Open aspark21 opened 4 years ago
As the IP whitelist has no use in a prod site, I think it would be fine to enforce it, if set, for both the normal passwords and the master passwords across the board without the need for a new option.
Pull requests welcome
As far as I can tell, this authentication method bypasses the Login Token (https://docs.moodle.org/dev/Login_token) security feature. Seems like it could make brute-forcing passwords slightly easier.
I am interested in this plugin for the crawler tool, nothing else. So ideally this plugin should only be available to a single account (the crawler tool account) or the IP of the server(s) which run the scheduled tasks/cron.
I can see the IP Whitelist setting is only used in relation to the master password option.
I think there should be an option to have an IP Whitelist for any use of this auth plugin; the real question is whether this should be a separate whitelist from the master password whitelist.