Scifabric / pybossa

PYBOSSA is the ultimate crowdsourcing framework (aka microtasking) to analyze or enrich data that can't be processed by machines alone.
http://pybossa.com
GNU Affero General Public License v3.0

Facebook login security / problems #635

Closed redhog closed 10 years ago

redhog commented 10 years ago

If you have an existing local user, and then try to sign in with a facebook account with the same username (or maybe email too?), it seems to reuse that user, and then fail somehow:

[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3] Traceback (most recent call last):
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1836, in __call__
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     return self.wsgi_app(environ, start_response)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1820, in wsgi_app
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     response = self.make_response(self.handle_exception(e))
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1403, in handle_exception
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     reraise(exc_type, exc_value, tb)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     response = self.full_dispatch_request()
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1477, in full_dispatch_request
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     rv = self.handle_user_exception(e)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1381, in handle_user_exception
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     reraise(exc_type, exc_value, tb)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     rv = self.dispatch_request()
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     return self.view_functions[rule.endpoint](**req.view_args)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/lib/python2.7/site-packages/flask_oauth.py", line 433, in decorated
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     return f(*((data,) + args), **kwargs)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/pybossa/pybossa/view/facebook.py", line 70, in oauth_authorized
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     msg, method = get_user_signup_method(user)
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]   File "/srv/pybossa/pybossa/pybossa/util.py", line 298, in get_user_signup_method
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3]     if user.info.get('google_token'):
[Thu Jan 09 12:48:02 2014] [error] [client 90.231.71.3] AttributeError: 'NoneType' object has no attribute 'info'
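The failure mode reported above (a social login colliding with an existing local account and then dereferencing a user that was never resolved) can be modelled with a small account-linking lookup. This is an added example, not pybossa's code; `UserStore`, `facebook_oauth_authorized`, `AccountCollision` and the in-memory users are hypothetical, and only the helper name `get_user_signup_method` is taken from the traceback.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    email: str
    info: dict = field(default_factory=dict)  # provider tokens/ids live here

class UserStore:
    """Constructed in-memory stand-in for the user table."""
    def __init__(self):
        self.users = []

    def add(self, user):
        self.users.append(user)
        return user

    def by_facebook_id(self, fb_id):
        return next((u for u in self.users
                     if u.info.get('facebook_user_id') == fb_id), None)

    def by_name_or_email(self, name, email):
        return next((u for u in self.users
                     if u.name == name or u.email == email), None)

def get_user_signup_method(user):
    """Hardened helper: never touch .info on a user that was not found."""
    if user is None:
        return None, None
    if user.info.get('facebook_user_id'):
        return 'Facebook', 'facebook'
    return 'local', 'local'

class AccountCollision(Exception):
    """Raised instead of silently reusing a local account for a social login."""

def facebook_oauth_authorized(store, fb_id, name, email):
    # 1. Match only on the provider's stable id, never on username/email.
    user = store.by_facebook_id(fb_id)
    if user is not None:
        return user
    # 2. A name/email clash with an existing account is an error, not a merge:
    #    reusing that account would let a social identity take over a local one.
    clash = store.by_name_or_email(name, email)
    if clash is not None:
        raise AccountCollision(
            'account %r already exists; sign in locally and link it explicitly' % name)
    # 3. No clash: create the social account with the provider id recorded.
    return store.add(User(name, email, {'facebook_user_id': fb_id}))
```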

redhog commented 10 years ago

Note: I do not have google login enabled, nor twitter, only facebook...

teleyinex commented 10 years ago

Umhhh, that should be fixed long time ago. I'll check it again, probably it is a regression. Sorry about that!

redhog commented 10 years ago

All my code is based off of v0.1.0. Maybe that's "old" now that 0.2.1 is out?

redhog commented 10 years ago

Is there any risk involved in just upgrading (doing a pull)? Have any of the database schema stuff changed?

teleyinex commented 10 years ago

Hi Egil,

I would recommend you to upgrade, as the last versions have a much better and improved backend ;-)

From the point of view of the database, you are covered. We use a tool called Alembic (from the creator of SQLAlchemy) that allows you to alter the DB to the latest changes with just one single command:

alembic upgrade head

This tool allows also to go down, or do downgrades, so you can actually revert the changes if you want. But, before doing anything, please, please, take a backup :-)

The other changes before upgrading are the following: you will need a Redis server. I added this change for two reasons:

  1. I was using Flask-Cache but they have a bug and it was not working at all (all the keys expired after 50 seconds, independently of what you configured, ugh -- reported here: https://github.com/thadeusb/flask-cache/issues/78 )
  2. Redis supports Sentinel, developed by the same team, that gives you access to High Availability + Load Balance Redis backends, or in other words: a cache that's amazing!

Thus, with all those issues in mind I decided to create my own caching system http://daniellombrana.es/blog/2013/11/26/pybossa-cache.html based on Redis + Sentinel and I'm really happy about it :-) Right now Crowdcrafting is served in average in less than 200ms thanks to this solution, and if one cache node goes down, the system autorecovers itself :-)

You will find all the documentation in docs.pybossa.com, but if you need help with it, please, ask, I'll be really happy to help you.

Finally, I would like to mention that the really last version has two really important features that "may force you" to upgrade: security fixes. Basically we have discovered that some people had fun attacking the system, that's good, it means that we are becoming "popular" ;-), so I've implemented: rate-limiting and a cookie secured system for reducing the possibilities of attacks.

Again, everything is documented and you should be fine, but let me know if you need help.

I hope now you have a better idea of what I'm doing :D

All the best,

Daniel

PS: I've also created a package called Enki that allows you to analyze your PyBossa apps much easier than before. You've all the info here: http://daniellombrana.es/blog/2013/12/16/pybossa-enki.html

On Thu, Jan 9, 2014 at 2:21 PM, Egil Möller notifications@github.com wrote:

Is there any risk involved in just upgrading (doing a pull)? Have any of the database schema stuff changed?


teleyinex commented 10 years ago

I'm closing this issue, as it is old and should be fixed in the current code in master.