Return user information in auth.pl if sent with a specific parameter (eg. ?info=json) #9910

Closed · alexgarel opened this issue Mar 13, 2024 · 5 comments · Fixed by #9918

Comments

@alexgarel (Member) commented Mar 13, 2024

We need to know some information like:

  • is a user a moderator
  • what is its preferred language

for services like open-prices / nutripatrol / hungergames

It should be quite easy to add this functionality to auth.pl so that if there is a ?info=json parameter, we would return a JSON with useful information (maybe avoid revealing email for now)

@hangy (Member) commented Mar 13, 2024

What's the timeframe? We want to move a lot of this data to Keycloak (#1596), so that it could be available as user claims. If we add it to auth.pl now (it's really not an auth feature, but a user profile feature, but I digress), we'd have to proxy the request to Keycloak afterwards.

@alexgarel (Member, Author) commented

@hangy it's fairly urgent… for example NutriPatrol needs it to be deployed (only moderators should access moderation images).

It's only for internal tools (that use the cookie), so:

  • we should not advertise it in the documentation
  • we would still have to forward the request to Keycloak as you say, but we could remove it after a short period, as soon as those tools move to the Keycloak API

cc @Valimp @john-gom @stephanegigandet @alexfauquette

@alexfauquette (Member) commented

> NutriPatrol needs it to be deployed

If it's blocking, you still have the option of hard coding a list of usernames as NutriPatrol moderators

stephanegigandet self-assigned this Mar 14, 2024

@stephanegigandet (Contributor) commented

I'm adding it.

@stephanegigandet (Contributor) commented

> (maybe avoid revealing email for now)

In fact we currently do return the email now (try https://world.openfoodfacts.org/cgi/auth.pl?body=1 )
Maybe not a good idea as an XSS attack would allow to get the email.
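The behaviour asked for in this thread (a JSON body from the auth endpoint carrying moderator status and preferred language, but not the e-mail that an XSS payload could read with the session cookie) as an added example. This is not code from openfoodfacts-server or from any participant; it is a standalone Perl script using only the core JSON::PP module. The field names (`user_id`, `name`, `moderator`, `preferred_language`, `email`, `password_hash`) and the shape of the user record are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not openfoodfacts-server code: build the JSON body an auth
# endpoint would return for ?info=json, exposing only an allowlist of fields.
# Anything not on the list (e-mail, password hash) never reaches the client,
# so same-origin script injected via XSS cannot harvest it by calling the
# endpoint with the victim's cookie.
use strict;
use warnings;
use JSON::PP;

# Fields we are willing to reveal to same-origin callers.
# These names are assumptions for the example, not the project's real keys.
my @PUBLIC_FIELDS = qw(user_id name moderator preferred_language);

# Constructed sample user record, standing in for what the session loads.
my %user = (
    user_id            => 'alice',
    name               => 'Alice',
    email              => 'alice@example.org',   # must never be returned
    password_hash      => '$2y$10$constructed',  # must never be returned
    moderator          => 1,
    preferred_language => 'fr',
);

# Copy only the allowlisted fields. A field missing from the record becomes
# null instead of making the whole response fail.
sub public_user_info {
    my ($u) = @_;
    my %out;
    for my $field (@PUBLIC_FIELDS) {
        $out{$field} = exists $u->{$field} ? $u->{$field} : undef;
    }
    # Emit a real JSON boolean rather than Perl's "1" / "" truthiness.
    $out{moderator} = $u->{moderator} ? JSON::PP::true : JSON::PP::false;
    return \%out;
}

my $json = JSON::PP->new->canonical->utf8;
my $body = $json->encode(public_user_info(\%user));

# Last line of defence before sending: refuse to emit a body that contains
# the e-mail address, even if someone later edits the allowlist badly.
die "refusing to send: email leaked into response\n"
    if index($body, $user{email}) >= 0;

print "Content-Type: application/json; charset=utf-8\n";
print "X-Content-Type-Options: nosniff\n\n";
print "$body\n";
```

Run it as a plain script; the printed body is `{"moderator":true,"name":"Alice","preferred_language":"fr","user_id":"alice"}` preceded by the headers. The allowlist is the point: a denylist that removes `email` would silently start leaking any new sensitive field added to the record later, whereas an allowlist only ever grows when someone consciously adds a key. The `nosniff` header and the explicit JSON content type keep a browser from interpreting the body as anything else if it is ever reached through a different path.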

stephanegigandet added a commit that referenced this issue Mar 15, 2024:

    fix: add some user info in /cgi/auth.pl body #9910

    * removing email

Payne680 pushed a commit to Payne680/openfoodfacts-server that referenced this issue Mar 15, 2024 (same commit message)

john-gom pushed a commit that referenced this issue May 24, 2024 (same commit message)