catalyst / moodle-auth_basic

Moodle Basic Authentication, easily test using curl, webpage test, page speed etc
https://moodle.org/plugins/auth_basic

Feature/Security - Extend IP Whitelist functionality to all logins #14

Open aspark21 opened 4 years ago

aspark21 commented 4 years ago

As far as I can tell, this authentication method bypasses the Login Token (https://docs.moodle.org/dev/Login_token) security feature. Seems like it could make brute-forcing passwords slightly easier.

Interested in this plugin for the crawler tool, nothing else. So ideally this plugin should only be available to a single account (the crawler tool account) or the IP of the server(s) which run the scheduled tasks/cron.

I can see the IP Whitelist setting is only used in relation to the master password option.

I think there should be an option to have an IP Whitelist for any use of this auth plugin; the real question is whether this should be a separate whitelist from the master password whitelist.

brendanheywood commented 4 years ago

As the ip whitelist has no use in a prod site, I think it would be fine to enforce it, if set, for both the normal passwords and the master passwords across the board without the need for a new option.

Pull requests welcome
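The check brendanheywood describes above, as an added illustration that is not part of the plugin or of this thread: a single IP allowlist gate evaluated before any password comparison, so that it covers both the normal-password and master-password paths when set and imposes no restriction when empty. The config keys (`whitelist`, `master_password`), the `USERS` table and the return codes are constructed for the example; the real plugin's settings and password verification are stand-ins here. The `remote_ip` argument is assumed to be the connection's peer address as seen by the web server, not a client-supplied header, because the allowlist is only as trustworthy as the address it is compared against.

```python
import hmac
import ipaddress

# Constructed example settings: two allowed ranges (one IPv4, one IPv6)
# and a master password. Not the plugin's real configuration.
CONFIG = {
    "whitelist": "10.0.0.0/24, 2001:db8::/32",
    "master_password": "correct-horse",
}

# Constructed stand-in for the site's user/password store.
USERS = {"crawler": "crawler-secret"}


def parse_allowlist(raw):
    """Parse a comma- or newline-separated list of IPs and CIDR ranges."""
    nets = []
    for entry in raw.replace("\n", ",").split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False accepts host bits in a range, e.g. 10.0.0.1/24 -> 10.0.0.0/24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def ip_allowed(remote_ip, allowlist):
    """True when the allowlist is unset, or when remote_ip falls inside one of its entries."""
    nets = parse_allowlist(allowlist)
    if not nets:
        return True  # not configured: no restriction, matching the "if set" proposal
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False  # malformed address: fail closed
    # 'in' on a network of a different IP version returns False, never raises
    return any(addr in net for net in nets)


def basic_auth_login(username, password, remote_ip, config, users):
    """Gate every Basic Auth attempt on the allowlist, then try both password paths."""
    # 1) The allowlist is enforced first, for every login, regardless of which
    #    password is about to be checked.
    if not ip_allowed(remote_ip, config.get("whitelist", "")):
        return "denied_ip"

    # 2) Master password path (only reachable from an allowed address).
    master = config.get("master_password", "")
    if master and hmac.compare_digest(master, password):
        return "ok_master" if username in users else "denied_user"

    # 3) Normal password path; constant-time compare against the stand-in store.
    expected = users.get(username)
    if expected is not None and hmac.compare_digest(expected, password):
        return "ok"
    return "denied_password"


if __name__ == "__main__":
    print(basic_auth_login("crawler", "crawler-secret", "10.0.0.7", CONFIG, USERS))
    print(basic_auth_login("crawler", "crawler-secret", "203.0.113.5", CONFIG, USERS))
    print(basic_auth_login("crawler", "correct-horse", "2001:db8::1", CONFIG, USERS))
```

Because the gate runs before either password is compared, an attempt from outside the allowlist is rejected without exercising the password logic at all, which is the property that removes the brute-force concern raised in the issue for sites that set the list.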