From: Alexey S. <al...@sh...> - 2021-06-09 21:45:41
On Mon, June 7, 2021 05:32, Paul Lesniewski wrote:
> On Tue, June 1, 2021 7:56 pm, Alexey Shpakovsky via squirrelmail-plugins
> wrote:
>> It looks like there are only three of us interested in this plugin,
> On mailing lists there are always people reading but not responding, or
> people who may see your posts at a later date, which makes it valuable to
> have such conversations here.
Sounds reasonable! Then let me paste here the (slightly amended) email which I
sent privately.
First, a few notes on compatibility:
-----------------------------------
* The carddavclient library that this plugin is using requires something
like php 7.1 or 7.4, and I doubt I can decrease its requirements :)
* I'm currently using and testing this plugin in SquirrelMail 1.2.23 SVN
(recent snapshot), but it should be easy to adapt to other versions, if
someone finds a compatibility issue.
Then, my biggest question:
-------------------------
What are your opinions about mapping of vcard fields (name, org, title,
notes, address, phone, etc - there are plenty of them) to SquirrelMail
address book fields (name, nickname, info)?
Note that SquirrelMail uses the "nickname" field as a unique key to identify
address book entries when editing/deleting them: when a user clicks a button
to delete an address, SquirrelMail tells the addressbook backend: "please
delete user with this nickname". For CardDAV servers, such unique keys are
otherwise meaningless URIs.
Also SquirrelMail supports only one email address per contact, while vcard
can have multiple.
So I came up with this otherwise strange idea: add an option (checkbox) for
whether the addressbook is writeable, and make field contents depend on it:
* when the addressbook is in read-only mode, the "nickname" field in
SquirrelMail shows the content of the "organisation" field in the vcard.
* when the addressbook is write-enabled, the "nickname" field contains the
vcard URI, and the "info" field contains the value of the "organisation"
field from the vcard (which you actually can edit).
Moreover, when the addressbook is in read-only mode, each vcard is repeated as
many times as there are email addresses in it, and also the "info" field has
different phone numbers (but you can't edit them).
Sounds messy, but works nicely in my case :)
I of course would like to hear other opinions: how do __you__ think it
should be done or how would you like to see it?
Installation instructions:
-------------------------
Described in the repo readme, but the TL;DR version is:
* download or clone that repo
* extract it into an "abook_carddav" subdir in your plugins directory
* open the "discover" page at
{your.squirrelmail.installation}/plugins/abook_carddav/discover.php - for
example, if your main squirrelmail page URL looks like this:
https://mail.example.com/src/webmail.php
then the URL of the "discover" page is this:
https://mail.example.com/plugins/abook_carddav/discover.php
* If everything goes well, it should show you a form with three fields.
The exact content of the first one depends on your CardDAV server setup, but
in some cases it's enough to provide just the hostname, in other cases you can
provide the full URL to the dav endpoint - for example, in the case of a
Baikal server running on https://baikal.example.com:8000/, the discovery URL is
https://baikal.example.com:8000/dav.php. Valid username and password are
required to find addressbooks available to a specific user.
* after submitting that form, scroll to the very bottom. If you see a
number greater than 0 after "Addressbooks discovered:" - you're lucky :)
In my case, I have this:
    Addressbooks discovered: 1
    * Name: Default addressbook
      Addressbook URI: https://baikal.example.com:8000/dav.php/addressbooks/alexey/default/
      Base URL: https://baikal.example.com:8000
(where "default" is addressbook name)
* After that, enable the plugin if you haven't done so yet, and enter the
Addressbook URI together with the Base URL and your username/password into
the relevant fields at the bottom of the Options - Display Preferences page.
Note about password storage:
---------------------------
This plugin has three options regarding password storage:
* use the same password for the CardDav account as for IMAP (usually it's the
password you enter to log in to SquirrelMail) - obviously it's the best
option from the password storage point of view, but only if your CardDav
and IMAP accounts have the same password (note that usernames might
differ).
* _encrypt_ your CardDav password using your IMAP password - probably the
best option in all other cases, but remember that you will have to
re-enter your CardDav password (for it to be re-encrypted) in case your
IMAP password changes. _Encryption_ used here is basically XORing the CardDav
password with the sha256 checksum of the IMAP password and storing the result.
* No encryption, the CardDav password is stored in your prefs file in plain text.
Obviously, in the last case if someone gets hold of your prefs file (malicious
server admin, php script, or via backups) - they can read your CardDav
password from it.
In the second case, in addition to a copy of your prefs file, they need to know
your IMAP password - and then they can find out your CardDav password.
If anyone has a better (more secure) idea of password storage - please let
me know!
Also, when a user switches from the first option ("use IMAP password") to the
last one ("store password in plaintext") - their IMAP password appears in the
prefs file in plain text. Fixing this is the first item on my list.
Some more notes:
---------------
* Currently, the CardDav server/account is configured by each user
individually, although it should be pretty easy to add an option of an
admin-specified "global" or per-user CardDav server/account.
* Also, it should be pretty simple to implement multiple CardDav address
books (just call the add_account function multiple times with different
arguments), but I don't have a good idea how to implement it UI-wise.
Thoughts, comments?
Alexey.
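
The second storage option from the message above, next to a salted and authenticated alternative. This is an added example, not part of the original message and not the plugin's code. The function names, the stored blob layout, the 32-byte length limit and the PBKDF2 iteration count are assumptions.

```php
<?php
// Added example; function names, blob layout and KDF cost are assumptions.

// The scheme as the message describes it: XOR with SHA-256 of the IMAP password.
function xor_store(string $carddavPw, string $imapPw): string {
    $pad = hash('sha256', $imapPw, true);   // 32 raw bytes, identical on every save
    if (strlen($carddavPw) > strlen($pad)) {
        throw new LengthException('password longer than the 32-byte pad');
    }
    return base64_encode($carddavPw ^ $pad); // string XOR stops at the shorter operand
}

// Hardened form: salted, slow key derivation plus authenticated encryption.
function seal(string $carddavPw, string $imapPw): string {
    $salt = random_bytes(16);
    $iv   = random_bytes(12);
    $key  = hash_pbkdf2('sha256', $imapPw, $salt, 200000, 32, true);
    $ct   = openssl_encrypt($carddavPw, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($salt . $iv . $tag . $ct);
}

// Returns null when the IMAP password is wrong or the stored blob was modified.
function unseal(string $blob, string $imapPw): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 44) {
        return null;
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $ct   = (string) substr($raw, 44);
    $key  = hash_pbkdf2('sha256', $imapPw, $salt, 200000, 32, true);
    $pt   = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values.
$imap = 'imap-password-constructed';
$a = base64_decode(xor_store('first-secret', $imap));
$b = base64_decode(xor_store('other-secret', $imap));
// Pad reuse: XOR of two stored values equals XOR of the two plaintext passwords.
var_dump(($a ^ $b) === ('first-secret' ^ 'other-secret'));
$blob = seal('first-secret', $imap);
var_dump(unseal($blob, $imap) === 'first-secret');
var_dump(unseal($blob, 'wrong-password') === null);
var_dump(seal('first-secret', $imap) !== $blob);  // fresh salt and nonce per save
```

As with the XOR option, the CardDAV password has to be re-entered and re-sealed when the IMAP password changes, because the key is derived from it.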