Security Concern

[AVapps]

This plugin uses a redirection (to /opauth-complete) to let you handle authenticated users data and try to identify them against your database. Thus anyone sending a post request with consistent auth response data ( existing 'uid' in database, 'validated' => true ) will login successfully !

A possible solution to this issue would be to call (from OpatuhController) a protected "_callback" function defined in AppController. Another would be to use CakePHP 2.1+ EventSystem to dispatch an 'Opauth.complete' event with auth data as parameter.

[gentunian]

I'm worried about the same thing. How to resolve this issue? Can you elaborate a bit deeper?

[Suven]

Really sad to see such a great plugin no longer maintained.
@Jahdrien Your idea with the protected callback seems fine and should be the default way.

I will fork and try to implement the suggested changes later this day and would be happy to have your second sight/feedback.

[ceeram]

Focus is on opauth 1.0 where this plugin would be redundant.
Op 4 jul. 2014 08:30 schreef "Sven" notifications@github.com:

Really sad to see such a great plugin no longer maintained.
@Jahdrien https://github.com/Jahdrien Your idea with the protected
callback seems fine and should be the default way.

I will fork and try to implement the suggested changes later this day and
would be happy to have your second sight/feedback.

—
Reply to this email directly or view it on GitHub
#35 (comment).

[Suven]

Having a quick look at 1.0s documentation raises the question if this will only be compatible with Cake 3 (since the use of namespaces).

If so, this issue is big enough to receive some more attention.

[ceeram]

You can use namespaced libs just fine in any cakephp version
Op 4 jul. 2014 09:31 schreef "Sven" notifications@github.com:

Having a quick look at 1.0s documentation raises the question if this will
only be compatible with Cake 3 (since the use of namespaces).

If so, this issue is big enough to receive some more attention.

—
Reply to this email directly or view it on GitHub
#35 (comment).

[gentunian]

@ceeram for those we don't know, why this will be redundant? Thanks.