue with this?

Maybe in the title you can just mention the “2-factor auth token expiry time”, and then inside the issue briefly note that the log messages should also be made “debug” level.

Thanks for reporting.
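Until the expiry question is settled upstream, an administrator can at least watch suitecrm.log for codes that have been pending for too long. The script below is an added example (not SuiteCRM code and not from anyone in this thread) that parses lines in the exact layout quoted in the question and reports user ids whose "token is not sent yet" messages span longer than a chosen age; it assumes, as the question does, that those repeating messages mark a token that was issued but never used. The log lines and user ids it uses are constructed.

```python
import re
from datetime import datetime

# suitecrm.log layout as quoted in the question:
#   "<ctime timestamp> [<pid>][<user id>][<level>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<pid>\d+)\]\[(?P<user>[^\]]+)\]\[(?P<level>\w+)\] (?P<msg>.*)$"
)
PENDING_MSG = "token is not sent yet, do we send a token to user"

# Constructed sample lines (not a real log); user A's token sits unused for
# over 20 minutes, user B's for under 5, and one line is unparseable noise.
SAMPLE_LOG = [
    "Wed Apr 11 07:47:16 2018 [4947][aaaaaaaa-0000-0000-0000-000000000001][FATAL] DEBUG: token already sent",
    "Wed Apr 11 07:48:21 2018 [5015][aaaaaaaa-0000-0000-0000-000000000001][FATAL] DEBUG: " + PENDING_MSG,
    "Wed Apr 11 07:50:30 2018 [4802][bbbbbbbb-0000-0000-0000-000000000002][FATAL] DEBUG: " + PENDING_MSG,
    "Wed Apr 11 07:55:12 2018 [4880][bbbbbbbb-0000-0000-0000-000000000002][FATAL] DEBUG: " + PENDING_MSG,
    "Wed Apr 11 08:09:40 2018 [4801][aaaaaaaa-0000-0000-0000-000000000001][FATAL] DEBUG: " + PENDING_MSG,
    "not a log line at all",
]

def parse_line(line):
    """Return the fields of one suitecrm.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def pending_token_spans(lines):
    """Map user id -> (first, last) time a pending-token message was logged."""
    spans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].endswith(PENDING_MSG):
            continue  # skip unparseable lines and other messages
        first, _ = spans.get(rec["user"], (rec["ts"], rec["ts"]))
        spans[rec["user"]] = (first, rec["ts"])
    return spans

def stale_tokens(lines, max_age_minutes=15):
    """User ids whose unused token has been pending longer than max_age_minutes."""
    return sorted(user for user, (first, last) in pending_token_spans(lines).items()
                  if (last - first).total_seconds() > max_age_minutes * 60)

if __name__ == "__main__":
    print("tokens pending longer than 15 minutes:", stale_tokens(SAMPLE_LOG))
```

Point it at a real file with `stale_tokens(open("suitecrm.log"))`; a user id that keeps appearing in the output is a code that should have expired and did not.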