boltauth / auth Goto Github PK

There's a few missing translations or untranslated messages left. Listing it here.

If you can register an account, nou need to be able to unregister.
This is why BoltAuth needs a "Delete my account" button.

And because the European GDPR exists this is a hot feature that people need.

The way to set this up UX wise could be as follows.

If you're registered and login you can edit your profile.
On the edit profile page is a button "Delete my account"
Clicking that button leads you to a page/popup with the following text:

Deleting your account removes your login information
This means you can not login anymore with your account
..
To delete your account click:
[Yes I want to delete my account]

Because BoltAuth does not handle creating content we can not automatically remove that too.
So if the site has user generated content that is linked to BoltAuth it either has to be anonymized, or it has to be removed.

Handling the removal of content will have to be the responsibility of the website developer, but we can help by adding events like \BoltAuth\Events::FORGET_ME_DELETE or \BoltAuth\Events::FORGET_ME_ANONYMIZE

Details

• Relevant Bolt Auth Version: 3.x

If you change your password to a password with less than 6 characters you can do this successfully. But after you login again there is a check if you use less than 6 characters. While you change your password there seems to be no such check. In the end you are left out because of your password change.

Details

• Relevant Bolt Auth Version: [ 3.0.7 ]
• Relevant Bolt Version: [ 3.3.3 ]
• PHP version: [ 7.1 ]
• For UX/UI issues: [ Firefox 64.0.2 64 bit ]

Reproduction

1. In Bolt, go to Extensions --> Auth
2. Edit on page "Manage Site Auth Roles" a user name
3. Set Password to a short one, e.g. "11"
4. Save your profile

Result: There will be no error. The password is accepted.

5. Try to login

Result: There will be a message "This value is too short. It should have 6 characters or more."
​
Result: If you are not an administrator you will be left out of the system.

Same issue happens when you change your password while logged into Auth at the password change page: No warning and you will be left out after you log out.

When I edit my profile and submit the form I get no feedback. When I want to recover my password and I use an e-mailadres that's not registered I get no feedback. The feedback template is included inside the files. The only form that gives feedback is the login form.

The documentation is missing/lacking in explaining if there are twig-functions for this to do this manually.

Details

• Relevant Bolt Auth Version: [ 3.0.2 ]
• Relevant Bolt Version: [ 3.4.10 ]
• PHP version: [ 7.0 ]
• For UX/UI issues: [ N/A ]

Reproduction

Copy all needed files to the theme directory and set the paths accordingly inside the auth config.
Test the login / recovery / edit templates. You wil notice that only the login template gives feedback of being successfully logged in or out.

I looked in the source of my HTML and there is also no empty html tag from the feedback template. It does not show at all.

Hey Team,

No issue with the project - looking to see some guidance as to where (file) I would need to inject my own code to enable LDAP as a provider?

Cheers.

Steps to reproduce

1. Browse to /auth/profile/edit while logged out
2. FINAL_REDIRECT_KEY gets set to /auth/profile/edit

   Auth/src/Controller/Auth.php

   Line 133 in 8b272b8

   $app['session']->set(Authentication::FINAL_REDIRECT_KEY, $request->getUri());

3. User gets redirected login page
4. After successfull login user is redirected to the home page

Expected Behaviour
User must be redirected to /auth/profile/edit

The 11th entry does not show. Page does not load pagination and only the first 10 accounts are visible.

Details

• Relevant Bolt Auth Version: [ 3.0.5 | master ]
• Relevant Bolt Version: [ 3.5.3 ]
• PHP version: [ 7.0 ]
• For UX/UI issues: [ Chrome Version 67.0.3396.87 (Official Build) (64-bit) ]

Happens on /bolt/extensions/auth
Add 11 accounts, you will see that there are only 10 visible.
Change 10 to 20 for example here: https://github.com/BoltAuth/Auth/blob/f1080cec5e805b907be9c84d2943d5d2de1ed7a8/src/Controller/Backend.php#L177-L179
and you will see the accounts are still there, just no pagination.

If you're filing a bug, please describe how to reproduce it. Include as much
relevant information as possible, such as:
​
other plugins that are installed
Seo 1.10
BoltForms 4.2.3
EmailSpooler 3.1.1
Sitemap 2.5.0
google/recaptcha 1.1.3
pagerfanta/pagerfanta 1.1.0
Paragonie/random_compat 2.0.15
ramsey/uuid 3.7.3

When reporting a bug in github against BoltAuth the reporter is told

NOTE: We are close to being finished with Auth version 3.0.0. If you have an
issue, be sure to try the beta for 3.0.0, and see if the issue is still present
there.

