| Message ID | 20201202113011.5382-1-stefan.schantl@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 00e1105b9294b13570b931c6212f13da8a753581 |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CmGwv1Pbfz3wpp for <patchwork@web04.haj.ipfire.org>; Wed, 2 Dec 2020 11:30:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4CmGwt1Lrqz1fd; Wed, 2 Dec 2020 11:30:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CmGwt0KfYz2y1Y; Wed, 2 Dec 2020 11:30:22 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CmGwr43Wxz2xkX for <development@lists.ipfire.org>; Wed, 2 Dec 2020 11:30:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4CmGwq2gpGz5s; Wed, 2 Dec 2020 11:30:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1606908619; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=8fkQt0b+hw8gYlrPlzZeTofZ427wrOU6garlXc0PSy4=; b=JICV0Mz5y8nZom2ZyHh1U5+uM8wqxEDkulq4cgp+3cIrI6RBhfKU/Rb0jzGlxMVKOCSsW7 Qa5RyucSC/gQVYBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1606908619; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=8fkQt0b+hw8gYlrPlzZeTofZ427wrOU6garlXc0PSy4=; b=Su8VQMKd6NDNHq0OiSFcqTOsXr1vk4G1c3lk9A7nK2Gcv/gnPQRGTwZuYQs7IagXgZQ9fd 2Gdw9KXulr6J14IQMkr4hEejenCzcgfyTfH41YApXmRDb7XAc6E/S4lgEjHdpxYpP29gMa UGdfR5J0NXxUfSmn7u6gkM/pW72Y5B8oC5h7ljv0CLl2u6YZo+V6urqN2pVcGg0EPHA4jU cM+2XZ6hKJp0JJ2PenAjmFzbI9dwI6FhsdLwMc0/xLx7lBMC544A6jCNOUGcglPOCWcTIh aQ4xVR8xi8nKm3UsBUHayvWUPPaIfYYXOcaa1giWigNTaKBtZNvvcVu5fcKbHg== From: Stefan Schantl <stefan.schantl@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] ddns.cgi: Drop static provider list for token based auth. Date: Wed, 2 Dec 2020 12:30:11 +0100 Message-Id: <20201202113011.5382-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
ddns.cgi: Drop static provider list for token based auth.
|
|
Commit Message
Stefan Schantl
Dec. 2, 2020, 11:30 a.m. UTC
This is really hard to maintain when adding new or altering existing
providers.
Reference #12415.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
html/cgi-bin/ddns.cgi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
Comments
Hello, I do not understand exactly what this patch is trying to achieve. Unfortunately we have no choice than doing it this way with the current UI. I do not think it is worth altering the UI for this, and I do not know how we could do it without having a list again? -Michael > On 2 Dec 2020, at 11:30, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > This is really hard to maintain when adding new or altering existing > providers. > > Reference #12415. > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > html/cgi-bin/ddns.cgi | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi > index 715c37290..024eaf7f6 100644 > --- a/html/cgi-bin/ddns.cgi > +++ b/html/cgi-bin/ddns.cgi > @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { > > my $use_token = 0; > > - # Handle token based auth for various providers. > - if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", > - "spdns.de", "zzzz.io"] && $username eq "token") { > + # Check if token based auth is configured. > + if ($username eq "token") { > $use_token = 1; > + } > > # Handle token auth for freedns.afraid.org and regfish.com. > - } elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") { > + if ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") { > $use_token = 1; > $password = $username; > > -- > 2.20.1 >
Hello Michael, the intension of this patch was, that a supported provider of DDNS has changed it's API to support now token based authentication. The code already has been changed so here we are safe by now. Also in case a new dynamic DNS provider will be added to DDNS, we do not have to do anything, because the GUI automatically will be filled with the new provider. But there is one big exception in this: If a new or existing provider has supports authentication tokens, this provider has to be added to this list, which is not very intuitive. We also have to ship the GUI each time for new, if this happened. (This was the former reason, why we created the "ddns list-providers" command to prevent from this.) My change simplifies, the check if token based authentication should be used or not. It removes the check against the static list of providers which supports token based authentications. (This is the list, which needs to be keep up to date by hand.) For the user nothing changes, because if he speciefies "token" as username, still the token base auth will be used for the choosen provider. The only way an user may be affected is, if he configures a token based auth for a provider which does not supports it. This now would be possible and will result in an authentication error against the provider - But Hey, if he fills in incorrect data the same will be happen. The only bigger problem would be if the valid username of a user is "token". In this case he will be affected in the same way and this could not be fixed in an easy way. IMHO, the benefits are bigger for us, because the maintain work will become much easier and one stupid error source will get eliminated. Best regards, -Stefan > Hello, > > I do not understand exactly what this patch is trying to achieve. > > Unfortunately we have no choice than doing it this way with the > current UI. > > I do not think it is worth altering the UI for this, and I do not > know how we could do it without having a list again? > > -Michael > > > On 2 Dec 2020, at 11:30, Stefan Schantl <stefan.schantl@ipfire.org> > > wrote: > > > > This is really hard to maintain when adding new or altering > > existing > > providers. > > > > Reference #12415. > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > --- > > html/cgi-bin/ddns.cgi | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi > > index 715c37290..024eaf7f6 100644 > > --- a/html/cgi-bin/ddns.cgi > > +++ b/html/cgi-bin/ddns.cgi > > @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { > > > > my $use_token = 0; > > > > - # Handle token based auth for various providers. > > - if ($provider ~~ ["dns.lightningwirelabs.com", > > "entrydns.net", "regfish.com", > > - "spdns.de", "zzzz.io"] && $username > > eq "token") { > > + # Check if token based auth is configured. > > + if ($username eq "token") { > > $use_token = 1; > > + } > > > > # Handle token auth for freedns.afraid.org and > > regfish.com. > > - } elsif ($provider ~~ ["freedns.afraid.org", > > "regfish.com"] && $password eq "") { > > + if ($provider ~~ ["freedns.afraid.org", "regfish.com"] > > && $password eq "") { > > $use_token = 1; > > $password = $username; > > > > -- > > 2.20.1 > >
Hi, You are moving the problem from the developer to the user. I think that might be more messy. I am also not sure how this will affect existing setups? -Michael > On 2 Dec 2020, at 15:35, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Hello Michael, > > the intension of this patch was, that a supported provider of DDNS has > changed it's API to support now token based authentication. The code > already has been changed so here we are safe by now. > > Also in case a new dynamic DNS provider will be added to DDNS, we do > not have to do anything, because the GUI automatically will be filled > with the new provider. > > But there is one big exception in this: > > If a new or existing provider has supports authentication tokens, this > provider has to be added to this list, which is not very intuitive. > > We also have to ship the GUI each time for new, if this happened. > > (This was the former reason, why we created the "ddns list-providers" > command to prevent from this.) > > My change simplifies, the check if token based authentication should be > used or not. It removes the check against the static list of providers > which supports token based authentications. (This is the list, which > needs to be keep up to date by hand.) > > For the user nothing changes, because if he speciefies "token" as > username, still the token base auth will be used for the choosen > provider. > > The only way an user may be affected is, if he configures a token based > auth for a provider which does not supports it. This now would be > possible and will result in an authentication error against the > provider - But Hey, if he fills in incorrect data the same will be > happen. > > The only bigger problem would be if the valid username of a user is > "token". In this case he will be affected in the same way and this > could not be fixed in an easy way. > > IMHO, the benefits are bigger for us, because the maintain work will > become much easier and one stupid error source will get eliminated. > > Best regards, > > -Stefan >> Hello, >> >> I do not understand exactly what this patch is trying to achieve. >> >> Unfortunately we have no choice than doing it this way with the >> current UI. >> >> I do not think it is worth altering the UI for this, and I do not >> know how we could do it without having a list again? >> >> -Michael >> >>> On 2 Dec 2020, at 11:30, Stefan Schantl <stefan.schantl@ipfire.org> >>> wrote: >>> >>> This is really hard to maintain when adding new or altering >>> existing >>> providers. >>> >>> Reference #12415. >>> >>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> >>> --- >>> html/cgi-bin/ddns.cgi | 8 ++++---- >>> 1 file changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi >>> index 715c37290..024eaf7f6 100644 >>> --- a/html/cgi-bin/ddns.cgi >>> +++ b/html/cgi-bin/ddns.cgi >>> @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { >>> >>> my $use_token = 0; >>> >>> - # Handle token based auth for various providers. >>> - if ($provider ~~ ["dns.lightningwirelabs.com", >>> "entrydns.net", "regfish.com", >>> - "spdns.de", "zzzz.io"] && $username >>> eq "token") { >>> + # Check if token based auth is configured. >>> + if ($username eq "token") { >>> $use_token = 1; >>> + } >>> >>> # Handle token auth for freedns.afraid.org and >>> regfish.com. >>> - } elsif ($provider ~~ ["freedns.afraid.org", >>> "regfish.com"] && $password eq "") { >>> + if ($provider ~~ ["freedns.afraid.org", "regfish.com"] >>> && $password eq "") { >>> $use_token = 1; >>> $password = $username; >>> >>> -- >>> 2.20.1 >>>
Mhm, you are right this will only move the problem from the developers (us) to the users. This is a really hard problem because there is no easy solution for this issue. We simple can take care about the users input and verify if the providers supports what has been configured or we even do not. If we decide to safe the users from themself, we need something to verify against and that would be something like such a crappy static list. Do I miss something or think to narrow? @List followers, what are your opinions? Best regards, -Stefan > > You are moving the problem from the developer to the user. > > I think that might be more messy. > > I am also not sure how this will affect existing setups? > > -Michael > > > On 2 Dec 2020, at 15:35, Stefan Schantl <stefan.schantl@ipfire.org> > > wrote: > > > > Hello Michael, > > > > the intension of this patch was, that a supported provider of DDNS > > has > > changed it's API to support now token based authentication. The > > code > > already has been changed so here we are safe by now. > > > > Also in case a new dynamic DNS provider will be added to DDNS, we > > do > > not have to do anything, because the GUI automatically will be > > filled > > with the new provider. > > > > But there is one big exception in this: > > > > If a new or existing provider has supports authentication tokens, > > this > > provider has to be added to this list, which is not very intuitive. > > > > We also have to ship the GUI each time for new, if this happened. > > > > (This was the former reason, why we created the "ddns list- > > providers" > > command to prevent from this.) > > > > My change simplifies, the check if token based authentication > > should be > > used or not. It removes the check against the static list of > > providers > > which supports token based authentications. (This is the list, > > which > > needs to be keep up to date by hand.) > > > > For the user nothing changes, because if he speciefies "token" as > > username, still the token base auth will be used for the choosen > > provider. > > > > The only way an user may be affected is, if he configures a token > > based > > auth for a provider which does not supports it. This now would be > > possible and will result in an authentication error against the > > provider - But Hey, if he fills in incorrect data the same will be > > happen. > > > > The only bigger problem would be if the valid username of a user is > > "token". In this case he will be affected in the same way and this > > could not be fixed in an easy way. > > > > IMHO, the benefits are bigger for us, because the maintain work > > will > > become much easier and one stupid error source will get eliminated. > > > > Best regards, > > > > -Stefan > > > Hello, > > > > > > I do not understand exactly what this patch is trying to achieve. > > > > > > Unfortunately we have no choice than doing it this way with the > > > current UI. > > > > > > I do not think it is worth altering the UI for this, and I do not > > > know how we could do it without having a list again? > > > > > > -Michael > > > > > > > On 2 Dec 2020, at 11:30, Stefan Schantl < > > > > stefan.schantl@ipfire.org> > > > > wrote: > > > > > > > > This is really hard to maintain when adding new or altering > > > > existing > > > > providers. > > > > > > > > Reference #12415. > > > > > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > > > --- > > > > html/cgi-bin/ddns.cgi | 8 ++++---- > > > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > > > > > diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi > > > > index 715c37290..024eaf7f6 100644 > > > > --- a/html/cgi-bin/ddns.cgi > > > > +++ b/html/cgi-bin/ddns.cgi > > > > @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { > > > > > > > > my $use_token = 0; > > > > > > > > - # Handle token based auth for various > > > > providers. > > > > - if ($provider ~~ ["dns.lightningwirelabs.com", > > > > "entrydns.net", "regfish.com", > > > > - "spdns.de", "zzzz.io"] && > > > > $username > > > > eq "token") { > > > > + # Check if token based auth is configured. > > > > + if ($username eq "token") { > > > > $use_token = 1; > > > > + } > > > > > > > > # Handle token auth for freedns.afraid.org and > > > > regfish.com. > > > > - } elsif ($provider ~~ ["freedns.afraid.org", > > > > "regfish.com"] && $password eq "") { > > > > + if ($provider ~~ ["freedns.afraid.org", > > > > "regfish.com"] > > > > && $password eq "") { > > > > $use_token = 1; > > > > $password = $username; > > > > > > > > -- > > > > 2.20.1 > > > >
