Lavo


I'm back :P

A user mailed me about an error: he logs in with user/pass, his account is NOT linked with Gmail, so he starts the process but gets the error:

This account has been, or is already, successfully linked with a Google account.



I searched the DB and found no other account with his mail address. Any ideas?





Not based on email: someone has his google_uid (the unique identifier Google passes back for the member; think Twitter and FB login IDs).
The Google account he is trying to link is already linked in IPB; accepting or allowing that to be associated with two accounts would be letting one user log in as another.
No Bueno.

It is on the end of the Google+ account profile if used; otherwise it still exists in Google, just less easily findable without pinging the API.... This is why I allow the user to disassociate as well.


Pretty nice hook, thank you.



The only thing I'd love to suggest is some synchronization options like the ones for FB and Twitter. At least the photo could be synchronized. Not sure about the latest G+ post, but it could be as well.



Importing G+ posts to statuses is something I am looking at.
However, you should already be able to synchronize your forum photo with your Google+ profile photo.






Yes, manually. But if you look in FB and Twitter settings, you'll find some auto synchro options there. This is what I was talking about.

I've read through this thread and all the modifications that have been made to this module.

But as of now, correct me if I'm wrong, if a current board member logs in with Google, a new IPB account is created. Their existing account that uses the same email will not be merged. Thus, existing members using Google login create a new account and an admin will have to merge them manually (if he can match them up)?

Further, it appears when a new account is created, the email the Google Login (or google api) assigns is something odd like, John Doe@38959231?

There's no setting wrong on either issue, it is what it is?







Noticed the same. Would be nice to have a merging feature, like other login methods have.

I've been having the same problem with existing accounts. From a quick look at the member table, couldn't this hook just take the 5 Google related fields and put them into the existing member rather than create a new account? I tried editing the database manually to do this and it seems to work.






... Get them to log in normally once and visit the UCP; any associated account will not create a new account. I log into my website with this, my primary root account, with no issue after association.
I am NOT going to allow the email to grant access to the account.... for so many reasons. It was a bad move in the first place, and I regret ever allowing such.
At this point, allowing the email to access the account again would be opening up a big can of worms. You want to be able to associate existing accounts? It needs to be apart from the email, and doing what you suggest would be a major issue,
as the email for IPB can and does often differ from the Google one; you would be unlinking associated accounts and granting false authorizations.

Yeah, that's fine man.

The prupdated user updated your code and sent me a copy. Now, when a user who already has an account signs in through Google, your mod does not make a new account. It merges the existing one if the Google email matches the email of their existing IPB account. Now, Google sign in works like the Facebook sign in that IPB makes--no duplicate members, merge when you have a match.

With 18,000 users and 100 new members a day, I just can't explain to people a zillion times a week how to merge their own account. It's an administrative nightmare.






No... it does not work like Facebook.
Facebook login is not going to assume the email of the Facebook user is the email of the IPB user; in fact, it stores the Facebook email in a separate column.
I wish you both luck, as you have officially opened a Pandora's box.
What happens when an IPB account has no Gmail listed as "email" and associates the account with Google, then attempts to log in?
Or when that Google email in IPB is listed under a different account, say an ADMIN account?
Do what you will; I stopped using the email field with good reason. Facebook and Twitter Connect do not assume the emails are the same and do, in fact, make a new user if no account is associated.


Here's why I do not allow email connection any longer.

You could easily change your IPB email and compromise someone's account, or your own.




I just tried what you suggested. I logged in as a normal member. I tried to change the email in IPBoard to my admin email address. IPBoard would not let me: "That email address is already in use." Based on what you said, I figured IPBoard would let me. And I could log in through Google and hijack my admin account? Then again, if IPBoard allowed you to change your email to another member's email, there would be big security issues regardless.

Did you intend something else? If so, spell out exactly the steps so I can see what you're talking about and follow what you're saying. If I can reproduce a security hole, I'll abandon the idea.

Thanks,
Josh





Wrong end.
The Google account is not explicitly tied to the email.
https://accounts.goo.../0/EditUserInfo
Not only that, but you can have multiple emails listed, as well as change the primary.
So I, for instance, could go change my email to yours, not even a Google one.
The Google authentication itself is sound.
My reasoning, in a nutshell, is this:
if IPB, for its own security reasons, keeps FB and Twitter Connect emails separate for those same reasons, why oh why should I allow such to occur?
FYI, I am still beating myself upside the head silly for allowing it in the first place.






Ok, I went to the Google link you provided. And the resulting screenshot is below. The primary email is not editable, so how can anything on this screen be changed? Specifically, how can the email be changed to someone else's to then allow the user to login through IPB and jack an account?




Sign up for Google+ with a non-Gmail email. :unsure: I suppose that would be why I can edit mine.






I did as you said. When I try to add a new email (non-Gmail), it will let me. But it makes me confirm I have access to the email account first. That prevents what you describe as a security breach, does it not?

It also won't let me add my Gmail address at all, as it says an account with that name is already associated with another Google Account.

Beyond done.
Frankly and truthfully, I violated the best practices by allowing email in the first place.

  • Security and reliable identification. Using identifiers that are unique to the account instead of an email address allows RPs to reliably identify a unique account holder without having to worry about the implications of recycled or out-of-date email addresses. Identifiers like email addresses don't provide sufficient information to identify individuals in the long term because users may change their email address or lose access to it. Additionally, email service providers may close a user's email account or recycle the username. Basically, the johndoe@example.com you knew 2 years ago might not be the same johndoe@example.com today, which is why using synthetic identifiers is so important to security.


Do as you please.... Note that I simply cannot and will not support such a modification to this Login Module any longer, and I never should have in the first place.
Truthfully, it was a bug, period.






I just started using this last night, so I didn't know anything about a previous bug. I suggested this not because of a previous feature but because it so obviously needs it. Again, if you can show me a security glitch, one that's reproducible and not speculation, I'm all ears. :smile: But apparently, the security issue you mention is just theory? I can't reproduce or demonstrate your security theory at all, can you?

Look... this already completely bypasses the password of IPB by routing through Google.
It looks like a benign bit, but you REALLY did not read the subtext there.
Email accounts, especially Google accounts, come and go and get recycled.
I'm saying the exact same lurking issue stands.
If the user loses access to the email by any means, the Google user ID is the only thing stopping the account, now viably a recycled email, from being hijacked.

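The design the module author keeps coming back to (one google_uid belongs to at most one member, the login resolves the member by that uid and never by the email claim, and existing members link while already logged in) is easy to show in code. The following is an added illustration written for this thread, not IPB's code or the login module's; the Member/MemberStore names, the sample members and the "g-..." identifiers are constructed for the example, and only the error text is taken from the thread. It also shows the diagnostic the opener needed: the conflict in his case is on google_uid, so a search by email finds nothing.

```python
# Added illustration (not IPB's or the module's code): a toy member store showing
# the thread's two rules, "one google_uid -> one account" and "identify by uid,
# never by email". Field and function names are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error text quoted in the thread; raised when a uid is already held by another member.
ALREADY_LINKED = ("This account has been, or is already, successfully linked "
                  "with a Google account.")


@dataclass
class Member:
    member_id: int
    name: str
    email: str                        # the board's own email; may differ from Google's
    google_uid: Optional[str] = None  # provider-issued stable identifier


class LinkError(Exception):
    pass


class MemberStore:
    """In-memory stand-in for the members table (constructed for this example)."""

    def __init__(self, members: List[Member]) -> None:
        self.members: Dict[int, Member] = {m.member_id: m for m in members}

    def who_holds_uid(self, google_uid: str) -> Optional[Member]:
        # The diagnostic the thread's opener needed: searching by email finds
        # nothing, because the conflict is on google_uid, not on the address.
        return next((m for m in self.members.values()
                     if m.google_uid == google_uid), None)

    def link(self, current_member_id: int, google_uid: str) -> Member:
        """Associate a Google identity with the member who is already logged in
        (the "log in normally once, then visit the UCP" flow). A uid may belong
        to at most one member; linking it to a second one would let one user
        log in as another."""
        holder = self.who_holds_uid(google_uid)
        if holder is not None and holder.member_id != current_member_id:
            raise LinkError(ALREADY_LINKED)
        member = self.members[current_member_id]
        member.google_uid = google_uid
        return member

    def unlink(self, member_id: int) -> None:
        # Users may disassociate themselves; the uid is simply cleared.
        self.members[member_id].google_uid = None

    def login_with_google(self, google_uid: str, google_email: str) -> Optional[Member]:
        """Safe resolution: the uid is the only key. The email claim is not used
        for identification, so a changed or recycled address cannot redirect the
        login. None means "no linked member": the caller creates a new account
        rather than merging into an existing one."""
        del google_email  # deliberately unused
        return self.who_holds_uid(google_uid)

    def email_merge_target(self, google_email: str) -> Optional[Member]:
        """What the email-based merge proposed in the thread would resolve to.
        Kept only to show the failure mode: whoever presents a Google identity
        carrying this address is mapped onto the member holding it."""
        return next((m for m in self.members.values()
                     if m.email.lower() == google_email.lower()), None)


def demo() -> dict:
    # Constructed sample data.
    store = MemberStore([
        Member(1, "admin", "admin@example.com"),
        Member(2, "alice", "alice@example.com", google_uid="g-111"),
        Member(3, "bob", "bob@example.com"),
    ])
    results = {}
    # 1. bob tries to link the Google identity alice already linked.
    try:
        store.link(3, "g-111")
        results["conflict_blocked"] = False
    except LinkError as e:
        results["conflict_blocked"] = str(e) == ALREADY_LINKED
    # 2. A Google identity whose address happens to equal the admin's board email
    #    (Google lets the account address be a non-Gmail one, as the thread notes).
    g_uid, g_email = "g-999", "admin@example.com"
    results["uid_login"] = store.login_with_google(g_uid, g_email)   # None: new account
    target = store.email_merge_target(g_email)
    results["email_merge"] = target.name if target else None        # "admin"
    # 3. bob links his own, unused uid while logged in, then logs in with it.
    store.link(3, "g-333")
    results["bob_login"] = store.login_with_google("g-333", "other@example.net").name
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 1 reproduces the opener's error: the uid is already held by another member, so the link is refused and `who_holds_uid` is the query that finds the holder. Scenario 2 is the point of the argument: with uid-only resolution an unknown identity gets a fresh account, while an email-based merge would hand it the admin's member record because the addresses happen to match.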

If the google user loses his account, it's recycled, and someone new signs up for it, the new owner could just reset the IPBoard password through the IPBoard website. And then gain access to someone else's account. That's a glitch? All forum software runs on the basis that the owner controls and will continue to control his email account. This does not demonstrate a new security glitch that doesn't already exist.






No, they could not, at least not through this login module or my doing; viably yes, but that's above this login module's scope.
Hence the Google user ID... they theoretically might be able to coerce IPB, but not this login module, into simply logging them in immediately.

Archived

This topic is now archived and is closed to further replies.
