  1. Moodle
  2. MDL-71907

Mobile app QR code login assumes IPv4 NAT

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.9.7, 3.10.4, 3.11
    • Fix Version/s: None
    • Component/s: Administration

      Description

      The code implemented by MDL-65547 assumes that users will have their computer and their mobile device accessing the Moodle instance from the same public IP (usually, the same WiFi network, with only NATted IPv4).

      https://github.com/moodle/moodle/blob/master/admin/tool/mobile/classes/api.php#L383

          public static function get_qrlogin_key() {
              global $USER;
              // Delete previous keys.
              delete_user_key('tool_mobile', $USER->id);
       
              // Create a new key.
              $iprestriction = getremoteaddr(null);
              $validuntil = time() + self::LOGIN_QR_KEY_TTL;
              return create_user_key('tool_mobile', $USER->id, null, $iprestriction, $validuntil);
          }
      

      So the QR login doesn't work in any of the following situations:

      • computer and smartphone on WiFi providing native IPv6 (they'll get different IPs)
      • computer and smartphone on WiFi providing native IPv6, but Android doesn't use IPv6 (so the computer gets a unique IPv6, and the smartphone gets the NATted IPv4)
      • computer on WiFi, smartphone over WWAN
      • computer/tablet on WWAN, smartphone over WiFi
      • etc

      In other words, the requirement for the opened Moodle session to appear to be from the same IP as the mobile device connecting with the mobile app doesn't work, and should be changed.

      I'd propose to shorten the token duration to 2 minutes, and lift the IP restriction.
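      A small model of the scenarios listed above, added here as an illustration; it is not Moodle code and not part of the original report. The function names `issue_key` and `key_accepts`, the exact-match address check, the 600-second lifetime of the IP-bound key and all addresses (documentation ranges) are assumptions made for the example.

```php
<?php
// Added illustration, not Moodle code: every name below is hypothetical.

// Issue a key as the report describes: optionally bound to the browser's address.
function issue_key(?string $browser_ip, int $ttl, int $now): array {
    return ['iprestriction' => $browser_ip, 'validuntil' => $now + $ttl];
}

// Assumption: the restriction is enforced as an exact address match.
function key_accepts(array $key, string $app_ip, int $now): bool {
    if ($now > $key['validuntil']) {
        return false;                       // key expired
    }
    if ($key['iprestriction'] === null) {
        return true;                        // no IP binding: lifetime is the only limit
    }
    // Compare packed forms so equivalent spellings of one address match.
    $bound = inet_pton($key['iprestriction']);
    $seen  = inet_pton($app_ip);
    return $bound !== false && $bound === $seen;
}

// Constructed cases: [address seen for the browser, address seen for the app,
// seconds between showing the QR code and scanning it].
$cases = [
    'same WiFi, NATted IPv4'         => ['203.0.113.7',    '203.0.113.7',    30],
    'same WiFi, native IPv6'         => ['2001:db8:1::a1', '2001:db8:1::b2', 30],
    'computer IPv6, phone NATted v4' => ['2001:db8:1::a1', '203.0.113.7',    30],
    'computer WiFi, phone WWAN'      => ['203.0.113.7',    '198.51.100.44',  30],
    'same NAT, scanned after 3 min'  => ['203.0.113.7',    '203.0.113.7',    180],
];

$now = 1700000000; // fixed clock so the run is reproducible
foreach ($cases as $label => [$browser, $app, $delay]) {
    $bound   = issue_key($browser, 600, $now); // 600 s is a constructed lifetime
    $unbound = issue_key(null, 120, $now);     // the proposal: 2 minutes, no IP restriction
    printf("%-32s ip-bound=%-4s ttl-only=%s\n", $label,
        key_accepts($bound, $app, $now + $delay) ? 'ok' : 'FAIL',
        key_accepts($unbound, $app, $now + $delay) ? 'ok' : 'FAIL');
}
```

      With the restriction lifted, the key is accepted from any address until it expires, so the lifetime becomes the only bound on its reuse.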

            People

            Assignee:
            Unassigned
            Reporter:
            odyx Didier Raboud
            Participants:
            Component watchers:
            Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
            Votes:
            1
            Watchers:
            2