Hi, Alternatives I could come up with are: * Create a command to have ddns list all those providers. That way that list is in ddns where it probably belongs best. * Update the UI and add a third field for the token. That is however very bad UI because either the token field or the username/password field are a waste of space. Actually, we need to work towards having token only. Anything else is just dangerous because the whole account can be managed if this data leaks. -Michael > On 2 Dec 2020, at 16:02, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > Mhm, > > you are right this will only move the problem from the developers (us) > to the users. > > This is a really hard problem because there is no easy solution for > this issue. > > We simple can take care about the users input and verify if the > providers supports what has been configured or we even do not. > > If we decide to safe the users from themself, we need something to > verify against and that would be something like such a crappy static > list. > > Do I miss something or think to narrow? > > @List followers, what are your opinions? > > Best regards, > > -Stefan >> >> You are moving the problem from the developer to the user. >> >> I think that might be more messy. >> >> I am also not sure how this will affect existing setups? >> >> -Michael >> >>> On 2 Dec 2020, at 15:35, Stefan Schantl <stefan.schantl@ipfire.org> >>> wrote: >>> >>> Hello Michael, >>> >>> the intension of this patch was, that a supported provider of DDNS >>> has >>> changed it's API to support now token based authentication. The >>> code >>> already has been changed so here we are safe by now. >>> >>> Also in case a new dynamic DNS provider will be added to DDNS, we >>> do >>> not have to do anything, because the GUI automatically will be >>> filled >>> with the new provider. >>> >>> But there is one big exception in this: >>> >>> If a new or existing provider has supports authentication tokens, >>> this >>> provider has to be added to this list, which is not very intuitive. >>> >>> We also have to ship the GUI each time for new, if this happened. >>> >>> (This was the former reason, why we created the "ddns list- >>> providers" >>> command to prevent from this.) >>> >>> My change simplifies, the check if token based authentication >>> should be >>> used or not. It removes the check against the static list of >>> providers >>> which supports token based authentications. (This is the list, >>> which >>> needs to be keep up to date by hand.) >>> >>> For the user nothing changes, because if he speciefies "token" as >>> username, still the token base auth will be used for the choosen >>> provider. >>> >>> The only way an user may be affected is, if he configures a token >>> based >>> auth for a provider which does not supports it. This now would be >>> possible and will result in an authentication error against the >>> provider - But Hey, if he fills in incorrect data the same will be >>> happen. >>> >>> The only bigger problem would be if the valid username of a user is >>> "token". In this case he will be affected in the same way and this >>> could not be fixed in an easy way. >>> >>> IMHO, the benefits are bigger for us, because the maintain work >>> will >>> become much easier and one stupid error source will get eliminated. >>> >>> Best regards, >>> >>> -Stefan >>>> Hello, >>>> >>>> I do not understand exactly what this patch is trying to achieve. >>>> >>>> Unfortunately we have no choice than doing it this way with the >>>> current UI. >>>> >>>> I do not think it is worth altering the UI for this, and I do not >>>> know how we could do it without having a list again? >>>> >>>> -Michael >>>> >>>>> On 2 Dec 2020, at 11:30, Stefan Schantl < >>>>> stefan.schantl@ipfire.org> >>>>> wrote: >>>>> >>>>> This is really hard to maintain when adding new or altering >>>>> existing >>>>> providers. >>>>> >>>>> Reference #12415. >>>>> >>>>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> >>>>> --- >>>>> html/cgi-bin/ddns.cgi | 8 ++++---- >>>>> 1 file changed, 4 insertions(+), 