MDL-74862

Allow disabling the QR login IP restriction check


Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • 4.1
    • 4.0.1, 4.0.3
    • Other
    • MOODLE_400_STABLE
    • MOODLE_401_STABLE
    • MDL-74862-master
    • Testing instructions
      Prerequisite
      1. Moodle site configured to use https (e.g. using ngrok with $CFG->sslproxy set to true)
      2. To avoid Moodle detecting your local IP instead of your remote IP, set the admin setting getremoteaddrconf (Logged IP address source) to HTTP_X_FORWARDED_FOR, REMOTE_ADDR
      3. Mobile device with a QR code reader app
      4. You will need both a Wi-Fi and a mobile data connection (different IPs), or a VPN, so that you can change your IP at some point during the test
      5. As the site admin, ensure that Mobile services are enabled in Site administration > Advanced features
      6. As the site admin, ensure that the Mobile app > Mobile app authentication > QR code access setting is set to QR code with automatic login
      7. As the site admin, ensure that the Mobile app > Mobile app authentication > "QR authentication same IP check" is enabled
      Test IP mismatch error
      1. Now, log in to the Moodle site with a non-admin user account
      2. Go to the user profile page.
      3. Confirm that you can see the "View QR code" button in the "Mobile app" section of your profile page.
      4. Confirm that the message above the "View QR code" button says at the end "The QR code will expire in 10 mins."
      5. Click the "View QR code" button and scan the QR code with a phone
      6. Copy the scanned text result somewhere on your computer
      7. Now, from a different IP address, open a console and run the following curl request, replacing SITE_URL with your site's URL, YOUR_QR_LOGIN_KEY with the value of the qrlogin parameter from the scanned text, and USERID with the id of the user the code was generated for.

         curl 'SITE_URL/lib/ajax/service.php' -A "MoodleMobile" --data-binary '[{"index":0,"methodname":"tool_mobile_get_tokens_for_qr_login","args":{"qrloginkey": "YOUR_QR_LOGIN_KEY", "userid": "USERID"}}]' | python -m "json.tool"

      8. Confirm that:
        • You receive an exception/error 'ipmismatch'
      Test IP ignored
      1. As the site admin, go to Mobile app > Mobile app authentication and disable the "QR authentication same IP check" setting
      2. Repeat steps 1 to 7 from the previous section
      3. After executing the curl request confirm that:
        • You don't see any errors now
        • You receive a token and private token as part of the response and no warnings

    Description

      The QR login via the mobile app functionality does some security checks such as setting a max time of 10 minutes for the QR code to be valid and checking that the same IP is used when generating the QR code and when scanning it.

      The IP check causes problems in these scenarios:

      • The computer connects over IPv6 but the Android device uses IPv4, so the check always fails
      • Institutions providing different WiFi access (so different IPs) for computers and mobile devices
      • Institutions providing network access via ethernet to computers under a different IP than for mobile devices

      Adding a setting to disable the IP check will allow these institutions to use the feature, while existing institutions can keep the current behaviour.
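      The following Python model, added here as an illustration and not Moodle's own code, shows how the checks described above fit together: a 10-minute expiry, a same-IP comparison that is skipped when the admin setting is off, and the IPv6-versus-IPv4 case from the first bullet. It also classifies the web service response the curl request in the testing instructions returns. The setting name qrsameipcheck, the error codes other than 'ipmismatch', the response shape, and all sample data are assumptions made for this example.

```python
# Added illustration for MDL-74862: a model of the QR-login checks the issue
# describes (10-minute expiry, same-IP check, admin setting to disable the IP
# check) plus a classifier for the web service response the test plan inspects.
# This is not Moodle's code; the setting name, the error codes other than
# 'ipmismatch', the response shape and the sample data are constructed.
import ipaddress
import json
import time
from dataclasses import dataclass

QR_LOGIN_TTL_SECONDS = 10 * 60  # the 10-minute validity window from the issue


@dataclass
class SiteConfig:
    # Models the "QR authentication same IP check" admin setting (name assumed).
    qrsameipcheck: bool = True


@dataclass
class QrLoginKey:
    userid: int
    key: str
    created_ip: str    # IP recorded when the QR code was generated
    created_at: float  # unix timestamp of generation


def normalise_ip(ip):
    """Parse an address; IPv4-mapped IPv6 (::ffff:a.b.c.d) collapses to IPv4.
    A native IPv6 address and an IPv4 address still compare unequal, which is
    the first failure scenario described in the issue."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def validate_qr_login(store, cfg, userid, qrloginkey, request_ip, now=None):
    """Return ('ok', record) or ('error', errorcode) for a token request.
    Only 'ipmismatch' is the error code named on the issue page; 'invalidkey'
    and 'expired' are placeholders for this example."""
    now = time.time() if now is None else now
    record = store.get(qrloginkey)
    if record is None or record.userid != userid:
        return 'error', 'invalidkey'
    if now - record.created_at > QR_LOGIN_TTL_SECONDS:
        return 'error', 'expired'
    # The IP comparison is the check the new setting turns off.
    if cfg.qrsameipcheck and normalise_ip(record.created_ip) != normalise_ip(request_ip):
        return 'error', 'ipmismatch'
    return 'ok', record


def classify_ajax_response(body):
    """Classify the JSON returned by the curl call in the test plan.
    Assumed shape (not taken from the page): a one-element list holding either
    {"error": true, "exception": {"errorcode": ...}} or
    {"error": false, "data": {"token": ..., "privatetoken": ..., "warnings": [...]}}."""
    result = json.loads(body)[0]
    if result.get('error'):
        return 'error', result['exception'].get('errorcode')
    data = result.get('data', {})
    if data.get('warnings'):
        return 'warning', data['warnings']
    if data.get('token') and data.get('privatetoken'):
        return 'ok', None
    return 'unexpected', None


def run_scenarios():
    """Walk the scenarios from the issue and return {name: outcome}."""
    store = {  # constructed keys; 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges
        'k1': QrLoginKey(userid=5, key='k1', created_ip='203.0.113.10', created_at=1000.0),
        'k2': QrLoginKey(userid=5, key='k2', created_ip='2001:db8::1', created_at=1000.0),
    }
    on, off = SiteConfig(qrsameipcheck=True), SiteConfig(qrsameipcheck=False)
    v = validate_qr_login
    return {
        'same_ip': v(store, on, 5, 'k1', '203.0.113.10', now=1100.0)[0],
        'different_ip_check_on': v(store, on, 5, 'k1', '198.51.100.7', now=1100.0)[1],
        'different_ip_check_off': v(store, off, 5, 'k1', '198.51.100.7', now=1100.0)[0],
        'ipv6_vs_ipv4_check_on': v(store, on, 5, 'k2', '198.51.100.7', now=1100.0)[1],
        'ipv6_vs_ipv4_check_off': v(store, off, 5, 'k2', '198.51.100.7', now=1100.0)[0],
        'expired_check_off': v(store, off, 5, 'k1', '203.0.113.10', now=1000.0 + 601)[1],
        'wrong_user': v(store, off, 6, 'k1', '203.0.113.10', now=1100.0)[1],
    }


# Constructed sample responses in the assumed shape.
SAMPLE_IPMISMATCH = json.dumps([{"error": True, "exception": {"errorcode": "ipmismatch", "message": "constructed"}}])
SAMPLE_OK = json.dumps([{"error": False, "data": {"token": "t", "privatetoken": "p", "warnings": []}}])

if __name__ == '__main__':
    print(run_scenarios())
    print(classify_ajax_response(SAMPLE_IPMISMATCH), classify_ajax_response(SAMPLE_OK))
```

      Note that disabling the IP check leaves the expiry check in place: the expired scenario still fails with the setting off, which is the residual protection an administrator relies on after turning the IP comparison off.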

      Attachments

        1. image-2022-09-01-17-18-15-517.png (119 kB)
        2. image-2022-09-01-17-19-16-686.png (150 kB)
        3. ipmismatch.png (88 kB)
        4. noerror.png (57 kB)

        People

          Juan Leyva (jleyva)
          Rodrigo Mady
          Sara Arjona (@sarjona)

        Time Tracking

          Logged: 1 day, 4 hours, 11 minutes