For a security issue, if an authentication plugin detects an anomaly (e.g. a lot of tests of authentication in a short time, a suspect IP or a blacklisted IP...), this plugin should have a means to cancel the current authentication.
Today, the only way to cancel the authentication process is to disable the authentication plugin of Joomla and rewrite another one on the same model.
The status "cancel" is unused and perhaps this would be a good use for it.
Status | New | ⇒ | Pending |
Labels | Added: ? |
Category | ⇒ | Authentication Libraries Plugins |
Please add test instructions, otherwise it is not easy to test and to know what the results should be.
I'm sorry but there are no instructions for testing.
The only way to test is to create an authentication plugin and note that this plugin does not have the means to stop the authentication process. Today the only way to break out of the loop is when an authentication plugin has identified a user, but there is no way to break out of the loop if a plugin identifies a problem (e.g. a lot of tests of authentication in a short time, a suspect IP or a blacklisted IP...). If a plugin finds a problem, the loop continues and cannot be stopped.
Hey,
I've been having a look over this as my company are in the process of building an authentication plugin at the moment. I think this is fine BUT you need to add the cancelled status to the list of denied states https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/cms/application/cms.php#L823 and
https://github.com/joomla/joomla-cms/blob/3.6.1-rc2/libraries/legacy/application/application.php#L635
If an authentication plugin returns anything other than STATUS_SUCCESS, the test at line 627 of application.php fails and the login function is stopped.
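Added example, not part of the thread and not Joomla's code: a simplified model of the plugin loop discussed above, showing how a plugin's "cancel" is ignored when the loop only exits on success, and how honouring it changes the outcome. All function names, constant values, the password and the attempt counts are constructed for illustration.

```php
<?php
// Simplified, hypothetical model of an authentication plugin loop.
// Names and values are constructed; this is not Joomla's implementation.
const STATUS_SUCCESS = 1;
const STATUS_CANCEL  = 2;
const STATUS_FAILURE = 4;

// Constructed sample data: failed attempts per source IP (documentation ranges).
$failedAttempts = ['203.0.113.7' => 25, '198.51.100.4' => 1];

// Each "plugin" receives the credentials and returns a status.
$plugins = [
    // Anomaly detector: vetoes the login when an IP exceeds the threshold.
    'throttle' => function (array $cred) use ($failedAttempts): int {
        $count = $failedAttempts[$cred['ip']] ?? 0;
        return $count > 10 ? STATUS_CANCEL : STATUS_FAILURE;
    },
    // Password checker: succeeds for the (constructed) correct password.
    'password' => function (array $cred): int {
        return hash_equals('correct horse', $cred['password'])
            ? STATUS_SUCCESS : STATUS_FAILURE;
    },
];

function authenticate(array $plugins, array $cred, bool $honourCancel): int
{
    $status = STATUS_FAILURE;
    foreach ($plugins as $plugin) {
        $status = $plugin($cred);
        if ($status === STATUS_SUCCESS) {
            break; // the only exit the thread describes as existing today
        }
        if ($honourCancel && $status === STATUS_CANCEL) {
            break; // proposed behaviour: a plugin's veto ends the loop
        }
    }
    return $status;
}

// The caller must treat every non-success status, CANCEL included, as a denial.
function isLoginAllowed(int $status): bool
{
    return $status === STATUS_SUCCESS;
}

// Valid password arriving from the throttled address.
$cred = ['ip' => '203.0.113.7', 'password' => 'correct horse'];
var_dump(isLoginAllowed(authenticate($plugins, $cred, false))); // veto ignored
var_dump(isLoginAllowed(authenticate($plugins, $cred, true)));  // veto honoured
```

With the veto ignored, a later plugin's success overwrites the detector's result; with it honoured, the login from the throttled address is refused even though the password is valid.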
@colivier This cannot be merged at this point because the file and code were moved (now /libraries/joomla/authentication/authentication.php line 287).
@euismod2336 thank you for the information, so I close the PR
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-11-04 13:35:51 |
Closed_By | ⇒ | colivier |
Category | Authentication Libraries Plugins | ⇒ | Libraries Authentication |
@colivier see: colivier#1 this should also fix the second Travis problem ;)