PHPBB 3.3.8 - Verify password outside source - phpbb

I'm trying to pass in some text entered by the user (from a separate program) and check it against the hashed password in phpbb's db: phpbb_users -> user_password.
Ideally if I could copy a function from the source that does this check for me and place it into my own script, it would be perfect. Or somehow reference the functionality externally. Regardless, I'm unable to find the function(s) that does this.

Related

Ways to store Client ID and Secret securely for automated executions in Google Scripts

I'm writing a Google Script that will call an external API and pull the resulting data into a Google Sheet. The API requires a Client ID and Secret value for authorization, and I need to keep those values secure. I would also like to trigger the script to run periodically (basically, I'm trying to automate the updating of this sheet as much as possible).
I'm no data security expert, but keeping the Client ID and Secret hardcoded seems like a terrible idea. Most of the search results I've found recommend using the Properties Service to store those values, but in order to set those properties I'd have to hardcode them in the same script, correct? If so, that doesn't solve the security problem.
Other recommendations involve prompting the user to enter the credentials to authorize each run of the script. This solves the security requirement, but I want this process to be as automatic as possible. If I'm opening the script and providing my credentials each time it runs, then I may as well skip the triggered executions.
Are there any other solutions? For context, I am the only person who needs to access this script and no one else should be able to access the Client ID and Secret.
Since you are the only one who has access to the script (having View access to the spreadsheet doesn't allow users to look at the bound script), hardcoding the Client ID and Secret shouldn't be a problem. Just don't give them Edit access to the spreadsheet.
If you don't want to hard-code the data directly anyway, you have some alternatives:
Using Properties Service:
Use Properties Service, as you mentioned. You could, for example, set the Client ID by running this once (in the legacy IDE, you can set these properties manually too):
function setClientId() {
  var props = PropertiesService.getScriptProperties();
  props.setProperty('Client ID', '{YOUR_CLIENT_ID}');
}
Once the property has been set, you can remove '{YOUR_CLIENT_ID}', or even the whole function, if you don't want to keep it hard-coded. The script can then retrieve the stored property as follows:
function getClientId() {
  var props = PropertiesService.getScriptProperties();
  return props.getProperty('Client ID');
}
Using library:
Another option could be to store this information in a different script, to be used as a library (see Gain access to a library):
var CLIENT_ID = "YOUR_CLIENT_ID";
var SECRET = "YOUR_SECRET";
And then import this library in your main script (see Add a library to your script project). In the sample below, LIBRARY is the library's identifier:
Code.gs (from main script):
function getData() {
  const clientId = LIBRARY.CLIENT_ID;
  const secret = LIBRARY.SECRET;
  // ...
}
Note:
Please note that, even if you don't hard-code your data directly, anyone who can execute your script can potentially retrieve this data. For example, they could log what's returned by getClientId().
If the script has access to some data, users who can execute the script can access this data too.

dynamic credential allocation in aa client 11.3.2

I need to use credentials to log in to a system in AA for a bot that may run on different machines, with a technical user for the system associated with each machine/bot.
Let's say the system is Stackoverflow.
Let's say I have two virtual machines, named VM1 and VM2.
I name my credentials "Stackoverflow-VM1" and "Stackoverflow-VM2" and want the automation to dynamically access those credentials, so that when running on VM1 the automation will always use the VM1 credential.
I cannot find out how to use such machine-dynamic access in AA, while this is easy to do in other automation software, and the credential vault seems to be pretty useless without this functionality, especially with the extra concept of lockers... Any help?
Already tried:
1) The credential variables in AA will look like this from the client: $Stackoverflow-VM1(username)$, so I tried to simply write (not using the F2 variable list) $Stackoverflow-$Machine$(username)$ into the Set Text field, but that results in the string "$Stackoverflow-VM1(username)$" being written into the corresponding text field, which is consistent with the AA documentation:
https://docs.automationanywhere.com/bundle/enterprise-v11.3/page/topics/aae-client/bot-creator/using-variables/credential-variables.html
"Credential variables contained in the Credential Lockers can be seen and accessed only from the Insert Variables window."
2) I tried to create different lockers, where VM1 will only see "Stackoverflow-Locker-VM1" and a corresponding locker for VM2 exists. Now, if I could create credentials with the same name but different content in each locker I could easily do this, but I cannot create identically named credentials, since they are aware of each other and not only defined in the context of a locker.
3) This page suggests it's not possible: https://apeople.automationanywhere.com/s/question/0D56F00005dy3Ri/can-we-able-to-use-credential-vault-dynamically-?language=en_US
but it's an 8-month-old thread and possibly it has changed now. Everything suggested in this thread is not possible in terms of scalability.
Thankful for any input,
Thank you.
The first thing I would suggest is that you should always use F2 to fetch the variable list.
Returning to the question, to me, it seems that you have a system where you want to log in using different devices (bot runners) using different credentials.
It is possible by creating provided credential values.
When you create an attribute for any credential, there is an option to mark the value as provided. That way, the associated users will get the credential request.
Each user will have to provide their own set of values. The bot can be created using those credentials. At run time, based on the user who is logged in, appropriate values will be fetched.
Disclaimer: I work for Automation Anywhere.

How to authenticate exist-db users in RESTXQ

(complete rephrase - since no answer):
I am developing an exist-db application with user authentication and RESTXQ. My users log in via the login:set-user function from the login module. Here is a snippet from the controller:
import module namespace login="http://exist-db.org/xquery/login" at "resource:org/exist/xquery/modules/persistentlogin/login.xql";
declare variable $local:login_domain := "org.exist-db.superApp";
declare variable $local:user := $local:login_domain || '.user';
let $logout := request:get-parameter("logout", ())
let $set-user := login:set-user($local:login_domain, (), false())
This works perfectly fine. If I call e.g. xmldb:get-current-user() anywhere within an app:function() I get the currently logged-in username.
I also have a RESTXQ module with a couple of functions to be dynamically called via URL by AJAX requests. Some of these actions (deleting xml-elements in the data, adding new collections...) are rather critical. I don't want guests (or users with the wrong rights) to be able to just call these RESTXQ URLs to manipulate the data - so RESTXQ must be secured and it should double-check: is the currently logged-in user allowed to modify specific resources/collections?
If I call e.g. xmldb:get-current-user() in any RESTXQ function, I always get "guest"; all the security manager (sm) functions also indicate that within RESTXQ there is no knowledge about the current user login. Only if I do something like xmldb:login("/db","username","password") in each RESTXQ function does RESTXQ seem to know someone is logged in, but usernames and passwords should not constantly be passed back and forth via URL - yet without passing this data in, RESTXQ functions don't seem to know about it (right?).
So how do I make sure RESTXQ lets only authenticated users change data (without users having to authenticate multiple times and without having to pass the authentication data to RESTXQ on each request)?
Example use case:
I want a RESTXQ function that gets a search string ($text) and a collection path ($path) as input; it then checks all xml files in $path: if the currently logged-in user (must be authenticated!) has write access to the file, delete all nodes that contain $text and return some JSON response to the user...
I have multiple such functions (move, delete and add data, add new collections...); they work nicely except for the bold part: I do not get this "if" in. Any ideas?
PS: this topic on the eXist mailing list asks the same question. Here #adamretter suggests restricting the RESTXQ module file itself, so users get prompted to (re-)authenticate when a function is called - even if they already used the persistent log-in. This is what I don't like:
I don't want my users to have to log in multiple times (that's the idea of getting things as dynamic as possible - e.g. by using RESTXQ)
the prompted login (for executing RESTXQ) and the previous login (persistent) via the login-module can differ now!
even if the user logs out within the application, RESTXQ is still granted access because that prompted authentication knows nothing about the logout. If a new user logs in (not in the prompt, but via the login-module) she still has access to RESTXQ, because this is not re-prompted (and I don't know how to "logout" this prompted, seemingly parallel second login).
I can restrict the whole RESTXQ module this way, but I still don't know how to ask within a RESTXQ function: "what access rights does the current user have on resource A, B, C..."
Hoping that this will help others:
When making an AJAX-request, add a header:
[...]
headers: {'Authorization': 'Basic ' + btoa(username + ':' + password)},
[...]
This will log the user in with the given credentials (if correct). In your RESTXQ function you can then access the user's details via sm:id():
declare namespace sm = "http://exist-db.org/xquery/securitymanager";
[...]
let $username := xs:string(sm:id()//sm:real//sm:username)
You should use the info under sm:real as a setuid or setgid may mask the real values.
Note that the login information is not stored, so you need to send it with every AJAX request you make.
The RESTXQ API is stateless. So you need to authenticate on each request. This is intentional and by design, so that each RESTXQ call can work in isolation efficiently.
This isn't unusual as other APIs such as Amazon's S3 also require such authentication to be provided on each request.
How your users authenticate to RESTXQ and how you prompt them for the request credentials (and possibly reuse those) is outside the scope of the RESTXQ API, and instead is considered to be a client issue that you need to solve in your own application.
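As an added example (not code from the answers above), the following JavaScript builds the Authorization header the first answer shows and parses it the way a stateless endpoint such as RESTXQ must on every request. It covers two cases that btoa(username + ':' + password) gets wrong: characters outside Latin-1 (btoa throws) and a ':' inside the password (RFC 7617 splits on the first colon only); the credentials used are constructed sample values.

```javascript
// Added example, not code from the answers above. Builds the Basic
// Authorization header, then parses it as a stateless endpoint must on
// every request, handling two cases btoa(username + ':' + password) misses:
//   1. btoa() throws on characters outside Latin-1, so UTF-8-encode first;
//   2. per RFC 7617 only the FIRST colon separates user-id from password,
//      so a password containing ':' must survive the round trip.

function basicAuthHeader(username, password) {
  if (username.includes(':')) {
    throw new Error('RFC 7617 forbids ":" in the user-id');
  }
  // Buffer UTF-8-encodes before base64, unlike btoa() which rejects non-Latin-1.
  const token = Buffer.from(username + ':' + password, 'utf8').toString('base64');
  return 'Basic ' + token;
}

// Receiving side: validate the scheme and base64 alphabet, decode as UTF-8,
// split on the first colon only. Returns null for anything malformed so the
// caller answers 401 instead of handing garbage to the security manager.
function parseBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(headerValue || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Round trip with constructed credentials (a non-Latin-1 character and a
// colon in the password). Nothing is stored between requests: each AJAX
// call has to carry the header again, exactly as the answer notes.
function demo() {
  return parseBasicAuth(basicAuthHeader('anna', 'pa:ss€word'));
}
```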

How do I store user defined values in wit.ai?

I am new to chatbots and using the wit.ai.
I'd like to store user-defined values for future use, such as the name of the user.
When the user says his name, it gets stored in a variable that can be used later.
Using entities limits me to a predefined list of names.
They have changed the getting started guide. Initially they showed the way to store user queries.
What you want to use is the context object. It can store information which you want to pass on for later use. It is used to save the state of the conversation.
In your story, click on Bot Executes, then an action to be executed at the backend, and finally type the variable name, like username, in the "update context keys with" field. This will make username available for use.

Authentication via LDAP

I'm interested in how other people code this because I'm either not understanding it properly or I'm missing something or perhaps even I'm doing it right!
First of all, this is NOT an Active Directory instance of LDAP; it's OpenDS, which other than some syntactical differences shouldn't much matter.
So assume I have my tree structure set up something like this:
-dc=somedomain,dc=com
    -uid=rootuser
    -ou=Group1
        -uid=username1
        -uid=username2
    -ou=Group2
        -uid=username3
        -uid=username4
In order to authenticate as the 'rootuser' I would need to pass the fully qualified Username when I create my System.DirectoryServices.DirectoryEntry object, in this case:
uid=rootuser,dc=somedomain,dc=com
but for any other user in the tree I have to know in advance what LDAP path to append to the username to have them authenticate through. So for example this will fail:
uid=username1,dc=somedomain,dc=com
but this will work:
uid=username1,dc=somedomain,dc=com,ou=Group1
So my question is: how do you handle this when you don't know at login time what specific group a user belongs to, to build that path? The only way I can figure to do it is to make the initial call as 'rootuser' so I have access to the entire tree, then use System.DirectoryServices.DirectorySearcher to scan it for that particular user (i.e. username1):
using System.DirectoryServices;
// GetDirectorySearcher() is the asker's helper, bound as 'rootuser'; userName must be
// RFC 4515-escaped (\ * ( ) NUL) first, or the login name becomes filter syntax.
using (DirectorySearcher searcher = GetDirectorySearcher()) {
    searcher.Filter = "(&(objectClass=person)(uid=" + userName + "))";
    SearchResult result = searcher.FindOne();
    if (result == null) return null;   // no such user: reject the login
    return result.GetDirectoryEntry().Path;
}
at that point I have the path for the user I want to login and I can proceed with the actual auth. Am I way off base here or is this generally how it is done?
thanks!
You build a search filter on attributes that are unique to the user, e.g. screen-name, e-mail. Make sure LDAP is configured to ensure they are unique. Then you find the corresponding entry if any, get the DN, and rebind as that user with the appropriate password. If there was no such entry you react accordingly.
You don't say what language you are using, but in JNDI that means setting the DN as the security principal, the password as the credentials, and calling LdapContext.reconnect().
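As an added example (not code from the question or the answers), the JavaScript below puts the filter the asker concatenates beside an RFC 4515-escaped version, and runs the first half of the search-then-bind flow the answer describes over a few constructed directory entries: resolve the login name to exactly one DN, and refuse when there is no match or more than one. The toy matcher and the sample entries are assumptions for illustration; the rebind as the found DN needs a real server (DirectoryEntry in the asker's case) and is not shown.

```javascript
// Added example, not code from the question or answers. The asker's filter
// "(&(objectClass=person)(uid=" + userName + "))" treats the login name as
// filter syntax; RFC 4515 escaping keeps it a literal value.

// RFC 4515: the characters \ * ( ) and NUL are written as \5c \2a \28 \29 \00.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// The asker's filter as written: userName is spliced in unescaped.
function buildFilterUnsafe(userName) {
  return '(&(objectClass=person)(uid=' + userName + '))';
}

// Hardened form: identical filter, value escaped.
function buildFilterSafe(userName) {
  return '(&(objectClass=person)(uid=' + escapeLdapFilterValue(userName) + '))';
}

// Toy matcher for an AND of equality assertions "(&(a=v)(b=w)...)" with RFC 4515
// '*' wildcards and \xx unescaping; only here to show what each filter matches.
function matchesFilter(filter, entry) {
  const m = /^\(&((?:\([^()]*\))+)\)$/.exec(filter);
  if (!m) throw new Error('unsupported filter: ' + filter);
  const assertions = [...m[1].matchAll(/\(([^=()]+)=([^()]*)\)/g)];
  return assertions.every(([, attr, pattern]) => {
    const re = new RegExp('^' + pattern.split('*').map((part) =>
      part.replace(/\\([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
          .replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$');
    return re.test(String(entry[attr] ?? ''));
  });
}

// Constructed entries mirroring the asker's tree (hypothetical sample data;
// DNs in RFC 4514 order, most specific RDN first).
const directory = [
  { dn: 'uid=rootuser,dc=somedomain,dc=com', objectClass: 'person', uid: 'rootuser' },
  { dn: 'uid=username1,ou=Group1,dc=somedomain,dc=com', objectClass: 'person', uid: 'username1' },
  { dn: 'uid=username3,ou=Group2,dc=somedomain,dc=com', objectClass: 'person', uid: 'username3' },
];

// Step one of search-then-bind: resolve the login name to exactly one DN.
// null means no such user; more than one hit means the attribute is not unique
// (or the filter was tampered with), so refuse rather than bind.
function findUserDn(filter, entries) {
  const hits = entries.filter((e) => matchesFilter(filter, e));
  if (hits.length > 1) throw new Error('login attribute not unique: ' + hits.length + ' matches');
  return hits.length === 1 ? hits[0].dn : null;
}
```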
SASL supports the notion of using a username to authenticate. Your directory server administrator may be able to configure the directory server to map distinguished names to identities. Given the correct mapping it is possible for a client to authenticate without knowing the distinguished name. Professional-quality directory servers support a number of different mapping mechanisms such as direct mapping, exact match, regular expression, or a custom identity mapper.