Umbraco-2FA

Automatically logged out after less than 2 minutes.

Open reense opened this issue 6 years ago • 36 comments

Hello all,

When I use this package, it throws me out of the backoffice every two minutes or so. I don't even have this plugin enabled, only installed.

When I monitor the console, I see that after it requests https://localhost:44326/umbraco/backoffice/UmbracoTrees/ContentTree/GetNodes?id=1094&application=content&tree=&isDialog=false, it gives the following 401:

)]}',
{"Message":"Authorization has been denied for this request."} 

Is there some kind of timeout parameter I need to set for it to not throw me out every two minutes?

reense avatar Nov 13 '18 15:11 reense

Also experiencing this issue. It doesn't appear to be cookie expiration. I'll see if I can debug, but any thoughts would be appreciated!

tommyw avatar Nov 28 '18 11:11 tommyw

The only thing that I can see at the moment that might be this: https://github.com/Offroadcode/Umbraco-2FA/blob/master/Umbraco2FA/Umbraco/Fortress/Startup/FortressOwinStartup.cs#L66

app.UseTwoFactorSignInCookie(global::Umbraco.Core.Constants.Security.BackOfficeTwoFactorAuthenticationType, TimeSpan.FromMinutes(5));

will try adjusting the 5 minute cookie timeout

tommyw avatar Nov 28 '18 12:11 tommyw

> The only thing that I can see at the moment that might be this: https://github.com/Offroadcode/Umbraco-2FA/blob/master/Umbraco2FA/Umbraco/Fortress/Startup/FortressOwinStartup.cs#L66
>
> app.UseTwoFactorSignInCookie(global::Umbraco.Core.Constants.Security.BackOfficeTwoFactorAuthenticationType, TimeSpan.FromMinutes(5));
>
> will try adjusting the 5 minute cookie timeout

I saw that too about a week ago. But since it times out within two minutes, I don't think that is our problem.. I will also continue investigating this :)

reense avatar Nov 28 '18 12:11 reense

@tommyw Did you find anything yet? I'm still searching but I can't find the problem..

reense avatar Nov 30 '18 13:11 reense

@reense nope, afraid not. haven't spent a huge amount of time on it though. will hopefully be able to find a bit more time next week.

tommyw avatar Nov 30 '18 14:11 tommyw

@reense I just realised that there's meant to be an umbraco2FA admin section, but when I assign it to the administrators group, it causes the back office to fall over.

image

So.... I'm really not sure where to go from here. Neither of the Fortress DB tables offer any settings for timeout. I think it must be something to do with the authenticate API call, and found this: https://github.com/Offroadcode/Umbraco-2FA/blob/master/Umbraco2FA/Umbraco/Fortress/Controllers/TwoFactorAuthController.cs#L70 but that's not included in the .csproj, so I guess it's old.

I'll try to get the whole solution, with the JS/grunt running locally, might provide some clues.

tommyw avatar Nov 30 '18 14:11 tommyw

@tommyw Hmm, that's what I found as well. However, I'm still clueless why this issue is occurring. There is nothing in the code that suggests it automatically logs out. I think it could also be some exception that is silently occurring, and then logging out because of that. Still investigating..

reense avatar Dec 11 '18 10:12 reense

@cssquirrel Hi Kyle. Have you experienced this issue at all?

tommyw avatar Dec 11 '18 10:12 tommyw

Hey folks, it's been pretty flat out crazy busy here at Offroadcode Towers so sorry for the lack of response.

For a little history the 2FA stuff was originally part of a bigger project which had a collection of security goodies in it that we called Fortress hence all the references. We chose to release the 2FA stuff separately but to do that we had to rip out some of the other goodies but we did it in a bit of a hurry. As a result there are some left over artefacts in there which might prove to be red herrings, sorry.

Timeout wise I can't think of anything off the top of my head but that cookie timeout would certainly be worth bumping up to see if it did anything. I'll ask around in the office this week and see what we can come up with.

Thanks for your interest in the package though and your keenness to help us get to the bottom of these issues :)

PeteDuncanson avatar Dec 11 '18 16:12 PeteDuncanson

Cheers Pete, appreciate it. Would be a great addition to U7, and hopefully will be rolled into U8!

tommyw avatar Dec 11 '18 17:12 tommyw

> se the 2FA stuff separately but to do that we had to rip out some of the other goodies but we did it in a bit of a hurry. As a result there are some left over artefacts in there which might prove to be red herrings, sorry.
>
> Timeout wise I can't think of anything off the top of my head but that cookie timeout would certainly be worth bumping up to see if it did anything. I'll ask around in the office this week and see what we

Great, thank you! Looking forward to hearing what your colleagues said ;)

reense avatar Dec 12 '18 07:12 reense

@PeteDuncanson Any Solution for the above issue?

iKomettech avatar Dec 27 '18 09:12 iKomettech

still waiting for the response

ozgn avatar Jan 14 '19 09:01 ozgn

Timed it. It's 60 seconds, and I think I know why.

image

Notice the expiry date on the .AspNet.UmbracoTwoFactorCookie - Unix epoch. I think the cookies aren't being sent properly by the middleware.

jamiehowarth0 avatar Jan 18 '19 14:01 jamiehowarth0

Upon further investigation, basically Umbraco's backoffice has a bespoke cookie manager class, which determines whether Umbraco's auth middleware needs to be invoked when authorising requests. The UseTwoFactorSignInCookie uses the default CookieAuthenticationOptions class, which is very sparse and doesn't contain anything to do with paths (here's where we get to the crux). As a result, the cookie times out cause it's both the wrong path options, and the wrong cookie manager.

I'm hoping to have this fixed soon as a result using Umbraco's own cookie middleware settings, but it's taking some time as now Umbraco is refusing to accept that the 2FA provider is registered. Once I've debugged that, I should have a PR ready soon.

jamiehowarth0 avatar Jan 19 '19 11:01 jamiehowarth0
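
The two symptoms reported above (a Set-Cookie whose expiry is the Unix epoch, and cookie path options that do not fit the backoffice) can be checked from captured response headers. This is an added example, not code from the thread or from the package; the header values, the `EXAMPLE_` cookie names, the `/umbraco/example-login` path and all function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def is_deletion(attrs, now):
    """True when the header tells the browser to drop the cookie immediately."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass
    try:
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # no usable expiry: a session cookie, not a deletion
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def audit(headers, response_path, api_path, now=None):
    """Per cookie: is it being deleted, and would it accompany a call to api_path?"""
    now = now or datetime.now(timezone.utc)
    default = response_path.rsplit("/", 1)[0] or "/"  # RFC 6265 default-path
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        path = attrs.get("path", "")
        if not path.startswith("/"):
            path = default
        report[name] = {"deleted": is_deletion(attrs, now), "path": path,
                        "sent_to_api": path_matches(path, api_path)}
    return report

# Constructed sample headers; only the first cookie name appears in the thread.
SAMPLE = [".AspNet.UmbracoTwoFactorCookie=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT",
          "EXAMPLE_SESSION=abc123; HttpOnly",
          "EXAMPLE_SCOPED=1; Path=/umbraco/surface"]
```

Calling `audit(SAMPLE, "/umbraco/example-login", "/umbraco/backoffice/UmbracoTrees/ContentTree/GetNodes")` flags the two-factor cookie as deleted and shows which of the other cookies would not be sent with the tree request that returned the 401.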

Hey @benjaminhowarth1 , I have the same issue here and I am looking forward to your PR. When do you think it will be ready? Thanks a lot

davod123 avatar Jan 28 '19 14:01 davod123

Having the same issue as stated above, being logged out of the backoffice after about a minute. When can we expect this bug to be fixed?

koenvanras avatar Feb 12 '19 13:02 koenvanras

Sorry folks, it's been put on my backburner for a little while. I'll see what I can do about it this week.

jamiehowarth0 avatar Feb 12 '19 13:02 jamiehowarth0

@benjaminhowarth1 have you had any time to fix this bug? I want to implement this package for a client but in the current state it's a no go for us.

koenvanras avatar Feb 18 '19 11:02 koenvanras

Hello @benjaminhowarth1 - do you have an update on this issue? This is an issue that is stopping us from completing a project. Is there a commercial support contract that you offer for this package and if so we are interested in that. Please let me know if that is a viable option and that case, I can reach out to you directly.

Thank you.

naresh-msc avatar Feb 19 '19 16:02 naresh-msc

Hi folks, I'm taking another look at this tonight. @naresh-msc commercial support for OSS components is always appreciated, do feel free to drop me a line about helping to financially support the project going forward :)

jamiehowarth0 avatar Feb 19 '19 16:02 jamiehowarth0

Benjamin - Thank you for the efforts to fix this issue. Please let me know if we can setup some type of support contract for this component and we can look into it.

Thank you.

naresh-msc avatar Feb 19 '19 17:02 naresh-msc

Hey all, I found a nice standalone project here - https://github.com/nul800sebastiaan/YubiKey2Factor but with some bugs, so I forked it and removed all the unnecessary code (YubiKey), you are welcome to give it a review. My fork - https://github.com/ng-soft/umbraco-2fa-with-google-authenticator (old name https://github.com/ng-soft/YubiKey2Factor)

ng-soft avatar Feb 21 '19 07:02 ng-soft

> Hi folks, I'm taking another look at this tonight. @naresh-msc commercial support for OSS components is always appreciated, do feel free to drop me a line about helping to financially support the project going forward :)

@benjaminhowarth1 Do you have any update yet?

koenvanras avatar Mar 05 '19 12:03 koenvanras

@ng-soft I looked at your repo. It would be much nicer to have just the DLLs\code we would need for our own installs.

kgiszewski avatar Mar 20 '19 14:03 kgiszewski

@kgiszewski, That's true, but I tried to do it as a standalone solution where all you have to do is just download it without any installation. I guess that doing it as a plugin is a much better approach, but it would take some time. In the meantime, all you have to do is copy the 2FactorAuthentication folder into your solution and it should work too without a lot of configuration.

ng-soft avatar Mar 20 '19 14:03 ng-soft

@ng-soft I forked your repo, made some updates (copy\pasted\updated some namings\namespaces) and it so far works fabulously.

I grabbed the 2Factor folder plus the App_Plugins one too.

Installed GoogleAuthenticator via nuget and it "just worked".

I'm gonna kick the tires today on it, but seems you've made my day 👍

kgiszewski avatar Mar 21 '19 14:03 kgiszewski

Has any progress been made to rectify the user timeout issue? Or perhaps a recommended workaround? Currently the plugin is unusable. Thanks

danielstenson avatar Apr 08 '19 11:04 danielstenson

See my comments above

ng-soft avatar Apr 08 '19 11:04 ng-soft

Thanks very much @ng-soft, I will try your forked repo https://github.com/ng-soft/umbraco-2fa-with-google-authenticator as a workaround. Is there any update on the progress of the issue for this plugin however?

danielstenson avatar Apr 08 '19 11:04 danielstenson