4 deletions(-) >>>>> >>>>> diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi >>>>> index 715c37290..024eaf7f6 100644 >>>>> --- a/html/cgi-bin/ddns.cgi >>>>> +++ b/html/cgi-bin/ddns.cgi >>>>> @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { >>>>> >>>>> my $use_token = 0; >>>>> >>>>> - # Handle token based auth for various >>>>> providers. >>>>> - if ($provider ~~ ["dns.lightningwirelabs.com", >>>>> "entrydns.net", "regfish.com", >>>>> - "spdns.de", "zzzz.io"] && >>>>> $username >>>>> eq "token") { >>>>> + # Check if token based auth is configured. >>>>> + if ($username eq "token") { >>>>> $use_token = 1; >>>>> + } >>>>> >>>>> # Handle token auth for freedns.afraid.org and >>>>> regfish.com. >>>>> - } elsif ($provider ~~ ["freedns.afraid.org", >>>>> "regfish.com"] && $password eq "") { >>>>> + if ($provider ~~ ["freedns.afraid.org", >>>>> "regfish.com"] >>>>> && $password eq "") { >>>>> $use_token = 1; >>>>> $password = $username; >>>>> >>>>> -- >>>>> 2.20.1 >>>>>
Hi Stefan, Would it be possible to create some form of simple database file where all known suppliers are listed in together with what inputs they expect. Then you would know which items to check for in the WUI. Maybe you could even only show the required input boxes once the supplier has been chosen from the drop-down box. Regards, Adolf. On 02/12/2020 17:02, Stefan Schantl wrote: > Mhm, > > you are right this will only move the problem from the developers (us) > to the users. > > This is a really hard problem because there is no easy solution for > this issue. > > We simple can take care about the users input and verify if the > providers supports what has been configured or we even do not. > > If we decide to safe the users from themself, we need something to > verify against and that would be something like such a crappy static > list. > > Do I miss something or think to narrow? > > @List followers, what are your opinions? > > Best regards, > > -Stefan >> >> You are moving the problem from the developer to the user. >> >> I think that might be more messy. >> >> I am also not sure how this will affect existing setups? >> >> -Michael >> >>> On 2 Dec 2020, at 15:35, Stefan Schantl <stefan.schantl@ipfire.org> >>> wrote: >>> >>> Hello Michael, >>> >>> the intension of this patch was, that a supported provider of DDNS >>> has >>> changed it's API to support now token based authentication. The >>> code >>> already has been changed so here we are safe by now. >>> >>> Also in case a new dynamic DNS provider will be added to DDNS, we >>> do >>> not have to do anything, because the GUI automatically will be >>> filled >>> with the new provider. >>> >>> But there is one big exception in this: >>> >>> If a new or existing provider has supports authentication tokens, >>> this >>> provider has to be added to this list, which is not very intuitive. >>> >>> We also have to ship the GUI each time for new, if this happened. >>> >>> (This was the former reason, why we created the "ddns list- >>> providers" >>> command to prevent from this.) >>> >>> My change simplifies, the check if token based authentication >>> should be >>> used or not. It removes the check against the static list of >>> providers >>> which supports token based authentications. (This is the list, >>> which >>> needs to be keep up to date by hand.) >>> >>> For the user nothing changes, because if he speciefies "token" as >>> username, still the token base auth will be used for the choosen >>> provider. >>> >>> The only way an user may be affected is, if he configures a token >>> based >>> auth for a provider which does not supports it. This now would be >>> possible and will result in an authentication error against the >>> provider - But Hey, if he fills in incorrect data the same will be >>> happen. >>> >>> The only bigger problem would be if the valid username of a user is >>> "token". In this case he will be affected in the same way and this >>> could not be fixed in an easy way. >>> >>> IMHO, the benefits are bigger for us, because the maintain work >>> will >>> become much easier and one stupid error source will get eliminated. >>> >>> Best regards, >>> >>> -Stefan >>>> Hello, >>>> >>>> I do not understand exactly what this patch is trying to achieve. >>>> >>>> Unfortunately we have no choice than doing it this way with the >>>> current UI. >>>> >>>> I do not think it is worth altering the UI for this, and I do not >>>> know how we could do it without having a list again? >>>> >>>> -Michael >>>> >>>>> On 2 Dec 2020, at 11:30, Stefan Schantl < >>>>> stefan.schantl@ipfire.org> >>>>> wrote: >>>>> >>>>> This is really hard to maintain when adding new or altering >>>>> existing >>>>> providers. >>>>> >>>>> Reference #12415. >>>>> >>>>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> >>>>> --- >>>>> html/cgi-bin/ddns.cgi | 8 ++++---- >>>>> 1 file changed, 4 insertions(+), 4 deletions(-) >>>>> >>>>> diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi >>>>> index 715c37290..024eaf7f6 100644 >>>>> --- a/html/cgi-bin/ddns.cgi >>>>> +++ b/html/cgi-bin/ddns.cgi >>>>> @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { >>>>> >>>>> my $use_token = 0; >>>>> >>>>> - # Handle token based auth for various >>>>> providers. >>>>> - if ($provider ~~ ["dns.lightningwirelabs.com", >>>>> "entrydns.net", "regfish.com", >>>>> - "spdns.de", "zzzz.io"] && >>>>> $username >>>>> eq "token") { >>>>> + # Check if token based auth is configured. >>>>> + if ($username eq "token") { >>>>> $use_token = 1; >>>>> + } >>>>> >>>>> # Handle token auth for freedns.afraid.org and >>>>> regfish.com. >>>>> - } elsif ($provider ~~ ["freedns.afraid.org", >>>>> "regfish.com"] && $password eq "") { >>>>> + if ($provider ~~ ["freedns.afraid.org", >>>>> "regfish.com"] >>>>> && $password eq "") { >>>>> $use_token = 1; >>>>> $password = $username; >>>>> >>>>> -- >>>>> 2.20.1 >>>>>
Hi, > Hi, > > Alternatives I could come up with are: > > * Create a command to have ddns list all those providers. That way > that list is in ddns where it probably belongs best. This probably would be the best solution. So I'm thinking about to introduce something like "supports_token_auth = True" similar to "can_remove_records = True" in the source file which handles the providers. After that, adding a new command option, which outputs the providers with this flag similar to the "ddns list-providers" option. In this case we will get a dynamically generated list of what we want and need. > > * Update the UI and add a third field for the token. That is however > very bad UI because either the token field or the username/password > field are a waste of space. I think a checkbox for "Use token based auth" or a dropdown for choosing the Auth type and some nice JS code could avoid from this. > > Actually, we need to work towards having token only. Anything else is > just dangerous because the whole account can be managed if this data > leaks. You are true, but sadly this cannot be done by us - it'ss the job of the providers out there. - Stefan > > -Michael > > > On 2 Dec 2020, at 16:02, Stefan Schantl <stefan.schantl@ipfire.org> > > wrote: > > > > Mhm, > > > > you are right this will only move the problem from the developers > > (us) > > to the users. > > > > This is a really hard problem because there is no easy solution for > > this issue. > > > > We simple can take care about the users input and verify if the > > providers supports what has been configured or we even do not. > > > > If we decide to safe the users from themself, we need something to > > verify against and that would be something like such a crappy > > static > > list. > > > > Do I miss something or think to narrow? > > > > @List followers, what are your opinions? > > > > Best regards, > > > > -Stefan > > > You are moving the problem from the developer to the user. > > > > > > I think that might be more messy. > > > > > > I am also not sure how this will affect existing setups? > > > > > > -Michael > > > > > > > On 2 Dec 2020, at 15:35, Stefan Schantl < > > > > stefan.schantl@ipfire.org> > > > > wrote: > > > > > > > > Hello Michael, > > > > > > > > the intension of this patch was, that a supported provider of > > > > DDNS > > > > has > > > > changed it's API to support now token based authentication. The > > > > code > > > > already has been changed so here we are safe by now. > > > > > > > > Also in case a new dynamic DNS provider will be added to DDNS, > > > > we > > > > do > > > > not have to do anything, because the GUI automatically will be > > > > filled > > > > with the new provider. > > > > > > > > But there is one big exception in this: > > > > > > > > If a new or existing provider has supports authentication > > > > tokens, > > > > this > > > > provider has to be added to this list, which is not very > > > > intuitive. > > > > > > > > We also have to ship the GUI each time for new, if this > > > > happened. > > > > > > > > (This was the former reason, why we created the "ddns list- > > > > providers" > > > > command to prevent from this.) > > > > > > > > My change simplifies, the check if token based authentication > > > > should be > > > > used or not. It removes the check against the static list of > > > > providers > > > > which supports token based authentications. (This is the list, > > > > which > > > > needs to be keep up to date by hand.) > > > > > > > > For