weechat-matrix

Can't use secure data for username/password fields

Open boris-stepanov opened this issue 5 years ago • 7 comments

Version

commit bd1583e2b76c0459c76ed78c86a2bd7a81c361df (May 23)

Installation method

yay -S libolm
git clone https://github.com/poljar/weechat-matrix.git
pip install -r requirements.txt
make install

Configuration

$ tail matrix.conf
[server]
matrix_org.autoconnect = off
matrix_org.address = "matrix.org"
matrix_org.port = 443
matrix_org.proxy = ""
matrix_org.ssl_verify = on
matrix_org.username = "${sec.data.matrix_org_username}"
matrix_org.password = "${sec.data.matrix_org_password}"
matrix_org.device_name = "Weechat Matrix"
matrix_org.autoreconnect_delay = 10
matrix_org.sso_helper_listening_port = 0
$ tail sec.conf
[data]
__passphrase__ = on
matrix_org_username = ... # hidden
matrix_org_password = ... # hidden

The problem

I cannot log in to the server using such configuration. Everything works fine in case of plaintext username/password fields.

2020-05-23 07:49:34	--	matrix: Logging in...
2020-05-23 07:49:34	=!=	matrix: Error: LoginError: 403 Invalid password
2020-05-23 07:49:34	--	matrix: disconnected from server

Btw, I tried to add debug prints right after the msg = "{prefix}matrix: Logging in...".format( in server.py to compare login, password fields and didn't notice anything wrong.

boris-stepanov, May 23 '20 20:05

Are you sure the correct password is in the secure data field? This does work as I'm using it myself.

While it's a bit hidden since we have some code generation around the config options, the evaluate=True over here means that the string gets evaluated, it's mentioned in the docs as well.

poljar, May 24 '20 20:05

Sorry for the delay.

> Are you sure the correct password is in the secure data field?

Yes, I checked this with print(self.config.username, self.config.password) right here: https://github.com/poljar/weechat-matrix/blob/master/matrix/server.py#L882

> While it's a bit hidden since we have some code generation around the config options, the evaluate=True over here means that the string gets evaluated, it's mentioned in the docs as well.

I admit that the issue could hide somewhere else. I can't debug it by myself, nor grep other places where credentials are used.

boris-stepanov, May 30 '20 02:05

So what does the print show?

poljar, May 30 '20 08:05

Correct and same <user> <password> in both cases. But I can log in in case of non-evaluated credentials.

boris-stepanov, May 30 '20 20:05

I have encountered this problem too.

https://github.com/poljar/weechat-matrix/blob/b7e502526baf5d254e7d1525339a4c61a7ae0edd/matrix/server.py#L876-L878

self.client.user is not properly evaluated when self.client.login is called although the calling function does have the correctly evaluated self.config.user. Manually overriding the value does lead to a successful login.

ghost, Apr 29 '21 01:04

> I can login in case of non-evaluated credentials.

I can reproduce this using weechat 3.1 and the master branch as of this day.

When using the following commands, I get Invalid password:

/secure passphrase mypassphrase
/secure set matrix_org_username myusername
/secure set matrix_org_password mypassword
/set matrix.server.matrix_org.username ${sec.data.matrix_org_username}
/set matrix.server.matrix_org.password ${sec.data.matrix_org_password}

gabogut239, Jun 14 '21 16:06

Ah ok, so it seems that the problem lies in the fact that we don't get an update when the data inside the secure store changes like we do when the config option changes. This is problematic because a Client object gets created that uses the username config option and stores it.

The password on the other hand is evaluated at login time, thus using /secure for the password works.

poljar, Jul 03 '21 10:07
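
The behaviour described in the last comment, modelled as an added example (not weechat-matrix code and not part of any comment above): a client that resolves a `${sec.data.*}` username once at construction keeps a stale value if the secure store changes afterwards, while values resolved at login time stay current. The `secure_data` dict, `evaluate`, `EagerClient` and `LazyClient` are hypothetical stand-ins, and expanding an unknown name to an empty string is an assumption of this model.

```python
import re

# Constructed stand-in for WeeChat's secure data store (not the real API).
secure_data = {}

_REF = re.compile(r"\$\{sec\.data\.([A-Za-z0-9_]+)\}")


def evaluate(option_value):
    """Expand ${sec.data.NAME}; unknown names expand to "" (model assumption)."""
    return _REF.sub(lambda m: secure_data.get(m.group(1), ""), option_value)


class EagerClient:
    """Resolves the username once, at construction, and stores the result."""

    def __init__(self, username_option):
        self.user = evaluate(username_option)

    def login_request(self, password_option):
        # Password is evaluated at login time; username is the stored copy.
        return {"user": self.user, "password": evaluate(password_option)}


class LazyClient:
    """Keeps the raw option string and resolves both fields at login time."""

    def __init__(self, username_option):
        self.username_option = username_option

    def login_request(self, password_option):
        return {"user": evaluate(self.username_option),
                "password": evaluate(password_option)}


def demo():
    user_opt = "${sec.data.matrix_org_username}"
    pass_opt = "${sec.data.matrix_org_password}"
    secure_data.clear()
    # Both clients are created before the secure store holds the values...
    eager, lazy = EagerClient(user_opt), LazyClient(user_opt)
    # ...then the secure data changes (constructed sample values).
    secure_data.update(matrix_org_username="myusername",
                       matrix_org_password="mypassword")
    return eager.login_request(pass_opt), lazy.login_request(pass_opt)


if __name__ == "__main__":
    for name, req in zip(("eager", "lazy"), demo()):
        # Report only whether each field is populated, never the secret itself.
        print(name, {k: bool(v) for k, v in req.items()})
```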