
Sign in through Google


Lavo


They could get any forum software to give them the password, if the original owner loses his email.

Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based forum or content management software, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virtually every other one I can think of. :smile:


They could get any forum software to give them the password, if the original owner loses his email.



Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based accounts, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virtually every other one I can think of. :smile:



Except it makes the assumption you allow email logins at all.
I stated do as you please.... for good mehal I provide a full-fledged api, for all it matters, one can do what they wish with it, up to and including pulling data from a users account/apps when they are offline.
I am simply being responsible with what I produce from it regarding proper practices.

Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what you're saying can happen now, right?



Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what you're saying can happen now, right?



I am saying that me allowing the email to have keys to login regardless directly violates several settings already in existence in the first place regarding whether to force login through username and whether to allow email login at all, and directly violates the whole point of a separate login module from email-based login, we are not authenticating an email, we are authenticating the google account.

Thanks, Marcher.

If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you.



Thanks, Marcher.



If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you.



.... nutz on it.. I highly doubt said code actually updates the user properly with the info from google anyway.
in further news, I discovered a bug due to not specifying members_created_remote='1'
both are fixed, enjoy.
also... may want to run this query:

UPDATE members SET members_created_remote = '1' WHERE google_uid IS NOT NULL;


what would occur without that is disastrous, the user could not change their password from the UCP, and in essence, would need a pass reset.... I missed a vital line in my create call. >_<
Said query will resolve that for the users that have freshly registered since 1.0.5... I am unable to think of a cleaner query frankly.... that will hit all users that either registered or linked since 1.0.5.0 :unsure:


Beyond truly caring, too many hoops for them by far, too many yelps from yall, too much to deal with.
as a note, it checks the google_uid FIRST.
then tries email as a fall-back. therefore a linked account with a different email will trump an unlinked account with the gmail.
And you still gotta make it past google's login there Dave, GL with that :ph34r: .

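The lookup order described in the post above (google_uid first, email only as a fall-back), as an added example that is not part of the thread and not the module's own PHP code. The `Member` class, `resolve_member`, the `allow_email_fallback` switch and the sample data are hypothetical; `sub`, `email` and `email_verified` are the identity claims Google returns for a signed-in account.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    member_id: int
    email: str
    google_uid: Optional[str] = None   # set once the account is linked

def sample_members():
    # Constructed sample data, not taken from any real board.
    return [Member(1, "alice@example.org", "g-111"),
            Member(2, "bob@gmail.com"),
            Member(3, "carol@gmail.com", "g-333")]

def resolve_member(members, claims, allow_email_fallback=True):
    """Map Google identity claims to a local member: (member_or_None, reason)."""
    sub = claims["sub"]
    # 1. The Google account id is checked first, so a linked account wins
    #    regardless of which address Google reports for it.
    for m in members:
        if m.google_uid == sub:
            return m, "matched google_uid"
    # 2. Email fallback, only if the board allows it and Google marks the
    #    address as verified.
    if not allow_email_fallback:
        return None, "email fallback disabled"
    if not claims.get("email_verified"):
        return None, "email not verified"
    email = claims.get("email", "").strip().lower()
    same_email = [m for m in members if m.email.lower() == email]
    for m in same_email:
        if m.google_uid is None:
            m.google_uid = sub          # link, so later logins take step 1
            return m, "linked by verified email"
    if same_email:
        # Address already tied to a different Google account: do not merge.
        return None, "email already linked to another google account"
    return None, "no matching member"
```

The third branch covers the case argued over earlier in the thread: a different Google account presenting an address that a linked member already uses is refused rather than merged.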

I could not figure it out either, seemed to be the oddest damn thing, but it did work still which made it harder to nail down.
was thinking something in the order of install may have been key (did google first then steam few days later) but never did try that on test board.
ah well its all magic anyways and the spell worked this time :D



I'll update tonight.


will it allow me to hijack a board?



:smile: :smile: :D :tongue:



Only if IPBoard's email password recovery is enabled. Then someone who lost their gmail and someone else registered it, they could recover a user's password through IPBoard's email recovery system...or so I've heard (w00t)

Most sites are now email verification - to say that if someone gets hold of their gmail is very weak.

The same would be true of hotmail or even gmail or even fredsmith.com email address using the regular email login.

So not to include it for this app is daft and pointless.



I don't get it. I have done everything but nothing's changing. It's all the time this error: "The redirect URI in the request:

http://jorum.nl/inte...oard/google.php

did not match a registered redirect URI" ..



http://community.invisionpower.com/topic/361879-download-sign-in-through-google/#entry2261537
did you go to the API Console, add a web application and add the 2 redirect URI's for this Modification to function?


I don't get it. I have done everything but nothing's changing. It's all the time this error: "The redirect URI in the request:

http://jorum.nl/inte...oard/google.php

did not match a registered redirect URI" ..




Me too


http://community.inv...e/#entry2261537

did you go to the API Console, add a web application and add the 2 redirect URI's for this Modification to function?




I already read this and checked, but the error is still there

these are mine, mine works fine

https://www.davemacleod.net/forums/interface/board/google.php

https://www.davemacleod.net/forums/interface/board/linkgoogle.php

http://www.davemacleod.net/forums/interface/board/linkgoogle.php

http://www.davemacleod.net/forums/interface/board/google.php

board url is

http://www.davemacleod.net/forums/

and sign in is

https://www.davemacleod.net/forums/index.php?app=core&module=global&section=login


Redirect URIs


https://www.depeche-mode.be/oauth2callback

Javascript origins


https://www.depeche-mode.be/

IPs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php



I add the Client ID and the Client Secret in my ACP

But, what about API key ?



Redirect URIs



https://www.depeche-mode.be/oauth2callback

Javascript origins


https://www.depeche-mode.be/

IPs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php

I add the Client ID and the Client Secret in my ACP But, what about API key ?

Facepalm.. there's your problem. Redirect URIs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php

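A check for the "did not match a registered redirect URI" error discussed above, as an added example that is not part of the thread or of the modification. The function names are hypothetical; the two callback paths and the URLs in the comments are the ones posted in the thread. Google compares the redirect URI as an exact string, so scheme, host and path all have to agree with a registered entry.

```python
from urllib.parse import urlsplit

# The two callback scripts named in the thread.
CALLBACK_PATHS = ("interface/board/google.php", "interface/board/linkgoogle.php")

def uris_to_register(board_url, schemes=("http", "https")):
    """Build the redirect URIs to enter in the API Console for one board URL."""
    parts = urlsplit(board_url)
    base = parts.netloc + parts.path.rstrip("/") + "/"
    return sorted(f"{scheme}://{base}{path}"
                  for scheme in schemes for path in CALLBACK_PATHS)

def diagnose(requested, registered):
    """Say why `requested` is rejected; returns "match" when it is accepted."""
    if requested in registered:            # exact string match is what counts
        return "match"
    req = urlsplit(requested)
    regs = [urlsplit(u) for u in registered]
    if any((r.netloc, r.path, r.query) == (req.netloc, req.path, req.query)
           for r in regs):
        return f"scheme mismatch: {req.scheme} is not registered for this URI"
    if any((r.path, r.query) == (req.path, req.query) for r in regs):
        return f"host mismatch: {req.netloc} is not registered (check the www. prefix)"
    if any(r.netloc == req.netloc for r in regs):
        return f"path or query mismatch: {req.path} is not registered for {req.netloc}"
    return "no registered URI shares a host or path with the request"

# The situation from the thread: only the console's placeholder callback was
# registered, while the module sends the google.php URL.
# diagnose("http://www.depeche-mode.be/forums/interface/board/google.php",
#          ["https://www.depeche-mode.be/oauth2callback"])
```

On a board served only over https, pass `schemes=("https",)` so the plain-http callbacks are not registered at all.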

Archived

This topic is now archived and is closed to further replies.