It seems this information is way outdated as version 3.0.1 has been around for quite a while already.

Hi,

There is a javascript issue in auth.twig causing an error:

SyntaxError: missing ) after argument list

I fixed it by replacing simple quotes with double quotes for setMessage arguments:

            boltExt.setMessage("useradd", "{{__('Adding user...')}}" );
            boltExt.setMessage("userdel", "{{__('Removing user(s)...')}}");
            boltExt.setMessage("userenable", "{{__('Enabling user(s)...')}}" );
            boltExt.setMessage("userdisable", "{{__('Disabling user(s)...')}}");
            boltExt.setMessage("roleadd", "{{__('Adding role...')}}");
            boltExt.setMessage("roledel", "{{__('Removing role...')}}");
            boltExt.setMessage("authnotsellHeader", "{{__('Nothing Selected!')}}");
            boltExt.setMessage("authnotsell", "{{__('You need to choose a auth.')}}");
            boltExt.setMessage("rolenotsellHeader", "{{__('None role Selected!')}}");
            boltExt.setMessage("rolenotsell", "{{__('You need to choose a role.')}}");
            boltExt.setMessage("autherrorHeader", "{{__('Error!')}}");
            boltExt.setMessage("autherror", "{{__('The server returned an error.')}}");
            boltExt.setMessage("confirmdeleteHeader", "{{__('Confim deletion')}}");
            boltExt.setMessage("confirmdelete", "{{__('Are you sure you want to delete these accounts?')}}");
            boltExt.setMessage("confirmdeleteButton", "{{__('Yes!')}}");

Details

• Bolt Auth Version: [ 3.0.5 ]
• Bolt Version: [ 3.5.3 ]
• [ Firefox Quantum for Ubuntu 60.0.2 ]

If you have a website that had the Members extension and you want to replace that extension with the Auth extension you will need to update the database to make everything happen smoothly.

On mysql you can probably perform the following queries in your bolt database:

ALTER TABLE `bolt_members_account` RENAME TO  `bolt_auth_account` ;
ALTER TABLE `bolt_members_account_meta` RENAME TO  `bolt_auth_account_meta` ;
ALTER TABLE `bolt_members_oauth` RENAME TO  `bolt_auth_oauth` ;
ALTER TABLE `bolt_members_provider` RENAME TO  `bolt_auth_provider` ;
ALTER TABLE `bolt_members_token` RENAME TO  `bolt_auth_token` ;

But not all servers might support RENAME TO
And after that the schema needs to be updated too.

Is it possible to make this happen automagically?

Link to http://boltauth.com/ on the BoltAuth GitHub frontpage is not working at time of writing. (The link works but the domain seems down)

There is no way to make any admin user role able to view the Auth menu item.

It looks like this is caused by this section:

And maybe I'm misunderstanding here, but setPermission()'s argument should be the name of the permission required to view the menu item. Rather than a ||-separated list of roles.

https://docs.bolt.cm/3.3/extensions/intermediate/admin-menus

Details

• Relevant Bolt Auth Version: [ 3.0.1 ]
• Relevant Bolt Version: [ 3.3.1 ]
• PHP version: [ 7.0 ]

Reproduction

• Add something like this to auth.boltauth.yml:

roles:
    admin:
        - root
        - admin
        - editor

• ​Create a user with the editor role for example
• Login as that user
• The menu item does not appear

Workaround that is a bit of a hack

The way this hack works is by creating both a role and a permission with the same name.

If you are running into this problem you can do a hack like this:

auth.boltauth.yml:

roles:
    admin:
        - authmanager

permissions.yml:

roles:
    authmanager:
        description: Able to edit the auth user accounts
        label: Auth Manager
# and further down...
global:
    authmanager: [ authmanager ]

Then create a bolt admin user and give them the Auth Manager role. They will now be able to see the Auth menu item as well as visit the Auth page.

Possibly ignorant recommendation

It seems like Bolt wants us to grant access to things via permissions rather than roles. So perhaps this extension can switch to that philosophy as well. In the auth.boltauth.yml we can define the name of a permission required to manage auth stuff - maybe a default of "auth"? Then in our global permissions.yml we can grant the defined permission to the appropriate roles.

After adding an account the account looks disabled. But when I check the checkbox for the account and click the 'enable' button, I still can't login afterwards.

If I go into the edit account a second time and add a new/or the same password again the account wil log in.

