MDL-56905: Cannot get private token in different devices using SSO (tool/mobile/launch.php)


    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Affects Version: 3.2
    • Fix Version: 3.2
    • Component: Authentication
    • MOODLE_32_STABLE
    • MOODLE_32_STABLE
    • MDL-56905-master
      Testing instructions:
      1. You need a site under https to test this; you can mock the is_https function to always return true.
      2. You need a new user account on the site (not admin).
      3. As admin, enable Mobile services and set typeoflogin in Admin/Plugins/Web Service/Mobile to log in via browser. Once you're done, log out.
      4. Make sure that you are not logged in to the site.
      5. In Chrome, open the developer tools and then enable the "Mobile device emulation" tool (it is an icon showing a phone/tablet, usually in the top left corner of the developer tools).
      6. In the dropdown at the top, select iPhone or iPad. This will change the user agent; it is important to use iPhone or iPad because it will help with the debugging.
      7. Point the browser to /admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc; you should be redirected to /login/index.php. Log in with the account created in step 2 and you should then be redirected back to /admin/tool/mobile/launch.php.
      8. Check that you see a screen with a link saying "Please, click here if the app does not open automatically". If you inspect the link you will see that it points to moodlemobile://token=A_BASE64_STRING.
      9. Using an online tool like https://www.base64decode.org/, decode A_BASE64_STRING.
      10. You will see a string separated by :::. In the Moodle database, table external_tokens, check that the second part of the string is the token and the third part is the private token.
      11. Now log out again in the browser where you were testing. Repeat the process starting at step 5 and check that you receive the private token again.
      12. Now do a normal log-in in the browser (still in iPhone mode), and then point the browser to /admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc. Check that this time you aren't asked to log in and that you don't see the private token (because the private token is returned only when it has just been created or the user just logged in before accessing launch.php).
      13. If you repeat the process using the admin account, you should not receive the private token.
      14. If you repeat the steps on a site not using https (with a new user account), you should not receive the private token.

      The launch.php script has a condition to return the private token only if the token has just been created. I think this is too restrictive, since it will disable the auto-login feature in the app in the following cases:

      1. A user deletes a site and adds it again.
      2. A user re-installs the app.
      3. A user changes his device.
      4. A user has more than one device to use the Mobile app.

      In all the cases above the user will be unable to use the auto-login feature since the token is created once every 3 months.

      It's important to have some restriction for security reasons, but we should fix this since the current one isn't good enough for the app.
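      The decode-and-compare steps from the testing instructions and the relaxed condition the description asks for, as an added Python example (this is illustrative code, not Moodle's launch.php and not the reporter's): it puts the old trigger (private token only when the token was just created) next to the one the testing instructions expect (just created, or the user just logged in; https only; never for a site admin), builds the moodlemobile://token= link the way steps 8 to 10 describe it, and decodes it locally so a tester does not have to paste a live token into a third-party site. The dataclass field names, the label "siteid" for the first ':::' part (the page only identifies parts two and three), and the sample token values are assumptions; which of the https and site-admin checks predate the fix is not stated on the page.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

SEP = ":::"
SCHEME = "moodlemobile://token="


@dataclass
class ExternalToken:
    """Constructed stand-in for one row of the external_tokens table."""
    token: str
    privatetoken: str
    just_created: bool   # True only in the request that created the token


@dataclass
class LaunchContext:
    """Constructed request state (assumed names) that launch.php would consult."""
    is_https: bool
    is_siteadmin: bool
    just_logged_in: bool  # the user authenticated right before reaching launch.php


Policy = Callable[[ExternalToken, LaunchContext], bool]


def may_send_private_token_before(tok: ExternalToken, ctx: LaunchContext) -> bool:
    """The condition the issue calls too restrictive: only a freshly created token."""
    return tok.just_created and ctx.is_https and not ctx.is_siteadmin


def may_send_private_token_after(tok: ExternalToken, ctx: LaunchContext) -> bool:
    """The condition the testing instructions expect: freshly created OR the user
    just logged in, still only over https and never for a site admin."""
    return (tok.just_created or ctx.just_logged_in) and ctx.is_https and not ctx.is_siteadmin


def build_launch_url(siteid: str, tok: ExternalToken, include_private: bool) -> str:
    """Join the parts with ':::' and base64-encode them into the app link (steps 8-10).
    'siteid' is an assumed name for the first part; the page does not say what it is."""
    payload = siteid + SEP + tok.token
    if include_private:
        payload += SEP + tok.privatetoken
    return SCHEME + base64.b64encode(payload.encode("ascii")).decode("ascii")


def parse_launch_url(url: str) -> Tuple[str, str, Optional[str]]:
    """Local replacement for the online decoder in step 9.
    Returns (first part, token, privatetoken or None when it was not sent)."""
    if not url.startswith(SCHEME):
        raise ValueError("not a moodlemobile launch link")
    decoded = base64.b64decode(url[len(SCHEME):], validate=True).decode("ascii")
    parts = decoded.split(SEP)
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError("unexpected payload layout: %r" % decoded)
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def matches_db_row(url: str, row: ExternalToken) -> bool:
    """Step 10: the second part must equal external_tokens.token and the third,
    when present, must equal external_tokens.privatetoken."""
    _, token, privatetoken = parse_launch_url(url)
    if token != row.token:
        return False
    return privatetoken is None or privatetoken == row.privatetoken


def launch(tok: ExternalToken, ctx: LaunchContext, policy: Policy, siteid: str = "site1") -> str:
    """What launch.php would hand to the app under the given policy."""
    return build_launch_url(siteid, tok, policy(tok, ctx))


if __name__ == "__main__":
    # Constructed sample: a token that already exists (created on another device,
    # so not just_created) and a user who has just logged in via the browser on
    # a new device, i.e. cases 3 and 4 from the description.
    tok = ExternalToken(token="a" * 32, privatetoken="b" * 64, just_created=False)
    new_device = LaunchContext(is_https=True, is_siteadmin=False, just_logged_in=True)
    for name, policy in (("before", may_send_private_token_before),
                         ("after", may_send_private_token_after)):
        link = launch(tok, new_device, policy)
        got_private = parse_launch_url(link)[2] is not None
        print(name, "private token sent:", got_private, "matches row:", matches_db_row(link, tok))
```

      With the old policy the second device never receives the private token, which is exactly the auto-login failure the description lists; with the relaxed policy it does, while a plain visit from an already-open session (just_logged_in False), an http site, or a site admin still gets only the ordinary token.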

            Juan Leyva (jleyva)
            Dani Palou (dpalou)
            Dani Palou
            David Monllaó
            Adrian Greeve
            Votes: 0
            Watchers: 2
