Roundcube Community Forum

Release Support => Pending Issues => Topic started by: twisterbr on October 13, 2011, 09:12:48 AM

Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: twisterbr on October 13, 2011, 09:12:48 AM
Hi.

I implemented a php script that authenticates the mail account in my local mysql and does some checks to redirect the user to the specific web server where the account is hosted (i have roundcube installed in 3 servers)... I used this script in 0.5 and it was working well... but after I migrated to 0.6, when I try to login I receive the message:
invalid request! no data was saved.

I guess this has to do with some vars not being called by my script... So I ask: what were the changes made in 0.6 related to the form variables, that I'm probably forgetting to call?

I use the following to authenticate:
echo "
";
  echo "";
  echo "";
  echo "";
  echo "";


sorry for my english..
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: SKaero on October 14, 2011, 12:07:18 PM
It sounds like you're missing your $args['cookiecheck'] = false; or $args['valid'] = true; in your authenticate function.
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: twisterbr on October 17, 2011, 11:17:00 AM
Quote from: skaero;36927
It sounds like you're missing your $args['cookiecheck'] = false; or $args['valid'] = true; in your authenticate function.

 
You mean like this for example?



it didn't work =(


Actually I don't remember using these 2 vars when I was on v0.5.... don't know if it's different on 0.6
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: SKaero on October 17, 2011, 12:55:16 PM
No that needs to be in the auto login plugin.
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: twisterbr on October 17, 2011, 12:56:39 PM
Just to add something...

I am passing the vars (_user, _pass, _action, _task) from my html authenticator so roundcube's index.php can authenticate. It gets the vars from the POST I sent and authenticates... so the only thing I need is to pass the correct variables for authentication... i'm missing something... any ideas??
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: SKaero on October 17, 2011, 01:19:12 PM
You need to have a RoundCube plugin in order for it to accept that data, there is an example here: autologon.php in trunk/plugins/autologon (http://trac.roundcube.net/browser/trunk/plugins/autologon/autologon.php)
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: twisterbr on October 17, 2011, 01:47:21 PM
Quote from: skaero;36947
You need to have a RoundCube plugin in order for it to accept that data, there is an example here: autologon.php in trunk/plugins/autologon (http://trac.roundcube.net/browser/trunk/plugins/autologon/autologon.php)

 

Thank you for your help. But I didn't change the plugin, I'm still using it without any modification... I just pass the vars through an alternative file, which is my php authenticator that has the form action pointing to the index.php (untouched) in roundcube's root.... So my authenticator only has the job of sending the vars so the index.php can actually log the user in.


sorry if i'm 'misexpressing' my issue...
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: twisterbr on October 17, 2011, 02:23:14 PM
Basically my script is just like this:

Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: SKaero on October 17, 2011, 02:28:54 PM
I understand the problem but you can't just post the username and password to RoundCube anymore. For security you have to have an auto login plugin with $args['cookiecheck'] = false; and $args['valid'] = true; in the authenticate function to allow RoundCube to use the post data.
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rluch on October 25, 2011, 05:20:21 PM
I am having this issue as well. My setup/files are described here: [PHP] RoundCube 0.6 - Pastebin.com (http://pastebin.com/9JBEZKZd)

I am including the http_authentication as plugin in my main.inc.php.
The http_authentication.php-script has:
 $args['cookiecheck'] = false; and $args['valid'] = true;

Still, I get this "invalid request no data was saved" error when logging in from the remote form.
This exact setup worked with the previous install (0.5.4, I think!).

Hope someone can help me out!
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rosali on October 26, 2011, 02:16:22 AM
I think you have to remove the following code from the authenticate hook:


    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    if (!empty($args['user'])) {
        return $args;
    }

EDIT:

Alternatively you could move ...

    $args['cookiecheck'] = false;
    $args['valid'] = true;

... to top of authenticate hook.
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rluch on October 26, 2011, 03:39:25 PM
Moving the checks to the top worked perfectly! Thanks a bunch rosali!

AFAIK, this change defeats the CSRF protection.
Is there a way to keep CSRF active for all domains/referrers except the one we use for the external login forms?
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rosali on October 27, 2011, 01:05:28 AM
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook:

    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    // Only skip the request-token check when the external form set the _external flag
    if (!empty($args['user']) && isset($_POST['_external'])) {
        $args['cookiecheck'] = false;
        $args['valid'] = true;
        return $args;
    }
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rluch on October 27, 2011, 03:46:47 PM
Quote from: rosali;37086
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook:

    // Allow entering other user data in login form,
    // e.g. after log out (#1487953)
    // Only skip the request-token check when the external form set the _external flag
    if (!empty($args['user']) && isset($_POST['_external'])) {
        $args['cookiecheck'] = false;
        $args['valid'] = true;
        return $args;
    }

 
Once again thank you for your awesome answer, Rosali.
After some brainstorming, I have concluded that no matter how you try to implement CSRF protection in this example, it can either be spoofed (fx. referrer validation) or otherwise bypassed (hidden inputs, can just be copied) by a potential attacker.
Hope this helps someone! Also, please correct me if this conclusion is straight up wrong :)
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: rosali on October 27, 2011, 11:07:44 PM
The conclusion is wrong. Roundcube processes only forms and AJAX requests which contain a unique token which is generated by Roundcube.
Title: When using intermediate 'authenticator': invalid request no data was saved
Post by: stalker150 on November 18, 2011, 09:38:58 AM
Quote from: rosali;37071
Alternatively you could move ...

    $args['cookiecheck'] = false;
    $args['valid'] = true;

... to top of authenticate hook.


Is there no way to enable the external form login without changing the authenticate hook? I have to keep my Roundcubemail "update-secure" and as I can see in the new beta version the authenticate hook will be overwritten with the next update, so the changes to http_authentication.php in the plugin folder will be lost.

//EDIT: Wait ... I can just copy the http_authentication.php in a new plugin folder, rename it and it's safe I guess. We can drop this question.
 
Quote from: rosali;37086
You could pass a variable from the external login form (f.e. ) and check this in the authenticate hook: [...]

Quote from: rosali;37098
The conclusion is wrong. Roundcube processes only forms and AJAX requests which contain a unique token which is generated by Roundcube.


Is it as safe as it was before ... without the http_authentication plugin enabled?
What about the CSRF-protection? Is that enabled after all?

//EDIT²: Okay just found out ... $args['valid'] = true; disables the CSRF-check so it's insecure I guess.
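As an added example (not code from this thread, and not Roundcube's own http_authentication or autologon plugin), here is a stand-alone plugin that takes rosali's `_external` idea one step further: instead of a hidden flag that anyone can copy, the external authenticator posts a short-lived HMAC token bound to the username, and the authenticate hook only sets `$args['valid'] = true` when that token verifies, so the built-in request-token check stays active for every other request. The plugin name, the `_external_token` field and the shared secret are assumptions.

```php
<?php
// Added example, not from this thread or Roundcube's http_authentication plugin.
// Assumed names: plugin "external_login", POST field "_external_token", $secret.
class external_login extends rcube_plugin
{
    // Known only to Roundcube and the external authenticator (assumed value).
    private $secret  = 'CHANGE-ME-long-random-shared-secret';
    private $max_age = 120;   // seconds a token stays valid; limits replay

    function init()
    {
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    // Run on the external authenticator: token = timestamp.HMAC(user|timestamp).
    public static function make_token($user, $secret, $now = null)
    {
        $ts = ($now === null) ? time() : $now;
        return $ts . '.' . hash_hmac('sha256', $user . '|' . $ts, $secret);
    }

    // True only for a well-formed, unexpired token whose MAC matches this user.
    public static function check_token($token, $user, $secret, $max_age, $now = null)
    {
        if (!preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', (string) $token, $m)) {
            return false;
        }
        $ts  = (int) $m[1];
        $now = ($now === null) ? time() : $now;
        if ($ts > $now || ($now - $ts) > $max_age) {
            return false;   // expired, or issued "in the future"
        }
        $expected = hash_hmac('sha256', $user . '|' . $ts, $secret);
        return hash_equals($expected, $m[2]);   // constant-time compare (PHP >= 5.6)
    }

    // Roundcube's authenticate hook: bypass the built-in request-token check only
    // when the posted login carries a valid signed token for the same username.
    function authenticate($args)
    {
        $token = isset($_POST['_external_token']) ? $_POST['_external_token'] : '';
        if (!empty($args['user'])
            && self::check_token($token, $args['user'], $this->secret, $this->max_age)) {
            $args['cookiecheck'] = false;
            $args['valid']       = true;
        }
        return $args;
    }
}
```

The authenticator's form still posts `_user`, `_pass`, `_task=login` and `_action=login` as described earlier in the thread, plus `_external_token` produced by `make_token()` with the same secret; the IMAP password must still be correct, so a token on its own logs nobody in.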