Login with API Key in parameter

TomR
Posts: 53
Joined: Aug 01, 2006 5:22 am

Login with API Key in parameter

Post by TomR » Apr 21, 2018 3:34 pm

We want to login from an external application into MantisBT.

I looked at the SampleAuth plugin to accomplish that.
The plugin is working fine, except it poses a security risk. If you guess a username, one can login without problems with someone else's account.
I wonder what would be a feasible use case for this plugin, apart from some 'guessing game' :D

So my idea was to use an API per user to automatically login.

Therefore I added following lines in the plugin:

Lines already in plugin

Code:

		$t_username = $p_args['username'];
		$t_user_id = $p_args['user_id'];

Added lines after above lines

Code:

		$t_user_id = (int)api_token_get_user( $p_args['username'] );
		$t_username = user_get_username( $t_user_id );

In that case I have the same situation as before BUT with API key checked against a user.

However this is not working and I can not get my head around how to solve this.

Any help appreciated.

Tom
MantisBT 2.12.0
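Added example, not part of the original post and not MantisBT or SampleAuth code: a standalone PHP sketch of the idea described above, where the account is derived only from a per-user API key and a caller-supplied username is never trusted. The function names, the token format and the in-memory store are assumptions made for illustration.

```php
<?php
// Added illustration; every name here is hypothetical, not a MantisBT API.

/** Store only a hash of each key, so a leaked table does not expose usable keys. */
function token_hash(string $token): string {
    return hash('sha256', $token);
}

/**
 * Resolve a presented API key to a user id, or null when nothing matches.
 * $store maps user id => ['hash' => string, 'enabled' => bool].
 */
function resolve_user_from_token(string $token, array $store): ?int {
    // Reject malformed input early (assumed format: 32-64 URL-safe characters).
    if (!preg_match('/^[A-Za-z0-9_-]{32,64}$/', $token)) {
        return null;
    }
    $presented = token_hash($token);
    $match = null;
    foreach ($store as $userId => $row) {
        // hash_equals() compares in constant time; the loop visits every row
        // so response time does not depend on which entry matched.
        if (hash_equals($row['hash'], $presented) && $row['enabled']) {
            $match = $userId;
        }
    }
    return $match;
}

// Constructed sample data: two users, the second one disabled.
$aliceToken = 'constructed-token-for-alice-0000000001';
$bobToken   = 'constructed-token-for-bob-000000000002';
$store = [
    7 => ['hash' => token_hash($aliceToken), 'enabled' => true],
    9 => ['hash' => token_hash($bobToken),   'enabled' => false],
];

// Constructed requests: a valid key, a guessed username with no valid key,
// and a key that belongs to a disabled account.
$requests = [
    ['username' => 'administrator', 'token' => $aliceToken],
    ['username' => 'administrator', 'token' => str_repeat('x', 40)],
    ['username' => 'bob',           'token' => $bobToken],
];
foreach ($requests as $req) {
    // The username parameter is deliberately ignored when choosing the account.
    $userId = resolve_user_from_token($req['token'] ?? '', $store);
    printf("claimed=%s resolved=%s\n", $req['username'], var_export($userId, true));
}
```

A key passed in the URL query string ends up in web server logs and browser history, so sending it in a request header over HTTPS is the safer transport.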

TomR
Posts: 53
Joined: Aug 01, 2006 5:22 am

Re: Login with API Key in parameter

Post by TomR » Apr 22, 2018 5:15 am

I guess I am really missing something here 8O

I want to use https://mymantisbturl/?username=xxx from an external application.
Really need no authorization as I will check if they originate from our cloud environment ( that works ).
But definitely want to separate users.


Why is it showing me the default login login_page.php with username filled in here ( username also 'enabled' as the button 'Login' )?
I expected I would be rerouted to the login.php page from the plugin right away.
I should not be able to change the user in the default login_page.php, I want to be redirected to login of plugin.

However then it is still a security issue with guessing an existing username in the URL.
So I still want to use an API key for that.

I guess I am missing the point of the plugin somehow. :(
Anybody who can enlighten me? :wink:

Tom
Last edited by TomR on Apr 26, 2018 9:05 am, edited 1 time in total.

TomR
Posts: 53
Joined: Aug 01, 2006 5:22 am

Re: Login with API Key in parameter

Post by TomR » Apr 26, 2018 8:59 am

Friendly 'bump'. :)

Anyone who can help me get in the right direction?

TomR
Posts: 53
Joined: Aug 01, 2006 5:22 am

Re: Login with API Key in parameter

Post by TomR » May 29, 2018 7:34 am

Another friendly bump. :D

Can anyone help me out? This is stopping us from migrating to version 2.x.x.

How can we achieve auto-login ( with parameters username and password in v1.2.x ) in v2.x.x?
No LDAP available :(

mushu
Posts: 146
Joined: Jan 04, 2017 12:41 pm

Re: Login with API Key in parameter

Post by mushu » Jun 01, 2018 12:23 pm

We use the LDAP plugin, and I know you don't have LDAP available, but you might want to grab it and look at the code. It is pretty simple to understand how it works, and you might be able to refactor the code for your purpose. You will need to edit the code and increase the "mantis core" version number to have it work. We use 2.7.0 in production and have 2.14.0 on the test box and this LDAP module works flawlessly.
