Author Topic: When using intermediate 'authenticator': invalid request no data was saved  (Read 15440 times)

Offline twisterbr

Hi.

I implemented a PHP script that authenticates the mail account against my local MySQL and does some checks to redirect the user to the specific web server where the account is hosted (I have Roundcube installed on 3 servers)... I used this script in 0.5 and it was working well... but after I migrated to 0.6, when I try to log in I receive the message:
invalid request! no data was saved.

I guess this has to do with some vars not being called by my script... So I ask: what were the changes made in 0.6 related to the form variables, that I'm probably forgetting to call?

I use the following to authenticate:
echo "<form action='http://roundcube-" . $row[0] . ".domain.com.br/index.php' method=POST>";
echo "";
echo "";
echo "";
echo "";


Sorry for my English.

Offline SKaero

« Reply #1 on: October 14, 2011, 12:07:18 PM »
It sounds like you're missing your $args['cookiecheck'] = false; or $args['valid'] = true; in your authenticate function.

Offline twisterbr

« Reply #2 on: October 17, 2011, 11:17:00 AM »
Quote from: skaero;36927
It sounds like you're missing your $args['cookiecheck'] = false; or $args['valid'] = true; in your authenticate function.

 
You mean like this for example?



it didn't work =(


Actually I don't remember using these 2 vars when I was with the v0.5.... don't know if it's different on 0.6

Offline SKaero

« Reply #3 on: October 17, 2011, 12:55:16 PM »
No that needs to be in the auto login plugin.

Offline twisterbr

« Reply #4 on: October 17, 2011, 12:56:39 PM »
Just to add something...

I am passing the vars (_user, _pass, _action, _task) from my HTML authenticator so that Roundcube's index.php can authenticate. It gets the vars from the POST I sent and authenticates... so the only thing I need is to pass the correct variables for authentication... I'm missing something... any ideas??

Offline SKaero

« Reply #5 on: October 17, 2011, 01:19:12 PM »
You need to have a RoundCube plugin in order for it to accept that data, there is an example here: autologon.php in trunk/plugins/autologon

Offline twisterbr

« Reply #6 on: October 17, 2011, 01:47:21 PM »
Quote from: skaero;36947
You need to have a RoundCube plugin in order for it to accept that data, there is an example here: autologon.php in trunk/plugins/autologon

 

Thank you for your help. But I didn't change the plugin, I'm still using it without any modification... I just pass the vars through an alternative file, which is my PHP authenticator that has the form action pointing to the index.php (untouched) in Roundcube's root.... So my authenticator only has the job of sending the vars so the index.php can actually log the user in.


Sorry if I'm 'misexpressing' my issue...

Offline twisterbr

« Reply #7 on: October 17, 2011, 02:23:14 PM »
Basically my script is just like this:








Offline SKaero

« Reply #8 on: October 17, 2011, 02:28:54 PM »
I understand the problem but you can't just post the username and password to RoundCube anymore. For security you have to have an auto login plugin with $args['cookiecheck'] = false; and $args['valid'] = true; in the authenticate function to allow RoundCube to use the post data.

Offline rluch

« Reply #9 on: October 25, 2011, 05:20:21 PM »
I am having this issue as well. My setup/files is described here: [PHP] RoundCube 0.6 - Pastebin.com

I am including the http_authentication as plugin in my main.inc.php.
The http_authentication.php-script has:
 $args['cookiecheck'] = false; and $args['valid'] = true;

Still, I get this "invalid request no data was saved" error when logging in from the remote form.
This exact setup worked with the previous install (0.5.4, I think!).

Hope someone can help me out!

Offline rosali

« Reply #10 on: October 26, 2011, 02:16:22 AM »
I think you have to remove the following code from the authenticate hook:


    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    if (!empty($args['user'])) {
        return $args;
    }

EDIT:

Alternatively you could move ...

    $args['cookiecheck'] = false;
    $args['valid'] = true;

... to top of authenticate hook.
« Last Edit: October 26, 2011, 02:24:39 AM by rosali »
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline rluch

« Reply #11 on: October 26, 2011, 03:39:25 PM »
Moving the checks to the top worked perfectly! Thanks a bunch rosali!

AFAIK, this change defeats the CSRF protection.
Is there a way to keep CSRF active for all domains/referrers except the one we use for the external login forms?

Offline rosali

« Reply #12 on: October 27, 2011, 01:05:28 AM »
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook:

    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    if (!empty($args['user']) && isset($_POST['_external'])) {
        $args['cookiecheck'] = false;
        $args['valid'] = true;
        return $args;
    }
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline rluch

« Reply #13 on: October 27, 2011, 03:46:47 PM »
Quote from: rosali;37086
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook:

    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    if (!empty($args['user']) && isset($_POST['_external'])) {
        $args['cookiecheck'] = false;
        $args['valid'] = true;
        return $args;
    }

 
Once again thank you for your awesome answer, Rosali.
After some brainstorming, I have concluded that no matter how you try to implement CSRF protection in this example, it can either be spoofed (fx. referrer validation) or otherwise bypassed (hidden inputs, can just be copied) by a potential attacker.
Hope this helps someone! Also, please correct me if this conclusion is straight up wrong :)

Offline rosali

« Reply #14 on: October 27, 2011, 11:07:44 PM »
The conclusion is wrong. Roundcube processes only forms and AJAX requests which contain a unique token which is generated by Roundcube.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)
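
Added example, not code from this thread or from the Roundcube project: a variant of the authenticate hook discussed in replies #12 and #13 that skips the request-token check only when the external form carries a fresh HMAC issued by the external authenticator, instead of a static `_external` flag. The plugin name `external_login`, the POST fields `_ext_ts` and `_ext_sig`, the config key `external_login_secret` and the 60-second window are assumptions made for this illustration; `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Hypothetical plugin for illustration (not Roundcube's own code).
// The external authenticator and this plugin share a secret. The login form
// carries _ext_ts (Unix time) and _ext_sig, which the authenticator computes as
//   hash_hmac('sha256', $user . '|' . $ts, $secret)
class external_login extends rcube_plugin
{
    const MAX_AGE = 60; // seconds a signed form stays acceptable (assumed value)

    function init()
    {
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function authenticate($args)
    {
        // 'external_login_secret' is an assumed key set in the Roundcube config
        $secret = rcmail::get_instance()->config->get('external_login_secret');
        $ts  = isset($_POST['_ext_ts'])  ? (string) $_POST['_ext_ts']  : '';
        $sig = isset($_POST['_ext_sig']) ? (string) $_POST['_ext_sig'] : '';

        // No secret or no signed fields: leave Roundcube's normal checks in place
        if (empty($secret) || empty($args['user']) || $ts === '' || $sig === '') {
            return $args;
        }

        // Reject stale or future-dated forms so an old signed form is not accepted
        if (!ctype_digit($ts) || abs(time() - (int) $ts) > self::MAX_AGE) {
            return $args;
        }

        // Recompute the HMAC over the posted user name and timestamp,
        // then compare in constant time
        $expected = hash_hmac('sha256', $args['user'] . '|' . $ts, $secret);
        if (hash_equals($expected, $sig)) {
            $args['cookiecheck'] = false;
            $args['valid'] = true;
        }

        return $args;
    }
}
```

With this hook, a request that lacks a valid signature falls through unchanged, so Roundcube's own token check still applies to it.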