
SSO helper script could store the token for less hassle

Open mqp opened this issue 6 years ago • 2 comments

It seems like it would be a better user experience to store the SSO login token on disk, and then require re-authentication via a browser only if the stored token is missing, invalid, or expired. Since browsers happily store these tokens, it doesn't seem like people should be unhappy from a security point of view about this outcome.

Relatedly, we could also make it more convenient for people to supply the login token manually, if they don't prefer to use the SSO helper script.

I would be happy to implement this if it's a change you endorse.

mqp · Sep 18 '19 23:09

Sure, sounds like a good idea. Beware though that you would also need to store/restore the user id of our user, since that info is also provided by a login. It might make sense to take a look at whether we can use WeeChat's /secure storage plugin to store the token.

Logouts are already handled so not much would need to happen there if a token expires.

Supplying the token manually is fine as well, the link could also be opened automatically, for example:

  • Check if we're inside a tmux/screen session; if yes, spawn a new pane that runs a CLI browser.
  • If we're not inside tmux, open the link using your local $BROWSER.

Anyways, feel free to implement this, I don't have any objections around this.

poljar · Sep 19 '19 08:09
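The open-the-link-automatically idea from the comment above, written out as an added example (not weechat-matrix code). It assumes the usual environment markers: $TMUX is set inside tmux, $STY inside GNU screen, $BROWSER names a graphical browser, and a CLI browser (w3m by default, overridable via the hypothetical CLI_BROWSER variable) is installed for the pane case. Before handing the link to any of those, it only accepts plain http(s) URLs without whitespace or quotes, so a malformed or unexpected link from the homeserver cannot reach other URL handlers or break the command string passed to tmux/screen.

```shell
#!/bin/sh
# Added example, not part of weechat-matrix: open an SSO login link in the
# most convenient place, as suggested in the issue discussion.
# Assumptions: $TMUX marks a tmux session, $STY a GNU screen session,
# $BROWSER a graphical browser; CLI_BROWSER is a hypothetical override.

CLI_BROWSER="${CLI_BROWSER:-w3m}"

# Allow only http(s) URLs with no whitespace or quote characters, so the
# link can be safely embedded in a shell command string for tmux/screen.
is_http_url() {
    case "$1" in
        *[\ \'\"]*) return 1 ;;
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report which mechanism applies: tmux, screen, browser, or none.
choose_opener() {
    if [ -n "${TMUX:-}" ]; then
        echo tmux
    elif [ -n "${STY:-}" ]; then
        echo screen
    elif [ -n "${BROWSER:-}" ]; then
        echo browser
    else
        echo none
    fi
}

# Open the link via the chosen mechanism; falls back to printing it.
open_sso_link() {
    url="$1"
    if ! is_http_url "$url"; then
        echo "refusing to open non-http(s) or malformed URL: $url" >&2
        return 1
    fi
    case "$(choose_opener)" in
        tmux)    tmux split-window -v "$CLI_BROWSER '$url'" ;;
        screen)  screen -X screen "$CLI_BROWSER" "$url" ;;
        browser) "$BROWSER" "$url" ;;
        none)    echo "Open this link in a browser to finish SSO login: $url" ;;
    esac
}

# Usage from a helper script (URL constructed for illustration):
# open_sso_link "https://example.org/_matrix/client/r0/login/sso/redirect?redirectUrl=http://localhost:8080"
```

Outside tmux or screen and without $BROWSER set, the function just prints the link, which matches the manual flow the thread describes.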

FWIW, I'm currently using the following patch for a homeserver that has only SSO login enabled and regular password login disabled:

diff --git a/matrix/server.py b/matrix/server.py
index dda861e..9291940 100644
--- a/matrix/server.py
+++ b/matrix/server.py
@@ -1334,7 +1334,15 @@ class MatrixServer(object):
     def _handle_login_info(self, response):
         if ("m.login.sso" in response.flows
                 and (not self.config.username or not self.config.password)):
-            self.start_login_sso()
+            access_token = W.info_get_hashtable("secured_data", None).get(f"matrix.server.{self.name}.access_token")
+            if access_token is None:
+                self.start_login_sso()
+            else:
+                response.user_id = self.config.username
+                response.device_id = self.device_id
+                response.access_token = access_token
+                self.client._handle_login(response)
+                self.login()
         elif "m.login.password" in response.flows:
             self.login()
         else:
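Review bot: the restored-session branch never handles a stored token that the homeserver has since revoked or expired; `self.client._handle_login(response)` marks the client as logged in locally, so an invalid token only surfaces as an error on the first request afterwards, and there is no path back to `self.start_login_sso()` from there. Suggest catching the unknown-token error in the existing logout/error handling and falling back to `self.start_login_sso()` (ideally after the user removes the stale entry from /secure). The branch also silently requires `self.config.username` to be a full Matrix user ID because it is assigned to `response.user_id`; a check that it starts with `@` and contains `:` before use, plus a note in the option's description, would avoid a confusing failure for users who kept the localpart.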
@@ -1342,6 +1350,9 @@ class MatrixServer(object):
             self.disconnect()

     def _handle_login(self, response):
+        W.prnt(self.server_buffer, "Use the following command to store the access token:")
+        W.prnt(self.server_buffer, f"/secure set matrix.server.{self.name}.access_token {response.access_token}")
+
         self.access_token = response.access_token
         self.user_id = response.user_id
         self.client.access_token = response.access_token
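Review bot: the two added `W.prnt` calls write the raw access token into the server buffer on every successful login, not only after an SSO login, and WeeChat's logger plugin records buffer contents to plaintext log files by default, so the long-lived token ends up on disk outside /secure. Suggest gating the hint on the SSO path and either storing the token through the secure-storage API directly or printing only an instruction that does not include the token value (the user can copy it from the `/secure set` command after excluding the server buffer from logging). The f-strings in these lines also pin the plugin to Python 3.6+, which is worth checking against the project's minimum supported version.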

It displays the access token after a successful SSO login so that you can add it to the /secure storage for the next time WeeChat is started. For this to work, matrix.server.<name>.username must contain the full user ID of the form @localpart:homeserver instead of only the localpart username.

In its current form, the patch feels a bit too rough to be submitted as a proper pull request, but it might at least be a starting point in order to get the login flow with an access token right.

diabonas · Sep 01 '21 09:09