Log message #4105023

# At Username Text
# Dec 19th 2017, 21:39 birdy247 :+1:
# Dec 19th 2017, 21:39 admad @birdy247 Google already requires the redirect uri to exactly match, which is why social auth plugin doesn't modify the query string and uses session instead :slightly_smiling_face:
# Dec 19th 2017, 21:26 saeideng good night
# Dec 19th 2017, 21:09 dereuromark good find though, mapping that internally via session, db, ... should do the trick
# Dec 19th 2017, 21:09 dereuromark birdy: that's total BS. query string itself would already suffice for protections. total noobs.
# Dec 19th 2017, 21:08 birdy247 @dereuromark we can use the state :slightly_smiling_face: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logindialog
# Dec 19th 2017, 21:08 dereuromark what kind of annotations do they have/need? https://github.com/dereuromark/cakephp-ide-helper/issues/68
# Dec 19th 2017, 21:07 dereuromark @mail used cells yet?
# Dec 19th 2017, 21:07 birdy247 "Strict Mode prevents hijacking of your redirect URIs by requiring an exact match from your Valid OAuth redirect URIs list. For example, if your list contains www.example.com, then Strict Mode won't allow www.example.com/token as a valid redirect. It also won't allow any extra query parameters not present in your Valid OAuth redirect URIs list."
# Dec 19th 2017, 21:03 birdy247 I'll ask facebook
# Dec 19th 2017, 21:02 dereuromark it indeed would then be session that would need remembering
# Dec 19th 2017, 21:01 dereuromark everything else is otherwise really annoying
# Dec 19th 2017, 21:01 dereuromark URL is until those start usually
# Dec 19th 2017, 21:00 dereuromark did you try query strings? I would bet that this is not part of their specs
# Dec 19th 2017, 21:00 birdy247 "exactly match the Valid OAuth Redirect URIs"
# Dec 19th 2017, 20:59 birdy247 exactly
# Dec 19th 2017, 20:59 birdy247 yes
# Dec 19th 2017, 20:59 dereuromark you mean with strict that no dynamic part is allowed?
# Dec 19th 2017, 20:58 birdy247 but if facebook is mandating that the url must be strict i.e. how can I pass a query string to OAuth
# Dec 19th 2017, 20:57 dereuromark as all the rest of cake itself works :slightly_smiling_face:
# Dec 19th 2017, 20:57 dereuromark it should point to the own login with redirect query string
# Dec 19th 2017, 20:57 dereuromark the callback action is implemented wrong
# Dec 19th 2017, 20:56 birdy247 I don't follow
# Dec 19th 2017, 20:56 dereuromark as long as the query string is encoded properly
# Dec 19th 2017, 20:56 dereuromark it's nested basically
# Dec 19th 2017, 20:56 dereuromark redirect=ownsite?redirect?...
# Dec 19th 2017, 20:55 dereuromark well, that was never how it should be :slightly_smiling_face:
# Dec 19th 2017, 20:55 birdy247 https://www.domain.com/hybrid-auth/endpoint?redirect=%2Fenter-race%2F816%23anchorandhauth_done=Facebook
# Dec 19th 2017, 20:55 birdy247 i.e. this used to be my redirect uri
# Dec 19th 2017, 20:54 birdy247 others will not be allowed
# Dec 19th 2017, 20:54 birdy247 the redirect url has to be set in advance
# Dec 19th 2017, 20:54 birdy247 but that won't work now will it?
# Dec 19th 2017, 20:53 dereuromark that has never changed afaik
# Dec 19th 2017, 20:53 dereuromark no, it should always return back to the login which then redirects via query string
# Dec 19th 2017, 20:53 birdy247 I guess now we will have to store this in a session or something?
# Dec 19th 2017, 20:53 birdy247 at the moment I used the cakephp redirect query string to direct the user to where they wanted to go after they are redirected from the provider
# Dec 19th 2017, 20:52 birdy247 it will become mandatory to turn on strict mode
# Dec 19th 2017, 20:52 birdy247 Note: Turning on Strict Mode will invalidate any calls from URIs not listed in the Valid OAuth Redirect URI
# Dec 19th 2017, 20:51 dereuromark hybrid auth has some issues, so I would also like to change at some point to social auth
# Dec 19th 2017, 20:51 dereuromark what's the change?
# Dec 19th 2017, 20:50 birdy247 the redirect uri must be fixed