BasicAuth with incorrect credentials returns Mautic\Auth\BasicAuth Object
This looks an awful lot like Mautic is returning a successful authentication when I test it with bad credentials. Here's my auth code:
```php
use Mautic\Auth\ApiAuth; // at the top of the file; the class lives in this namespace

protected function authenticate($mautic_url, $mautic_username, $mautic_password) {
    session_start();
    $settings = array(
        'baseUrl'  => $mautic_url, // Base URL of the Mautic instance
        'userName' => $mautic_username,
        'password' => $mautic_password,
    );
    $initAuth = new ApiAuth();
    return $initAuth->newAuth($settings, 'BasicAuth');
}
```
I noticed that your example in the README has no reference to which URL to use when using basic auth, so I guessed from viewing the OAuth example that the settings key might be "baseUrl" like it is in the OAuth example.
If I put in a valid Mautic url and a bunk username/password ("asdf" and "asdf"), it returns this:
[19-Apr-2019 22:21:13 UTC] Auth returned: Mautic\Auth\BasicAuth Object
(
[password:Mautic\Auth\BasicAuth:private] => asdf
[userName:Mautic\Auth\BasicAuth:private] => asdf
[_debug:protected] =>
[_httpResponseHeaders:protected] =>
[_httpResponseInfo:protected] =>
[_curlTimeout:protected] =>
)
That does not look like the data structure that your documentation says will be returned in the event of incorrect credentials. Also, it looks the same as when I submit real credentials (the username and password show values, the rest do not).
Please advise as to what is going on and also if you could give me a working example of basic auth, that would be much appreciated, or better yet just update the BasicAuth part of the readme so that it works.
Best, Dave
In fact, I just found in your tests an $auth->isAuthorized() call. If I do that after providing bad credentials, it comes back with a result of 1. I'm new to your API, but it really looks like it's allowing any non-blank username and password to authorize.
Yeah I just found this in BasicAuth.php:
```php
/**
 * {@inheritdoc}
 */
public function isAuthorized()
{
    return (!empty($this->userName) && !empty($this->password));
}
```
Looks like you forgot to unstub a stub.
I'm pretty sure that you should not just approve any login where they provide a username and a password...just saying.
That's really disappointing. Am I missing something? I sure hope so...
Are there any other "surprises" like this I should know about before I start rolling out Mautic for my clients? I was really hoping to have a winner in terms of the right package for self-hosted email marketing!
I don't have a direct response for that issue, but I suggest jumping onto the Slack channel #dev (mautic.slack.com).
What does it return when you make an actual API call with false credentials? I do not think instantiating an object will automatically verify the credentials.
Anyhow, no reason to start making cynical comments. It's an open source package, if you find an issue, you can report it on Slack, or here and it will be looked at when someone comes around, like I did just now.
Anyway, I will look at getting this stub corrected.
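One way to answer the question raised above, as an added example that is not part of this thread or of mautic/api-library: the library's `isAuthorized()` only tests that both strings are non-empty, so the only reliable check is a round trip that sends the credentials to the server and inspects the HTTP status. The function names, the placeholder URL and the choice of `GET /api/contacts` as the probe endpoint are this example's assumptions.

```php
<?php
// Added illustration; not code from mautic/api-library.
// The library's BasicAuth::isAuthorized() (quoted earlier in the thread) accepts any
// non-empty username/password pair, so it cannot tell good credentials from bad ones.

// Mirror of the stub, for contrast: always true for non-empty input.
function stubIsAuthorized(string $username, string $password): bool
{
    return !empty($username) && !empty($password);
}

// Decision rule applied to the server's answer: only a 2xx means the
// credentials were accepted; 401/403 mean they were rejected.
function statusMeansAccepted(int $status): bool
{
    return $status >= 200 && $status < 300;
}

// Live probe. Assumption: GET /api/contacts is an authenticated Mautic REST route,
// so a cheap request to it exercises the credentials without changing any data.
function credentialsAccepted(string $baseUrl, string $username, string $password): bool
{
    $ch = curl_init(rtrim($baseUrl, '/') . '/api/contacts?limit=1');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $username . ':' . $password,
        CURLOPT_SSL_VERIFYPEER => true, // Basic auth sends the password on every request; keep TLS verification on
        CURLOPT_TIMEOUT        => 10,
    ]);
    curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($error !== '') {
        // A transport failure is not a rejection; surface it instead of guessing.
        throw new RuntimeException('Mautic probe failed: ' . $error);
    }
    return statusMeansAccepted($status);
}

// The stub says "authorized" for the thread's asdf/asdf pair; a real server would answer 401.
var_dump(stubIsAuthorized('asdf', 'asdf'));  // bool(true)
var_dump(statusMeansAccepted(401));          // bool(false)

$baseUrl = getenv('MAUTIC_URL'); // set to a real instance (placeholder, none assumed here) to run the live probe
if ($baseUrl !== false) {
    var_dump(credentialsAccepted($baseUrl, 'asdf', 'asdf'));
}
```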
Look at the code I posted about "isAuthorized ()". If the user name and password are not blank, it returns true.
Also, I posted the Auth object that is returned already. It returns the same thing whether the creds are good or bad.
It is really bad that they released a BasicAuth plugin that just returns true all the time and they didn't catch it or tell anyone not to use it. I also checked their basic auth test code and it also does not actually test the auth functionality.
It's a valid question to wonder if there is anything else like this hiding in the code. I know it's open source, but people rely on this stuff and it requires either some diligence up front or a warning not to use basic auth at all. Instead they put in a switch allowing you to use basic auth and a warning to only use it over SSL. That sure seems like they had an opportunity to warn that it was not for production use, but they opted not to.
I still appreciate the work they have put in and I will still use it. I just want to know if it is really safe to still use it.
Best, Dave