trustedlogin / client Goto Github PK
View Code? Open in Web Editor NEWEasily and securely log in to your customers sites when providing support.
License: GNU General Public License v2.0
Easily and securely log in to your customers sites when providing support.
License: GNU General Public License v2.0
This limits the surface area for any possible compromises.
The idea is to allow the customer to change how long the developer has access to a site. This will resolve the friction that people may feel when clicking the button "why do they need a week!?". Even having the option to change the value will solve the problem.
This is for after launch, but shown in the auth screen mockup:
If enabled, show a vertical "milestone"-like timeline of access to site, when it was granted, by whom, etc.
• Juaquin Rogers granted access to GravityView support at 1:30 AM on August 7, 2020
• GravityView Support logged-in at 2:30 PM on August 7, 2020
• GravityView Support revoked access on 3:32 PM on August 7, 2020
Just like this!
first_name
and last_name
; support teams don't have namesdisplay_name
in place of where we assume people want to have a "support" suffix, like {{title}} Support
Let's just do this.
hash( 'sha256' , $data );
Edit: It may not be available in PHP 5.2…Can we use sha256
on 5.3+ and md5
on 5.2?
Found this on the trustedlogin.support (client plugin test site) server debug log.
[30-Apr-2021 18:54:02 UTC] PHP Fatal error: Uncaught Error: Call to a member function delete() on null in /sites/trustedlogin.support/files/wp-content/plugins/GravityView/vendor/GravityView/TrustedLogin/Cron.php:109
Stack trace:
#0 /sites/trustedlogin.support/files/wp-includes/class-wp-hook.php(292): GravityView\TrustedLogin\Cron->revoke()
#1 /sites/trustedlogin.support/files/wp-includes/class-wp-hook.php(316): WP_Hook->apply_filters()
#2 /sites/trustedlogin.support/files/wp-includes/plugin.php(551): WP_Hook->do_action()
#3 phar:///usr/local/bin/wp/vendor/wp-cli/cron-command/src/Cron_Event_Command.php(293): do_action_ref_array()
#4 phar:///usr/local/bin/wp/vendor/wp-cli/cron-command/src/Cron_Event_Command.php(262): Cron_Event_Command::run_event()
#5 [internal function]: Cron_Event_Command->run()
#6 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Dispatcher/CommandFactory.php(98): call_user_func()
This will only work if it doesn't increase the encryption time linearly.
This used to require Flash, but now it’s a browser API.
It should give visual feedback to show it’s been copied (a little transparent “copied” floating up from the click target or something).
We shouldn’t need this library: https://clipboardjs.com but something like that.
Won’t be supported in IE apparently.
https://developer.mozilla.org/en-US/docs/Web/API/Element/copy_event
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Interact_with_the_clipboard
https://hackernoon.com/copying-text-to-clipboard-with-javascript-df4d4988697f
I'd like some feedback on this, @inztinkt and @shawnhooper
The SaaS is set to receive it, we just need to start sending it from the client plugin when it reports that the lockdown was triggered.
Encryption::get_remote_encryption_key()
pings the vendor's site for the public key.
If a 404 is returned, the error message returned is 'The TrustedLogin vendor was not found.'
Which is incorrect.
Caused by this being handled by Remote::handle_response(...)
which assumes it's pinging the SaaS.
The build process must not require plugins to rename translations. Also, we need i18n strings.
Dropping jquery.confirm from the plugin.
in order to make logging and saas table/ux useful, make the siteurl accessble.
In TrustedLogin\Encryption()
we add a 'cache' of a Vendor's encryption public_key (fetched from their WP API endpoint) into a namespaced site option (tl_<ns>_public_key
).
If the keys are reset on Vendor after an initial TL support agent is created, any future TL envelopes will be encrypted with the wrong public key, and thus won't be possible to decrypt once received.
We switch from site_option to transient with a 1 hour expiry.
We could also add a url param to the authpage to force a fetch of a new public_key from vendor.
Don't cache the public key, and always fetch it live from Vendor's site.
Thoughts @zackkatz ?
See GravityKit/GravityView@457320dfe
As reported here: BrianHenryIE/strauss#15
This will enable the SaaS to auto-cleanup trustedlogin/trustedlogin-ecommerce#277
No longer need to perform additional requests in #34, and will be able to just post to SaaS to renew expiration.
One of the biggest security problems that TL solves, especially for GDPR, is support people being able to see customer data, even when they don't need to.
We should have a way to check roles/caps for the user being granted and show the user whether the support has access to eCommerce data.
Here's a mock-up:
I was thinking along these lines:
Add a boolean allow ecommerce access
setting in the configuration array. If true, add additional caps for roles added by Woo, EDD, other shops. If false, remove access using exclude caps trustedlogin/trustedlogin-example#14 list.
shop_manager
roles that map to administrators.debug.log contains the following:
ReplaceMe\TrustedLogin\Logging::setup_klogger (error): KReplaceMe_ReplaceMe_Logger not found.
Could this be due to composer/mozart @zackkatz ?
A WordPress plugin using core's admin-ajax API is a common practice, but it's a really bad smell for a product that is security focused to repropose it for plugin settings. It's also not performant. It's also the endpoint that gets attacked the most.
If you want to have this as the insecure default fine, I get it WordPress. But please refactor so that the callbacks for admin-ajax are only responsible for validating/ authorizing the request and then dispatching to a class that was responsible only for handling the actual business logic of the request.
For example in the god class there is "ajax_generate_support" method, from line 489 on is the business logic
https://github.com/trustedlogin/trustedlogin-client/blob/develop/src/Client.php#L489-L526
If that was in its own class, with the single responsibility of generating a support user, then I -- as a plugin developer -- could hook that up to the REST API with my own standard abstraction, endpoint naming, and avoid the performance and security concerns of admin-ajax.
