Moodle / MDL-65547

Enable login into the mobile app via QR in the web user profile


    Details

    • Testing Instructions:
      Prerequisite
      1. Moodle site configured to use https (e.g. using ngrok with $CFG->sslproxy set to true)
      2. Mobile device with a QR code reader app
      Automatic login via QR code as admin
      1. As an admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      2. Enable "QR code for automatic login" in the QR code access setting via Site admin > Mobile app -> Mobile authentication
      3. Go to your user profile via the top-right menu
      4. Check that in the Mobile app section you see a message indicating that "For security reasons login via QR code is not allowed to site administrators or if you are logged in as another user."
      5. Confirm that there is no button to view the QR code for automatic login.
      Automatic login via QR code as admin logged in as another user
      1. Continuing as admin from the previous section, open the profile page of another user.
      2. Under "Administration", click "Log in as"
      3. Open the user menu and go to the user's profile.
      4. Confirm that you see the message "For security reasons login via QR code is not allowed to site administrators or if you are logged in as another user."
      5. Confirm that there is no button to view the QR code for automatic login.
      Automatic login via QR code as a non-admin user
      1. Now, log in to the Moodle site with a non-admin user account
      2. Go to the user profile page.
      3. Confirm that you can see the "View QR code" button in the "Mobile app" section of your profile page.
      4. Click the "View QR code" button and scan the QR code with a phone
      5. Copy the scanned text result somewhere on your computer
      6. Open the console and execute this new curl request (let's call this "tool_mobile_get_tokens_for_qr_login"), replacing SITE_URL with your site URL, YOUR_QR_LOGIN_KEY with the value of the qrlogin parameter from the scanned text, and USERID with the id of the user the code was generated for.

        curl 'SITE_URL/lib/ajax/service.php' -A "MoodleMobile" --data-binary '[{"index":0,"methodname":"tool_mobile_get_tokens_for_qr_login","args":{"qrloginkey": "YOUR_QR_LOGIN_KEY", "userid": "USERID"}}]' | python -m "json.tool"
        

      7. Confirm that:
        • In the response for the curl request you see three fields: token, privatetoken and warnings
        • warnings is empty
        • token and privatetoken are not empty
      8. Open the console and execute this new curl request (let's call this "core_webservice_get_site_info"), replacing SITE_URL with your site URL and TOKEN with the value of the token field from the previous curl request

        curl 'SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=TOKEN' | python -m "json.tool"
        

      9. Confirm that you see information about the site (site name, version) among other fields in the response.
      Test time limit
      1. Wait 11 minutes
      2. Execute the "tool_mobile_get_tokens_for_qr_login" curl request
      3. Confirm that you see an expired token error
      Test with Automatic QR code login set, but site is in HTTP.
      1. With "QR code access" still set to "QR code with automatic login".
      2. Set your site to run on HTTP instead of HTTPS.
      3. Log in as a non-admin user and go to your profile page.
      4. Confirm that you don't see the "View QR code" button.
      Test QR codes with just the URL
      1. Log in as an admin and enable "QR code with the site address" in the QR code access setting via Site admin > Mobile app -> Mobile authentication
      2. Now go to your user profile and check that you see the QR code without having to click on a "View QR code" button
      3. Scan the QR code.
      4. Check that the text scanned is: "moodlemobile://YOUR_SITE_URL"
    • Affected Branches:
      MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-65547-master

      Description

      It would be cool to simplify the way users can log in to a Moodle site via the app, using a similar approach to what WhatsApp does with WhatsApp Web.

      Overall idea would be:

      • If mobile services are enabled and this feature is not disabled (we'll add an option), in the user profile we generate a QR code for a URL that will auto-login the user in the app (the URL will have the user token)
      • Using the Moodle App (or a standard QR reader if the app is installed) the user will be able to scan the QR code to log in

      Security questions:

      • Should the QR code be valid only for a certain time? (maybe the user left his session open on a shared computer)
      • Should we encode (encryption is not possible) the token/private token that will be part of the URL used to generate the QR code?
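
The conditions the testing instructions above check (HTTPS only, no site administrators, no "Log in as" sessions, a key tied to one user id that expires), as an added Python model. It is not Moodle's code: the class, method and error names and the 10-minute lifetime are assumptions (the page only shows that a key is rejected as expired after 11 minutes).

```python
import secrets
import time
from dataclasses import dataclass

# Assumed lifetime; the test plan only shows a key is expired after 11 minutes.
KEY_TTL_SECONDS = 600


class QRLoginError(Exception):
    """Raised when a QR login key may not be issued or redeemed."""


@dataclass
class Session:
    userid: int
    is_site_admin: bool = False
    logged_in_as: bool = False  # an admin using "Log in as"


class QRLoginKeys:
    """Hypothetical in-memory store of QR login keys (illustration only)."""

    def __init__(self, site_url, clock=time.time):
        self.site_url = site_url
        self.clock = clock
        self._keys = {}  # key -> (userid, expiry timestamp)

    def can_show_qr(self, session):
        # The three conditions the profile-page tests exercise.
        return (self.site_url.startswith("https://")
                and not session.is_site_admin
                and not session.logged_in_as)

    def issue(self, session):
        if not self.can_show_qr(session):
            raise QRLoginError("qr login not allowed")
        key = secrets.token_hex(16)
        self._keys[key] = (session.userid, self.clock() + KEY_TTL_SECONDS)
        return key

    def redeem(self, key, userid):
        # The key is only valid together with the user id it was issued for.
        owner, expires = self._keys.get(key, (None, 0))
        if owner is None or owner != int(userid):
            raise QRLoginError("invalid key")
        if self.clock() > expires:
            del self._keys[key]
            raise QRLoginError("expired key")
        # Token values are random stand-ins for the real web service tokens.
        return {"token": secrets.token_hex(16),
                "privatetoken": secrets.token_hex(32), "warnings": []}
```
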

              People

              Assignee:
              jleyva Juan Leyva
              Reporter:
              jleyva Juan Leyva
              Peer reviewer:
              Pau Ferrer
              Integrator:
              Jun Pataleta
              Tester:
              Anna Carissa Sadia
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              0
              Watchers:
              8

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                15/Jun/20

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  3d 4h 31m