Security Concern
This plugin uses a redirection (to /opauth-complete) to let you handle authenticated users' data and try to identify them against your database. Thus anyone sending a POST request with consistent auth response data (existing 'uid' in database, 'validated' => true) will log in successfully!
A possible solution to this issue would be to call (from OpauthController) a protected "_callback" function defined in AppController. Another would be to use CakePHP 2.1+ EventSystem to dispatch an 'Opauth.complete' event with auth data as parameter.
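To make the first proposal concrete, here is an added CakePHP 2.x sketch; it is not the cakephp-opauth plugin's own code. The provider's response is validated in the same request that received it and then handed to a protected AppController method, so no public /opauth-complete action exists for an outside client to POST forged data to. The names OpauthController::callback(), _opauthComplete(), _opauthConfig(), the User.provider / User.provider_uid columns and the session transport are assumptions for illustration; the Opauth::validate() call follows Opauth 0.4's documented usage.

```php
<?php
// Added example for CakePHP 2.x; not code from the cakephp-opauth plugin.
// Fix 1 from the issue: validate the provider response in-process and call a
// protected AppController method instead of redirecting to a public action.
App::uses('Controller', 'Controller');
App::uses('ForbiddenException', 'Error');

class AppController extends Controller {

	public $components = array('Auth', 'Session');
	public $uses = array('User');

	/**
	 * Handles a provider response that THIS request has already validated.
	 * Protected and underscore-prefixed: CakePHP 2 will not dispatch an HTTP
	 * request to such a method, so it is reachable only by a direct call
	 * from a subclass running in the same request.
	 */
	protected function _opauthComplete(array $response) {
		// 'validated' is trusted only because our own code set it below,
		// never because a client sent it in $this->request->data.
		if (empty($response['validated']) || empty($response['auth']['uid'])) {
			$this->Session->setFlash('Authentication failed.');
			return $this->redirect($this->Auth->loginAction);
		}
		// Assumed schema: users are linked to a provider + provider uid.
		$user = $this->User->find('first', array(
			'conditions' => array(
				'User.provider' => $response['auth']['provider'],
				'User.provider_uid' => $response['auth']['uid'],
			),
			'recursive' => -1,
		));
		if (!$user) {
			// Unknown identity: start registration or reject, never log in.
			$this->Session->setFlash('No account is linked to this identity.');
			return $this->redirect($this->Auth->loginAction);
		}
		if (!$this->Auth->login($user['User'])) {
			throw new ForbiddenException();
		}
		return $this->redirect($this->Auth->redirectUrl());
	}
}

class OpauthController extends AppController {

	public function beforeFilter() {
		parent::beforeFilter();
		// Only the provider callback is public; there is no 'complete' action.
		$this->Auth->allow('callback');
	}

	/**
	 * Endpoint the identity provider sends the browser back to. Opauth has
	 * already placed its response in the session transport (assumed
	 * 'callback_transport' => 'session'); it is never read from POST data.
	 */
	public function callback() {
		$opauth = new Opauth($this->_opauthConfig(), false); // assumed helper
		$response = $this->Session->read('opauth');
		$this->Session->delete('opauth');

		if (empty($response) || !empty($response['error'])) {
			$this->Session->setFlash('Provider returned an error.');
			return $this->redirect($this->Auth->loginAction);
		}
		// Opauth 0.4 usage: the signature over the auth payload is checked
		// against the application's Opauth security salt.
		$reason = null;
		$response['validated'] = $opauth->validate(
			sha1(print_r($response['auth'], true)),
			$response['timestamp'],
			$response['signature'],
			$reason
		);
		// Same request, same process: the result travels in memory only.
		return $this->_opauthComplete($response);
	}
}
```

The event-based variant from the issue would keep _opauthComplete() as is and invoke it from a listener attached to 'Opauth.complete' in AppController::beforeFilter(); the important property in both cases is that the validated flag and the uid never cross an HTTP boundary that an arbitrary client can write to.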
I'm worried about the same thing. How to resolve this issue? Can you elaborate a bit deeper?
Really sad to see such a great plugin no longer maintained. @Jahdrien Your idea with the protected callback seems fine and should be the default way.
I will fork and try to implement the suggested changes later this day and would be happy to have your second sight/feedback.
Focus is on opauth 1.0 where this plugin would be redundant.
Having a quick look at 1.0's documentation raises the question of whether this will only be compatible with Cake 3 (since it uses namespaces).
If so, this issue is big enough to receive some more attention.
You can use namespaced libs just fine in any CakePHP version.
@ceeram for those of us who don't know, why will this be redundant? Thanks.