the user nothing changes, because if he speciefies "token" > > > > as > > > > username, still the token base auth will be used for the > > > > choosen > > > > provider. > > > > > > > > The only way an user may be affected is, if he configures a > > > > token > > > > based > > > > auth for a provider which does not supports it. This now would > > > > be > > > > possible and will result in an authentication error against the > > > > provider - But Hey, if he fills in incorrect data the same will > > > > be > > > > happen. > > > > > > > > The only bigger problem would be if the valid username of a > > > > user is > > > > "token". In this case he will be affected in the same way and > > > > this > > > > could not be fixed in an easy way. > > > > > > > > IMHO, the benefits are bigger for us, because the maintain work > > > > will > > > > become much easier and one stupid error source will get > > > > eliminated. > > > > > > > > Best regards, > > > > > > > > -Stefan > > > > > Hello, > > > > > > > > > > I do not understand exactly what this patch is trying to > > > > > achieve. > > > > > > > > > > Unfortunately we have no choice than doing it this way with > > > > > the > > > > > current UI. > > > > > > > > > > I do not think it is worth altering the UI for this, and I do > > > > > not > > > > > know how we could do it without having a list again? > > > > > > > > > > -Michael > > > > > > > > > > > On 2 Dec 2020, at 11:30, Stefan Schantl < > > > > > > stefan.schantl@ipfire.org> > > > > > > wrote: > > > > > > > > > > > > This is really hard to maintain when adding new or altering > > > > > > existing > > > > > > providers. > > > > > > > > > > > > Reference #12415. > > > > > > > > > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > > > > > --- > > > > > > html/cgi-bin/ddns.cgi | 8 ++++---- > > > > > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > > > > > > > > > diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi > > > > > > index 715c37290..024eaf7f6 100644 > > > > > > --- a/html/cgi-bin/ddns.cgi > > > > > > +++ b/html/cgi-bin/ddns.cgi > > > > > > @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { > > > > > > > > > > > > my $use_token = 0; > > > > > > > > > > > > - # Handle token based auth for various > > > > > > providers. > > > > > > - if ($provider ~~ ["dns.lightningwirelabs.com", > > > > > > "entrydns.net", "regfish.com", > > > > > > - "spdns.de", "zzzz.io"] && > > > > > > $username > > > > > > eq "token") { > > > > > > + # Check if token based auth is configured. > > > > > > + if ($username eq "token") { > > > > > > $use_token = 1; > > > > > > + } > > > > > > > > > > > > # Handle token auth for freedns.afraid.org and > > > > > > regfish.com. > > > > > > - } elsif ($provider ~~ ["freedns.afraid.org", > > > > > > "regfish.com"] && $password eq "") { > > > > > > + if ($provider ~~ ["freedns.afraid.org", > > > > > > "regfish.com"] > > > > > > && $password eq "") { > > > > > > $use_token = 1; > > > > > > $password = $username; > > > > > > > > > > > > -- > > > > > > 2.20.1 > > > > > >
Hello Adolf, thanks for joining the conversation and your thoughts. > Hi Stefan, > > Would it be possible to create some form of simple database file > where all known suppliers are listed in together with what inputs > they expect. Yes of course this would be possible, but would not really solve the problem of a static list or file which also needs to be adjusted if new providers will be added or existing ones are changed. > Then you would know which items to check for in the WUI. Maybe you > could even only show the required input boxes once the supplier has > been chosen from the drop-down box. In my reply to Michael I put some thoughts about how this issue hopefully can be solved in a very smart way by getting the affected providers directly from the ddns tool itself. Best regards, -Stefan > > Regards, > > Adolf. > > > On 02/12/2020 17:02, Stefan Schantl wrote: > > Mhm, > > > > you are right this will only move the problem from the developers > > (us) > > to the users. > > > > This is a really hard problem because there is no easy solution for > > this issue. > > > > We simple can take care about the users input and verify if the > > providers supports what has been configured or we even do not. > > > > If we decide to safe the users from themself, we need something to > > verify against and that would be something like such a crappy > > static > > list. > > > > Do I miss something or think to narrow? > > > > @List followers, what are your opinions? > > > > Best regards, > > > > -Stefan > > > You are moving the problem from the developer to the user. > > > > > > I think that might be more messy. > > > > > > I