Allow users to authenticate with their Drupal username and password by two ways:
- The user sticks in their hostname into their user account and the bot compares the username with the hostname when the user is making requests from the bot. Using the hostname means that sessions don't have to be created or destroyed.
- The user sends a private query to the bot "login ", and the bot checks the IRC Drupal username along with the Drupal password, and registers a session until the user logs off, changes nicknames, their hostname is switched, etc.
I have the first authentication system up and running cleanly at http://cvs.drupal.org/viewvc.py/drupal/contributions/sandbox/robloach/mo... .
The bot_auth_authenticate function checks the cached credentials, and then returns the data object with the uid added if the credentials match. From there, to check permissions we call user_access('ahem', $user). In total, it looks like this:

```php
// Resolve the IRC message's sender to a Drupal user (uid added on match).
$user = bot_auth_authenticate($data);
// Permission check goes through the normal Drupal API.
if (user_access('ahem', $user)) {
  // Do something
}
```
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | bot_auth.patch | 4.6 KB | RobLoach |
| #5 | bot_auth.patch | 5.37 KB | RobLoach |
| #4 | bot_auth.patch | 4.03 KB | RobLoach |
| #3 | bot_auth.patch | 3.46 KB | RobLoach |
| #1 | bot_auth.patch | 2.8 KB | RobLoach |
Comments
Comment #1
RobLoach: Things left:
- The user sticks in their hostname into their user account and the bot compares the username with the hostname when the user is making requests from the bot. Using the hostname means that sessions don't have to be created or destroyed.
Comment #2
RobLoach: bot_auth_user should be bot_user.
Comment #3
RobLoach: The provided patch allows authentication without setting your hostname. The way this works is that you send a message to the bot "login ". This will compare your IRC username with the provided password to the Drupal database, and authenticate the IRC hostname with your account.
When successful, your Drupal account will have the updated hostname, which will then authenticate correctly when calling bot_authenticate($data). Users only sometimes share the same hostname when they're on the same connection. Ways to make this more secure are fixed by implementing the following......
Comment #4
RobLoach: This patch features the "logout" feature, which removes your hostname, making your session invalid. The only insecurity with this is if a user forgets to logout before they change their name or quits and then someone on the same connection comes along, uses the same username, and talks to the bot. Although this is really unlikely to happen, it can be fixed by adding those automatic logout events. We'd have to make sure not to log out people who don't want to be automatically logged out, like when they're using a Drupal.org cloak, because that is unique to each user. Since authentication is still done by the host, it makes it pretty secure.
Another nice-to-have feature that's not required is the use of alternative IRC usernames. Right now it assumes your IRC nickname is the same as the Drupal username. What if you're using MorbusIff instead of Morbus? The reason for using their IRC name the same as their Drupal name is that when we're checking their authentication, it's easy to do a user_load('name' = ___). It's rather difficult to do a user_load() on something in the data column of the user table. Any thoughts? We could do some regex, but that's horribly ugly. I think this is good for now.
"logout", which will remove your saved hostname.
Comment #5
RobLoach: This patch adds an option in your user account settings to have it automatically log you out if you quit or change your username. It also adds the "logout" command. Are there any other events we have to register? This looks pretty good to me....
To test:
The host name is definitely the way to do this, because it is handled through nickserv, which is secure. With the automatic logout feature, if a user changes their nickname, or gets disconnected, the bot will kill their session by removing the hostname from their account. In addition to that, the only time that users will have the same hostname is if they're running under the same connection (same LAN). But, since automatic logout un-tailors the username when the nickname changes, this is not a problem. Yay! Leaving Automatic Logout disabled when you're on a unique hostname is very nice so that you don't have to login whenever you want a new session (when your hostname is a cloak).
Things to talk about:
Comment #6
RobLoach: Anonymous users still have a valid user object. We have to force a check to uid 0.
Comment #7
RobLoach: Removed caching from bot_authenticate, because caching can be scary when doing secure stuff.
Comment #8
RobLoach: We've been using this for the Ping.fm IRC bot on PingFeeder.com with some pretty good success.
Comment #9
RobLoach: Automatic Logout should be toggled on for all users by default. Maybe switch the logic to have it as "Remember host name" instead of "Automatically log out"?
Comment #10
Morbus Iff: Random comments for the next time we can work on this:
* autologout will be compulsory; I don't want to /allow/ a security hole, at all, convenience or not.
* you're currently saving things into user.data; that's deprecated. we need a new table.
* IRC nicks and usernames are not necessarily the same (i.e., my Morbus Iff vs. Morbus).
Comment #11
snufkin: My take on this issue:
http://cvs.drupal.org/viewvc.py/drupal/contributions/sandbox/snufkin/bot...
Provides two tables, one for storing the active user sessions (bot_sessions), the other one to store user-specific settings (bot_users). I was hesitant to use global variables for storage of active sessions, so it's all database updates.
A session is created when the user verifies his or her account on IRC by PMing `/msg <botname> auth <key>` to the bot. The key can be set in the user profile. It is configurable (default yes) whether the key should be the same as the Drupal password; if unchecked, the key field value will be used.
The session timestamp is updated when the user does something on IRC.
Session expiration is a configuration option under bot/settings/bot_auth, defaulting to 3600 seconds. After that much inactive time the user will be removed from the active sessions (this relies on frequent runs of bot_cron).
Feedback would be most welcome.
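A worked illustration, added here and not the bot_auth.module code from this issue, combining the hostname check from the issue summary (with the uid 0 check from #6 and no caching per #7) and the inactivity expiry from snufkin's comment #11. The in-memory arrays, the function name bot_auth_uid, the message object shape and all sample values are assumptions standing in for the bot_users / bot_sessions tables and the bot's message object:

```php
<?php
// Added illustration, not the module's code. Two checks decide whether an IRC
// message is from an authenticated Drupal user: the stored hostname must match
// the request's hostname (looked up fresh each time, no caching), and the
// user's session must not be idle longer than the configured expiry.

const BOT_SESSION_EXPIRE = 3600; // seconds; the bot/settings default from #11

// Constructed sample data: uid => [Drupal name, hostname saved at "auth"/"login"].
$bot_users = [
  1 => ['name' => 'alice', 'host' => 'alice@drupal/alice'],   // cloaked host
  2 => ['name' => 'bob',   'host' => '~bob@192.0.2.10'],      // plain host
  3 => ['name' => 'carol', 'host' => ''],                     // logged out
];
// Constructed active sessions: uid => timestamp of last IRC activity.
$bot_sessions = [1 => 1000000, 2 => 1000000, 3 => 1000000];

/**
 * Return the Drupal uid for an IRC message, or 0 (anonymous) when any check
 * fails. $data mimics the bot's message object with ->nick and ->host.
 */
function bot_auth_uid(object $data, array $users, array $sessions, int $now): int {
  foreach ($users as $uid => $u) {
    // The thread assumes the IRC nick equals the Drupal user name.
    if ($u['name'] !== $data->nick) {
      continue;
    }
    // An empty stored host means "logout" (or auto-logout) cleared it, so the
    // user must authenticate again; otherwise hosts must match exactly.
    if ($u['host'] === '' || strcasecmp($u['host'], $data->host) !== 0) {
      return 0;
    }
    // No session row, or idle past the expiry window: treat as anonymous.
    if (!isset($sessions[$uid]) || $now - $sessions[$uid] > BOT_SESSION_EXPIRE) {
      return 0;
    }
    return $uid;
  }
  return 0; // unknown nick: never a valid user, callers must check for uid 0
}

// alice: matching host, session active 500 s ago.
$fresh = (object) ['nick' => 'alice', 'host' => 'alice@drupal/alice'];
echo "alice => uid ", bot_auth_uid($fresh, $bot_users, $bot_sessions, 1000500), "\n";
// bob: matching host, but the session has been idle longer than the expiry.
$stale = (object) ['nick' => 'bob', 'host' => '~bob@192.0.2.10'];
echo "bob => uid ", bot_auth_uid($stale, $bot_users, $bot_sessions, 1004000), "\n";
// carol: same nick from a host that no longer matches the cleared record.
$out = (object) ['nick' => 'carol', 'host' => '~carol@192.0.2.10'];
echo "carol => uid ", bot_auth_uid($out, $bot_users, $bot_sessions, 1000500), "\n";
```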
Comment #12
meecect: +subscribe
Comment #13
tobias: +1
Comment #14
snufkin: Any chance that the bot_auth code can be committed? What can I do to help you with it? Would rolling a patch help?
Comment #15
scottrigby: @Rob Loach I'd love to test this out in our IRC channels, but do you have any advice about the status of this patch?
Like if you've had updated ideas, whether it should still work with current code etc?
Thanks :)
Comment #16
Morbus Iff: So, I've committed a first version of bot_auth.module in 7.x-dev. It is a merging of both of your approaches.