aia Posted January 29, 2018

Please, use License Key instead of Invision Client Area Credentials in upgrading process on step two. Really tired of using Invision Client Area Credentials every time.

MADMAN32395 Posted January 30, 2018

Why though? What happens if you admin multiple sites? I would need to log into client area here to get the key and punch that into the site pending update. Personally, the better option is to just get rid of the IPS credential prompt, validate the saved key, upgrade against that, then use local site creds to finish the update.

ADKGamers Posted January 30, 2018

If there were 2 options of License Key or Login Credentials, I'd much rather use Login Credentials.

aia (Author) Posted January 31, 2018

16 hours ago, MADMAN32395 said: Why though? What happens if you admin multiple sites? I would need to log into client area here to get the key and punch that into the site pending update.

No you would need not, because your license key is already stored in your forums DB so you will automatically skip this step when your license is active. Maybe initial message was not clear enough, so: suggestion is not "to ask" a licence key on 2nd step, suggestion is "use licence key" as auth key for download in order to skip 2nd step at all.

MADMAN32395 Posted January 31, 2018

2 minutes ago, Mr 13 said: No you would need not, because your license key is already stored in your forums DB so you will automatically skip this step when your license is active.

Oh basically the other half of my post lol

aia (Author) Posted January 31, 2018

1 minute ago, MADMAN32395 said: Oh basically the other half of my post lol

Second part is exactly what I suggested, 1st is just misunderstanding

ADKGamers Posted January 31, 2018

haha yes, definitely misunderstanding. I'm all for that suggestion then

Aiwa Posted January 31, 2018

I would much rather a simpler upgrade process also, but you have to look at what this is doing.

1) Anyone with access to your AdminCP, without proper restrictions in place, would have access to your license key. What's to stop a rogue admin from taking your license key and using it on another site? I know IPS does their best to keep track of your installed site URL, but it's likely not foolproof and something they are trying to improve. I know I saw a lot of topics lately about license URL's not exactly matching what's in the client area and it causing some confusion.

2) The software itself is behind their credential system. In years past you would have to log into your IPS client area to download the suite, upload it to your server, and then start the upgrade. They have integrated that into a single process where the files themselves are STILL behind your IPS login credentials, just accessible from your ACP instead of you having to come to your IPS client area to download the files. Your ACP now downloads the files for you. I've not tested this, but you might be able to bypass the IPS login via your ACP if you first come to your IPS client area, download the suite, and upload it to your server.

TLDR; It's not the upgrade process that's behind your IPS credentials, it's the downloading of the software.

MADMAN32395 Posted February 2, 2018

On 1/31/2018 at 10:01 AM, Aiwa said: I've not tested this, but you might be able to bypass the IPS login via your ACP if you first come to your IPS client area, download the suite, and upload it to your server.

Yea, the classic way still works.

On 1/31/2018 at 10:01 AM, Aiwa said: Anyone with access to your AdminCP, without proper restrictions in place, would have access to your license key.

There's already a permission for this... Iirc

Aiwa Posted February 2, 2018

2 minutes ago, MADMAN32395 said: There's already a permission for this... Iirc

Like I said, without proper restrictions in place.

aia (Author) Posted February 2, 2018

You don't have to show the key, whole process can be implemented without displaying of it at all.

Aiwa Posted February 2, 2018

13 minutes ago, Mr 13 said: You don't have to show the key, whole process can be implemented without displaying of it at all.

You're missing the key piece of information here. The key is stored in your database via a setting. If someone gets that, loads it up into a new site in the same setting, would you expect it to work? The key may be valid, but who's to say it's for the right site? Would you want IPS to update the licensed URL for a key when authenticating with just that key so you now have to deal with resetting your license key and board URL if your key is misused?

Could the process be improved, maybe. But to be fair to IPS here it keeps the source files, no matter how you get them, behind your IPS client login, not just a simple text value.

aia (Author) Posted February 2, 2018

I'm not missing it, but it's not really a problem. It's easy to prevent downloading from duplicate installations (I can describe algorithm to IPS Devs, if they need, but I think it's not a problem for them too).

Cemmos Posted February 2, 2018

The key is already linked to the specific site. You'd need to change the URL with Invision Power, Inc. to be able to change it to another site. Which is already locked behind the same login we use to access a new patch or upgrade. I'm not really seeing what the problem is there, even with lack of attention to detail on the site administrator's end (should really test and retest permissions, and other admins should be trusted anyway).

There is the point about other admins being able to upgrade your community when using just the key (automatic credential auth). But that, again, is easily fixed just by making sure the permission is set correctly.

I personally don't mind either way. The way it works now is fine for me, but I see how the convenience is wanted.

aia (Author) Posted February 2, 2018

Downloading of upgrades based on key is not only the convenience thing, but it also provides more flexibility for further changes. For example, having this we can implement automated installation of security patches so communities with active licences will not be vulnerable almost immediately after fix released without admin involving.

Aiwa Posted February 2, 2018

I'd love to see your algorithm that's just as secure as getting an auth key from IPS' site directly for a downloadkey. Feel free to PM me.

Board URL comparison in addition to license key... Easily faked by modifying source files if you already know the URL of the site using said key.

Site Unique key, would now require IPS store that on their servers. Do-able, but also available in plain text in the constants.php file. So a bit harder to obtain than the license key, but not much.

What other unique piece of information, not accessible to anyone other than the IPS client, or their designated alternate contacts, is available via the IPS community site even callback data, that could be used for positive authentication and not faked?

IP Address... Not foolproof either, and could cause further headaches with support when clients are moving servers. Ever been locked out of the spam service because it's been used on too many IP's? It happens (or used to anyway, not sure if IPS has improved that)... So further support issues when validating by IP.

As I said before, it's about IPS keeping their source files behind a client login. The upgrade routine made that simple. Is it still harder than WP, sure, because WP is free and they don't care who downloads their source files. Do I agree that it would be nice to streamline the process? Yes.... Do I think IPS needs to ensure client validation to protect their Intellectual Property and answer hard questions from any private stakeholders about how they are protecting the downloading of their source files? Yes!

You may argue, "piracy exists, so what, why make it harder for clients"... That doesn't mean IPS needs to help them by serving the source files from their own servers simply because the source files were modified to get around your special algorithm.

This topic is now archived and is closed to further replies.