

friendica OAuth authenticate for SPIP CMS


!Friendica Developers

I installed a friendica instance (say "friendica.site") and a SPIP website (a CMS, cf. spip.net) and its mastodon plugin ( git.spip.net/spip-contrib-exte… )
Using that plugin, I can send messages to the friendica instance, but I need the plugin to OAuth into friendica for further features.

To do so, I installed the oauthprovider addon github.com/bmillwood/friendica…

When declaring the account in the SPIP-plugin config page, I'm redirected to friendica.site and asked whether I accept OAuth. I agree. The newly accepted "SpipToMastodon" app appears in the addon config page friendica.site/admin/addon/oauthprovider : everything seems ok.

Then there is a redirect toward the SPIP plugin config page, and an error happens, because the process tries to fetch the following URL: friendica.site/api/v1/accounts/verify_credentials?access_token=64ee5f2etc...
and friendica's `getUserIdByAuth` method fails with error « Unauthorized / This API requires login » and sends a 401 HTTP code back... The spip-plugin fails.

I see that when trying that URL directly in the browser, it asks for an interactive HTTP login and password !!! When I enter my login and password, I then get a nice JSON with my user data.

When trying that URL on mastodon sites in the browser (with adapted access_tokens), I do not have to interactively enter my login and password = the feedback URL is immediately accepted and JSON data is provided.
It looks like the access_token enables this for mastodon, but not for friendica.

In friendica's code, the PHPDOC says « An addon indicates successful login by setting 'authenticated' to non-zero value and returning a user record » relating to `Hook::callAll('authenticate', $addon_auth);`. Is this some kind of pipelined operation that the oauthprovider addon should implement, using the access_token ?

On the SPIP plugin side, is there something to be done so the plugin accommodates friendica's verify_credentials page ?

Friendica Developers shared.

in reply to Michael Vogel

Well I searched and found a documentation wiki.friendi.ca/docs/api-authe… and followed a link !

It's not required ? OK I deactivated the plugin and tried without it : the behaviour is exactly the same :-) Is there a page where I can see now the list of authorized apps, possibly along with their client id and secret ids ? Or maybe this is the specific role of that addon...

But same also is the issue when accessing friendica.site/api/v1/accounts/verify_credentials?access_token=64ee5f2etc...

I see the SPIP-plugin sends the access_token in the query of this URL, but also in the header of the request, with an "Authorization: Bearer 64ee5f2etc..." (value of the access_token).
Strangely, the error message "This API requires login" that is fed back with the 401 error comes from the `getUserIdByAuth` function that is defined in BasicAuth.php file.
« BasicAuth » ?!


in reply to JLuc

You see the connected apps at /settings/oauth on your machine.

in reply to JLuc

In `BaseApi::getCurrentApplication`, BasicAuth is called because `OAuth::getTokenByBearer` fails (because both `$_SERVER['HTTP_AUTHORIZATION']` and `$_SERVER['REDIRECT_REMOTE_USER']` are empty)

BUT when editing `OAuth::getTokenByBearer` so it uses `$_GET[access_token]` in the $condition for `DBA::selectFirst ('application-view'` ... it works !!!!


in reply to JLuc

Progress on the issue:
- according to the OAuth spec datatracker.ietf.org/doc/html/… , the bearer access_token « SHOULD NOT be passed in page URLs (for example, as query string parameters). Instead, bearer tokens SHOULD be passed in HTTP message headers or message bodies for which confidentiality measures are taken. Browsers, web servers, and other software may not adequately secure URLs in the browser history, web server logs, and other data structures. If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations. »

Friendica does this right. It looks like Mastodon wrongly accepts the token as a URL argument. (Surprising, isn't it ?)

I will propose a fix for the SPIP plugin so it can pass the access_token in the Authorization header, for friendica, mastodon and hopefully other creatures of the fediverse.

#friendica #mastodon #spip #security

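The header-versus-query-string distinction this thread turns on, as an added example that is not part of the original posts and not code from Friendica or the SPIP mastodon plugin. It is a self-contained Python model of both sides: a client that builds the `verify_credentials` request either the old way (token in the query string) or the fixed way (`Authorization: Bearer` header), and a server-side lookup that, like the behaviour described above for Friendica, reads only the header and answers 401 "This API requires login" otherwise. It also shows the concrete reason RFC 6750 gives: the request line lands in the web server's access log, the Authorization header normally does not. The names `get_token_by_bearer`, `TOKEN_STORE`, `build_request` and the token value are assumptions; Friendica's real `OAuth::getTokenByBearer` lookup against `application-view` is not reproduced.

```python
import hmac
import re
from urllib.parse import urlsplit

# Constructed token store: token -> user id. Stands in for the database
# lookup a real server does; the token value is made up for this example.
TOKEN_STORE = {"64ee5f2e_constructed_token": 42}

# RFC 6750 b64token syntax for the credential part of "Bearer <token>".
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9._~+/=-]+)$")


def get_token_by_bearer(server_env):
    """Server side. server_env mirrors PHP's $_SERVER array.

    Only the Authorization header (or the REDIRECT_ copy some front ends
    leave behind) is consulted; the query string is deliberately ignored,
    as RFC 6750 recommends. Returns the user id or None.
    """
    header = (server_env.get("HTTP_AUTHORIZATION")
              or server_env.get("REDIRECT_HTTP_AUTHORIZATION", ""))
    match = BEARER_RE.match(header.strip())
    if not match:
        return None
    presented = match.group(1)
    # Constant-time comparison against every stored token so that lookup
    # timing does not leak how many leading characters matched.
    for known, uid in TOKEN_STORE.items():
        if hmac.compare_digest(known, presented):
            return uid
    return None


def verify_credentials(server_env):
    """Model of /api/v1/accounts/verify_credentials: (status, body)."""
    uid = get_token_by_bearer(server_env)
    if uid is None:
        return 401, {"error": "This API requires login"}
    return 200, {"id": uid}


def build_request(base, token, in_query=False):
    """Client side. Returns (url, headers).

    in_query=True reproduces the plugin's pre-fix behaviour (token in the
    URL); the default builds the fixed request with a Bearer header.
    """
    path = "/api/v1/accounts/verify_credentials"
    if in_query:
        return f"{base}{path}?access_token={token}", {}
    return f"{base}{path}", {"Authorization": f"Bearer {token}"}


def to_server_env(url, headers):
    """Turn a client request into the $_SERVER-like dict the server sees."""
    parts = urlsplit(url)
    uri = parts.path + (f"?{parts.query}" if parts.query else "")
    env = {"REQUEST_URI": uri}
    if "Authorization" in headers:
        env["HTTP_AUTHORIZATION"] = headers["Authorization"]
    return env


def access_log_line(env):
    """What a common-log-format access log records: the request line.
    Request headers such as Authorization are not part of it."""
    return f'GET {env["REQUEST_URI"]} HTTP/1.1 200 - "-"'


def token_in_log(env, token):
    """True if the token would be readable in the access log line."""
    return token in access_log_line(env)


if __name__ == "__main__":
    tok = "64ee5f2e_constructed_token"
    for mode in (True, False):
        env = to_server_env(*build_request("https://friendica.site", tok, in_query=mode))
        print("query-string" if mode else "header      ",
              verify_credentials(env), "| token in log:", token_in_log(env, tok))
```

Two things worth noting from the model. First, the only input the server trusts is the `Authorization` header, so a client that keeps sending the token in the URL gets the 401 even if it also sends a correct header elsewhere in the flow; the fixed request is accepted with nothing else changed. Second, in deployments where PHP runs behind a CGI/FastCGI front end the web server commonly strips the `Authorization` header before PHP sees it, which is why real code (and the `REDIRECT_` lookup in the thread) also checks a rewritten copy; if the header-based request still fails after the client fix, that is the next thing to check.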

in reply to JLuc

OK, the SPIP mastodon plugin's underlying library is now fixed and it now uses Authentication Bearer headers instead of the URL to convey the auth_token.
It is now compatible with friendica and other fediverse creatures that use mastodon API @Michael Vogel
