fedwiki / wiki-server

Federated Wiki client and server in Node.js

Persona login disable #46

Closed interstar closed 8 years ago

interstar commented 10 years ago

I'm also having trouble with Persona login. (Running recently downloaded version on my WebFaction.) It may be related to https://github.com/WardCunningham/wiki/issues/36

Now I can live with this as, in practice, I could run a copy of this wiki on my local machine (where editing works) and sync the pages up to my public server.

However, I don't want someone else managing to grab the ownership if it turns out there's something specifically wrong with my Persona. So is there a way to lock the public server so no-one can grab it if I can't?

cheers

Phil

interstar commented 10 years ago

FTR I just get a pop-up that says "Unable to log you in." And one of the responses I'm getting back seems to be

{"status":"failure","reason":"audience mismatch: port mismatch"}

WebFaction is another hosting which does a port redirect behind the scenes.

paul90 commented 10 years ago

It sounds as if the url parameter is not being set correctly. The default value will be incorrect, so this parameter needs to be set.

url should be set to the url that is used to access the site - and not to what the wiki server is listening to internally.

When a site is claimed the persona.identity file is created in the status directory within the data directory. It simply contains the email address of the person claiming the site.

interstar commented 10 years ago

You mean just start wiki with a --url parameter on the command line?

interstar commented 10 years ago

Should that have the http:// etc?

paul90 commented 10 years ago

Yes, so for example if your site was www.example.com you would use http://www.example.com

BUT if you're accessing it using https, you would use https://www.example.com

If you are using the standard ports, 80 (or 443 for https), then they are not needed. If however a different port is being used, that is also needed. Remember this is the port that is exposed to the world, not the one the server is listening to internally.

If you can access the site using either http or https then use the one you will be using when you want to login.

Yes, this is set using the --url parameter on the command line, or you could put it in a config.json file.

Paul


WardCunningham commented 10 years ago

I wonder if a server can learn the domain name it is serving by reading the headers of the request(s) that arrive there? I don't think there are many places where the server needs to know its own name but persona is currently one. The url rewriting that happens when you come in with no page specified, or a .html suffixed page name is another.

paul90 commented 10 years ago

Not a good idea to take anything that the browser provides; the following is from the Persona > Security considerations.

Do not trust the Host header sent by the user's browser. Do not trust an explicit parameter sent by the user's browser, but generated by your JavaScript using, e.g. document.location.

If you trust the user's browser to tell you the audience, then it becomes possible for a malicious web site to reuse assertions for its web site to log into your web site
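An added example (not wiki-server's own code) that ties together the two points made in this thread: the audience Persona checks is scheme://host[:port] as seen from outside, which is why it has to come from the configured --url rather than from the port the server listens on internally, and why it must never be derived from the request's Host header. The "audience mismatch: port mismatch" string is the one quoted above; the other reason strings, the `verifyAssertion` stand-in (a real assertion is a signed token checked by the Persona verifier service), the request shapes and the evil.example site are this example's own constructions.

```javascript
// Added example, not code from wiki-server: Persona-style audience handling.
// (1) derive the audience from the configured site URL, dropping default ports;
// (2) show why taking the audience from the request lets another site's
//     assertion log in here.

// Build the audience string from the configured site URL (the --url option).
// This is the externally visible scheme://host[:port]; a server that listens
// internally on some other port behind a port redirect still configures the
// external URL here.
function audienceFromConfig(configUrl) {
  const u = new URL(configUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('url must start with http:// or https://');
  }
  // URL parsing already drops default ports (80 for http, 443 for https),
  // so u.host is "host" or "host:port" exactly as needed for the audience.
  return `${u.protocol}//${u.host}`;
}

function effectivePort(u) {
  return u.port || (u.protocol === 'https:' ? '443' : '80');
}

// Compare the audience an assertion was issued for with the one this server
// expects. "audience mismatch: port mismatch" is the reason quoted in this
// thread; the scheme and domain reason strings are this example's wording.
function checkAudience(assertedAudience, expectedAudience) {
  const a = new URL(assertedAudience);
  const e = new URL(expectedAudience);
  if (a.protocol !== e.protocol) {
    return { status: 'failure', reason: 'audience mismatch: scheme mismatch' };
  }
  if (a.hostname !== e.hostname) {
    return { status: 'failure', reason: 'audience mismatch: domain mismatch' };
  }
  if (effectivePort(a) !== effectivePort(e)) {
    return { status: 'failure', reason: 'audience mismatch: port mismatch' };
  }
  return { status: 'okay' };
}

// Stand-in for the Persona verifier service (constructed for this example):
// a real assertion is a signed token; here it is a plain object carrying the
// audience it was issued for and the email it vouches for.
function verifyAssertion(assertion, audience) {
  const result = checkAudience(assertion.audience, audience);
  return result.status === 'okay'
    ? { status: 'okay', email: assertion.email }
    : result;
}

// INSECURE: audience taken from the request. The browser, or a malicious site
// relaying through it, controls these headers.
function audienceFromRequest(req) {
  const proto = req.headers['x-forwarded-proto'] || 'http';
  return `${proto}://${req.headers.host}`;
}

function loginInsecure(req, assertion) {
  return verifyAssertion(assertion, audienceFromRequest(req));
}

// SECURE: audience fixed by configuration, independent of anything the
// request carries.
function loginSecure(req, assertion, configuredAudience) {
  return verifyAssertion(assertion, configuredAudience);
}

// Replay scenario (constructed): a malicious site obtained an assertion for
// ITS OWN audience, then sends it to our server with a Host header naming
// that site. The insecure path accepts it; the secure path rejects it.
function demo() {
  const siteAudience = audienceFromConfig('http://www.example.com');
  const stolen = { audience: 'http://evil.example', email: 'attacker@evil.example' };
  const replay = { headers: { host: 'evil.example' } };
  return {
    insecure: loginInsecure(replay, stolen).status,   // 'okay'
    secure: loginSecure(replay, stolen, siteAudience).reason, // domain mismatch
  };
}

console.log(audienceFromConfig('http://www.example.com:80/'));
console.log(checkAudience('http://www.example.com:12345', 'http://www.example.com'));
console.log(demo());
```

The second `checkAudience` call reproduces the situation from this thread: an assertion issued for the externally visible site while the server compares against a URL built from its internal listening port, which fails with "audience mismatch: port mismatch" until --url is set to the external address.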

WardCunningham commented 10 years ago

Oh. Good points. Thanks for bringing this to my attention.

interstar commented 10 years ago

BTW : I raised https://github.com/WardCunningham/Smallest-Federated-Wiki/issues/407 in reference to some of the fiddling I'm having to do around this. I assume that repository is still the place for general feature requests?