If the site isn’t able to transmit credentials, don’t add the TL logo to the button.
From TrustedLogin\Client->extend_access()
Data we have:
$return_data = array(
'site_url' => get_site_url(),
'identifier' => $identifier_hash,
'user_id' => $support_user_id,
'expiry' => $expiration_timestamp,
'is_ssl' => is_ssl(),
'timing' => array(
'local' => $timing_local,
'remote' => null,
),
);
As well as which WP User clicked 'extend'.
Useful for logging on SaaS-side.
Things I see as issues:
add_action( 'admin_enqueue_scripts', array( $this, 'register_assets' ) );
jquery-confirm
or trusted-login
registered by plugin A, but not the copy registered by plugin B?So I think at a minimum namespacing these handles is necessary and adding filters or something to prevent any of the wp_register_script
or wp_enqueue_script
calls from running. Ideally, this responsibility would be removed from the Client
class and I as a plugin developer could easily remove the default hooks that the client adds and use my own system.
nonce
and publicKey
are needed by Sodium\crypto_box_open
metaData
is for anything misc. non crypto-related.
Only if you are 100% certain that your processor is safe, you can set ParagonIE_Sodium_Compat::$fastMult = true; without harming the security of your cryptography keys. If your processor isn't safe, then decide whether you want speed or security because you can't have both.
"Help, Sodium_Compat is Slow! How can I make it fast?"
The difference when enabling \ParagonIE_Sodium_Compat::$fastMult = true;
is huge:
The user experience difference is huge: 1.4 seconds is fine. 4.5 seconds feels like something is going wrong.
If this is just "how things are" we need to create an animation or something showing us generating secure cryptographic strings or something. Can't just have a spinner. It feels wrong.
[UPDATE]
We could have a progressive loading page, where it shows progress as it happens ("reticulating splines"):
And then that hides, and it says "DONE!"
Related to https://github.com/trustedlogin/trustedlogin-ecommerce/issues/270
If not active - don't do TL flow, instead redirect to provided support link.
The Client class has a lot of responsibilities. The __constructor method alone is responsible for:
I have a few major issues with this:
Also line 229 if ( ! isset( $passed_config['auth']['public_key'] ) ) {
to 264 does not validate a lot of potential errors. That line will generate a warning with the default argument for $config. It does not check if the variable is an array -- the __construct method signature has no type hint. The unit tests not testing what happens when a stClass object or a JSON string are passed to __construct is bad smell.
Imagine a Config class like this:
namespace TrustedLogin;
class Config
{
public function __construct(array $config )
{
}
public function validate(): Config
{
if( '1' == '2'){
throw new \Exception();
}
return $this;
}
//Getter and setter methods?
}
and if the __construct method of Client looked like this:
public function __construct( Config $config ) {
Then I could instantiate the client like this:
$config = new Config(['namespace' => 'shawn' ]);
try{
$config = $config->validate();
$client = new Client($config);
}catch (\Exception $e ){
//Don't tell me, a plugin developer
// how to log errors or show an admin notice using my own special abstraction
// I will handle this myself.
}
It's unclear what to do with the site access key. What's going to happen? Who does what?
Currently the SaaS isn't being notified when the user and endpoint are deleted locally.
The SaaS has a delete endpoint. It should be pinged when deleting access happens.
The code comments reference a URL that isn't redirecting yet:
Allow same key many times, but not brute-forcing the accesskey.
Assume user has the endpoint hash and are trying wrong keys.
Allow X bad attempts in X minutes (both should be constants set in the code).
Getting the following in debug.log
:
PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, class 'ReplaceMe\TrustedLogin\Cron' does not have a method 'cron_revoke_access' in .../hosts/trustedlogin-dev/wp-includes/class-wp-hook.php on line 288
This will allow for better debugging.
It is better to rely on PHP's encryption system than to create something custom with openssl_*
functions.
This library is included in PHP so it runs faster and there is a polyfill for out of date versions of PHP.
I would STRONGLY recommend using a secure encryption system like this one: https://gist.github.com/ericmann/1e54625d81a35b243eec0d67ae7b868f
Here, the core function wp_generate_password
is used to generate some sort of hash value:
This has two key weakness:
Related #3
The Must-Use Plugin configuration is important to the agency and hosting market.
hey @zackkatz I was looking at building this out a REST API endpoint.
ie <siteurl>/<api-slug>/tl-<ns>/<version>/revoke
however, now i'm just working through how:
Might it be best to let the site access timeout given that the encrypted envelope will be useless once the encryption keys are reset on vendor side?
Also means we can stop caching the public key and also drop issue #39.
Currently the public key lookup is fetched in the client code by reading the vendor/website
URL. This assumes that the same URL will be used for hosting the Vendor plugin.
Furthermore, this would prevent vendor from changing their websites without providing redirects for the public key endpoint (they probably would do a site-wide 301, but it's still a problem).
I propose either:
TrustedLogin\Encryption::get_remote_encryption_key()
could ping the SaaS instead of the Vendor. The SaaS would need to round-trip to the Vendor site to fetch the key, but it would allow modification and remove a setting that could be problematic in the future./wp-json/
endpoint. It's not clear that the vendor/website
configuration needs to be the same as the public key endpint.trustedlogin/trustedlogin-ecommerce#405
Data is printed to the DOM without escape functions:
See: https://wpvip.com/documentation/vip-go/validating-sanitizing-and-escaping/#always-escape-late
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.