Moodle tracker: MDL-65075

Enhance auto-login functionality security allowing only Mobile App requests


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.6.3
    • Fix Version/s: 3.7
    • Component/s: Other
    • Labels:
    • Testing Instructions:
      Prerequisite
      1. Moodle mobile app.
      2. Testing site running https.
      3. Your Moodle mobile app should be able to connect to your Moodle website. You can do either of the following:
        • Ensure that the phone with the mobile app and the web server are on the same network, or
        • Expose the web server over the internet via ngrok (recommended, because of the https requirement).
      Test
      1. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Create a new course with at least 1 module in it (it can be any module except for "label").
      3. Create a new user in the site and enrol it in that course.
      4. Using the mobile app, log in to the site as that user.
      5. Open the module from step 2 in the app and, once inside, open the top-right menu (3 dots) and click "Open in browser".
      6. Check that you are automatically logged in to the site (you won't have to enter your credentials). Please note that this can only be done once every 6 minutes, so if you want to try again you'll have to wait.
      7. Now, execute the following curl request in a terminal, using the user's wstoken, which you can get from the external_tokens table in the database, field "token" (substitute it for the token value in the command):

        curl 'http://wwwroot/webservice/rest/server.php?moodlewsrestformat=json' --data 'privatetoken=any&wsfunction=tool_mobile_get_autologin_key&wstoken=3af67232a7596ceb658df4db329e5ad6' --compressed | python -m "json.tool"

      8. Confirm that you receive the following exception: "errorcode": "apprequired", with the message: "This functionality is only available when accessed via the Moodle mobile or desktop app."
    • Affected Branches:
      MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-65075-master

      Description

      MDL-64281 introduces Mobile app requests detection via custom User Agent.

      We should use this new feature to harden the existing auto-login (from the app to the site) functionality, so that it can only be used via the app and not from a normal browser, to avoid any possible XSS attack.
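      The following is an added model of the server-side guard this issue describes, written for this page; it is not Moodle's code. It replays the testing steps above: a valid wstoken alone is not enough to obtain an auto-login key, the request must also carry the app's User-Agent, and a second key is refused for 6 minutes. The User-Agent marker "MoodleMobile", the sample app User-Agent string, the userid 42 and every error code other than "apprequired" are assumptions or constructed values; only "apprequired" and its message are taken from the testing instructions.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# "Once every 6 minutes", from the testing instructions, in seconds.
AUTOLOGIN_MIN_INTERVAL = 6 * 60

# Assumption, not stated on the page: the app's custom User-Agent (MDL-64281)
# carries a fixed marker that the server looks for.
APP_UA_MARKER = "MoodleMobile"

# Error code and message quoted in the testing instructions.
APP_REQUIRED_CODE = "apprequired"
APP_REQUIRED_MESSAGE = ("This functionality is only available when accessed via "
                        "the Moodle mobile or desktop app.")


class WebserviceError(Exception):
    """A web service failure, rendered like the REST JSON error body."""

    def __init__(self, errorcode, message):
        super().__init__(message)
        self.errorcode = errorcode
        self.message = message

    def to_response(self):
        return {"exception": "moodle_exception",
                "errorcode": self.errorcode, "message": self.message}


def is_app_request(user_agent):
    """Classify a request as app-originated from its User-Agent header alone."""
    return user_agent is not None and APP_UA_MARKER in user_agent


@dataclass
class AutologinService:
    # wstoken -> userid; stands in for the external_tokens table named on the page.
    tokens: dict
    # userid -> time the last key was issued; drives the 6-minute lockout.
    last_issued: dict = field(default_factory=dict)
    # key -> userid; issued keys not yet consumed by the browser login step.
    keys: dict = field(default_factory=dict)

    def get_autologin_key(self, wstoken, user_agent, now):
        userid = self.tokens.get(wstoken)
        if userid is None:
            # Placeholder error code; only "apprequired" is taken from the page.
            raise WebserviceError("invalidtoken", "Invalid token - token not found")
        # The MDL-65075 guard: a valid token is not enough, the request must
        # also look like it came from the app.
        if not is_app_request(user_agent):
            raise WebserviceError(APP_REQUIRED_CODE, APP_REQUIRED_MESSAGE)
        last = self.last_issued.get(userid)
        if last is not None and now - last < AUTOLOGIN_MIN_INTERVAL:
            # Placeholder error code for the lockout the testing steps mention.
            raise WebserviceError("autologinlockout",
                                  "An auto-login key was already issued; try again later.")
        key = secrets.token_urlsafe(32)
        self.keys[key] = userid
        self.last_issued[userid] = now
        return {"key": key}

    def handle_rest_request(self, body, user_agent, now):
        """Model of the REST endpoint for this one function.

        `body` is the URL-encoded form that the curl command in the testing
        instructions posts with --data; the result is the JSON-shaped dict
        the caller would see."""
        params = {k: v[0] for k, v in parse_qs(body).items()}
        try:
            if params.get("wsfunction") != "tool_mobile_get_autologin_key":
                # Placeholder error code; only this function is modelled.
                raise WebserviceError("unknownfunction", "Function not modelled here")
            return self.get_autologin_key(params.get("wstoken"), user_agent, now)
        except WebserviceError as err:
            return err.to_response()


def demo():
    """Replay the testing steps against the model and return each response."""
    # Constructed data: the wstoken is the value quoted in the testing instructions.
    service = AutologinService(tokens={"3af67232a7596ceb658df4db329e5ad6": 42})
    body = ("privatetoken=any&wsfunction=tool_mobile_get_autologin_key"
            "&wstoken=3af67232a7596ceb658df4db329e5ad6")
    terminal_ua = "curl/7.64.0"                 # step 7: the call from a terminal
    app_ua = "MoodleMobile 3.6.1 (36102)"       # constructed app User-Agent
    return {
        "curl": service.handle_rest_request(body, terminal_ua, now=1000),
        "app_first": service.handle_rest_request(body, app_ua, now=1000),
        "app_retry_1min": service.handle_rest_request(body, app_ua, now=1000 + 60),
        "app_retry_6min": service.handle_rest_request(body, app_ua, now=1000 + 360),
    }


if __name__ == "__main__":
    for name, response in demo().items():
        print(name, response)
```

      The curl call from step 7 gets the "apprequired" error, the first app call gets a key, a retry one minute later is locked out, and a retry at the six-minute mark gets a fresh key. Note that the header is chosen by the client, so the check is a defence-in-depth layer that stops ordinary browser-side calls rather than proof that the caller is the app; the token, the https requirement and the lockout still carry the rest of the protection.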

              People

              • Votes: 0
              • Watchers: 4

                Dates

                • Created:
                • Updated:
                • Resolved:
                • Fix Release Date: 20/May/19

                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0m
                  • Logged: 1d 6h 40m