Details

• Relevant Bolt Auth Version: [ 3.0.5 | master ]
• Relevant Bolt Version: [ 3.5.3 ]
• PHP version: [ 7.0 ]
• For UX/UI issues: [ Chrome Version 67.0.3396.87 (Official Build) (64-bit) ]

Happens on /bolt/extensions/auth
Add 11 accounts, you will see that there are only 10 visible.
Change 10 to 20 for example here: https://github.com/BoltAuth/Auth/blob/f1080cec5e805b907be9c84d2943d5d2de1ed7a8/src/Controller/Backend.php#L177-L179
and you will see the accounts are still there, just no pagination.

If you're filing a bug, please describe how to reproduce it. Include as much
relevant information as possible, such as:
​
other plugins that are installed
Seo 1.10
BoltForms 4.2.3
EmailSpooler 3.1.1
Sitemap 2.5.0
google/recaptcha 1.1.3
pagerfanta/pagerfanta 1.1.0
Paragonie/random_compat 2.0.15
ramsey/uuid 3.7.3

may be good idea to use domain for auth cookie from globals config?

In:

the client_secret is put into the ProviderOptions, which is used here:

to build the authorization Url, which ist send as a redirect to the users browser, thus exposing the client_secret.

the client_secret should only be used in the token exchange, thus when the server makes the request to the provider, and not during authorization when the browser of the user does.

This is NOT a flaw in Leagues client, this is due to too many options being included when forming the url in the aforementioned lines of code.

Hi,

Forcing the redirect after login by adding the redirect param in the url does not work. The user gets redirected to the login page instead of the url passed in redirect param.

Details

• Relevant Bolt Auth Version: [ master ]
• Relevant Bolt Version: [ 3.5 ]
• PHP version: [ 7.0 ]

Reproduction

1. Steps to reproduce:
   • Access the login page with the param ?redirect=/your/target/url
   • Fill and submit the form
2. Expected result:
   • Get redirected to /your/target/url
3. Actual result:
   • The form is redirecting to /authentication/login?redirect=/your/target/url

Why this happens

The redirect path is set in the Autentication controller, wether the form is submitted or not. Therefore, the last redirect is set on the form submission as the referrer, being /authentication/login?redirect=/your/target/url. The referrer overrides the redirect parameter because the form is submitted without parameters

It happens here. Surrounding this piece of code with an if ($request->isMethod('get')) or if ($oauthForm->isSubmitted()) would fix the bug, PR coming up soon.

I'm using Auth v3.0.1 on top of bolt 3.3.3.

Error on using the urls described here: https://boltauth.com/routes-urls.html

Details

• Relevant Bolt Auth Version: 3.0.1
• Relevant Bolt Version: 3.3.3
• PHP version: PHP 7.0.22-0ubuntu0.16.04.1

Reproduction

I just migrated from a simple 2.2 install to 3.3. I wasnt using boltauth but I want to. But the links wont work. The twig functions like {{ auth_auth_login() }} do work.

When visiting /auth/profile/register or /authentication/reset i got:

ContextErrorException in Bag.php line 276: Catchable Fatal Error: Object of class Bolt\Extension\BoltAuth\Auth\AccessControl\Redirect could not be converted to string in Bag.php line 276 at ErrorHandler->handleError('4096', 'Object of class Bolt\Extension\BoltAuth\Auth\AccessControl\Redirect could not be converted to string', '/home/elimkerk/web/vendor/bolt/collection/src/Bag.php', '276', array('separator' => ' ')) at implode(' ', array(object(Redirect))) in Bag.php line 276 at Bag->join(' ') in RequestSanitiser.php line 49

Was just trying to install this via the Extensions menu item in the Bolt toolbar on a fresh clean install of Bolt (nothing in the database). Install failed with an error and now I'm getting this on every page (including the Bolt CMS pages themselves):

ContextErrorException in AuthServiceProvider.php line 415:
Notice: Undefined index: providers
in AuthServiceProvider.php line 415
at ErrorHandler->handleError('8', 'Undefined index: providers', '/var/www/ws/extensions/vendor/boltauth/auth/src/Provider/AuthServiceProvider.php', '415', array('app' => object(Application))) in AuthServiceProvider.php line 415
at AuthServiceProvider->registerOauthProviders(object(Application)) in AuthServiceProvider.php line 63
at AuthServiceProvider->register(object(Application)) in Application.php line 178
at Application->register(object(AuthServiceProvider)) in Manager.php line 212
at Manager->register(object(Application)) in ExtensionServiceProvider.php line 150
at ExtensionServiceProvider->boot(object(Application)) in Application.php line 197
at Application->boot() in Application.php line 91
at Application->run() in index.php line 8

Was I supposed to do something with the Providers first, before performing this install?

Details

• Relevant Bolt Auth Version: 3.x
• Relevant Bolt Version: 3.4.10
• PHP version: 7.0

Reproduction

I'm working on a Dockerized version of Bolt, running locally. Fresh install with no data, no configuration, no other extensions.

