Moodle tracker: MDL-56905

Cannot get private token in different devices using SSO (tool/mobile/launch.php)


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: 3.2
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:
      1. You need a site under https to test this; you can mock the is_https function to always return true.
      2. You need a new user account in the site (not admin).
      3. As admin, enable Mobile services and set typeoflogin in Admin/Plugins/Web Service/Mobile to log in via browser. Once you're done, log out.
      4. Make sure that you are not logged in to the site.
      5. In Chrome, open the developer tools and then enable the "Mobile device emulation" tool (an icon that displays a phone/tablet, usually in the top left corner of the Developer tools).
      6. In the dropdown at the top, select iPhone or iPad. This changes the user agent; it is important to use iPhone or iPad because it will help with the debugging.
      7. Point the browser to /admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc; you should be redirected to /login/index.php. Log in with the account created in step 2, and you should be redirected back to admin/tool/mobile/launch.php.
      8. Check that you see a screen with a link saying "Please, click here if the app does not open automatically". If you inspect the link you will see that it points to moodlemobile://token=A_BASE64_STRING.
      9. Using an online tool like https://www.base64decode.org/, decode A_BASE64_STRING.
      10. You will see a string separated by :::. In the Moodle database, table external_tokens, check that the second part of the string is the token and the third part is the private token.
      11. Now, log out again in the browser where you were testing. Repeat the process starting at step 5 and check that you receive the private token again.
      12. Now, do a normal log-in in the browser (still in iPhone mode), and then point the browser to /admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc. Check that this time you aren't asked to log in and you don't see the private token (the private token is returned only when it has just been created or the user logged in immediately before accessing launch.php).
      13. If you repeat the process using the admin account, you should not receive the private token.
      14. If you repeat the steps in a site not using https (with a new user account), you should not receive the private token.
    • Affected Branches:
      MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-56905-master

      Description

      The launch.php script has a condition to return the private token only if the token has just been created. I think this is too restrictive, since it will disable the auto-login feature in the app in the following cases:

      1. A user deletes a site and adds it again.
      2. A user re-installs the app.
      3. A user changes his device.
      4. A user has more than one device to use the Mobile app.

      In all the cases above the user will be unable to use the auto-login feature since the token is created once every 3 months.

      It's important to have some restriction for security reasons, but we should fix this since the current one isn't good enough for the app.
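The token link described in steps 8-10 of the testing instructions, together with the private-token policy spelled out in steps 12-14 and in the description above, as an added Python example (not Moodle's own code): it decodes the moodlemobile://token= link offline, compares the fields against an external_tokens row, and models when a private token is expected to be present. Decoding locally also avoids pasting a live token into a third-party decoder. The first field of the payload, the two-field shape of a response that withholds the private token, and the row's column names are assumptions; all sample values are constructed.

```python
import base64

# Field separator and link prefix as described in the testing instructions.
SEPARATOR = ":::"
LINK_PREFIX = "moodlemobile://token="


def build_launch_link(first_part, token, private_token=None):
    """Construct a link of the shape launch.php hands to the app.

    Only used here to produce constructed test input; the meaning of the
    first field is not described on the issue page and is an assumption.
    """
    parts = [first_part, token]
    if private_token is not None:
        parts.append(private_token)
    payload = SEPARATOR.join(parts).encode("utf-8")
    return LINK_PREFIX + base64.b64encode(payload).decode("ascii")


def decode_launch_link(link):
    """Decode the base64 payload and return (first_part, token, private_token).

    private_token is None when the payload carries only two fields, which is
    assumed to be the shape of a response that withholds the private token.
    """
    if not link.startswith(LINK_PREFIX):
        raise ValueError("not a moodlemobile token link")
    encoded = link[len(LINK_PREFIX):]
    payload = base64.b64decode(encoded, validate=True).decode("utf-8")
    parts = payload.split(SEPARATOR)
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError("unexpected number of fields: %d" % len(parts))


def matches_external_tokens_row(link, row):
    """Step 10 of the test: the second field must equal the row's token and
    the third field, when present, its private token. The row is a plain dict
    with assumed keys 'token' and 'privatetoken' (constructed, not a DB query).
    """
    _, token, private_token = decode_launch_link(link)
    if token != row["token"]:
        return False
    return private_token is None or private_token == row["privatetoken"]


def private_token_expected(site_is_https, user_is_admin,
                           token_just_created, user_just_logged_in):
    """Policy from steps 12-14 of the testing instructions, as a model of the
    expected behaviour (not launch.php's code): the private token is only
    returned over https, never to admin, and only when the token was just
    created or the user logged in immediately before reaching launch.php.
    """
    if not site_is_https or user_is_admin:
        return False
    return token_just_created or user_just_logged_in


if __name__ == "__main__":
    # Constructed values standing in for a real external_tokens row.
    row = {"token": "tok_constructed_1", "privatetoken": "priv_constructed_1"}
    link = build_launch_link("site_constructed", row["token"], row["privatetoken"])
    print(decode_launch_link(link))
    print("matches row:", matches_external_tokens_row(link, row))
    print("private token expected after fresh login over https:",
          private_token_expected(True, False, False, True))
```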

              People

              Assignee:
              jleyva Juan Leyva
              Reporter:
              dpalou Dani Palou
              Peer reviewer:
              Dani Palou
              Integrator:
              David Monllaó
              Tester:
              Adrian Greeve
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              0
              Watchers:
              2

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                5/Dec/16