Closed Fumesover closed 5 years ago
@Fumesover then maybe use mktemp to avoid conflicts on multi user systems?
@fbartels and how do we save the path ?
However, using the username can be the solution (ex: /tmp/codimd-cookies-$USER.txt
)
yes, you would still need to have a config file in ~ which would have the path to the cookie. not really elegant indeed.
btw. I did a checkout of your repo and for me the login fails. I setup a user with a less complex password, but even here it fails. the file ~/.codimd-key.conf is not created by running codimd-cli
13:50 $ env CODIMD_SERVER='https://codimd.9wd.eu' bash -x bin/codimd login test test1234
++ basename bin/codimd
+ codi_cli=codimd
+ help_str='
Options:
$ codimd import /path/to/your/content.md
qhmNmwmxSmK1H2oJmkKBQQ # returns note id on success
$ codimd publish qhmNmwmxSmK1H2oJmkKBQQ
/s/S1ok9no3f # returns published note url
$ codimd export --pdf qhmNmwmxSmK1H2oJmkKBQQ output.pdf
$ codimd export --md qhmNmwmxSmK1H2oJmkKBQQ output.md
$ codimd export --html qhmNmwmxSmK1H2oJmkKBQQ output.html
$ codimd export --slides qhmNmwmxSmK1H2oJmkKBQQ output.zip
$ codimd login email@example.net p4sW0rD
$ codimd profile
You are logged in as email with id x[...]x.
$ codimd history
ID Name
0nAp3YRyTlyQ-N3N7lCk-w Note_1
qhmNmwmxSmK1H2oJmkKBQQ Note_2
$ codimd delete 0nAp3YRyTlyQ-N3N7lCk-w
$ codimd logout
Example:
$ env CODIMD_SERVER='\''https://codimd.example.com'\'' codimd import /path/to/your/content.md
'
+ CODIMD_SERVER=https://codimd.9wd.eu
+ CODIMD_COOKIES_FILE='~/.codimd-key.conf'
+ [[ login == \i\m\p\o\r\t ]]
+ [[ login == \p\u\b\l\i\s\h ]]
+ [[ login == \e\x\p\o\r\t ]]
+ [[ login == \l\o\g\i\n ]]
+ authenticate test test1234
+ [[ -z test ]]
+ [[ -z test1234 ]]
+ curl -c '~/.codimd-key.conf' -XPOST -d 'email=test&password=test1234' https://codimd.9wd.eu/login
++ is_authenticated
+++ curl -b '~/.codimd-key.conf' https://codimd.9wd.eu/me
++ STATUS='{"status":"forbidden"}'
+++ echo '{"status":"forbidden"}'
+++ jq -r .status
++ '[' forbidden == ok ']'
++ echo 1
+ [[ -n 1 ]]
+ echo 'Logged in https://codimd.9wd.eu as test successfully.'
Logged in https://codimd.9wd.eu as test successfully.
@fbartels using $HOME instead of ~ seems to correct it
now that file is actually filled, but login still fails:
14:21 $ env CODIMD_SERVER='https://codimd.9wd.eu' bash -x bin/codimd login test test1234
++ basename bin/codimd
+ codi_cli=codimd
+ help_str='
Options:
$ codimd import /path/to/your/content.md
qhmNmwmxSmK1H2oJmkKBQQ # returns note id on success
$ codimd publish qhmNmwmxSmK1H2oJmkKBQQ
/s/S1ok9no3f # returns published note url
$ codimd export --pdf qhmNmwmxSmK1H2oJmkKBQQ output.pdf
$ codimd export --md qhmNmwmxSmK1H2oJmkKBQQ output.md
$ codimd export --html qhmNmwmxSmK1H2oJmkKBQQ output.html
$ codimd export --slides qhmNmwmxSmK1H2oJmkKBQQ output.zip
$ codimd login email@example.net p4sW0rD
$ codimd profile
You are logged in as email with id x[...]x.
$ codimd history
ID Name
0nAp3YRyTlyQ-N3N7lCk-w Note_1
qhmNmwmxSmK1H2oJmkKBQQ Note_2
$ codimd delete 0nAp3YRyTlyQ-N3N7lCk-w
$ codimd logout
Example:
$ env CODIMD_SERVER='\''https://codimd.example.com'\'' codimd import /path/to/your/content.md
'
+ CODIMD_SERVER=https://codimd.9wd.eu
+ CODIMD_COOKIES_FILE=/home/fbartels/.codimd-key.conf
+ [[ login == \i\m\p\o\r\t ]]
+ [[ login == \p\u\b\l\i\s\h ]]
+ [[ login == \e\x\p\o\r\t ]]
+ [[ login == \l\o\g\i\n ]]
+ authenticate test test1234
+ [[ -z test ]]
+ [[ -z test1234 ]]
+ curl -c /home/fbartels/.codimd-key.conf -XPOST -d 'email=test&password=test1234' https://codimd.9wd.eu/login
++ is_authenticated
+++ curl -b /home/fbartels/.codimd-key.conf https://codimd.9wd.eu/me
++ STATUS='{"status":"forbidden"}'
+++ echo '{"status":"forbidden"}'
+++ jq -r .status
++ '[' forbidden == ok ']'
++ echo 1
+ [[ -n 1 ]]
+ echo 'Logged in https://codimd.9wd.eu as test successfully.'
Logged in https://codimd.9wd.eu as test successfully.
Oh ! It's because you are using ldap @fbartels, my code only works for email login actually
But replacing email
by username
in line 79 and /login
by /auth/ldap
in line 80 make the trick
Maybe it will be possible to add something like --ldap option for this kind of login
Yes, it is indeed an ldap backend. I did not expect that this will lead to different auth endpoints.
Maybe there could be an automatic fallback?
This is a 3rd party integration, I don't think integrating it as an automatic fallback is relevant
I agree that leaving a cookie in a local file is less ideal than somewhere like a keychain, but I also don't think it's the end of the world, as it's a pattern used by other tools for sensitive keys.
E.g. It's common to store AWS keys in ~/.aws/credentials
and SSH private keys in ~/.ssh/id_rsa.key
, and those are arguably much more critical from a security standpoint than a codimd cookie.
As long as the permissions limit the cookie file to only the current user (I think we should add that to the bash script), I'm ok with it.
yes, looking at the code again, a better option would be to have a dedicated "ldap" parameter and a dedicated auth function for it.
since all the other stuff is just checking with the stored cookie if the session is still valid you could have multiple auth functions
Now there is support for email & ldap and it will be easy to add other protocols
Sorry @fbartels, I hadn't seen your PR, and I think making it modular as I did would be easier to maintain
Having a text file somewhere in your filesystem is also exactly what browsers were doing for years. Today Firefox and Chrome store this in an SQLite database - still in your profile folder. No difference at all with regard to security. (Firefox: Profile directory cookies.sqlite
/ Chrome: User Data/Default/cookies
(no extension) if you want to take a look)
Okay so actually the default is ~/.codimd-key.conf
@pirate is that okay for merge ?
I would like to propose something like the XDG Base Directory Spec, in this case ~/.config/codimd-cli/key.conf
($XDG_CONFIG_HOME
(many unixoids) or %APPDATA%
(Win)).
Base reason is, that I don't particularly like all that clutter in my home directory.
Yeah, I'd be fine with either of ~/.config/codimd-cli/api-key.conf
, ~/.config/codimd-cli/key.conf
, or ~/.codimd-key.conf
as the default.
So, now the default is ~/.config/codimd-cli/key.conf
I corrected the spelling issues, but I'm not sure that leaving cookie in a static file by default is a good idea @pirate