maxpozdeev / mytinytodo

Todo list script

Update to 1.6.6: Password protection does not seem to work. #18

Closed Meuschke23 closed 2 years ago

Meuschke23 commented 2 years ago

Hi @all, in 1.6.6 password protection does not seem to work for me. I have a simple password. In 1.6.5 this works fine.

After typing it in, it says password incorrect, but I am logged in. It will not let me log out then. Can you help me?


maxpozdeev commented 2 years ago

This error occurs when you try to logout?

Meuschke23 commented 2 years ago

This error occurs when I try to log in. But then I am logged in, see nothing (error: access denied), and if I press logout, nothing happens.

I use it on a shared hosting with PHP 8. In 1.6.5 this works fine.

maxpozdeev commented 2 years ago

This error is displayed on the request for the lists, after a successful login.

What browser and version do you use?

Can you open the source of the page and look for the code `mytinytodo.init({ token: "xxxxxxxx-zzzz-yyyy-xxxx-zzzzzzzzzzz"`. Is it present (do not display the token)?

Many changes in security were implemented in v1.6.6. Seems I need more tests before publishing. You can update the script back to v1.6.5 to make it work.

Meuschke23 commented 2 years ago

For the moment I use v1.6.5. If I switch to v1.6.6 (screenshot), I get infinite loading. Then I log in (screenshot).

It seems to show the token (screenshot).

Does it help? I use Firefox 92.0.

> Many changes in security were implemented in v1.6.6. Seems I need more tests before publishing. You can update the script back to v1.6.5 to make it work.

No problem, I can switch back to v1.6.5 in no time.

maxpozdeev commented 2 years ago

Thank you. Infinite loading is another bug, will be fixed.

This token should be passed in the `MTT-Token` HTTP header with every AJAX request. Seems PHP does not receive it. Do you know what webserver is used on your hosting?

maxpozdeev commented 2 years ago

Could you please edit ajax.php on line 16 and add 3 lines of code for debugging, to make the code look like this:

```php
if(isset($_GET['loadLists']))
{
    print "Token: ". access_token(). "\n";
    print_r(getallheaders());
    exit(1);
    check_token();
// ...
```

And reload the page after login. This will show the error with the required details. Please check that the MTT-Token header is present and is the same as the token.

Meuschke23 commented 2 years ago

```
Token: *****
Array
(
    [Cookie] => *****; _ga=GA1.1.249075720.1629723532; mtt-session=*****
    [Cache-Control] => no-cache
    [Pragma] => no-cache
    [Sec-Fetch-Site] => same-origin
    [Sec-Fetch-Mode] => cors
    [Sec-Fetch-Dest] => empty
    [Referer] => https://*****/
    [X-Requested-With] => XMLHttpRequest
    [Mtt-Token] => *****
    [Accept-Encoding] => gzip, deflate, br
    [Accept-Language] => de,en-US;q=0.7,en;q=0.3
    [Accept] => application/json, text/javascript, */*; q=0.01
    [User-Agent] => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
    [Connection] => close
    [X-Accel-Internal] => /internal-nginx-static-location
    [X-Real-Ip] => *****
    [Host] => *****
)
```

The token seems to be the same and is passed with the request.

Webserver is apache + nginx in a shared hosting env. Versions are unknown.

maxpozdeev commented 2 years ago

Thank you! Seems I see the cause of the issue. The header is sent as 'MTT-Token', but PHP gets it as 'Mtt-Token'.

Please replace the function in init.php on line 104 with this one:

```php
function check_token()
{
    $token = access_token();
    // No token configured: nothing to check.
    if ($token == '') return true;
    if (!isset($_SERVER)) return true;
    // PHP exposes request headers as $_SERVER['HTTP_<NAME>'] with the name
    // upper-cased and '-' turned into '_', regardless of the case the
    // webserver or proxy used, so this does not depend on 'MTT-Token' vs 'Mtt-Token'.
    // Strict comparison (!==) avoids PHP's loose string/number coercion.
    if (!isset($_SERVER['HTTP_MTT_TOKEN']) || $_SERVER['HTTP_MTT_TOKEN'] !== $token) {
        die("Access denied! Try to reload the page.");
    }
    return true;
}
```

And revert the changes made to ajax.php previously. Remove these lines:

```php
print "Token: ". access_token(). "\n";
print_r(getallheaders());
exit(1);
```

And then load the page again.
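Added example (not mytinytodo's own code) showing the header-name problem from this thread side by side: an exact-name lookup in `getallheaders()` misses the header once a proxy or SAPI has normalized `MTT-Token` to `Mtt-Token`, while a case-insensitive lookup or the CGI-style `$_SERVER['HTTP_MTT_TOKEN']` key finds it. The token value and the request arrays are constructed; the check here fails closed when no token is configured, which is stricter than the `check_token()` above.

```php
<?php
// Constructed example, not part of mytinytodo. Demonstrates why
// getallheaders()['MTT-Token'] fails on hosts that rewrite header case,
// and how to compare the token without a timing side channel.

// Naive lookup by exact header name: breaks when the server rewrites case.
function token_from_headers_exact(array $headers, string $name = 'MTT-Token'): ?string
{
    return $headers[$name] ?? null;
}

// HTTP header names are case-insensitive (RFC 7230), so compare with strcasecmp().
function token_from_headers_ci(array $headers, string $name = 'MTT-Token'): ?string
{
    foreach ($headers as $k => $v) {
        if (strcasecmp($k, $name) === 0) {
            return $v;
        }
    }
    return null;
}

// CGI-style key: PHP upper-cases the name, maps '-' to '_' and prefixes HTTP_,
// independent of the case the client or proxy used on the wire.
function token_from_server(array $server): ?string
{
    return $server['HTTP_MTT_TOKEN'] ?? null;
}

// True only when a token is configured, one was presented, and they match.
// hash_equals() runs in constant time, unlike a plain == or === on strings.
function token_is_valid(string $expected, ?string $presented): bool
{
    if ($expected === '' || $presented === null) {
        return false;
    }
    return hash_equals($expected, $presented);
}

// Constructed request as seen behind a proxy that normalizes header case,
// matching the 'Mtt-Token' key from the print_r() dump in this thread.
$expected = 'constructed-token-value';
$headers  = ['Mtt-Token' => 'constructed-token-value', 'X-Requested-With' => 'XMLHttpRequest'];
$server   = ['HTTP_MTT_TOKEN' => 'constructed-token-value', 'REQUEST_METHOD' => 'GET'];

printf("exact name lookup: %s\n", token_is_valid($expected, token_from_headers_exact($headers)) ? 'ok' : 'denied');
printf("case-insensitive : %s\n", token_is_valid($expected, token_from_headers_ci($headers)) ? 'ok' : 'denied');
printf("\$_SERVER key     : %s\n", token_is_valid($expected, token_from_server($server)) ? 'ok' : 'denied');
```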

Meuschke23 commented 2 years ago

Apart from the infinite loading problem when I'm not logged in, this now works great. Thanks for the quick support!

Meuschke23 commented 2 years ago

Or should I leave this issue open until the bugfix is released?

maxpozdeev commented 2 years ago

Don't worry. Fixed in 5b3dd0d.