I went into the control panel and selected Extensions, then typed BoltAuth into the field. It gave me the BoltAuth version it recommended, and I installed it. Popped up a little window that says it was Preparing install.... and then I got an error message about something failing, I don't recall exactly what it said. And now every page on the site gives me the message in the attached screenshot.

Happy to help debug further, but I can't seem to get Bolt to do anything but output this error at this point. Since I'm relatively new to Bolt, not sure what happens next or how to 'undo' this extension.

Thanks.

I think I've reported this as bug 70 when BoltAuth was still bolt/Members. It seems to have survived the transition to BoltAuth.

I have a pretty virgin installation of bolt 3.3.6 with BoltAuth 3.0.1 at http://localhost/bolt. When I visit http://localhost/bolt/bolt/extensions/auth the sidebar on the right is mostly not functioning. None of the buttons of "Enable", "Disable", "Add role" and "Remove role" seem to have any effect. There is no page refresh or any other discernible action even when I select a user first.

I also find this isn't the best UI. It is my understanding that for those buttons to have any effect, one needs to select at least one user from the list first. As such, I think it would help if they were greyed out until that is the case. I hope this would be easy enough to implement.

FWIW, I use Firefox 56 on Ubuntu. I've tried this in Chromium for the same result.

There are global settings to set the senderName and senderEmail in the global Bolt config.yml
bolt/bolt#7675 bolt/bolt#7675

We should make the global config values the default sender and reply to for the botlauth notifications if no values are set in https://github.com/BoltAuth/Auth/blob/master/config/config.yml.dist#L23-L25

As per #41 the documentation of Auth needs updates for the changed templates and the new global feedback.

Hi,

The form LoginPasswordType has a constraint on the password length. This kind of constraint is useful for password creation / update but not much for the login form.

My issue here is that I'm extending BoltAuth by adding a custom AuthorisationHandler to allow my users to login through a webservice. Some of these existing users have passwords with less than 6 characters.

I could override the form itself but I reckon this constraint could simply be removed because it also gives a potential attacker a clue on the passwords hashed in the database.

Alternatively, making the length configurable could be a solution.

If you redirect to another page after logging out the feedback will not be shown.
The feedback is only visible when you return to a profile or the logout page.

Details

• Relevant Bolt Auth Version: 3.x
• Relevant Bolt Version: 3.x

Reproduction

• Create a bolt site
• Add the boltauth extension and configure a local provider
• Create some pages
• Create a page with the slug page/welcome
• Set the login redirect in app/config/extensions/auth.boltauth.yml to the welcome page

redirects:
    login: /page/welcome

• Log in with boltauth and you will be redirected to /page/welcome
• You will not see the message "Login successful." on the welcome page.
• You will see the message "Login successful." after you return to http://example.com/auth/profile/edit

After upgrading to Bolt 3.4, the database check tool says:

Table bolt_auth_token is not the correct schema: invalid column token

Trying to update the database doesn't fix it.
When I upgraded Bolt from 3.3 to 3.4, I had this problem with some core Bolt tables as well, and it was fixed when I upgraded to 3.4.2 (possibly with this? https://github.com/bolt/bolt/pull/7187/files). The issue remains only with BoltAuth.

Details

• Relevant Bolt Auth Version: 3.0.2
• Relevant Bolt Version: 3.4.2
• PHP version: 7.1

Reproduction

1. Bug summary: Database check always says table bolt_auth_token is not the correct schema, no matter how many times I run the database update.
2. Specifics: Bolt was installed with Composer. It uses SQLite.
3. Steps to reproduce: [Due to the nature of the bug I can't try to reproduce it now, so I can't guarantee it is reproducible this way.]
   • Install Bolt 3.3
   • Install BoltAuth extension
   • Upgrade Bolt to 3.4
4. Expected result:
   • Running the database check should not find any modifications needed. Or if it does, the database update should fix them.
5. Actual result:
   • The database check always says "Table bolt_auth_token is not the correct schema: invalid column token"

A Javascript error occurs when trying to enable/disable/delete a user or add/remove a role.
The error is auth is not defined

Console output below:

Deleting user(s): 739ebb13-8d53-4d70-89c9-4cb0f1e9b914  auth-admin.js:93:13
ReferenceError: auth is not defined[Learn More]  bolt.js:1:1

Details

• Relevant Bolt Auth Version: [ master ]
• Relevant Bolt Version: [ 3.3.1 ]
• PHP version: [ 7.1.0 ]
• For UX/UI issues: [ Firefox DevEdition 55 ]

Reproduction

Create a new boltauth user, then try to enable/disable/delete him or add/remove a role.