View a user profile on the frontend (https://example.com/index.php/author-login?view=profile)
Edit the same profile (yours) on the frontend (http://127.0.0.1:1025/index.php/change-password)
The token on both pages should surely be the same, right?
Labels added: J4 Issue
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2020-06-07 11:52:23
Closed_By: Quy
That's the same issue as why Reset is shown.
What is stored in the database is not the entire token, to prevent a SQLi from divulging all tokens set up in Joomla, leading to privilege escalation. Instead, we only store a "seed". The actual token is a base64-encoded string of a user ID, an algorithm and an HMAC of the seed with the site's secret using said algorithm.
When you send a token to Joomla the string is base64 decoded. The user ID lets us read the seed, if any, for the token. Then the authentication plugin calculates the HMAC of the seed with the site's secret and compares it with the HMAC provided in the token using time-safe compare. If the result is positive the user is considered logged in.
Since the profile view dumps the raw values stored in the profile you get the seed, not the actual token.
As I said in the other issue, the solution is probably modifying the user plugin to basically remove the entire API token section from the loaded form on that page. Would you like to give it a try? Apparently I've found myself trying to fix CSS issues in J4, which is exactly what it sounds like...
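The seed/token split described in the comment above, as an added stand-alone example (not Joomla's own code): the field layout inside the base64 string, the hex MAC encoding and the algorithm allowlist are assumptions, and the secret and seed values are constructed. It shows why the seed shown on the profile page does not verify as a token.

```python
import base64
import hmac

# Constructed sample values standing in for the site secret and the per-user
# "seed" column that the database actually stores (the seed is not the token).
SITE_SECRET = b"constructed-site-secret-do-not-reuse"
SEEDS = {42: "c0ffee1234constructedseed"}
ALLOWED_ALGOS = ("sha256", "sha512")  # assumed allowlist, not Joomla's own list


def issue_token(user_id: int, algo: str, seeds: dict, secret: bytes) -> str:
    """Build the token: base64(user_id:algo:HMAC_algo(secret, seed)).
    The colon-separated layout is an assumption for this example."""
    mac = hmac.new(secret, seeds[user_id].encode(), algo).hexdigest()
    return base64.b64encode(f"{user_id}:{algo}:{mac}".encode()).decode()


def verify_token(token: str, seeds: dict, secret: bytes):
    """Return the user ID when the token checks out, otherwise None."""
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split(":")
    if len(parts) != 3:
        return None
    uid, algo, mac = parts
    if not uid.isdigit() or algo not in ALLOWED_ALGOS:
        return None
    seed = seeds.get(int(uid))  # the user ID selects the stored seed, if any
    if seed is None:
        return None
    expected = hmac.new(secret, seed.encode(), algo).hexdigest()
    # Constant-time comparison, as the comment describes (time-safe compare).
    if not hmac.compare_digest(expected, mac):
        return None
    return int(uid)


if __name__ == "__main__":
    tok = issue_token(42, "sha256", SEEDS, SITE_SECRET)
    print("issued token   ->", verify_token(tok, SEEDS, SITE_SECRET))
    # The value dumped by the profile view is the seed; presenting it fails.
    leaked = base64.b64encode(SEEDS[42].encode()).decode()
    print("seed as token  ->", verify_token(leaked, SEEDS, SITE_SECRET))
```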