Security Concern #35

Open
AVapps opened this issue Jan 29, 2014 · 6 comments
Comments

@AVapps

AVapps commented Jan 29, 2014

This plugin uses a redirection (to /opauth-complete) to let you handle authenticated users' data and try to identify them against your database. Thus anyone sending a POST request with consistent auth response data (existing 'uid' in database, 'validated' => true) will log in successfully!

A possible solution to this issue would be to call (from OpauthController) a protected "_callback" function defined in AppController. Another would be to use CakePHP 2.1+ EventSystem to dispatch an 'Opauth.complete' event with auth data as parameter.
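
The concern and the protected-callback suggestion above, as an added plain-PHP illustration that is not part of the original thread and not the plugin's code. The class and function names, the HMAC used as a stand-in for the auth library's own response check, and the 120-second freshness window are all assumptions of this sketch.

```php
<?php
// Added illustration, not the plugin's code; every name below is hypothetical.
const SECRET = 'constructed-server-side-secret';   // stays on the server
$users = array('uid-1001' => 'alice');             // constructed: provider uid => account

// Stand-in for the auth library's own response check (an assumption of this sketch).
function sign_auth(array $auth, $timestamp) {
    return hash_hmac('sha256', json_encode($auth) . '|' . $timestamp, SECRET);
}

// BEFORE: routable completion action that trusts fields taken from the request body.
function complete_vulnerable(array $post, array $users) {
    $uid = isset($post['auth']['uid']) ? $post['auth']['uid'] : null;
    return (!empty($post['validated']) && isset($users[$uid])) ? $users[$uid] : null;
}

// AFTER: the response is verified and the account looked up within one request.
class AppControllerSketch {
    protected $users;
    public function __construct(array $users) { $this->users = $users; }
    // Protected: CakePHP 2 does not dispatch requests to non-public controller methods.
    protected function _callback(array $auth) {
        return isset($this->users[$auth['uid']]) ? $this->users[$auth['uid']] : null;
    }
}
class OpauthControllerSketch extends AppControllerSketch {
    public function callback(array $response) {
        foreach (array('auth', 'timestamp', 'signature') as $key) {
            if (empty($response[$key])) { return null; }
        }
        if (!is_array($response['auth']) || empty($response['auth']['uid'])) { return null; }
        if (abs(time() - (int) $response['timestamp']) > 120) { return null; } // stale
        $expected = sign_auth($response['auth'], $response['timestamp']);
        if (!hash_equals($expected, (string) $response['signature'])) { return null; }
        return $this->_callback($response['auth']); // client-sent 'validated' is never read
    }
}

// Constructed inputs: a body with a self-asserted flag, and a properly signed response.
$forged = array('validated' => true, 'auth' => array('uid' => 'uid-1001'));
$now = time();
$auth = array('provider' => 'Example', 'uid' => 'uid-1001');
$signed = array('auth' => $auth, 'timestamp' => $now, 'signature' => sign_auth($auth, $now));

$ctl = new OpauthControllerSketch($users);
var_dump(complete_vulnerable($forged, $users)); // old handler, self-asserted flag
var_dump($ctl->callback($forged));              // new path, same request body
var_dump($ctl->callback($signed));              // new path, signed response
```

The point of the hardened path is that nothing reachable by URL accepts pre-validated auth data: the check and the database lookup share one call stack.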

@gentunian

I'm worried about the same thing. How to resolve this issue? Can you elaborate a bit deeper?

@Suven

Suven commented Jul 4, 2014

Really sad to see such a great plugin no longer maintained.
@Jahdrien Your idea with the protected callback seems fine and should be the default way.

I will fork and try to implement the suggested changes later this day and would be happy to have your second sight/feedback.

@ceeram
Collaborator

ceeram commented Jul 4, 2014

Focus is on opauth 1.0 where this plugin would be redundant.

@Suven

Suven commented Jul 4, 2014

Having a quick look at 1.0's documentation raises the question of whether this will only be compatible with Cake 3 (because of the use of namespaces).

If so, this issue is big enough to receive some more attention.

@ceeram
Collaborator

ceeram commented Jul 4, 2014

You can use namespaced libs just fine in any CakePHP version.

@gentunian

@ceeram for those of us who don't know, why will this be redundant? Thanks.
