the-djmaze / snappymail

Simple, modern & fast web-based email client
https://snappymail.eu
GNU Affero General Public License v3.0

Reimplement ExternalLogin #321

Closed strifel closed 2 years ago

strifel commented 2 years ago

Is your feature request related to a problem? Please describe.

abe2af153d18db2085033590ed70c223ed9762cd removed ExternalLogin completely with no obvious way of getting it back. This removed the option of having an external service that redirects the user to Snappymail and have the user automatically logged in. In Rainloop I used ExternalLogin with a token as the password and had a plugin which translated the token into the mail password. While the plugin works, sadly ExternalLogin does not anymore.

Describe the solution you'd like

Reimplementing ?ExternalLogin which redirects the user after a post request to a logged in state of the webmail.

Describe alternatives you've considered

I did not find a similar option.

Additional context

https://github.com/RainLoop/rainloop-webmail/issues/154

Thanks!

the-djmaze commented 2 years ago

I've added it back for you, but keep in mind that this is still an insecure feature.

It might fail in the future when there will be more security.

You should have a look at https://github.com/the-djmaze/snappymail/issues/278

strifel commented 2 years ago

Hey, thanks a lot for reimplementing.

Sadly it did not work directly, but I just had the time to debug the issue. I needed to re-add two functions:

Now it seems to work. I will have a look at #278. Thanks!

the-djmaze commented 2 years ago

StripSlashesValue

This was bad design, that's why I removed it

GetRequest

You may argue that accessing $_REQUEST is bad or not. It's just better to use $_GET or $_POST so you really get what you need.

strifel commented 2 years ago

The problem is that the ExternalLogin code does still use these methods and throws an exception that it cannot find them.

strifel commented 2 years ago

I think this feature should either be removed again or fixed, as it currently is not working. I actually now think removing might be totally ok as one can build a very similar feature with #278 like (for others stumbling on this issue)

<?php
// Enable SnappyMail Api and include index file
$_ENV['SNAPPYMAIL_INCLUDE_AS_API'] = true;
require 'index.php';

// Read the credentials from the POST body only
if (array_key_exists('email', $_POST) and array_key_exists('password', $_POST)) {
  // Exchange the posted credentials for an SSO hash and redirect to the webmail with it
  $ssoHash = \RainLoop\Api::CreateUserSsoHash($_POST['email'], $_POST['password']);
  \header('Location: https://yourdomain.com/?sso&hash='.$ssoHash);
} else {
  // Set the status code in a way that works under every SAPI
  http_response_code(400);
  print("ERROR");
}

Thanks for all your help!
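A hardened variant of the bridge script in the last comment, as an added example that is not part of this thread or of the SnappyMail project: it accepts only POST, reads only `$_POST`, and requires the redirecting service to sign the request so that only that service can trigger a login. The `ts` and `sig` fields, the `SSO_BRIDGE_KEY` environment variable, the 60-second window and the treatment of a falsy return value as failure are assumptions; `CreateUserSsoHash` and `SNAPPYMAIL_INCLUDE_AS_API` are used as shown in the comment above.

```php
<?php
// Added example; not SnappyMail code. Field names 'ts' and 'sig', the
// SSO_BRIDGE_KEY variable and the 60 s window are assumptions.

/** Return [email, password] if the request is acceptable, otherwise null. */
function validate_sso_request(array $server, array $post, string $key, int $now): ?array
{
    // POST only: credentials must not travel in a query string.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST' || $key === '') {
        return null;
    }
    // Read the body explicitly ($_POST, not $_REQUEST); reject arrays and empties.
    foreach (['email', 'password', 'ts', 'sig'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return null;
        }
    }
    // Reject stale or malformed timestamps to bound replay.
    if (!ctype_digit($post['ts']) || abs($now - (int) $post['ts']) > 60) {
        return null;
    }
    // The redirecting service signs "email\nts" with the shared key; compare in constant time.
    $expected = hash_hmac('sha256', $post['email'] . "\n" . $post['ts'], $key);
    if (!hash_equals($expected, $post['sig'])) {
        return null;
    }
    return [$post['email'], $post['password']];
}

$creds = validate_sso_request($_SERVER, $_POST, (string) getenv('SSO_BRIDGE_KEY'), time());
if ($creds === null) {
    http_response_code(400);
    exit('ERROR');
}

// Load SnappyMail as an API only after the request has been accepted.
$_ENV['SNAPPYMAIL_INCLUDE_AS_API'] = true;
require 'index.php';

$ssoHash = \RainLoop\Api::CreateUserSsoHash($creds[0], $creds[1]);
if (!$ssoHash) {
    // Assumption: a falsy return value means no hash was created.
    http_response_code(500);
    exit('ERROR');
}
header('Location: https://yourdomain.com/?sso&hash=' . rawurlencode($ssoHash));
exit;
```

The redirecting service computes `sig` server-side with the same key, so the key itself never reaches the browser.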