Security changes coming in Sugar 7.8

Matthew Marum —  November 15, 2016

Important security changes in Sugar 7.8

As we near the release of Sugar 7.8, we wanted to update the Sugar Developer community on a couple of important security changes that are coming in this release.

The oauth_token URL parameter is disabled by default

A convenience feature that allowed an OAuth 2.0 access token to be passed via the oauth_token URL parameter instead of using the OAuth-Token HTTP header is no longer supported in Sugar 7.8. The examples in the Sugar Developer Guide always used the OAuth-Token HTTP header – but a few people had discovered they could pass the oauth_token as a URL parameter on their own.

If you have been using it, you should know that this feature has been disabled by default due to security concerns. The practice of passing and accepting session identifiers via URL parameters is against OWASP guidelines.

For reference: Session Management Cheat Sheet – OWASP

This example is no longer allowed by default

GET /sugar/rest/v10/Contacts?oauth_token={GUID} HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Cache-Control: no-cache

This example continues to work and is preferred

GET /sugar/rest/v10/Contacts HTTP/1.1
Host: localhost:8080
Content-Type: application/json
OAuth-Token: {GUID}
Cache-Control: no-cache

If you want to enable this feature again, then you can use a new SugarConfig setting called allow_oauth_via_get. When the config setting is true, this will permit the oauth_token URL parameter to be used to pass access tokens.

$sugar_config['allow_oauth_via_get'] = true;

CSRF Tokens are now enforced by default

In a previous post on CSRF tokens in Sugar 7.7, we indicated that CSRF authentication would be enabled by default in future Sugar versions.

Well in Sugar 7.8, the $sugar_config[‘csrf’][‘soft_fail_form’] setting will default to false and the $sugar_config[‘csrf’][‘opt_in’] setting has been removed. This means that CSRF tokens are now enabled by default as of Sugar 7.8

For more details on Sugar’s CSRF implementation, please review the original post on this blog.

HTML forms used in BWC modules need to be authenticated in order to continue to function. If necessary, Sugar Developers can temporarily set the following configuration variable to disable enforcement of CSRF tokens.

$sugar_config['csrf']['soft_fail_form'] = true;

The above setting will generate FATAL messages in the sugarcrm.log file whenever a CSRF authentication failure occurs.

Sugar Developers and Administrators should resist the temptation to use soft fail mode in production instances.

Matthew Marum


Matt is the Director of Developer Advocacy for SugarCRM. Previously he was an Engineer on Sugar 7 and a Solutions Architect for the OEM program. He is also an avid trail runner, Boston Marathon qualifier and a karaoke aficionado.

3 responses to Security changes coming in Sugar 7.8


    Hi Matthew, How this can be done for app.api.fileDownload? I am trying to download a PDF but the oauth fails all the time ends with {“error”:”need_login”,”error_message”:”No valid authentication for user.”}


    How can i use it here `api.fileDownload(api.buildURL(“Quotes/” + model.get(“id”) + “/pdf/download?OAuth-Token=” + api.getOAuthToken()), {`