thinkBug v0.16 beta - Build 2024-01-30

<< Zurück zur Projektauswahl | Projekt "OIDplus 2.0" - im Besucher-Modus

This bug tracker is deprecated! If possible, please report bugs via GitHub. Confidential bugs can be submitted via contact form.

<< Vorheriger Eintrag BUG#0000209 Nächster Eintrag >>

Bugreport: Bug in OAuth Plugin / Sugesstions Text / Beschreibung: Hello, in the files - plugins/publicPages/810_login_google/oauth.php - plugins/publicPages/810_login_google/oauth.php Code: OIDplus::getSystemUrl(false).OIDplus::webpath(__DIR__).'oauth.php' Should be changed to Code: OIDplus::getSystemUrl(false).'/'.OIDplus::webpath(__DIR__).'oauth.php' or Code: rtrim(OIDplus::getSystemUrl(false), '/ ').'/'.OIDplus::webpath(__DIR__).'oauth.php' Otherwise the "/" is missing between the host and the uri part of the url and the redirect_url will not work. - I did not test the facebook plugin ------------- Suggestions: 1) Instead of creating one plugin per one OAuth-Provider you could try to build one plugin for multiple providers e.g. with one of the following packages: - https://github.com/SocialConnect/auth - https://github.com/hybridauth/hybridauth 2) Credentials and API-Keys should be protected or obfuscated or encrypted? I'm currently testing JoomlaKeychainKeychain (its previous version using public/private keypairs) to avoid credentials in plaintext. Viele Grüße Till Betroffene Komponente: Standard Betroffene Version: 2.x Autor: Gast Bearbeitet von: daniel-marschall Priorität: Niedrig Datum: 12. Dezember 2020 03:54 Uhr Bug#: BUG#0000209 Status: RESOLVED Lösung: FIXED Aufgabe gelöst seit: 20. Januar 2021

Insgesamt 3 Antwort(en) vorhanden.

Sorry, the files: - plugins/publicPages/810_login_google/oauth.php - plugins/publicPages/810_login_google/OIDplusPagePublicLoginGoogle.class.php Autor: Gast Datum: 12. Dezember 2020 03:57 Uhr

Thank you very much for your report! getSystemUrl() shall always end with a slash, so the bug must be in getSystemUrl(). Unfortunately, I could only reproduce the bug if the base config setting EXPLICIT_ABSOLUTE_SYSTEM_URL is used. Otherwise it seems to be impossible because the code says $res .= '/' Is it possible that you are using EXPLICIT_ABSOLUTE_SYSTEM_URL? In that case, SVN revision 494 should fix your problem. Thank you for your suggestions, too. (1) To support multiple OAuth providers was already in the TODO list. I have added the URLs to the TODO entry. (2) I think it is technically impossible to encrypt the API credentials, because the PHP script oauth.php needs to read the values. Where should the encryption key be located? There seem to be only 3 possibilities I can think of: - The key is the base config SERVER_SECRET - The key is stored in a file in the file system - The key is stored in the database All 3 possibilities will not be secure, because if an attacker can read config.inc.php , then they also know SERVER_SECRET, and they also have the credentials for the database, so they can get the encryption key easily. Or is there a different possibility? Please let me know. Autor: daniel-marschall Datum: 12. Dezember 2020 13:14 Uhr

OP confirms that bug is fixed in the latest version Autor: daniel-marschall Datum: 20. Januar 2021 22:31 Uhr

thinkBug © 2004 - 2025 ViaThinkSoft
thinkBug Logo © 2008 taccon software project
thinkBug v0.16 ^beta - Build 2024-01-30