View Issue Details

ID: 0000091
Project: opensim-SC
Category: Feature
View Status: public
Last Update: 2021-10-11 15:17
Reporter: onefang
Assigned To: onefang
Priority: normal
Severity: feature
Reproducibility: N/A
Status: assigned
Resolution: open
Summary: 0000091: Finish the account management system.
Description: Currently IG uses Drupal+d4os+my own custom module. MG uses that jOpenSim thingy. CG has manual account creation on the ROBUST console. CG and IG will move to whatever I put into OpenSim_SC. CG needs something better soonish.

I first need to put a quick and dirty splash page into OpenSim_SC, so I get familiar with how the OpenSim internal web server works. Perhaps using server side includes to fill in "X users online" and such.

I eventually want to move to LDAP or something standard for accounts, but I can put that off, since I'll have to migrate away from the OpenSim account system anyway. So whatever intermediate step(s) can stay with the OpenSim account system.

Also eventually I'll want to use my Lua+WebAssembly+C/Lua web server modules thingy I have yet to invent, a la matrix-RAD, for web stuff. So keep this in mind.

The problem is getting from here to there without too much extra work on the in-between steps.
Tags: web stuff

Relationships

related to 0000096 (closed, onefang): Increase the limit for password length.
parent of 0000105 (resolved, onefang): Add a status web page.
parent of 0000106 (assigned, onefang): Let new accounts pick their new avatar.
child of 0000083 (assigned, onefang): Deal with the various bits of web API it tries to call.
child of 0000152 (assigned, onefang): Write a multi front end UI system.
Not all the children of this issue are yet resolved or closed.

Activities

onefang (administrator) 2019-08-03 07:23 ~0000120

Hmm, what would work, and fit into my plans, would be a really basic, no frills, HTML forms based account management web page built into OpenSim_SC.

onefang (administrator) 2019-08-04 00:25 ~0000128

opensim-SC/OpenSim/Framework/Console/RemoteConsole.cs is an example of authenticating a user.

onefang (administrator) 2019-08-06 05:17 ~0000134

Last edited: 2019-08-06 21:36

A simple CRUD system. Using the new MySQLRaw.cs, don't bother making versions for other databases, this will likely only be used by a few grids that should stick to MariaDB / MySQL. Confirmed that CG, IG, and MG all use MariaDB.

Have a table structure, filled with field structures. A row structure will point to it, and include actual row data. Also some top level databaseData structure that would include several rows, and be the thing that is edited. The databaseData should include copies of the original data, so it can deal with the lost update problem.

onefang (administrator) 2019-08-06 14:50 ~0000137

The list button should list all members, first and last names. White for approved members, grey for disabled members, blue for gods. If the logged in member is a god, they can click on a name to edit that member. Just basic email, password, and approved / disabled / god status editing.

A logged in member can edit their own email and password.

onefang (administrator) 2019-08-06 15:29 ~0000138

Last edited: 2020-03-07 13:20

Looks useful.

Looks scary.

And they are both now irrelevant, I've switched to C + Lua, the C# .NET stuff is now legacy.

onefang (administrator) 2019-08-07 07:01 ~0000139

Last edited: 2019-08-12 17:28

Block creating accounts with the god first names, surnames, and full names, those can be done in the console.

onefang (administrator) 2019-08-07 07:15 ~0000140

Replace first/last name with a single name field, then check if it's two words server side. A great anti-spammer thing I have found.

onefang (administrator) 2019-08-07 20:48 ~0000141

Last edited: 2020-03-07 16:18

I should test the built-in HTTPS support, but the problem is the cert, since I no longer have a public IP at home.

Use the manual DNS method of certbot, and use one of the domains from afraid. Or temporarily use sledjhamr, the webroot method as usual, then copy things.

Now irrelevant, I've switched to C + Lua, the C# .NET stuff is now legacy.

onefang (administrator) 2019-08-08 15:38 ~0000143

Last edited: 2020-03-07 16:19

Let's Encrypt gives you PEM files (private key file protected), and naturally Mono prefers the Microsoft PKCS12 files (password protected). The following URLs should be useful -

https://stackoverflow.com/questions/7400500/how-to-get-private-key-from-pem-file

https://www.codeproject.com/Articles/162194/Certificates-to-DB-and-Back

Now irrelevant, I've switched to C + Lua, the C# .NET stuff is now legacy.

onefang (administrator) 2019-08-09 10:29 ~0000145

Last edited: 2020-03-07 16:19

The HTTPS solution is to use openssl to convert from one format to the other. I could spend a lot of time adding code to use PEM, but I can't be arsed, this is only a temporary web server until I get around to writing the C + Lua version.

Now irrelevant, I've switched to C + Lua, the C# .NET stuff is now legacy.

onefang (administrator) 2019-08-16 10:01 ~0000166

Last edited: 2020-03-07 16:19

HTTPS config is tricky.

config/config.ini is shared with sims, and they can't all use the same port.

config/ROBUST/RobustExtra.ini didn't work, not even if including it. No idea why. Figured out why, it has to be at the end.

Now irrelevant, I've switched to C + Lua, the C# .NET stuff is now legacy.

onefang (administrator) 2019-08-16 22:50 ~0000168

Last edited: 2019-09-10 07:41

Authentication and sessions.

Force SSL.

Two word name in a single edit box. Password in a password box.

Create a token, pass it around. Token expires, and is "only from IP xxx.xxx.xxx.xxx". Token is in header, cookie, or both. Both, and compare them to validate them. The token should be non-predictable. Hash the token like you would the password before storing it server side. Regenerate the cookie when the user is authenticated. Another possibility, split the token into two bits somehow, likely cryptographically, one in the header, the other in the cookie, then when recombined they must match something or other stored server side.

HttpOnly, Secure, Session, SameSite=Strict, Path=/web cookie.

Check the referer header is us.

Logout and password resets should invalidate the token.

Password reset and validation email could be the same process? Re-use the hashed cookie stuff?

DoS protection against dictionary attacks - increasing delay type stuff, let the user know what's going on.

All sorts of other things, but I think this is enough for the simple account manager.

Very useful.

Covers a specific detail about cookies.

Session fixation attack.

Mozilla's docs on cookies.
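
The split-token session scheme sketched in this note, as an added Python example (not OpenSim_SC code, and not the C# or C + Lua implementation the author describes): the client gets two random-looking halves, one for a header and one for a cookie, only their XOR is the real token, and only a hash of that token is kept server side together with the bound IP and expiry. The TTL, the cookie name and the exact IP-binding behaviour are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32
TOKEN_TTL = 3600            # seconds until a token expires (assumed value)
COOKIE_NAME = "sc_session"  # hypothetical cookie name

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SessionStore:
    def __init__(self):
        self._sessions = {}  # sha256(token) -> (user, bound_ip, expires_at)

    def issue(self, user, ip, now=None):
        """Start a session; returns (header_half, cookie_half) for the client."""
        now = time.time() if now is None else now
        token = secrets.token_bytes(TOKEN_BYTES)  # unpredictable, never stored as-is
        pad = secrets.token_bytes(TOKEN_BYTES)    # header half; cookie half = token XOR pad
        self._sessions[hashlib.sha256(token).hexdigest()] = (user, ip, now + TOKEN_TTL)
        return pad.hex(), _xor(token, pad).hex()

    def _key(self, header_half, cookie_half):
        # Both halves are needed to recombine the token; malformed input is just "unknown".
        try:
            h, c = bytes.fromhex(header_half), bytes.fromhex(cookie_half)
        except ValueError:
            return None
        if len(h) != TOKEN_BYTES or len(c) != TOKEN_BYTES:
            return None
        return hashlib.sha256(_xor(h, c)).hexdigest()

    def validate(self, header_half, cookie_half, ip, now=None):
        """Return the user, or None if unknown, expired, or presented from another IP."""
        now = time.time() if now is None else now
        key = self._key(header_half, cookie_half)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        user, bound_ip, expires_at = rec
        if now >= expires_at:
            del self._sessions[key]  # expired tokens are dropped, not just refused
            return None
        return user if ip == bound_ip else None  # "only from IP xxx.xxx.xxx.xxx"

    def revoke(self, header_half, cookie_half):
        """Logout, password reset, and regenerating the token after login (revoke, then
        issue a fresh pair) all go through here."""
        self._sessions.pop(self._key(header_half, cookie_half), None)

def set_cookie_header(cookie_half):
    # Session cookie (no Expires/Max-Age) with the flags the note lists.
    return f"Set-Cookie: {COOKIE_NAME}={cookie_half}; HttpOnly; Secure; SameSite=Strict; Path=/web"
```

Because only sha256(token) is stored, a dump of the session table does not hand out live sessions, which is the same reasoning as hashing passwords.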

onefang (administrator) 2019-08-16 23:23 ~0000169

I should use prepared SQL statements.
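
An added Python example (not MySQLRaw.cs or any other OpenSim_SC code) serving both note ~0000134, rows that carry a copy of their original data so the lost update problem can be caught at write time, and this note's prepared statements. sqlite3 stands in for MariaDB/MySQL, and the accounts table layout is constructed for the example.

```python
import sqlite3

# sqlite3 stands in for the MariaDB/MySQL that MySQLRaw.cs targets (assumption); the
# pattern (bound parameters, compare the original copy before writing) is the same there.
COLUMNS = ("id", "email", "approved")  # fixed by the schema, never taken from a request

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, approved INTEGER)")
    con.execute("INSERT INTO accounts VALUES (1, ?, 0)", ("first@example.invalid",))
    con.commit()
    return con

def load_row(con, account_id):
    """Row structure: the editable data plus an untouched copy of what was read."""
    hit = con.execute("SELECT id, email, approved FROM accounts WHERE id = ?", (account_id,)).fetchone()
    if hit is None:
        return None
    data = dict(zip(COLUMNS, hit))
    return {"original": dict(data), "current": data}

def save_row(con, row):
    """Write the changed fields only if every column still holds the value we read.
    Returns False when someone else updated the row in between (the lost update problem)."""
    orig, cur = row["original"], row["current"]
    changed = {k: v for k, v in cur.items() if k in COLUMNS and k != "id" and v != orig[k]}
    if not changed:
        return True
    # Column names come from COLUMNS; values travel as bound parameters, so a quote in an
    # email address is data, not SQL.
    sql = "UPDATE accounts SET {} WHERE {}".format(
        ", ".join(f"{k} = ?" for k in changed),
        " AND ".join(f"{k} = ?" for k in COLUMNS),
    )
    params = tuple(changed.values()) + tuple(orig[k] for k in COLUMNS)
    updated = con.execute(sql, params).rowcount
    con.commit()
    if updated == 1:
        row["original"] = dict(cur)  # this copy is now the latest version
    return updated == 1
```

A False from save_row is the cue to reload the row and show the editor what changed underneath them, rather than silently overwriting the other edit.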

onefang (administrator) 2019-08-20 12:32 ~0000171

Add a validation field, and a "resend validation email" button.

onefang (administrator) 2019-08-21 11:10 ~0000172

I've decided to not include the account manager stuff I have been working on in this release of OpenSim_SC (0.9.0.1).

I was using the built-in OpenSim web server. Something they wrote themselves, but they didn't include the source code for it in the OpenSim source repo. I managed to track down the source code, but dunno if it's the same version as the binary they include. It's not designed for ordinary web pages, but rather as the internal communications between modules, and the viewer parts that run over HTTP. It has support for HTTPS, but that's a rarely used option. Turning it on so I can use it to protect account management resulted in lengthy error messages. They happen when people are not using the account manager.

So I'm very worried that I am triggering not well tested code paths. The current OpenSim_SC release candidate has been well tested, and I think it is ready for release soon, but not with HTTPS enabled causing new problems.

I planned to switch to lighttpd eventually anyway, even for the internal stuff. I think I'll work on using that for account management after this release. Lighttpd is about a third of the size of the OpenSim web server, and heavily used by lots of people, being one of the top three open source web servers. Built to be light on resources and fast. It's a real web server, OpenSim's isn't.

MG already has a Joomla based account system, IG has something similar based on Drupal, we will just have to wait a bit longer for my implementation.

onefang (administrator) 2019-08-25 04:48 ~0000181

Add a MOTD when people log on, and allow to randomly pick it from a pool of MOTDs.

This feature requested by Taylor.

Taylor (updater) 2019-08-28 12:42 ~0000184

Feature request: Make partnering work via the accounts system.

onefang (administrator) 2019-09-09 07:22 ~0000192

User must provide the old password when changing the password. So that "someone used my existing session to change my password" won't work.

onefang (administrator) 2019-09-09 07:22 ~0000193

Provide an option to use ssh keys or similar.

onefang (administrator) 2019-09-30 14:31 ~0000206

FIDO technotes channel binding and FIDO might be useful, though it could be more or less what I came up with elsewhere, the split token.

onefang (administrator) 2019-10-01 12:08 ~0000207

2019 CWE Top 25 Most Dangerous Software Errors will be useful.

onefang (administrator) 2019-10-05 04:23 ~0000217

Last edited: 2019-10-05 06:29

Should get this web stuff to work on MOAP, and check if that works as a HUD. Dynamic texture stuff likely won't work, I don't think text edit widgets are supported.

MOAP worked as a HUD, I was able to use Candy and chat in the IG chat room.

onefang (administrator) 2019-10-20 04:58 ~0000218

Last edited: 2020-03-07 16:22

I'd love to move on from the current OpenSim password hashing, to something more modern and more secure. And then in a decade's time update it once more. The problem will be knowing which one to try, coz there will be old password hashes until old accounts can update. I can store a "use password method X" number along with the account.

UPDATE - The problem here is that the hashing method might be cemented into place in the viewers.

Also I should work out what the restrictions on passwords are, and display them at password create / change time. Though things like the password length limit are viewer dependent.
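
Storing a "use password method X" number with each account, as an added Python example (not OpenSim's hashing code): method 0 is a legacy stand-in constructed for the example, method 1 is PBKDF2 from the standard library, and a successful login under an old method rehashes the password under the current one. The password argument is whatever string the login request delivers; the example covers only the server-side storage step, not what the viewer sends.

```python
import hashlib
import hmac
import os

# Method number stored with each account. 0 is a legacy stand-in constructed for this
# example (salted double MD5), not a claim about what OpenSim does; 1 is PBKDF2-HMAC-SHA256.
CURRENT_METHOD = 1
PBKDF2_ROUNDS = 200_000  # assumed work factor

def _method0(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(f"{inner}:{salt}".encode()).hexdigest()

def _method1(password: str, salt: str) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
    return dk.hex()

METHODS = {0: _method0, 1: _method1}

def new_record(password: str, method: int = CURRENT_METHOD) -> dict:
    """The password fields as they would sit in the account row: method, salt, hash."""
    salt = os.urandom(16).hex()
    return {"method": method, "salt": salt, "hash": METHODS[method](password, salt)}

def verify(record: dict, password: str) -> bool:
    """Hash with the method the row says it used, then compare in constant time."""
    fn = METHODS.get(record["method"])
    if fn is None:
        return False  # unknown method number: refuse rather than guess
    return hmac.compare_digest(fn(password, record["salt"]), record["hash"])

def verify_and_upgrade(record: dict, password: str):
    """Check the password; on success with an older method, rehash under the current one.
    Returns (ok, record_to_store). Login is the only moment the password is in hand,
    so old accounts migrate one successful login at a time."""
    if not verify(record, password):
        return False, record
    if record["method"] != CURRENT_METHOD:
        record = new_record(password)
    return True, record
```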

onefang (administrator) 2019-10-30 12:07 ~0000219

I may have already taken care of this sort of attack, but double check it anyway -

cookie security

onefang (administrator) 2020-01-23 14:46 ~0000264

Last edited: 2020-04-03 15:02

WebAuthn is probably a good idea for 2FA and 3FA.

https://arstechnica.com/information-technology/2019/12/idevices-finally-get-key-based-protection-against-account-takeovers/

Also - https://www.theregister.co.uk/2020/02/04/security_key_google_opensk/ for DIY.

Taylor (updater) 2020-01-23 23:34 ~0000265

onefang wrote:
> WebAuthn is probably a good idea for 2FA and 3FA.

Does it support physical security keys?

onefang (administrator) 2020-01-23 23:46 ~0000266

Yes, it's the new open standard for physical security keys and biometrics. So finger prints, face scans, Yubikeys and such. Apple was dragging their heels supporting it, now they do, so now all the big players support it, which is what the linked article is about.

3FA is three factors, the traditional "something you know, something you have, something you are", password, key, fingerprints respectively. 2FA is any two of those.

onefang (administrator) 2020-05-02 11:14 ~0000284

The basic account creation, and admin approval stuff is done. Enough to let people create accounts. That's the very important show stopper bit, so I'll decrease the priority of this task now.

onefang (administrator) 2020-07-04 15:51 ~0000287

https://www.theregister.com/2020/04/30/email_http_leakage/ Yet another privacy issue I'll have to keep an eye on for later.

onefang (administrator) 2020-10-02 09:08 ~0000288

https://arstechnica.com/information-technology/2020/07/apple-has-finally-embraced-key-based-2fa-so-should-you/ Includes some more general info.

onefang (administrator) 2020-12-15 22:18 ~0000290

For the validation link, they should have to log in before they can use it. Helps avoid problems with email address typos that end up going to someone else, since someone else won't know the password.

onefang (administrator) 2020-12-26 11:55 ~0000293

Last edited: 2020-12-26 12:23

CRLF injection attacks are something I don't recall guarding against.

Wikipedia

OWASP

onefang (administrator) 2021-03-02 08:54 ~0000294

"But it doesn't protect against injecting HTML. If the web application takes a field in the database and renders it on a page as HTML instead of text, you have an opportunity to get the page to run your own Javascript in what is known as an XSS attack. This is typically combined with spear phishing an administrator so you can exfiltrate their credentials when they load the page."

Double check I'm doing something about this.

onefang (administrator) 2021-07-21 04:40 ~0000450

Send moar emailz!

Send one to admins when new member validates, or at least those that opt in.

Send one to new member when they are approved, with instructions on what to do next.

onefang (administrator) 2021-07-25 10:40 ~0000458

https://fidoalliance.org/UX-guidelines/ More passwordless stuffs.

Issue History

Date Modified Username Field Change
2019-08-03 06:32 onefang New Issue
2019-08-03 06:32 onefang Status new => assigned
2019-08-03 06:32 onefang Assigned To => onefang
2019-08-03 06:35 onefang Relationship added related to 0000086
2019-08-03 06:35 onefang Relationship added related to 0000083
2019-08-03 06:37 onefang Relationship replaced child of 0000083
2019-08-03 06:38 onefang Relationship deleted related to 0000086
2019-08-03 07:23 onefang Note Added: 0000120
2019-08-04 00:25 onefang Note Added: 0000128
2019-08-06 05:17 onefang Note Added: 0000134
2019-08-06 14:47 onefang Note Edited: 0000134
2019-08-06 14:50 onefang Note Added: 0000137
2019-08-06 15:29 onefang Note Added: 0000138
2019-08-06 15:31 onefang Note Edited: 0000138
2019-08-06 21:36 onefang Note Edited: 0000134
2019-08-07 07:01 onefang Note Added: 0000139
2019-08-07 07:15 onefang Note Added: 0000140
2019-08-07 20:48 onefang Note Added: 0000141
2019-08-07 23:44 onefang Target Version => 0.9.0.1 RC1
2019-08-08 11:01 onefang Note Edited: 0000141
2019-08-08 15:38 onefang Note Added: 0000143
2019-08-09 10:29 onefang Note Added: 0000145
2019-08-12 17:28 onefang Note Edited: 0000139
2019-08-12 23:15 onefang Tag Attached: web stuff
2019-08-13 15:33 onefang Relationship added parent of 0000105
2019-08-16 10:01 onefang Note Added: 0000166
2019-08-16 22:50 onefang Note Added: 0000168
2019-08-16 23:02 onefang Note Edited: 0000168
2019-08-16 23:02 onefang Note Edited: 0000168
2019-08-16 23:14 onefang Note Edited: 0000168
2019-08-16 23:19 onefang Note Edited: 0000168
2019-08-16 23:23 onefang Note Added: 0000169
2019-08-16 23:26 onefang Note Edited: 0000168
2019-08-16 23:41 onefang Note Edited: 0000168
2019-08-16 23:52 onefang Note Edited: 0000168
2019-08-17 00:21 onefang Note Edited: 0000168
2019-08-17 00:22 onefang Note Edited: 0000168
2019-08-17 00:26 onefang Note Edited: 0000168
2019-08-17 01:41 onefang Note Edited: 0000168
2019-08-17 02:03 onefang Note Edited: 0000166
2019-08-20 12:32 onefang Note Added: 0000171
2019-08-21 11:06 onefang Target Version 0.9.0.1 RC1 => 0.9.0.2
2019-08-21 11:10 onefang Note Added: 0000172
2019-08-25 04:48 onefang Note Added: 0000181
2019-08-28 12:42 Taylor Note Added: 0000184
2019-09-09 07:22 onefang Note Added: 0000192
2019-09-09 07:22 onefang Note Added: 0000193
2019-09-10 07:41 onefang Note Edited: 0000168
2019-09-30 14:31 onefang Note Added: 0000206
2019-10-01 12:08 onefang Note Added: 0000207
2019-10-05 04:23 onefang Note Added: 0000217
2019-10-05 06:29 onefang Note Edited: 0000217
2019-10-20 04:58 onefang Note Added: 0000218
2019-10-20 04:58 onefang Relationship added related to 0000096
2019-10-30 12:07 onefang Note Added: 0000219
2020-01-23 14:46 onefang Note Added: 0000264
2020-01-23 15:03 onefang Note Edited: 0000264
2020-01-23 23:34 Taylor Note Added: 0000265
2020-01-23 23:46 onefang Note Added: 0000266
2020-02-06 05:59 onefang Relationship added child of 0000152
2020-02-06 06:01 onefang Relationship added parent of 0000106
2020-03-07 13:20 onefang Note Edited: 0000138
2020-03-07 16:18 onefang Note Edited: 0000141
2020-03-07 16:19 onefang Note Edited: 0000143
2020-03-07 16:19 onefang Note Edited: 0000145
2020-03-07 16:19 onefang Note Edited: 0000166
2020-03-07 16:22 onefang Note Edited: 0000218
2020-04-03 15:02 onefang Note Edited: 0000264
2020-05-02 11:14 onefang Note Added: 0000284
2020-05-02 11:15 onefang Severity major => feature
2020-07-04 15:51 onefang Note Added: 0000287
2020-10-02 09:08 onefang Note Added: 0000288
2020-12-15 22:18 onefang Note Added: 0000290
2020-12-26 11:55 onefang Note Added: 0000293
2020-12-26 12:23 onefang Note Edited: 0000293
2021-03-02 08:54 onefang Note Added: 0000294
2021-07-21 04:40 onefang Note Added: 0000450
2021-07-25 10:40 onefang Note Added: 0000458
2021-08-10 23:43 onefang Target Version 0.9.0.2 =>
2021-10-11 15:17 onefang Summary Create an account management system. => Finish the account management system.