Remote email/license verification idea for digital software upgrader - code-access-security

I have a wordpress theme that I support and upgrade frequently.
It contains a built in upgrader routine that takes a zip file containing the updated files and extracts to the theme directory, overwriting the old files.
I'd like to add a license verification routine to this upgrader routine that asks for the users's email address and password, then does a remote call to my member's database and verifies that the email and password are valid before allowing the routine to continue.
Is this a simple task? What approach would you take? The upgrade request will come from anywhere on the net and will have to call back to my server for the verification.
Its very similar to what WPRobot does to validate upgrades with known email addresses.

Your suggested method is just security through obscurity. The user can easily remove the client-side license check. If you have to do this, a simple way is to use HTTP Basic Auth. Have the client request the zip file with their credentials, and respond with the zip (correct credentials) or 401 Authorization Required (otherwise).

Related

GitHub: SSH over HTTPS for third party app

I am a hardware guy first and software second so GitHub is not my forte.
I had Altium Designer setup with my GitHub server for version control. When GitHub forced 2FA recently it broke the link to Altium which, unfortunately doesn't have stellar GitHub integration.
There are 6 fields I am allowed to enter in Altium to point it to my (GitHub) server:
1.) Method (HTTP, HTTPS, file, svn)
2.) Server (URL)
3.) Port
4.) Repo Subfolder
5.) username
6.) Password
Again, nothing changed except moving to 2FA. Now, when I attempt to login it obviously says it could not connect to the server because Altium has no provisions to provide a token during the login process.
I read the article at GitHub here: https://docs.github.com/en/free-pro-team#latest/github/authenticating-to-github/using-ssh-over-the-https-port
But I have no idea if that will do anything for me. Is there a way to route my Altium server connection to use my SSH key outside of the Altium environment? Or perhaps another way to "whitelist" my desktop in GitHub for SSO?
GitHub has not forced 2FA on for users. That wouldn't be useful, because people could just not set up a second factor. It's possible your organization has required this, though.
However, GitHub is deprecating the use of a plain password when using Git over HTTPS in favor of a token. Using a plain password was already forbidden for users who use 2FA, since there's no place to send a 2FA code (and for automated systems, doing that would be very inconvenient).
In this case, it's easy to keep using HTTPS: just generate a personal access token (in the developer settings) with the repo scope and paste it into the password field. Git doesn't know the difference between a password and a token; they're both the same to it. This also has a bunch of other benefits:
If you change your password, the token isn't automatically cleaned up, so you don't have to change Altium Designer.
If you decide you want to revoke that token, you can do so independently of changing your password.
If you're using SSO, you need to enable that token for SSO using the drop-down before it can be used to access protected resources.

Authenticate request using authkey in geoserver

I need to implement authkey module in geoserver to enable clients to send authenticated requests. I followed the official article, and read through the Q&A from here and there, etc. These articles and answers are helpful to part of my work.
As a beginner in geoserver, it took me long time to figure out the complete answer. So I present my solution down in the case that someone has a similar work may benefit from it. In my solution, I used User property as the key provider.
It is welcome that if you have better solution, and are willing to share below.
Before implementing authkey module, I secured the layers by assigning workspaces to different users, give read/write authority to them and also set the Catalog Mode as "HIDE".
The procedure of implementing the authkey is as follows:
Download the plugin from http://geoserver.org/download/, choose your GeoServer version, and download the extension.
Extract archive to /var/lib/tomcat7/webapps/geoserver/WEB-INF/lib (This is the directory for a Linux system).
Restart tomcat7
Partly follow official article using User property as the key provider:
1). In geoserver Security => Authentication => Authentication Filters, create authkey filter. Set the "Authentication key to user mapper" as "User property". Select corresponding group. Click "Synchronize user/group service" button.
2). Modify default filter chain. Remove both basic and anonymous authentication from the chain, attach and keep authkey authentication alone. (This is the reference)
Get the UUID from Users/Groups. Now you are able to request from the client with the authkey of the respective user.
thank you for your explanation, but small problem could be fixed authkey value sent from client to server (always same value), so anyone could mimic it?
next better step would be use WebService as 'authentication key to user mapper':
application generates key and adds it to request, application api end point is already fixed in geoserver, and when geoserver communicate with that api to verify, geoserver sends that key back to api and if it is generated by application (valid) then api responds with true geoserver user.
That part of communication would be hidden (secured).

Is there a way to test verification emails using Karate?

