
Two-factor code caching #9970


codescientists created

Using Version 10.0, Angular/Core

I have tested the two-factor auth (only with email) and am seeing some issues (haven't found these from searching so far).

  1. If 2FA is enabled & active for a user, they can log in the first time. If they log out and log back in (with a 2FA code each time) it will work. But after a while we will always get "Security code could not be sent!". I notice that the cache is set early (in TokenController.Authenticate instead of at the time the code is generated in TokenController.SendTwoFactorAuthCode). From debugging I find that the call to ITypedCache<string,TwoFactorCodeCacheItem>.Set() does NOT actually set values in memory past a certain point in time.
  2. I notice the cache has two different "expiration" settings. Looking in [project]WebCoreModule.cs I can see that for the 2-factor code cache, the cache's DefaultAbsoluteExpireTime is set. In debugging I can see that this is configured once, on the first instance of needing the 2-factor code cache. It is set to 2 minutes. So it seems that if an absolute expire time is set for the whole cache, no entries are settable or retrievable after that time. I don't know if this can be confirmed from the underlying ABP code, but it seems to be what's happening. Why is DefaultSlidingExpireTime not used instead? This seems to fix the issue, and allows a new expiration "per item" instead of one global/permanent expiration for all future cache entries. Could this be happening with other cache-based operations? I am only just getting started with our project.
  3. In the Angular UI, once the code is sent, a timer indicates "90 seconds", but this is unrelated to the 2 minutes established on the API side. I can see this is hard-coded. Shouldn't the API return info about how long the code will last at the time it is generated?
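
To make the suspected expiry behaviour concrete, here is an added example; it is not code from the original post, from ABP or from ASP.NET Zero. It drives Microsoft.Extensions.Caching.Memory directly and assumes, without confirming it from the ABP source, that the "absolute" default expiry the post describes ends up as a single fixed instant computed once at configuration time, while a sliding (or relative) expiry is measured from each Set() call. The TwoFactorCode class, the "user:42" key format and the code values are constructed for the demo.

```csharp
// Added example, not code from the original post or from ABP / ASP.NET Zero.
// Shows the difference between an absolute expiry that is one fixed instant
// (computed once, reused for every entry) and expiries measured per entry.
// Package: Microsoft.Extensions.Caching.Memory
using System;
using System.Threading;
using Microsoft.Extensions.Caching.Memory;

public static class TwoFactorCacheExpiryDemo
{
    // Stand-in for the cached 2FA entry; not ABP's TwoFactorCodeCacheItem.
    public sealed class TwoFactorCode
    {
        public string Code { get; }
        public TwoFactorCode(string code) => Code = code;
    }

    // Hypothetical key format for one user's pending code.
    private const string Key = "user:42";

    // Lifetime kept short so the demo runs in a few seconds.
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(2);

    // Pattern A: the expiry is a DateTimeOffset computed ONCE (think: when the
    // cache is configured) and reused for every entry written afterwards.
    // Once that instant has passed, Set() stores an already-expired entry and
    // TryGetValue() never finds anything again.
    public static bool StoreWithFixedInstant(DateTimeOffset deadline)
    {
        using var cache = new MemoryCache(new MemoryCacheOptions());
        cache.Set(Key, new TwoFactorCode("123456"),
            new MemoryCacheEntryOptions { AbsoluteExpiration = deadline });
        return cache.TryGetValue(Key, out TwoFactorCode _);
    }

    // Pattern B: the expiry is a duration applied relative to the moment each
    // entry is written. Every new code gets its own fresh window.
    public static bool StoreWithRelativeLifetime(TimeSpan lifetime)
    {
        using var cache = new MemoryCache(new MemoryCacheOptions());
        cache.Set(Key, new TwoFactorCode("654321"),
            new MemoryCacheEntryOptions { AbsoluteExpirationRelativeToNow = lifetime });
        return cache.TryGetValue(Key, out TwoFactorCode _);
    }

    // Pattern C: sliding expiry, also per entry, but each read renews the
    // window. Fine for sessions; for a one-time 2FA code it lets a client that
    // keeps probing the endpoint hold a code alive past the intended window,
    // so a per-entry absolute lifetime (Pattern B) is the safer choice.
    public static bool StoreWithSlidingLifetime(TimeSpan lifetime)
    {
        using var cache = new MemoryCache(new MemoryCacheOptions());
        cache.Set(Key, new TwoFactorCode("111222"),
            new MemoryCacheEntryOptions { SlidingExpiration = lifetime });
        return cache.TryGetValue(Key, out TwoFactorCode _);
    }

    public static void Main()
    {
        // The fixed deadline is computed now, as a one-time configuration would.
        var deadline = DateTimeOffset.UtcNow.Add(Lifetime);

        Console.WriteLine($"fixed instant, immediately: {StoreWithFixedInstant(deadline)}");

        // "After a while": wait until the configured instant is in the past.
        Thread.Sleep(Lifetime + TimeSpan.FromMilliseconds(250));

        Console.WriteLine($"fixed instant, later:       {StoreWithFixedInstant(deadline)}");
        Console.WriteLine($"relative lifetime, later:   {StoreWithRelativeLifetime(Lifetime)}");
        Console.WriteLine($"sliding lifetime, later:    {StoreWithSlidingLifetime(Lifetime)}");
    }
}
```

Run it with the NuGet package referenced: the first fixed-instant call succeeds, the second (after the instant has passed) reports false because MemoryCache treats an entry whose AbsoluteExpiration is already behind it as expired and does not store it, while both per-entry variants still succeed. That is the shape of failure the post describes: a default expiry that is a point in time rather than a duration silently breaks every write after that point. If the fix is to switch the 2FA cache to a per-entry expiry, prefer a lifetime measured from Set() over a sliding one, so that the code's validity window cannot be extended by repeated reads.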

1 Answer(s)