Found a better solution that involved disallowing login when username=False (registration_id field not present) and when janrain reports no email. Basically this prevents AOL logins.

Let's all think whether there is a better way to handle it in a backward compatible way.

On Oct 9, 12:18 am, Massimo Di Pierro <[email protected]> wrote:
> Correction. The identifier is there. The problem is that web2py only
> uses the janrain identifier as an identifier if
> auth.define_tables(username=True) else it uses email. AOL login does
> not pass the email along.
>
> We could modify tools.py so as to always add a registration_id field
> to the table even if auth.define_tables(username=False). This solves
> the problem above but it will force a migration of your auth_user
> table and your app will no longer recognize users who have previously
> logged in. Suggestions?
>
> For now if you use janrain or other third party federated ID, make
> sure
>
> auth.define_tables(username=True)
>
> Massimo
>
> On Oct 8, 11:55 pm, Massimo Di Pierro <[email protected]>
> wrote:
> >
> > A major vulnerability has been discovered.
> >
> > When a user logs in with Janrain using AOL, Janrain reports an
> > identifier=None instead of a valid unique id for the user as it
> > normally does. Therefore if two different people log in to a web2py
> > application using different AOL accounts, Janrain reports them as the
> > same person.
> >
> > I have just pushed a partial fix to trunk that prevents login when the
> > Janrain identifier is set to None. That means you cannot log in to
> > web2py with AOL.
> >
> > According to the Janrain online docs, the identifier should be unique
> > for every user but it does not appear to be the case for AOL users.
> >
> > Even if you do not wish to upgrade, copy gluon/contrib/login_methods/
> > rpx_account.py from trunk into your version.
> >
> > Massimo
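As an added illustration (not web2py's own code and not part of the thread): a small Python model of the account-key logic discussed above. It contrasts the pre-fix behaviour, where whatever the provider sends becomes the lookup key, with the check described in the thread (refuse login when the identifier is None, and, when the app keys users on email, also when no email is reported). The profile dicts are constructed in the shape a Janrain callback returns; the `username` flag stands in for `auth.define_tables(username=...)`; the `LoginRefused` exception and the account-numbering helper are assumptions made for the demonstration.

```python
# Added example, not web2py code: models how a federated-login callback
# derives the account key from the provider profile, and why a missing
# identifier (or email) must block login instead of mapping every such
# user onto one shared account.
from typing import Optional

# Constructed sample profiles in the shape Janrain returns. Two "AOL"
# profiles carry identifier=None, as the thread describes; "Bob" has an
# identifier but no email.
PROFILES = [
    {"identifier": "https://example.com/openid/alice",
     "email": "alice@example.com", "displayName": "Alice"},
    {"identifier": None, "email": None, "displayName": "AOL user one"},
    {"identifier": None, "email": None, "displayName": "AOL user two"},
    {"identifier": "https://example.com/openid/bob",
     "email": None, "displayName": "Bob"},
]


class LoginRefused(Exception):
    """Assumed for this example: raised when the profile cannot safely identify a user."""


def naive_user_key(profile: dict, username: bool) -> Optional[str]:
    """Pre-fix behaviour (modelled, not copied): trust the provider.
    username=True keys on the identifier, username=False keys on email.
    A None value is passed straight through as the lookup key."""
    return profile.get("identifier") if username else profile.get("email")


def hardened_user_key(profile: dict, username: bool) -> str:
    """Behaviour described in the thread: a None identifier never logs in;
    when the app keys on email (username=False), a missing email is
    refused as well instead of becoming a shared key."""
    identifier = profile.get("identifier")
    if not identifier:
        raise LoginRefused("provider returned no unique identifier")
    if username:
        return identifier
    email = profile.get("email")
    if not email:
        raise LoginRefused("provider returned no email and app keys on email")
    return email


def simulate_logins(key_fn, username: bool) -> dict:
    """Log every sample profile in through key_fn and report which account
    each one lands in (accounts are numbered in order of first use) or
    'login refused'. Two users sharing a number is the account-mixing bug."""
    accounts = {}   # lookup key -> account number
    outcome = {}
    for profile in PROFILES:
        name = profile["displayName"]
        try:
            key = key_fn(profile, username)
        except LoginRefused:
            outcome[name] = "login refused"
            continue
        accounts.setdefault(key, len(accounts) + 1)
        outcome[name] = accounts[key]
    return outcome


if __name__ == "__main__":
    for mode in (True, False):
        print(f"username={mode} naive:    {simulate_logins(naive_user_key, mode)}")
        print(f"username={mode} hardened: {simulate_logins(hardened_user_key, mode)}")
```

With the naive key, both AOL profiles (and, in email mode, Bob too) collapse into one account; with the hardened key they are refused and only profiles with a usable unique key get an account, which is the trade-off the thread describes (no AOL logins, but no account mixing).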

