MDL-56737: Private token is not correctly handled in tool/mobile/launch.php


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:
      1. You need a site served over https to test this; you can mock the is_https function to always return true.
      2. You need a new user account on the site.
      3. As admin, enable Mobile services and set typeoflogin in Admin/Plugins/Web Service/Mobile to log in via browser, then log out.
      4. Ensure that you are not logged in to the site.
      5. In Chrome, open the developer tools and switch to the "Mobile device emulation" tool (the icon that shows a phone/tablet), then select iPhone or iPad; this changes the user-agent. It is important to use iPhone or iPad because it helps with debugging.
      6. Point the browser to admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc; you should be redirected to /login/index.php. Log in with the account created in step 2 and you should be redirected back to admin/tool/mobile/launch.php.
      7. Check that you see a screen with a link saying "Please, click here if the app does not open automatically"; if you inspect the link you will see that it points to moodlemobile://token=A_BASE64_STRING.
      8. Using an online tool like https://www.base64decode.org/, decode A_BASE64_STRING.
      9. You will see a string separated by :::. In the Moodle database, table external_tokens, check that the second part of the string is the token and the third part is the private token.
      10. Repeat the process and check that this time you don't receive the private token (the private token is only returned the first time the token is created).
      11. If you repeat the steps using the admin account, you should not receive the private token.
      12. If you repeat the steps on a site not using https (with a new user account), you should not receive the private token.
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-56737-master

      Description

      When we added support for private tokens we did some changes in login/token.php that should be reflected in tool/mobile/launch.php:

      • Remove the private token from the $token object so it is not available in the log storage systems and via events
      • Return the private token the first time it is generated
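      An added helper for the testing steps above and the two points in this description; it is not part of Moodle or of this issue's patch. It decodes the moodlemobile://token= link from step 7, splits it on ::: as in step 9, and checks the result against the rule in steps 10-12 (private token only on first creation, only over https, never for a site admin). The site part, the token values and the make_link builder are constructed sample data, not real Moodle output.

```python
import base64
from dataclasses import dataclass
from typing import Optional

SCHEME_PREFIX = "moodlemobile://token="   # link format from step 7
SEPARATOR = ":::"                          # separator from step 9


@dataclass
class LaunchPayload:
    site_part: str                # first part of the decoded string
    token: str                    # second part: the web service token
    private_token: Optional[str]  # third part: present only on first creation


def parse_launch_link(link: str) -> LaunchPayload:
    """Decode a moodlemobile://token=BASE64 link into its ':::'-separated parts."""
    if not link.startswith(SCHEME_PREFIX):
        raise ValueError("not a moodlemobile token link")
    decoded = base64.b64decode(link[len(SCHEME_PREFIX):]).decode("utf-8")
    parts = decoded.split(SEPARATOR)
    if len(parts) not in (2, 3):
        raise ValueError(f"expected 2 or 3 parts, got {len(parts)}")
    return LaunchPayload(parts[0], parts[1], parts[2] if len(parts) == 3 else None)


def private_token_expected(first_creation: bool, https: bool, siteadmin: bool) -> bool:
    """Rule from steps 10-12: only on first creation, only over https, never for admins."""
    return first_creation and https and not siteadmin


def check_launch(link: str, db_token: str, db_private: str,
                 first_creation: bool, https: bool, siteadmin: bool) -> bool:
    """Return True when the link matches external_tokens and follows the rule."""
    payload = parse_launch_link(link)
    if payload.token != db_token:
        return False
    if private_token_expected(first_creation, https, siteadmin):
        return payload.private_token == db_private
    return payload.private_token is None  # a private token here would be a leak


# Constructed sample values standing in for one external_tokens row (not real tokens).
DB_TOKEN = "0123456789abcdef0123456789abcdef"
DB_PRIVATE = "constructed-private-token-value"
SITE_PART = "constructed-site-part"


def make_link(include_private: bool) -> str:
    """Build a sample link in the shape launch.php produces, for this demonstration only."""
    parts = [SITE_PART, DB_TOKEN] + ([DB_PRIVATE] if include_private else [])
    return SCHEME_PREFIX + base64.b64encode(SEPARATOR.join(parts).encode()).decode()
```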


      Dates

      • Fix Release Date: 5/Dec/16