TheEternalCitizens / mudlet-integration

A mudlet integration for The Eternal City
GNU General Public License v2.0

Prepare Login for mudlet 4.10.0 #119

Open davewiththenicehat opened 4 years ago

davewiththenicehat commented 4 years ago

Mudlet V 4.11 login will change. It will remove the current ability to automatically collect ID and password from the mudlet profile selection screen.

Update to support PR: https://github.com/Mudlet/Mudlet/pull/3952

SlySven commented 4 years ago

Yes, we have closed the password security hole that leaked the user's password (only, not the user name) to scripts/passwords in https://github.com/Mudlet/Mudlet/pull/3928 - which will show up in the next release 4.10.0 - however I am just finalizing https://github.com/Mudlet/Mudlet/pull/3952 which should offer a way to send the character name and password as entered on Mudlet's profile selection. Those details will be send-able as isolated texts (i.e. on their own without any other characters around them) on command and the user name can be acquired by a script/package with another new function.

For MUDs that require a custom login we will be providing a selection of fixed strings with tokens replaced with the password and optionally also the character name. Currently the only string to be offered is: connect {name} {password}

However if you require something else to be sent to the game server over the Telnet link please let us know.

davewiththenicehat commented 4 years ago

Thank you for letting me know about the patch being in 4.10.0. I reported the security hole. Asked for an update when it would be patched. Tried really hard to follow it. Is that patch in PTB? I am wondering if I did something to my PTB; I have not received an update notice for two weeks or so.

I in no way expect the mudlet team to write anything for our special case. I have to retrieve the users' password. Send it to a web server. Receive a cookie that contains an authentication key. I then use that key for login. Interestingly it is actually more complicated than that. My estimation is that our engine appears to be incompatible with telnet encryption. This allows for an encrypted login.

The only thing our client needs is a method to stop mudlet's automatic login attempt. After that I can get ID and password from the command line.

Thank you for the reply!

SlySven commented 3 years ago

> The only thing our client needs is a method to stop mudlet's automatic login attempt. After that I can get ID and password from the command line.

It looks like the proposal in https://github.com/Mudlet/Mudlet/pull/3952 is going to slip again and not make it into Mudlet 4.11.0 - eventually however you will want to provide a Lua doLogin() function (no arguments) that can determine the player's "character name" via a getCharacterName() function.

One thing to note:

> ... I have to retrieve the users' password. ....

I do not anticipate we will want to provide that capability - I took a design decision to not provide a Lua function to retrieve the (possibly securely stored) character password so as to prevent a malicious package/script from stealing user's login details. As far as sending it to a web server - that might best be done with a specific C++ core addition that is enabled only with the user's consent - though the mechanics of getting that to work are a little unclear at the moment.

PatrickDattilio commented 3 years ago

@SlySven would it be possible to create a multi step login along the lines of

authenticate("server name", list of headers, content) - you execute the call after the user grants one time/ongoing consent?

The username/password combination we have is really a website account login, which returns an authenticated password (a terrible and unencrypted rudimentary 2FA in clear text...), which is then used with the same username to perform the actual login.

davewiththenicehat commented 3 years ago

SlySven, is there a method to suppress the automated if ID and password are filled out at the connection screen? Wondering if there was a PR that split off #3952 to add that feature. I understand the concern for not wanting password access on the lua level.

Pat, John did make: https://github.com/Mudlet/Mudlet/pull/3727 For the specific purpose of TEC will work for login. Though it can't receive I think biscuits until there is qt5.15 support. Should be by the end of the year. At this point I am far less concerned about convenience of having the password at the mudlet connection window. Being stuck using cURL for authentication leaves all Windows 7 users unable to use the Parthia mudlet plugin. Well unless they want to make it work. Not to mention I have to provide cURL because I can not get to the one in the system directory. Even old installations of Windows 10 may not work.