Page 1 of 1

Login with API Key in parameter

Posted: Apr 21, 2018 3:34 pm
by TomR
We want to login from an external application into MantisBT.

I looked at the SampleAuth plugin to accomplish that.
The plugins is working fine, except it poses a security risc. If you guess a username, one can login without problems with someone elses account.
I wonder what would be a feasible use case for this plugin, apart from some 'guessing game' :D

So my idea was to use an API per user to automaticly login.

Therefor I added following lines in the plugin:

Lines already in plugin

Code: Select all

		$t_username = $p_args['username'];
		$t_user_id = $p_args['user_id'];		
Added lines after above lines

Code: Select all

		$t_user_id = (int)api_token_get_user( $p_args['username'] );		
		$t_username = user_get_username( $t_user_id );
In that case I have the same situation as before BUT wit API key checked against an user.

However this is not working and I can not get my head around how to solve this.

Any help appreciated.

Tom
MantisBT 2.12.0

Re: Login with API Key in parameter

Posted: Apr 22, 2018 5:15 am
by TomR
I guess I am really missing something here 8O

I want to use https://mymantisbturl/?username=xxx from an external application.
Really need no authorization as I will check if the originate from our cloud environment ( that works ).
But definitely want to separate users


Why is it showing me the default login login_page.php with username filled in here ( username also 'enabled' as the button 'Login' ).
I expected I would be rerouted to the login.php page from the plugin right-away.
I should not be able to change the user in the default login_page.php, I want to be redirected to login of plugin.

However then it is still a security issue with guessing an existing username in the URL.
So I still want to use an API key for that.

I guess I am missing the point of the plugin somehow. :(
Anybody who can enlighten me? :wink:

Tom

Re: Login with API Key in parameter

Posted: Apr 26, 2018 8:59 am
by TomR
Friendly 'bump'. :)

Anyone who can help me get in the right direction?

Re: Login with API Key in parameter

Posted: May 29, 2018 7:34 am
by TomR
Another friendly bump. :D

Can anyone help me out. This is stopping us to migrate to version 2.x.x.

How can we achive auto-login ( with parameters username en password in v1.2.x ) in v2.x.x.
No LDAP available :(

Re: Login with API Key in parameter

Posted: Jun 01, 2018 12:23 pm
by mushu
We use the LDAP plugin, and I know you don't have LDAP available, but you might want to grab it and look at the code. It is pretty simple to understand how it works, and you might be able to refactor the code for your purpose. You will need to edit the code and increase the "mantis core" version number to have it work. We use 2.7.0 in production and have 2.14.0 on the test box and this LDAP module works flawlessly.