From: Gianluca S. <gi...@gm...> - 2013-12-16 10:08:11
I am finalizing a plugin which offers an entry point for an external cron job to trigger its main procedure.

Since I was not keen on adding login/password pairs at each call to the plugin's URL, I devised another authorization scheme based on a shared secret (API key) that is needed to compose the final URL to call.

In short, the client needs to augment the request with a 'key' parameter with an arbitrary string and an authorization signature which is the md5sum of $shared_key+$key. If this does not match, the call is refused.

However, I needed to run the script as some user, so I am resorting to using the auth_attempt_script_login() function to pretend a predefined user actually logged in.

Now a couple of questions.

Do you see any better method of authenticating a user without using their login/password in the request parameters?

Do you think it would be useful to generalize this access method, bringing it into core to improve security on the (SOAP) API calls?

Regards

Gianluca

--
Gianluca Sforna

http://morefedora.blogspot.com
http://identi.ca/giallu - http://twitter.com/giallu
From: Manilal K M <ma...@ej...> - 2013-12-16 10:56:56
----- Original Message -----
> From: "Gianluca Sforna" <gi...@gm...>
> To: "developer discussions" <man...@li...>
> Sent: Monday, December 16, 2013 3:37:44 PM
> Subject: [mantisbt-dev] Scripted access to mantis functions
>
> Do you see any better method of authenticating a user without using
> their login/password in the request parameters?

I am currently working on an application which implements the Podio API. I really liked the options they provide to authenticate users with/without password.

https://developers.podio.com/authentication

Maybe the *App authentication flow* is the one you are looking for.

> Do you think it would be useful to generalize this access method
> bringing it into core to improve security on the (SOAP) API calls?

Yes, I would really like to see an implementation of authentication without using username/password in the core. This would give a solid integration method for Mantis and we can easily access Mantis through third party applications irrespective of the authentication method they use.

regards
Manilal
From: Victor B. <vb...@gm...> - 2013-12-18 01:32:22
There are several API examples in services like AWS, Twitter, Netflix, etc. Common patterns include:

1. Use of shared secret - not a password.
2. Make sure that the request was not altered - shared secret + request = digest.
3. Make sure that the request can't be replayed - timestamp within N minutes and timestamp is included in digest.
4. Use of OAUTH when it makes sense.
5. Use of REST over SOAP - better mobility support.

Based on the readme, you seem to have 1 and part of 2 covered, but not the rest.

On Mon, Dec 16, 2013 at 2:07 AM, Gianluca Sforna <gi...@gm...> wrote:
> I am finalizing a plugin which offers an entry point for an external
> cron job to trigger its main procedure.
>
> Since I was not keen about adding login/password pairs at each call to
> the plugin's URL, I devised another authorization scheme based on a
> shared secret (API key) that is needed to compose the final URL to
> call.
>
> In short, the client needs to augment the request with a 'key'
> parameter with an arbitrary string and an authorization signature
> which is the md5sum of $shared_key+$key. If this does not match, the
> call is refused.
>
> However, I needed to run the script as some user, so I am resorting to
> using the
> auth_attempt_script_login() function to pretend a predefined user
> actually logged in.
>
> Now a couple questions.
>
> Do you see any better method of authenticating a user without using
> their login/password in the request parameters?
>
> Do you think it would be useful to generalize this access method
> bringing it into core to improve security on the (SOAP) API calls?
>
> Regards
>
> Gianluca
>
> --
> Gianluca Sforna
>
> http://morefedora.blogspot.com
> http://identi.ca/giallu - http://twitter.com/giallu
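The following is an added example, not code from the plugin, from MantisBT or from any of the posters. It puts Gianluca's scheme (a shared secret plus an arbitrary 'key' parameter and a signature) together with Victor's points 1 to 3: a shared secret that is not a password, a digest over the whole request rather than over the key alone, and a timestamp window plus a nonce cache so a captured URL cannot be replayed. It is written in Python so that both sides of the exchange (the cron job that builds the URL and the endpoint that checks it) fit in one runnable file; the parameter names ts, nonce and sig, the plugin.php?page=... URL shape, the sample secret and the in-memory nonce cache are all assumptions made for illustration.

```python
"""Signed, replay-resistant URL scheme for a cron-triggered endpoint.

Added example (not the plugin's or MantisBT's own code). Client side
builds a signed URL; server side verifies it. Parameter names ts/nonce/sig,
the plugin.php?page=... URL shape and the sample secret are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample secret for the demo only; a real deployment would
# generate a random one (e.g. secrets.token_hex(32)) and keep it in config.
SHARED_SECRET = b"example-shared-secret-do-not-use"
WINDOW_SECONDS = 300  # how far a request timestamp may drift from server time


def canonical_string(method, path, params):
    """Deterministic bytes covering everything the server acts on.

    Every parameter except the signature itself is included, in sorted
    order, so 'key', 'ts' and 'nonce' cannot be altered in transit without
    invalidating the digest (Victor's point 2).
    """
    items = sorted((k, v) for k, v in params.items() if k != "sig")
    return f"{method.upper()}\n{path}\n{urlencode(items)}".encode()


def sign_request(secret, method, path, params):
    """HMAC-SHA256 over the canonical request.

    HMAC is used instead of md5(secret + data): a plain hash of a secret
    prefix followed by caller-chosen data is the construction that
    length-extension attacks target, and HMAC is designed to avoid that.
    """
    return hmac.new(secret, canonical_string(method, path, params),
                    hashlib.sha256).hexdigest()


def build_signed_url(secret, base_url, path, params, now=None, nonce=None):
    """Client side (the cron job): add ts and nonce, then sign."""
    params = dict(params)
    params["ts"] = str(int(time.time() if now is None else now))
    params["nonce"] = nonce if nonce is not None else secrets.token_hex(16)
    params["sig"] = sign_request(secret, "GET", path, params)
    return f"{base_url}{path}?{urlencode(sorted(params.items()))}"


class RequestVerifier:
    """Server side (the plugin entry point).

    The nonce cache lives in memory here; a PHP plugin would keep it in a
    DB table, as Gianluca does with the timestamp of the last call.
    """

    def __init__(self, secret, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp it was accepted with

    def verify(self, method, path, query, now=None):
        """Return (accepted, reason). Cheap checks run first; the signature
        is compared in constant time; the nonce check comes last so that
        only authentic requests can populate the cache."""
        now = int(time.time() if now is None else now)
        params = {k: v[0] for k, v in
                  parse_qs(query, keep_blank_values=True).items()}
        for required in ("key", "ts", "nonce", "sig"):
            if required not in params:
                return False, f"missing {required}"
        try:
            ts = int(params["ts"])
        except ValueError:
            return False, "malformed ts"
        if abs(now - ts) > self.window:
            return False, "stale"
        expected = sign_request(self.secret, method, path, params)
        if not hmac.compare_digest(expected, params["sig"]):
            return False, "bad signature"
        # Drop nonces that are outside the window (they fail 'stale' anyway),
        # then reject a nonce that has already been accepted (Victor's point 3).
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if params["nonce"] in self.seen:
            return False, "replay"
        self.seen[params["nonce"]] = ts
        return True, "ok"


if __name__ == "__main__":
    verifier = RequestVerifier(SHARED_SECRET)
    url = build_signed_url(SHARED_SECRET, "https://mantis.example", "/plugin.php",
                           {"page": "CronPlugin/run", "key": "nightly"})
    query = url.split("?", 1)[1]
    print(url)
    print("first call:", verifier.verify("GET", "/plugin.php", query))
    print("replayed  :", verifier.verify("GET", "/plugin.php", query))
```

The ordering of the checks matters: the timestamp window bounds how long the nonce cache has to remember anything, and the nonce is recorded only after the signature has been validated, so an attacker without the secret cannot fill the cache with junk. Whatever runs after a successful verify (in the plugin's case, auth_attempt_script_login() for the predefined user) should see only requests that passed all four checks.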
From: Gianluca S. <gi...@gm...> - 2013-12-19 08:11:06
On Wed, Dec 18, 2013 at 2:32 AM, Victor Boctor <vb...@gm...> wrote:
> There are several API examples in services like AWS, Twitter, Netflix, etc.
> Common patterns include:
>
> 1. Use of shared secret - not a password.
> 2. Make sure that the request was not altered - shared secret + request =
> digest.
> 3. Make sure that the request can't be replayed - timestamp within N minutes
> and timestamp is included in digest.
> 4. Use of OAUTH when it makes sense.
> 5. Use of REST over SOAP - better mobility support.
>
> Based on the readme, you seem to have 1 and part of 2 covered, but not the
> rest.

Yeah, right now that seems the best balance between security and ease of use.

3 is somewhat covered (a setting decides how often you can call the function; the timestamp of the last call is saved in the DB).

4 and 5 would probably be nice to have in Mantis, though OAUTH would probably be overkill for this plugin.

Thanks

G.

--
Gianluca Sforna

http://morefedora.blogspot.com
http://identi.ca/giallu - http://twitter.com/giallu
From: Manilal K M <ma...@ej...> - 2014-01-22 05:06:29
----- Original Message -----
> From: "Gianluca Sforna" <gi...@gm...>
> To: "developer discussions" <man...@li...>
> Sent: Monday, December 16, 2013 3:37:44 PM
> Subject: [mantisbt-dev] Scripted access to mantis functions
>
> I am finalizing a plugin which offers an entry point for an external
> cron job to trigger its main procedure.

Hello Giallu,

Could you please share the code of this plugin (read only is enough)? We have a similar requirement and are trying to develop a plugin for the same.

regards
Manilal