How to properly verify user authentication by cookie ?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • tothewine
    Active Community Member
    • Jan 2018
    • 373

    How to properly verify user authentication by cookie ?

    I tried to make a simple login check but I have inconsistent results when doing this...

    Code:
    $authUsername = $_COOKIE['auth-username'];
    $authPassword = $_COOKIE['auth-token'];
    $authObject = new \Espo\Core\Utils\Auth($this->getContainer());
    $isAuthenticated = $authObject->login($authUsername, $authPassword);
    I get $isAuthenticated = null for some reason

    I would really love to find a core function that retturns the login status as a boolean...
    Last edited by tothewine; 07-11-2020, 06:29 PM.
  • tothewine
    Active Community Member
    • Jan 2018
    • 373

    #2
    It seems in my case that the login is working for the normal web application but the entrypoint has the 'system' user logged in.

    Comment

    • tothewine
      Active Community Member
      • Jan 2018
      • 373

      #3
      yuri could you provide any insight on this entrypoint problem? current user is set to system even tough it is logged into espo.( $authRequired = false so that I can show a custom error to the user). I load the entrypoint in a iframe on another domain.

      Am I checking authentication the wrong way? In that case could you tell me how to do it properly?

      idk maybe the webapp is doing something different for authentication after last updates... i see there is a token-secret cookie in the php code of login but it is not available to my entrypoint. maybe it's a cors problem, but now I found that another entrypoint that is embedded directly in the espo page has this problem too.
      Last edited by tothewine; 07-13-2020, 10:55 AM.

      Comment

      • yuri
        Member
        • Mar 2014
        • 8440

        #4
        I recommend debugging. I would need to look into the code to refresh in memory how it's working. BTW for 6.0 I have refactored the auth logic a bit.
        If you find EspoCRM good, we would greatly appreciate if you could give the project a star on GitHub. We believe our work truly deserves more recognition. Thanks.

        Comment

      • tothewine
        Active Community Member
        • Jan 2018
        • 373

        #5
        By the way I just realized the behaviour of this problem when authRequired is true is a basic authentication popup, which is something I have witnessed seemingly at random since espo 5.4 in entrypoints embedded using authenticated iframes.

        I tried to compare my avatar entrypoint to the system one but avatar entrypoint accepts the request, while mine doesn't.

        I inspected the code and found out that $notStrictAuth = true for the avatar while it is not defined in my custom entrypoint class (presumably is false).

        Could you explain to me what does strict auth mean exactly?

        Update: I tried setting it to true, but I continue to get unauthorized error

        Code:
        GET https://example.com/crm/?entryPoint=rcProPic&uname=admin HTTP/1.1
        Host: example.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        DNT: 1
        Connection: keep-alive
        Cookie: auth-token-secret=21da1de519164c1241c191c79a119011; auth-username=admin; auth-token=f13a1b151c12191111531714811918; PHPSESSID=31615161e1d1b17181e101b1e1f18111
        Upgrade-Insecure-Requests: 1
        
        
        HTTP/1.1 302 Found
        *cut* [HR][/HR]GET https://example.com/crm/?entryPoint=rcProPic&uname=admin HTTP/1.1
        Host: example.com
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
        Accept: image/webp,*/*
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Referer: https://example.com/
        DNT: 1
        Connection: keep-alive
        Cookie: auth-username=admin; auth-token=f13a1b151c12191111531714811918; PHPSESSID=31615161e1d1b17181e101b1e1f18111
        Cache-Control: max-age=0
        
        
        HTTP/1.1 401 Unauthorized
        Date: Thu, 23 Jul 2020 11:29:11 GMT
        Server: Apache
        Www-Authenticate: Basic realm=""
        Access-Control-Allow-Methods: POST, GET, PUT, PATCH, DELETE
        Content-Length: 0
        Keep-Alive: timeout=5, max=99
        Connection: Keep-Alive
        Content-Type: text/html;charset=UTF-8 [HR][/HR]
        The problem here is that the first request is done directly by pasting the link in the address bar while the second is done within an iframe embedded on another domain. In the second request the auth-token-secret cookie is never sent by the browser. Am I doing something wrong ?



        And is the auth-token-secret cookie relly needed for auth? Is it secure if I check the other cookies manually ?
        Last edited by tothewine; 07-23-2020, 11:44 AM.

        Comment

        • tothewine
          Active Community Member
          • Jan 2018
          • 373

          #6
          I figure the problem is not due to HTTPONLY flag being set on auth-token-secret, but rather the SameSite: Lax flag that prevents the cookie from being sent except in top-level navigation.
          I believe putting an entrypoint in a iframe tag is a pretty common use case. Is there a way to allow the cookie only for one domain? I think I can search and destroy SameSite:Lax inthe source code but then it will be creating a potential security problem... right? Do you have any idea on how to properly solve the problem of iframe authentication?

          Comment

          Working...