Authentication

Things left:

1. The user sticks in their hostname into their user account and the bot compares the username with the hostname when the user is making requests from the bot. Using the hostname means that sessions don't have to be created or destroyed.
2. The user sends a private query to the bot "login [password]", and the bot checks for the IRC Drupal username, along with the Drupal password, registers a session until the user logs off, changes nicknames, their hostname is switched, etc. This is a big task, and we might think about just taking a look at it later on.
3. Make some of the modules use the authentication system?

bot_auth_user should be bot_user.

The provided patch allows authentication without setting your hostname. The way this works is that you send a message to the bot "login ". This will compare your IRC username with the provided password to the Drupal database, and authenticate the IRC hostname with your account.

Joey: login notmypassword
Druplicon: Login failed.
Joey: login mypassword
Druplicon: Login successful.

When successful, your Drupal account will have the updated hostname, which will then authenticate correctly when calling bot_authenticate($data). Users only sometimes share the same hostname when they're on the same connection. Ways to make this more secure are fixed by implementing the following......

1. "logout", which will remove your saved hostname.
2. Register the other IRC events (part, quit, change nickname, etc) to force a removal of the hostname, only if you authenticated with "login". If you didn't authenticate with login, then it is assumed that you're using a custom hostname (like a Drupal.org cloak)

This patch features the "logout" feature, which removes your hostname, making your session invalid. The only insecurity with this is if a user forgets to logout before they change their name or quits and then someone on the same connection comes along, uses the same username, and talks to the bot. Although this is really unlikely to happen, it can be fixed by adding those automatic logout events. We'd have to make sure not to log out people who don't want to be automatically logged out, like when they're using a Drupal.org cloak, because that is unique to each user. Since authentication is still done on by the host, it makes it pretty secure.

Another nice to have feature that's not required is the user of alternative IRC usernames. Right now it assumes your IRC nickname is the same as the Drupal username. What if you're using MorbusIff instead of Morbus? The reason using their IRC name the same as their Drupal name is because when we're checking their authentication, it's easy to do a user_load('name' = ___). It's rather difficult to do a user_load() on something in data column of the user table. Any thoughts? We could do some regex, but that's horribly ugly. I think this is good for now.

1. "logout", which will remove your saved hostname.
2. Register the other IRC events (part, quit, change nickname, etc) to force a removal of the hostname, only if you authenticated with "login". If you didn't authenticate with login, then it is assumed that you're using a custom hostname (like a Drupal.org cloak).... Not required, but nice.
3. Alternative nicknames?..... Not required, but nice.

This patch adds an option in your user account setting to have it automatically log you out if you quit or change your username. It also adds the "logout" command. Are there any other events we have to register? This looks pretty good to me....

To test:

1. Apply the patch and restart your bot
2. Edit your user account and see the new hostname and automatic logout features. Change them if you want, not required if you don't know your IRC hostname.
3. In IRC, send a message to the bot.... /msg MyBot login.......
4. If you put in your hostname, and your Drupal username is the same as your IRC nickname, you won't have to put in a password because the hostname is secured to your username. This should log you in. If you didn't put in your hostname, it will tell you to use "login < password >".
5. When you do login, it should say you logged in successfully. Go back to the website and edit your account. You'll see that your hostname is registered with your new session hostname.
6. Edit your account, and enable Automatic Logout.
7. Close your IRC client, without logging out of the Bot and wait a second.
8. Re-Edit your website account and see that your hostname is no longer tailored to your account (it's empty).
9. Play around with the Bot's login and logout features..... "login < password >", "logout", "login".... and don't forget to dance!

The host name is definitely the way to do this, because it is handled through nickserv, which is secure. With the automatic logout feature, if a user changes their nickname, or gets disconnected, the bot will kill their session by removing the hostname from their account. In addition to that, the only time that users will have the same hostname is if they're running under the same connection (same LAN). But, since automatic logout un-tailors the username when the nickname changes, this is not a problem. Yay! Leaving Automatic Logout disabled when you're on a unique hostname is very nice so that you don't have to login whenever you want a new session (when your hostname is a cloak).

Things to talk about:

1. Someone has to look at the code and give it a code review, it all looks good to me!
2. Automatic logout enabled by default?
3. What other events should we register for automatic logout?

Anonymous users still have a valid user object. We have to force a check to uid 0.

Removed caching from bot_authenticate, because caching can be scary when doing secure stuff.

We've been using this for the Ping.fm IRC bot on PingFeeder.com with some pretty good success.

Automatically Logout should be toggled for all users by default. Maybe switch the logic to have it as "Remember host name" instead of "Automatically log out"?

Random comments for the next time we can work on this:

* autologout will be compulsory; I don't to /allow/ a security hole, at all, convenience or not.
* you're currently saving things into user.data; that's deprecated. we need a new table.
* IRC nicks and usernames are not necessarily the same (ie., my Morbus Iff vs. Morbus).

My take on this issue:

http://cvs.drupal.org/viewvc.py/drupal/contributions/sandbox/snufkin/bot...

Provides two tables, one for storing the active user sessions (bot_sessions), the other one to store user specific settings (bot_users). I was hesitant to use global variables for storage of active sessions, so its all database update.

Session is created when user verifies his or her account on irc by pming /msg <botname> auth <key> to the bot. Key can be set in user profile. Configurable (default yes) if key should be the same as drupal password, if unchecked the key field value will be used.

Session timestamp is updated when user does something on IRC.

Session expiration is a configuration option under bot/settings/bot_auth, defaults to 3600 seconds. After so many inactive period user will be removed from the active sessions (this relies on frequent run of bot_cron).

Feedback would be most welcome.