Allow users to authenticate with their Drupal username and password in one of two ways:

  1. The user sticks their hostname into their user account, and the bot compares the username with the hostname when the user makes requests of the bot. Using the hostname means that sessions don't have to be created or destroyed.
  2. The user sends a private query to the bot, "login <password>", and the bot checks the IRC nick as the Drupal username, along with the Drupal password, and registers a session until the user logs off, changes nickname, their hostname is switched, etc.

I have the first authentication system up and running cleanly at http://cvs.drupal.org/viewvc.py/drupal/contributions/sandbox/robloach/mo... .

The bot_auth_authenticate function checks the cached credentials and then returns the data object with the uid added if the credentials match. From there, to check permissions we call user_access('ahem', $user);. In total, it looks like this:

// Look up the account whose stored hostname matches the requester ($data).
$user = bot_auth_authenticate($data);
// Then defer to Drupal's own permission system for the actual check.
if (user_access('ahem', $user)) {
  // Do something
}

Comments

RobLoach

Status: Patch (to be ported) » Needs work
FileSize: 2.8 KB

Things left:

  1. The user sticks their hostname into their user account, and the bot compares the username with the hostname when the user makes requests of the bot. Using the hostname means that sessions don't have to be created or destroyed.
  2. The user sends a private query to the bot "login [password]", and the bot checks for the IRC Drupal username, along with the Drupal password, registers a session until the user logs off, changes nicknames, their hostname is switched, etc. This is a big task, and we might think about just taking a look at it later on.
  3. Make some of the modules use the authentication system?
RobLoach

bot_auth_user should be bot_user.

RobLoach

FileSize: 3.46 KB

The provided patch allows authentication without setting your hostname. The way this works is that you send the message "login <password>" to the bot. This compares your IRC username and the provided password against the Drupal database, and authenticates the IRC hostname with your account.

Joey: login notmypassword
Druplicon: Login failed.
Joey: login mypassword
Druplicon: Login successful.

When successful, your Drupal account will have the updated hostname, which will then authenticate correctly when calling bot_authenticate($data). Users sometimes share the same hostname, when they're on the same connection. This can be made more secure by implementing the following:

  1. "logout", which will remove your saved hostname.
  2. Register the other IRC events (part, quit, change nickname, etc) to force a removal of the hostname, only if you authenticated with "login". If you didn't authenticate with login, then it is assumed that you're using a custom hostname (like a Drupal.org cloak)
RobLoach

FileSize: 4.03 KB

This patch features the "logout" command, which removes your hostname, making your session invalid. The only insecurity with this is if a user forgets to log out before they change their name or quit, and then someone on the same connection comes along, uses the same username, and talks to the bot. Although this is really unlikely to happen, it can be fixed by adding those automatic logout events. We'd have to make sure not to log out people who don't want to be automatically logged out, like when they're using a Drupal.org cloak, because that is unique to each user. Since authentication is still done by the host, it makes it pretty secure.

Another nice-to-have feature that's not required is the use of alternative IRC usernames. Right now it assumes your IRC nickname is the same as the Drupal username. What if you're using MorbusIff instead of Morbus? The reason for requiring their IRC name to match their Drupal name is that when we're checking their authentication, it's easy to do a user_load('name' = ___). It's rather difficult to do a user_load() on something in the data column of the user table. Any thoughts? We could do some regex, but that's horribly ugly. I think this is good for now.

  1. "logout", which will remove your saved hostname.
  2. Register the other IRC events (part, quit, change nickname, etc) to force a removal of the hostname, only if you authenticated with "login". If you didn't authenticate with login, then it is assumed that you're using a custom hostname (like a Drupal.org cloak).... Not required, but nice.
  3. Alternative nicknames?..... Not required, but nice.
RobLoach

Status: Needs work » Needs review
FileSize: 5.37 KB

This patch adds an option in your user account setting to have it automatically log you out if you quit or change your username. It also adds the "logout" command. Are there any other events we have to register? This looks pretty good to me....

To test:

  1. Apply the patch and restart your bot
  2. Edit your user account and see the new hostname and automatic logout features. Change them if you want, not required if you don't know your IRC hostname.
  3. In IRC, send a message to the bot.... /msg MyBot login.......
  4. If you put in your hostname, and your Drupal username is the same as your IRC nickname, you won't have to put in a password because the hostname is secured to your username. This should log you in. If you didn't put in your hostname, it will tell you to use "login < password >".
  5. When you do login, it should say you logged in successfully. Go back to the website and edit your account. You'll see that your hostname is registered with your new session hostname.
  6. Edit your account, and enable Automatic Logout.
  7. Close your IRC client, without logging out of the Bot and wait a second.
  8. Re-Edit your website account and see that your hostname is no longer tailored to your account (it's empty).
  9. Play around with the Bot's login and logout features..... "login < password >", "logout", "login".... and don't forget to dance!

The host name is definitely the way to do this, because it is handled through nickserv, which is secure. With the automatic logout feature, if a user changes their nickname, or gets disconnected, the bot will kill their session by removing the hostname from their account. In addition to that, the only time that users will have the same hostname is if they're running under the same connection (same LAN). But, since automatic logout un-tailors the username when the nickname changes, this is not a problem. Yay! Leaving Automatic Logout disabled when you're on a unique hostname is very nice so that you don't have to login whenever you want a new session (when your hostname is a cloak).

Things to talk about:

  1. Someone has to look at the code and give it a code review, it all looks good to me!
  2. Automatic logout enabled by default?
  3. What other events should we register for automatic logout?
RobLoach

Status: Needs review » Needs work

Anonymous users still have a valid user object. We have to force a check to uid 0.
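
A stand-alone model of the host-bound login/logout design from RobLoach's patches above (hostname bound by "login <password>", cleared by "logout" or by QUIT/NICK when the per-account Automatic Logout option is on), including the explicit uid 0 check this comment asks for. This is an added example, not code from the bot_auth patches or from Drupal: an in-memory dict stands in for the Drupal user table, PBKDF2 stands in for Drupal's password hashing, and the nick Joey, the hostname lan.example.net and the permission name 'ahem' are constructed for the demo.

```python
"""Model of the host-bound IRC login that RobLoach's patches describe.
Constructed example, not the bot_auth patch or Drupal code: an in-memory dict
stands in for the Drupal user table and PBKDF2 for Drupal's password hashing."""
import hashlib
import hmac
import os

ANONYMOUS_UID = 0  # Drupal's anonymous account is a valid user object with uid 0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Users:
    """Stand-in for Drupal's {users} table; records are keyed by Drupal username,
    which the patch assumes is also the IRC nick."""

    def __init__(self):
        self._by_name = {}

    def add(self, name, password, permissions=(), autologout=True):
        salt = os.urandom(16)
        self._by_name[name] = {
            "uid": len(self._by_name) + 1,
            "name": name,
            "salt": salt,
            "hash": _hash(password, salt),
            "host": None,              # IRC hostname bound to the account, if any
            "autologout": autologout,  # the per-account "Automatic Logout" option
            "permissions": set(permissions),
        }

    def load(self, name):
        return self._by_name.get(name)

    def check_password(self, rec, password):
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


class Bot:
    def __init__(self, users):
        self.users = users

    def authenticate(self, data):
        """bot_authenticate() pattern: the account whose stored host matches the
        sender's host, else the anonymous user.  No caching, so a logout takes
        effect on the very next request."""
        rec = self.users.load(data["nick"])
        if rec is not None and rec["host"] is not None and rec["host"] == data["host"]:
            return rec
        return {"uid": ANONYMOUS_UID, "name": "anonymous", "permissions": set()}

    def user_access(self, perm, account):
        # Anonymous is still a valid object, so uid 0 must be rejected explicitly.
        if account["uid"] == ANONYMOUS_UID:
            return False
        return perm in account["permissions"]

    def login(self, data, password=None):
        if self.authenticate(data)["uid"] != ANONYMOUS_UID:
            return "Already logged in."
        if password is None:
            return 'Use "login <password>".'
        rec = self.users.load(data["nick"])
        if rec is None or not self.users.check_password(rec, password):
            return "Login failed."
        rec["host"] = data["host"]  # bind this IRC host to the account
        return "Login successful."

    def logout(self, data):
        rec = self.users.load(data["nick"])
        if rec is not None and rec["host"] == data["host"]:
            rec["host"] = None
            return "Logged out."
        return "Not logged in."

    def _auto_logout(self, data):
        rec = self.users.load(data["nick"])
        if rec is not None and rec["autologout"] and rec["host"] == data["host"]:
            rec["host"] = None

    # IRC events the thread registers for automatic logout
    def on_quit(self, data):
        self._auto_logout(data)

    def on_nick(self, data, new_nick):
        self._auto_logout(data)


def shared_host_scenario(autologout):
    """Joey logs in, quits without 'logout', and someone on the same connection
    (same host) takes the nick and talks to the bot.  Returns the bot's replies
    to Joey and whether the second person ends up with Joey's access."""
    users = Users()
    users.add("Joey", "mypassword", permissions={"ahem"}, autologout=autologout)
    bot = Bot(users)
    joey = {"nick": "Joey", "host": "lan.example.net"}
    replies = [bot.login(joey, "notmypassword"), bot.login(joey, "mypassword")]
    bot.on_quit(joey)
    impostor = {"nick": "Joey", "host": "lan.example.net"}  # same LAN, same nick
    hijacked = bot.user_access("ahem", bot.authenticate(impostor))
    return replies, hijacked
```

Running shared_host_scenario(False) reproduces the case described above: with Automatic Logout off, the quit leaves the host bound and the impostor passes user_access; with it on, the QUIT handler clears the host and the impostor is treated as uid 0.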

RobLoach

Assigned: Unassigned » RobLoach
Status: Needs work » Needs review
FileSize: 4.6 KB

Removed caching from bot_authenticate, because caching can be scary when doing secure stuff.

RobLoach

We've been using this for the Ping.fm IRC bot on PingFeeder.com with some pretty good success.

RobLoach

Status: Needs review » Needs work

Automatically Logout should be toggled for all users by default. Maybe switch the logic to have it as "Remember host name" instead of "Automatically log out"?

Morbus Iff

Random comments for the next time we can work on this:

* autologout will be compulsory; I don't want to /allow/ a security hole, at all, convenience or not.
* you're currently saving things into user.data; that's deprecated. we need a new table.
* IRC nicks and usernames are not necessarily the same (ie., my Morbus Iff vs. Morbus).

snufkin

My take on this issue:

http://cvs.drupal.org/viewvc.py/drupal/contributions/sandbox/snufkin/bot...

Provides two tables, one for storing the active user sessions (bot_sessions), the other one to store user-specific settings (bot_users). I was hesitant to use global variables for storage of active sessions, so it's all database updates.

A session is created when the user verifies his or her account on IRC by PMing /msg <botname> auth <key> to the bot. The key can be set in the user profile. It is configurable (default yes) whether the key should be the same as the Drupal password; if unchecked, the key field value is used.

The session timestamp is updated when the user does something on IRC.

Session expiration is a configuration option under bot/settings/bot_auth, defaulting to 3600 seconds. After that much inactivity the user is removed from the active sessions (this relies on a frequent run of bot_cron).

Feedback would be most welcome.

meecect

+subscribe

tobias

+1

snufkin

Any chance that the bot_auth code can be committed? What can i do to help you with it? Would rolling a patch help?

scottrigby

@Rob Loach I'd love to test this out in our IRC channels, but do you have any advice about the status of this patch?
Like if you've had updated ideas, whether it should still work with current code etc?
Thanks :)

Morbus Iff

Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Needs work » Fixed

So, I've committed a first version of bot_auth.module in 7.x-dev. It is a merging of both of your approaches.

  • @RobLoach: I ended up agreeing with you: using $data->host was the stronger approach. I ended up saying, well, Drupal itself maintains its own {sessions} with the IP address, and that suffers all the same things I was worried about with hostname.
  • @snufkin: I used your {bot_sessions} table (revised to get rid of unnecessary columns) and your nickchange logic. I also agreed that this should be its own little module and not part of bot.module core.
  • I've removed all the UI. There's no talk about setting your hostname (too complicated for IRC newbs), no IRC-only authentication key (I don't need another password to remember), no "auto-logout" (should be a default), no "tell us your nick" (we know this!), nothing. I'm firmly in the camp of "things should just work" and most IRC bots have gotten by just fine over the years without a website or form submission.
  • To log in, you use your own Drupal username and account: /msg BOTNAME USERNAME/PASSWORD. My username on IRC (Morbus) is rarely the same as my actual username on a Drupal site (Morbus Iff). Mine's an even odder case cos I use spaces, which makes parsing more difficult (login Morbus Iff Whee - which is the password?). I considered commas (drupal_explode_tags() would make parsing easy), but ultimately decided on the / as it felt more natural. With that said, it'll break if a password contains a / in it.
  • Logging out happens automatically, either when you QUIT from the server or when your session has been active for more than an hour. User activity does not reset your session (per @snufkin's code): sessions last an hour and that's it, regardless. If you want to renew your session, just login (to the bot) again. I will likely change this in the next commit - I'm not hugely happy with it, and I have a new project that requires a session to be up all the time if the user is logged in (regardless of their activity or not).
  • @Robloach's pattern for bot_authenticate() was duplicated in bot_auth_nick_authed().
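
A stand-alone model of the committed design described in this comment and of snufkin's session-table approach earlier in the thread: a {bot_sessions}-style store keyed by IRC nick, a USERNAME/PASSWORD login (with the "/ in the password" caveat shown against a split on the first slash only), a bot_auth_nick_authed()-style lookup, and the two expiry policies the thread compares (a fixed hour from login, as committed, versus an hour from last activity, as in snufkin's timestamp update). This is an added example, not the bot_auth module's code or Drupal's: the in-memory dict stands in for the {bot_sessions} table, PBKDF2 stands in for Drupal's password check, the reply strings and the password "wh/ee" are constructed, and two assumptions are made that the thread does not state: that Drupal usernames never contain "/", and that a nick change carries the session to the new nick (snufkin's nickchange logic is not spelled out on this page).

```python
"""Model of the bot_auth design in the 7.x commit described above.  Constructed
example, not the module's code.  Assumptions: {bot_sessions} is an in-memory
dict keyed by IRC nick, PBKDF2 stands in for Drupal's password check, usernames
never contain '/', and a nick change carries the session to the new nick."""
import hashlib
import hmac
import os

SESSION_TTL = 3600  # one hour, as in the commit and snufkin's default


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_users(*pairs):
    """Constructed user table: Drupal name -> {uid, salt, hash}."""
    users = {}
    for uid, (name, password) in enumerate(pairs, start=1):
        salt = os.urandom(16)
        users[name] = {"uid": uid, "salt": salt, "hash": _hash(password, salt)}
    return users


def parse_login_naive(message):
    """Split on every '/': 'Morbus Iff/wh/ee' gives three parts and is rejected,
    which is the breakage the commit note warns about."""
    parts = message.split("/")
    return tuple(parts) if len(parts) == 2 else None


def parse_login(message):
    """Split on the first '/' only, so the password may contain '/'.  Correct
    only under the assumption that usernames never contain '/'."""
    if "/" not in message:
        return None
    name, password = message.split("/", 1)
    return name, password


class BotAuth:
    def __init__(self, users, clock, refresh_on_activity=False):
        self.users = users
        self.clock = clock            # callable returning seconds; injected for the demo
        self.refresh = refresh_on_activity
        self.sessions = {}            # nick -> {uid, started, last}

    def login(self, nick, message):
        parsed = parse_login(message)
        if parsed is None:
            return "Usage: USERNAME/PASSWORD"
        name, password = parsed
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return "Login failed."
        now = self.clock()
        self.sessions[nick] = {"uid": rec["uid"], "started": now, "last": now}
        return "Logged in as %s." % name

    def nick_authed(self, nick):
        """bot_auth_nick_authed() pattern: uid bound to this nick, or 0 when there
        is no live session.  Fixed TTL from login (the commit) or from last
        activity (snufkin's timestamp update), selected by refresh_on_activity."""
        s = self.sessions.get(nick)
        if s is None:
            return 0
        now = self.clock()
        anchor = s["last"] if self.refresh else s["started"]
        if now - anchor > SESSION_TTL:
            del self.sessions[nick]
            return 0
        s["last"] = now
        return s["uid"]

    def on_quit(self, nick):
        self.sessions.pop(nick, None)  # QUIT ends the session immediately

    def on_nick(self, old, new):
        s = self.sessions.pop(old, None)  # assumption: session follows the nick
        if s is not None:
            self.sessions[new] = s


def expiry_scenario(refresh_on_activity):
    """'Morbus' logs in as 'Morbus Iff' and talks to the bot every 20 minutes for
    two hours; returns the uid seen at each check (0 once the session is gone)."""
    users = make_users(("Morbus Iff", "wh/ee"))
    t = [0]
    bot = BotAuth(users, clock=lambda: t[0], refresh_on_activity=refresh_on_activity)
    if bot.login("Morbus", "Morbus Iff/wh/ee") != "Logged in as Morbus Iff.":
        raise RuntimeError("login should succeed")
    seen = []
    for _ in range(6):
        t[0] += 1200
        seen.append(bot.nick_authed("Morbus"))
    return seen
```

expiry_scenario(False) shows the committed behaviour: the session answers for exactly one hour and is then gone regardless of activity, so the fourth check (at 80 minutes) already returns 0; expiry_scenario(True) shows the activity-refreshed variant, where 20-minute gaps keep the session alive for the whole run.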

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.