ViaThinkSoft thinkBug  thinkBug v0.16 beta - Build 2024-01-30
<< Back to project selection | Project "OIDplus 2.0" - in visitor mode



This bug tracker is deprecated!
If possible, please report bugs via GitHub.
Confidential bugs can be submitted via contact form.

<< Previous entry | BUG#0000209 | Next entry >>
Bug report: Bug in OAuth Plugin / Suggestions
Text / Description:

Hello,
in the files
- plugins/publicPages/810_login_google/oauth.php
- plugins/publicPages/810_login_google/oauth.php

Code:

OIDplus::getSystemUrl(false).OIDplus::webpath(__DIR__).'oauth.php'


Should be changed to

Code:

OIDplus::getSystemUrl(false).'/'.OIDplus::webpath(__DIR__).'oauth.php'


or

Code:

rtrim(OIDplus::getSystemUrl(false), '/ ').'/'.OIDplus::webpath(__DIR__).'oauth.php'


Otherwise the "/" is missing between the host and the URI part of the URL, and the redirect_url will not work.

- I did not test the Facebook plugin

-------------
Suggestions:

1) Instead of creating one plugin per one OAuth-Provider you could try to build one plugin for multiple providers e.g. with one of the following packages:
- https://github.com/SocialConnect/auth
- https://github.com/hybridauth/hybridauth

2) Credentials and API-Keys should be protected or obfuscated or encrypted?
I'm currently testing JoomlaKeychainKeychain (its previous version using public/private keypairs) to avoid credentials in plaintext.

Kind regards
Till

3 reply(ies) in total.
Sorry, the files:
- plugins/publicPages/810_login_google/oauth.php
- plugins/publicPages/810_login_google/OIDplusPagePublicLoginGoogle.class.php

Thank you very much for your report!

getSystemUrl() shall always end with a slash, so the bug must be in getSystemUrl().
Unfortunately, I could only reproduce the bug if the base config setting EXPLICIT_ABSOLUTE_SYSTEM_URL is used.
Otherwise it seems to be impossible because the code says $res .= '/'
Is it possible that you are using EXPLICIT_ABSOLUTE_SYSTEM_URL? In that case, SVN revision 494 should fix your problem.

Thank you for your suggestions, too.

(1) To support multiple OAuth providers was already in the TODO list. I have added the URLs to the TODO entry.

(2) I think it is technically impossible to encrypt the API credentials, because the PHP script oauth.php needs to read the values.
Where should the encryption key be located?
There seem to be only 3 possibilities I can think of:
- The key is the base config SERVER_SECRET
- The key is stored in a file in the file system
- The key is stored in the database
All 3 possibilities will not be secure, because if an attacker can read config.inc.php , then they also know SERVER_SECRET, and they also have the credentials for the database, so they can get the encryption key easily.
Or is there a different possibility? Please let me know.
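The following PHP script is an added illustration, not part of this thread and not OIDplus code. It reproduces the missing-slash concatenation quoted in the report, shows the rtrim()-based fix (generalised to also tolerate a leading slash on the path), and adds a host check on the resulting redirect URI. The functions systemUrl() and webpath() are hypothetical stand-ins for OIDplus::getSystemUrl(false) and OIDplus::webpath(__DIR__); the two shapes they return simulate the normal case (trailing slash present) and the EXPLICIT_ABSOLUTE_SYSTEM_URL case the maintainer describes. The host name oid.example.com is constructed.

```php
<?php
// Added example, not OIDplus code: reproduces the missing-slash bug from the
// report and shows the rtrim()-based fix, plus a host check a plugin can run
// on the resulting redirect URI before sending it to the OAuth provider.

// Hypothetical stand-in for OIDplus::getSystemUrl(false). The maintainer
// states it should always end with "/"; the bug appeared when the
// EXPLICIT_ABSOLUTE_SYSTEM_URL base config supplied a value without one,
// so both shapes are simulated here.
function systemUrl(bool $withTrailingSlash): string
{
    return $withTrailingSlash ? 'https://oid.example.com/' : 'https://oid.example.com';
}

// Hypothetical stand-in for OIDplus::webpath(__DIR__): the plugin directory
// relative to the system root, as a web path.
function webpath(): string
{
    return 'plugins/publicPages/810_login_google/';
}

// Concatenation as quoted in the report (the "before").
function redirectUriBuggy(string $base, string $path): string
{
    return $base . $path . 'oauth.php';
}

// Fix in the spirit of the report's rtrim() suggestion, generalised slightly:
// strip any trailing "/" (and stray spaces) from the base and any leading "/"
// from the path, then join with exactly one "/". Works whichever side
// carries the slash and never produces "//" or no slash at all.
function redirectUriFixed(string $base, string $path): string
{
    return rtrim($base, '/ ') . '/' . ltrim($path, '/') . 'oauth.php';
}

// Defensive check: the URL we are about to use as redirect_uri must still
// point at our own host. A missing slash silently turns
// "oid.example.com" + "plugins/..." into the host "oid.example.complugins".
function hostMatches(string $url, string $expectedHost): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

$expected = 'https://oid.example.com/plugins/publicPages/810_login_google/oauth.php';

foreach ([true, false] as $slash) {
    $base  = systemUrl($slash);
    $buggy = redirectUriBuggy($base, webpath());
    $fixed = redirectUriFixed($base, webpath());

    printf("base: %s\n", $base);
    printf("  buggy: %-72s host ok: %s\n", $buggy,
        hostMatches($buggy, 'oid.example.com') ? 'yes' : 'NO');
    printf("  fixed: %-72s host ok: %s\n", $fixed,
        hostMatches($fixed, 'oid.example.com') ? 'yes' : 'NO');
    echo '  fixed matches expected: ' . ($fixed === $expected ? 'yes' : 'NO') . "\n";
}
```

Run with `php example.php`. With the slash-less base, the buggy variant yields a URL whose host is no longer oid.example.com, which is why the provider rejects it: an OAuth authorization server compares the redirect_uri in the request against the exactly registered value. The fixed variant produces the expected URL for both base shapes, and the host check is a cheap guard to run before the provider round trip so a misconfigured EXPLICIT_ABSOLUTE_SYSTEM_URL is caught locally rather than as an opaque provider error.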

OP confirms that the bug is fixed in the latest version.




thinkBug © 2004 - 2024 ViaThinkSoft
thinkBug Logo © 2008 taccon software project