Item14506: Add Token Authentication

This will be used by the new Password Reset process.
foswiki · Oct 9, 2017 · e1f2e16 · e1f2e16
1 parent ef15a64
commit e1f2e16
Show file tree

Hide file tree

Showing 5 changed files with 485 additions and 215 deletions.
diff --git a/UnitTestContrib/test/unit/FuncUsersTests.pm b/UnitTestContrib/test/unit/FuncUsersTests.pm
@@ -2042,4 +2042,19 @@ sub DISABLEDverify_denyNonAdminReadOfAdminGroupTopic {
     return;
 }
 
+sub test_tokenLogin {
+
+    my $this = shift;
+
+    my $token =
+      Foswiki::LoginManager::generateLoginToken( 'Foofoo',
+        { cUID => 'Foofoo', a => 'b' } );
+
+    use Storable qw(fd_retrieve);
+    my $hashref =
+      Storable::retrieve("$Foswiki::cfg{WorkingDir}/tmp/tokenauth_$token");
+    print STDERR Data::Dumper::Dumper( \$hashref );
+    print STDERR " token ($token) \n";
+
+}
 1;
diff --git a/core/data/System/UserAuthentication.txt b/core/data/System/UserAuthentication.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1460338963" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1507509397" format="1.1" version="1"}%
 %META:TOPICPARENT{name="AdminDocumentationCategory"}%
 %STARTINCLUDE%
 ---+ User Authentication
@@ -274,10 +274,35 @@ limited value if the users access Foswiki via a proxy or other device that cause
 
 ---++++ Optional Sessions for Guest users
 
-_EXPERIMENTAL feature:_ In Foswiki version 2.0, sessions can be suppressed for guest users.   This is generally safe if guests have no ability to update.
-However if guests are permitted to update, such as by using the CommentPlugin, or if any wiki applications make use Session Variables, (See VarSESSIONVAR) then guest sessions should be enabled. See the
+In Foswiki version 2.0, sessions can be suppressed for guest users.   This is generally safe if guests have no ability to update, and is especially helpful if the site is subjected
+to a large workload from indexing and search bots.
+If guests are permitted to update, such as by using the CommentPlugin, or if any wiki applications make use Session Variables, (See VarSESSIONVAR) then guest sessions should be enabled. See the
 [[%SCRIPTURLPATH{"configure"}%][configure]] interface, =Security And Authentication= tab for more information.
 
+It's also possible to tell Foswiki to create a session on specific pages.  See expert setting: ={Sessions}{TopicsRequireGuestSessions}=.  Set it to a
+list of topics that should cause creation of a Foswiki session.  The default setting matches any topic containing the string "Registration" or "ResetPassword".
+
+---+++ Other Login methods
+
+The Foswiki Login Manager attempts to establish the identity of the current user through a series of steps:
+   1 It asks the configured login manager for the Web Server provided identity.
+      * Apache Login provides the REMOTE_USER identity.  Template Login does not supply an identity.
+   1 It examines any Session Cookie or IP Session mapping for the stored identity.
+      * Note that the session identity is allowed to override the web server's provided identity, for example, to support admin sudo login.
+   1 %N% If it still does not have an identity, it looks for an authentication token parameter =authtoken=[md5 key]=
+      * Auth tokens are new with Foswiki 2.2.  An Auth token can be created to "invite" a user, granting them a single-use login.
+      * The user can be restricted to access a single topic, such as ChangePassword.  All normal Web & Topic ACLs still apply.
+      * Auth tokens have a lifetime of 15 minutes by default.  See: =$Foswiki::cfg{Login}{TokenLifetime}=
+      * Token details are stored in $Foswiki::cfg{WorkingDir}/tmp/tokenauth_[md5-key]=
+   1 Finally, if it still does not have an identity, it looks for query params or X-Autentication headers and asks the Password Manager to check the credentials.  *This is considered insecure*, especially for non-SSL http: type connections.
+      * In CLI mode, the =-username= and =-password= CLI options will be checked.  If a username/password is provided and the check fails, the script will run as the Guest user. (By default, CLI Scripts always run as admin).
+      * With web access, there are two options
+         1 =username= and =password= query parameters. These are usable in very limited circumstances:
+            * ={Session}{AcceptUserPwParam}= must match the script.  Default is only =view= and =viewauth=.
+            * ={Session}{AcceptUserPwParamOnGET}= must be enabled, or use is restricted to POST operations.  This helps prevent emailing of links with embedded passwords.
+         1 =X-Authentication= header can be set to =Foswikibasic userid:password=  (userid:password must be encoded with MIME Base64 encoding.
+See [[%SCRIPTURLPATH{"view" topic="PerlDoc" web="System" module="Foswiki::LoginManager"}%]] for more details.
+
 #HowTo
 ---++ Important Considerations
 

diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
@@ -416,6 +416,12 @@ $Foswiki::cfg{Validation}{ExpireKeyOnUse} = 1;
 # the Web Server configuration.
 $Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
 
+# **NUMBER LABEL="Login Token Lifetime"**
+# Specifiy the time in seconds the Login token should be usable, for example:  password reset.
+# Recommend setting this to allow for email delays, including grey listing
+# no more than 15 minutes (900 seconds).
+$Foswiki::cfg{Login}{TokenLifetime} = 900;
+
 # **BOOLEAN LABEL="Debug Login Manager" EXPERT**
 # Write debugging output to the webserver error log.
 $Foswiki::cfg{Trace}{LoginManager} = 0;
@@ -441,13 +447,15 @@ $Foswiki::cfg{AuthScripts} =
 # Enable this setting to restore the original insecure defaults.
 $Foswiki::cfg{LegacyRESTSecurity} = $FALSE;
 
-# **REGEX LABEL="Authenticated Scripts Pattern" EXPERT**
-# Regular expression matching the scripts that should be allowed to accept the 
+# **REGEX LABEL="Scripts accepting user/pass params" EXPERT**
+# Regular expression matching the scripts that should be allowed to accept the
 # =username= and =password= parameters other than the login script. Older
 # versions of Foswiki would accept the username and password parameter on any
 # script. The =login= and =logon= script will always accept the username and
 # password, but only from POST requests. In order to add support for the
-# =rest= and =restauth>> scripts, specify =/^(view|rest)(auth)?$/=
+# =rest= and =restauth>> scripts, specify =/^(view|rest)(auth)?$/=.  See also the
+# Miscellaneous -> Compatibilty expert settings if you want to accept user/pass
+# parameters on GET requests.
 $Foswiki::cfg{Session}{AcceptUserPwParam} = '^view(auth)?$';
 
 # **BOOLEAN LABEL="Prevent from Remembering the User Password" EXPERT DISPLAY_IF="{LoginManager}=='Foswiki::LoginManager::TemplateLogin'" CHECK="iff:'{LoginManager} =~ /TemplateLogin$/'"**