The problem I have is that I need to test if user verification is working. We generate a verification token, and an email is sent to the user. Whenever the user clicks on it, it checks if the verification token has expired. I've tried mocking this, but it just won't work. We have an endpoint to verify a user, but we still need the verification token, which is not available on any endpoint.
I think this article may help you: https://www.testingexcellence.com/automated-api-testing-emails-karate/
To summarize:
use the API at http://qamail.ala.se/ to create a test mailbox
initiate the flow that sends the e-mail
use the API to "read" the e-mail and grab the token
EDIT: looks like the link is dead. but you should be able to find similar offerings on the internet. since the source-code seems to be available, it may make sense for you to host this e-mail server somewhere so that it can receive e-mail from whichever system is the sender

htpaswrd vs cPanel password protection

I've been comparing a tool called Coffee Cup Website Access Mangaer, which generates htpaswrd files and assists in multi user management, against cPanel's password protection functionality.
With the cPanel functionality, when accessing the directory I receive a browser warning "Warning this server is requesting your username and password be sent in an insecure manner..." because the passwords are sent in plain text and vunerable to pack sniffing.
But with credentials created with the coffee cup product I get no such warning. It is hashing the passwords, but presumably it's vulnerable in the same way as cPanel passwords.
#User Password File - 05/01/2012 15:14:56
username:$1$sa$Wo.g/ovtw8B//SAgNBbFP1
username:$1$sa$mSD/s4oNRerHapqlNkL321
I had always assumed cPanel was just creating htpaswrd files just like this program, and can find no information as to what the difference between the two might be.
Any thoughts appreciated as always.
As long as you use HTTP and not HTTPS, the password will be sent in plain text at some point. I don't know what authentication shceme does cPanel use, but maybe cPanel is defaulting to http while the other option isn't, which would explain the difference.

How to use LDAP credentials offline?

I would like to use an LDAP server (probably Apache directory) to manage logins and credentials for an application. From time to time the application needs to work offline (on a laptop) without a connection to the LDAP server.
What is the best way to replicate the credentials localy?
I have already thought about:
Using Mitosis to replicate the LDAP server on the laptop.
But it would be a quite "heavy" and complicated solution. Moreover Mitosis seems not be be finished yet.
Exporting the credentials as LDIF file that could be stored on the laptop.
But I would need a way to check that the LDIF file actually comes from the LDAP server (The file should include a kind of signature). Moreover I would like to reject LDIF files that haven't be updated for more than a week. It would be nice if I could avoid implementing signing and age check myself.
Any other ideas or tools that could help me?
Edited Edit: I had a look at Kerberos because the documentation of the Java-Kerberos-API seems to say that it is possible to use a cached ticket in a local cache and I thought this might be a solution for me. Moreover Kerberos can be added as plugin to Apache Directory.
But the Kerberos cache stores decrypted tickets (aiming at sharing them with other applications). I would need the crypted version of the ticket to be able to check the user password during an offline session. Conclusion: Kerberos doesn't offer a simple solution to my problem.
Knowing that it will be probably ok if the user have to log on once online before being able to log on offline, consider the following algorithm:
user provides your application with a (username + password)
application attempts to contact LDAP for authentication
working online? (e.g. connection successful)
application authenticates against LDAP using (username + password)
authentication succesful?
application stores or updates hash(password) as (cached_credentials) for (username) into local secure storage
application proceeds as authenticated [[STOP]]
authentication failed?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
working offline? (e.g. network error)
application attempts retrieve (cached_credentials) for (username) from local secure storage
(cached_credentials) exists AND more recent than (1 week)?
application compares (cached_credentials) against hash(password)
match?
application proceeds as authenticated [[STOP]]
no match?
application proceeds as non-authenticated (incorrect credentials) [[STOP]]
(cached_credentials) does not exist OR less recent than (1 week)?
application proceeds as non-authenticated (network error) [[STOP]]
This is (or was, IIRC), by the way, the same model employed by Windows NT+ for user authentication against domain controllers. Upon login an attempt is made to authenticate against the domain controller and create or update the local (cached) version of the user profile. If the domain controller is not available, the user is prompted to proceed with authentication against the credentials captured in the local (cached) profile (if one exists.)
EDIT
Yes, this is, in spirit, the same solution as copying an ldif file locally, except that you do not have to parse ldif when you're offline. :)
It is understood that you can store any additional attributes (permissions, etc.) in your cache
It is also understood that 'secure storage' is at least signed. :) You can do this easily enough with a SHA-1 hash and a secret, or you can use full-fledged cryptographic providers available on your platform (or in Java, if using Java.) You do not need to crypt it as long as no secret information is stored inside.
Here is the solution I decided to use (I have already described it in an edit to my question, but I would like to able to accept an answer to "close" the question):
As I have not found another solution, I decided to use an LDIF export, add a timestamp as comment at the beginning of the file and then sign the file. To sign the file I calculate an hash value (SHA-1) of the file + a secret key. The signature is added as comment at the beginning of the file. To check the signature I remove the first line of the signed file and recalculate the hash value.