Open omgMath opened 3 years ago
I solved it using an internal script command that properly communicates with the API. Write a new driver plugin, @omgMath, based on https://github.com/roundcube/roundcubemail/blob/f6eb6df04622a4693f31280078ddcacde0af3c99/plugins/password/drivers/pw_usermod.php as a first try of course... then... later...
I had a look at the HTTP API here. With the current implementation we won't be able to communicate with the API, as it requires:
Of course the usermod one is too basic, because it only handles "success" (exit 0) and error (any other exit), but for something more refined you can complete it; you can take a look at the https://github.com/roundcube/roundcubemail/blob/f6eb6df04622a4693f31280078ddcacde0af3c99/plugins/password/drivers/pwned.php#L174 one to emulate it and fire against the API using curl calls.
1. A PATCH request...
2. ...to a URL containing the mailbox name (i.e. the part before the "@")...
3. ...with a Bearer token as authentication method
4. (and the password within a JSON body :heavy_check_mark:)
Would it be possible to implement those features? I sadly can't code PHP, I'd manage point 1, for 2 we could introduce some sort of mustache notation for `$config['password_httpapi_url']` and for 3 we could extend the config? Thanks for considering!
Sorry for my late response.
Let me see if I got this right: You are proposing to write a script that takes the username as an argument, then asks for the new password, and with that info calls the API? This script you would define as the command in the pw_usermod driver?
Hm, yeah, I think this could work (around :sweat_smile: ). Thanks for sharing! It will take a bit until I got time to try it out though...
If anyone is interested, here is the script I used:
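```bash
#!/bin/bash
# Called by the pw_usermod driver: e-mail address as $1, new password on stdin
IFS= read -r -s PASSWORD
EMAIL=$1
LOGFILE=./path_to_logfile.log
# Mailbox name is the part before the "@"
MAILBOX=$(echo "$EMAIL" | cut -d"@" -f 1)
if [ -z "$PASSWORD" ]
then exit 1
fi
# Build {"password": "..."}; the password is piped in so it stays out of the process list
PAYLOAD=$(printf '%s' "$PASSWORD" | jq -Rsc '{password: .}')
echo "$(date) - Changing password for $MAILBOX" >> "$LOGFILE"
# The JSON body is sent on stdin (--data-binary @-) for the same reason
RESPONSE=$(printf '%s' "$PAYLOAD" | curl -sS -X PATCH -H "Authorization: Bearer token" -H "Content-Type: application/json" --data-binary @- "https://myapi.com/${MAILBOX}")
# Succeed only if the API response contains the success marker
case "$RESPONSE" in
*'success-marker'*) exit 0 ;;
esac
exit 2
```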
configured via `password_config.inc.php`:

```php
$config['password_driver'] = 'pw_usermod';
$config['password_pw_usermod_cmd'] = 'path_to_script_above.sh';
// rest of your configuration
```
Unfortunately, this is not a great solution. I have more-or-less the same problem, in that I have to run complex code to change a user's password: the password has to be checked for complexity, the shadow file has to be locked, the user has to be found in the file, and the password has to be hashed and inserted into the file. I've done this by sending the user and the new password via HTTP API to my program, and you've sent the user and password to your script.
The problem comes if the program decides not to change the password (if the complexity check fails, for example), because you can't communicate anything useful back to the client.
pw_usermod just returns PASSWORD_ERROR. httpapi.php is even worse. I return 400 with an error explanation in the message body, and the Guzzle code just throws an exception on HTTP 400 (why?!!), and httpapi.php just returns, with an uninformative 'connection error' message. Even if the Guzzle code didn't throw an exception the remaining unexecuted httpapi code wouldn't return my message to the client.
I can't really progress without some hacking of the password code.
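
Added example (not part of the thread or of Roundcube's code): helper functions for a wrapper script like the one above that reject mailbox names unsafe in the URL path and separate the API's HTTP status from its error body, so a rejection such as a failed complexity check is at least logged. The function names and exit codes 3 and 4 are assumptions; the URL, token and log path are the thread's placeholders.

```bash
#!/bin/bash
# Added example, not code from the thread. Function names and exit codes 3/4 are assumptions.
NL='
'

# Print the mailbox (part before "@"); fail on anything unsafe as one URL path segment.
mailbox_from_email() {
    local email=$1 mailbox
    case "$email" in *@*) ;; *) return 1 ;; esac
    mailbox=${email%%@*}
    case "$mailbox" in
        ''|.|..|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    printf '%s\n' "$mailbox"
}

# Input: curl output captured with -w '\n%{http_code}' (status on the last line).
# Prints the body; returns 0 for 2xx, 3 for 4xx (API rejected the request), 4 otherwise.
classify_response() {
    local raw=$1 status body rc
    case "$raw" in
        *"$NL"*) status=${raw##*"$NL"}; body=${raw%"$NL"*} ;;
        *)       status=$raw; body='' ;;
    esac
    case "$status" in
        2[0-9][0-9]) rc=0 ;;
        4[0-9][0-9]) rc=3 ;;
        *)           rc=4 ;;
    esac
    printf '%s' "$body"
    return "$rc"
}

# Wiring with the thread's placeholder URL and token; the new password arrives on stdin.
change_password() {
    local mailbox password raw body rc=0
    mailbox=$(mailbox_from_email "$1") || return 1
    IFS= read -r -s password
    [ -n "$password" ] || return 1
    raw=$(printf '%s' "$password" | jq -Rsc '{password: .}' |
        curl -sS -X PATCH -H "Authorization: Bearer token" \
             -H "Content-Type: application/json" --data-binary @- \
             -w '\n%{http_code}' "https://myapi.com/${mailbox}")
    body=$(classify_response "$raw") || rc=$?
    # Keep the API's explanation for the administrator; the driver only sees the exit code.
    [ "$rc" -eq 0 ] || echo "$(date) - change for $mailbox failed ($rc): $body" >> ./path_to_logfile.log
    return "$rc"
}
```

A wrapper script would end with `change_password "$1"; exit $?`.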
Hi
We are about to change to a new host providing us with the whole IMAP infrastructure. As a UI we would prefer to keep Roundcube, because it works very well. We would like to enable our users to change the password and therefore would like to enable the password plugin. The problem is: We cannot access the database with the passwords directly, but they provide an API.