Lavo

Sign in through Google


They could get any forum software to give them the password, if the original owner loses his email.

Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based forum or content management software, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virtually every other one I can think of. :smile:


They could get any forum software to give them the password, if the original owner loses his email.



Bottom Line: Modifying your module to merge member records when the email exists already does not introduce any security breach that is not already inherent in email based accounts, such as IPBoard, vBulletin, Drupal, Joomla, Wordpress, and virtually every other one I can think of. :smile:



Except it makes the assumption you allow email logins at all.
I stated do as you please.... for good mehal I provide a full-fledged api, for all it matters, one can do what they wish with it, up to and including pulling data from a user's account/apps when they are offline.
I am simply being responsible with what I produce from it regarding proper practices.


Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what you're saying can happen now, right?


Allow email logins? You mean, disable the password reset functionality in IPBoard so that if someone loses their gmail account, and a new person gets it, that new person can't reset the old person's IPBoard password? That's what you're saying can happen now, right?



I am saying that me allowing the email to have keys to login regardless directly violates several settings already in existence in the first place regarding whether to force login through username and whether to allow email login at all, and directly violates the whole point of a separate login module from email-based login, we are not authenticating an email, we are authenticating the google account.


Thanks, Marcher.

If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you.


Thanks, Marcher.



If anyone wants the modification to prevent existing users from creating a brand new account (as opposed to using their existing account) when they use this Google sign-in add-on, just let me know via PM and I'll send it to you.



.... nutz on it.. I highly doubt said code actually updates the user properly with the info from google anyway.
in further news, I discovered a bug due to not specifying members_created_remote='1'
both are fixed, enjoy.
also... may want to run this query:

UPDATE members SET members_created_remote = '1' WHERE google_uid IS NOT NULL;


what would occur without that is disastrous, the user could not change their password from the UCP, and in essence, would need a pass reset.... I missed a vital line in my create call. >_<
Said query will resolve that for the users that have freshly registered since 1.0.5... I am unable to think of a cleaner query frankly.... that will hit all users that either registered or linked since 1.0.5.0 :unsure:


Beyond truly caring, too many hoops for them by far, too many yelps from yall, too much to deal with.
as a note, it checks the google_uid FIRST.
then tries email as a fall-back. therefore a linked account with a different email will trump an unlinked account with the gmail.
And you still gotta make it past google's login there Dave, GL with that :ph34r: .
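The lookup order described in the post above (google_uid first, email only as a fall-back), as an added example that is not part of the original post or the add-on's own code. The function name, the `email` and `member_id` fields, the `allow_email_fallback` switch, the verified-email requirement and the restriction of the fall-back to unlinked accounts are all assumptions made for illustration.

```python
# Constructed sample rows; only google_uid is a column named in the thread.
SAMPLE_MEMBERS = [
    {"member_id": 1, "email": "dave@gmail.com", "google_uid": None},
    {"member_id": 2, "email": "other@example.org", "google_uid": "g-111"},
]


def resolve_member(members, google_uid, email, email_verified=False,
                   allow_email_fallback=True):
    """Return (member, how) where how is 'google_uid', 'email' or 'new'."""
    # 1. A member already linked to this Google account always wins,
    #    whatever email address the board has on file for them.
    for member in members:
        if member.get("google_uid") == google_uid:
            return member, "google_uid"

    # 2. Email fall-back (assumed hardening): only when the board allows it,
    #    only when Google reports the address as verified, and only onto
    #    accounts that are not linked to some other Google account.
    if allow_email_fallback and email_verified:
        wanted = email.strip().lower()
        for member in members:
            if member.get("google_uid") is None and member["email"].lower() == wanted:
                return member, "email"

    # 3. No match: the caller creates a fresh member record.
    return None, "new"


if __name__ == "__main__":
    print(resolve_member(SAMPLE_MEMBERS, "g-111", "dave@gmail.com", True))
    print(resolve_member(SAMPLE_MEMBERS, "g-222", "dave@gmail.com", True))
    print(resolve_member(SAMPLE_MEMBERS, "g-222", "dave@gmail.com", True,
                         allow_email_fallback=False))
```
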


I could not figure it out either, seemed to be the oddest damn thing, but it did work still which made it harder to nail down.
was thinking something in the order of install may have been key (did google first then steam few days later) but never did try that on test board.
ah well it's all magic anyways and the spell worked this time :D


I'll update tonight.


will it allow me to hijack a board?



:smile: :smile: :D :tongue:



Only if IPBoard's email password recovery is enabled. Then someone who lost their gmail and someone else registered it, they could recover a user's password through IPBoard's email recovery system...or so I've heard (w00t)


Most sites are now email verification - to say that if someone gets hold of their gmail is very weak.

The same would be true of hotmail or even gmail or even fredsmith.com email address using the regular email login.

So not to include it for this app is daft and pointless.


I don't get it. I have done everything but nothing is changing. It's all the time this error: "The redirect URI in the request: http://jorum.nl/interface/board/google.php did not match a registered redirect URI" ..


I don't get it. I have done everything but nothing is changing. It's all the time this error: "The redirect URI in the request:

http://jorum.nl/inte...oard/google.php

did not match a registered redirect URI" ..



http://community.invisionpower.com/topic/361879-download-sign-in-through-google/#entry2261537
did you go to the API Console, add a web application and add the 2 redirect URIs for this Modification to function?


I don't get it. I have done everything but nothing is changing. It's all the time this error: "The redirect URI in the request:

http://jorum.nl/inte...oard/google.php

did not match a registered redirect URI" ..




Me too


http://community.inv...e/#entry2261537

did you go to the API Console, add a web application and add the 2 redirect URIs for this Modification to function?




I already read this and checked, but the error is still there


Me too





I already read this and checked, but the error is still there



do me this favor, both of you... paste me the Redirect URI Lines from your google API console, and your board url after ensuring the client_id and client_secret match between the system settings and the API console.... in code tags please and thank you.


these are mine, mine works fine

https://www.davemacleod.net/forums/interface/board/google.php

https://www.davemacleod.net/forums/interface/board/linkgoogle.php

http://www.davemacleod.net/forums/interface/board/linkgoogle.php

http://www.davemacleod.net/forums/interface/board/google.php

board url is

http://www.davemacleod.net/forums/

and sign in is

https://www.davemacleod.net/forums/index.php?app=core&module=global&section=login


Redirect URIs


https://www.depeche-mode.be/oauth2callback

Javascript origins


https://www.depeche-mode.be/

IPs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php



I add the Client ID and the Client Secret in my ACP

But, what about the API key?


Redirect URIs



https://www.depeche-mode.be/oauth2callback

Javascript origins


https://www.depeche-mode.be/

IPs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php

I add the Client ID and the Client Secret in my ACP But, what about the API key?

Facepalm.. there's your problem. Redirect URIs


http://www.depeche-mode.be/forums/interface/board/google.php

http://www.depeche-mode.be/forums/interface/board/linkgoogle.php

https://www.depeche-mode.be/forums/interface/board/google.php

https://www.depeche-mode.be/forums/interface/board/linkgoogle.php
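The mismatch diagnosed above, as an added example that is not part of the original posts or the add-on: Google compares the `redirect_uri` in the request against the registered Redirect URIs as exact strings, so this check reports which URL components differ. The function names are hypothetical, the board URL is inferred from the URLs pasted in the thread, and it assumes the add-on builds its callbacks as board URL plus the two script paths.

```python
from urllib.parse import urlsplit

# Callback scripts named in the thread; function names below are hypothetical.
CALLBACKS = ("interface/board/google.php", "interface/board/linkgoogle.php")

# Constructed from the console entries pasted in the thread.
AS_POSTED = ["https://www.depeche-mode.be/oauth2callback"]
CORRECTED = [
    "http://www.depeche-mode.be/forums/interface/board/google.php",
    "http://www.depeche-mode.be/forums/interface/board/linkgoogle.php",
    "https://www.depeche-mode.be/forums/interface/board/google.php",
    "https://www.depeche-mode.be/forums/interface/board/linkgoogle.php",
]


def expected_redirect_uris(board_url):
    """URIs the board is assumed to send, built from the board URL."""
    base = board_url if board_url.endswith("/") else board_url + "/"
    return [base + script for script in CALLBACKS]


def explain_mismatch(requested, registered):
    """Return [] on an exact string match, else (entry, differing parts) pairs."""
    if requested in registered:
        return []
    if not registered:
        return [("", ["nothing registered"])]
    req = urlsplit(requested)
    report = []
    for entry in registered:
        reg = urlsplit(entry)
        parts = [name for name in ("scheme", "netloc", "path", "query")
                 if getattr(reg, name) != getattr(req, name)]
        report.append((entry, parts or ["other"]))
    return report


def audit(board_url, registered):
    """Map each URI the board will send to its mismatch report."""
    return {uri: explain_mismatch(uri, registered)
            for uri in expected_redirect_uris(board_url)}


if __name__ == "__main__":
    for label, console in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for uri, report in audit("http://www.depeche-mode.be/forums/", console).items():
            print(label, uri, "OK" if not report else report)
```
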