am also not sure how this will affect existing setups? > > > > > > -Michael > > > > > > > On 2 Dec 2020, at 15:35, Stefan Schantl < > > > > stefan.schantl@ipfire.org> > > > > wrote: > > > > > > > > Hello Michael, > > > > > > > > the intension of this patch was, that a supported provider of > > > > DDNS > > > > has > > > > changed it's API to support now token based authentication. The > > > > code > > > > already has been changed so here we are safe by now. > > > > > > > > Also in case a new dynamic DNS provider will be added to DDNS, > > > > we > > > > do > > > > not have to do anything, because the GUI automatically will be > > > > filled > > > > with the new provider. > > > > > > > > But there is one big exception in this: > > > > > > > > If a new or existing provider has supports authentication > > > > tokens, > > > > this > > > > provider has to be added to this list, which is not very > > > > intuitive. > > > > > > > > We also have to ship the GUI each time for new, if this > > > > happened. > > > > > > > > (This was the former reason, why we created the "ddns list- > > > > providers" > > > > command to prevent from this.) > > > > > > > > My change simplifies, the check if token based authentication > > > > should be > > > > used or not. It removes the check against the static list of > > > > providers > > > > which supports token based authentications. (This is the list, > > > > which > > > > needs to be keep up to date by hand.) > > > > > > > > For the user nothing changes, because if he speciefies "token" > > > > as > > > > username, still the token base auth will be used for the > > > > choosen > > > > provider. > > > > > > > > The only way an user may be affected is, if he configures a > > > > token > > > > based > > > > auth for a provider which does not supports it. This now would > > > > be > > > > possible and will result in an authentication error against the > > > > provider - But Hey, if he fills in incorrect data the same will > > > > be > > > > happen. > > > > > > > > The only bigger problem would be if the valid username of a > > > > user is > > > > "token". In this case he will be affected in the same way and > > > > this > > > > could not be fixed in an easy way. > > > > > > > > IMHO, the benefits are bigger for us, because the maintain work > > > > will > > > > become much easier and one stupid error source will get > > > > eliminated. > > > > > > > > Best regards, > > > > > > > > -Stefan > > > > > Hello, > > > > > > > > > > I do not understand exactly what this patch is trying to > > > > > achieve. > > > > > > > > > > Unfortunately we have no choice than doing it this way with > > > > > the > > > > > current UI. > > > > > > > > > > I do not think it is worth altering the UI for this, and I do > > > > > not > > > > > know how we could do it without having a list again? > > > > > > > > > > -Michael > > > > > > > > > > > On 2 Dec 2020, at 11:30, Stefan Schantl < > > > > > > stefan.schantl@ipfire.org> > > > > > > wrote: > > > > > > > > > > > > This is really hard to maintain when adding new or altering > > > > > > existing > > > > > > providers. > > > > > > > > > > > > Reference #12415. > > > > > > > > > > > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > > > > > > --- > > > > > > html/cgi-bin/ddns.cgi | 8 ++++---- > > > > > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > > > > > > > > > diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi > > > > > > index 715c37290..024eaf7f6 100644 > > > > > > --- a/html/cgi-bin/ddns.cgi > > > > > > +++ b/html/cgi-bin/ddns.cgi > > > > > > @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { > > > > > > > > > > > > my $use_token = 0; > > > > > > > > > > > > - # Handle token based auth for various > > > > > > providers. > > > > > > - if ($provider ~~ ["dns.lightningwirelabs.com", > > > > > > "entrydns.net", "regfish.com", > > > > > > - "spdns.de", "zzzz.io"] && > > > > > > $username > > > > > > eq "token") { > > > > > > + # Check if token based auth is configured. > > > > > > + if ($username eq "token") { > > > > > > $use_token = 1; > > > > > > + } > > > > > > > > > > > > # Handle token auth for freedns.afraid.org and > > > > > > regfish.com. > > > > > > - } elsif ($provider ~~ ["freedns.afraid.org", > > > > > > "regfish.com"] && $password eq "") { > > > > > > + if ($provider ~~ ["freedns.afraid.org", > > > > > > "regfish.com"] > > > > > > && $password eq "") { > > > > > > $use_token = 1; > > > > > > $password = $username; > > > > > > > > > > > > -- > > > > > > 2.20.1 > > > > > >
diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 715c37290..024eaf7f6 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { my $use_token = 0; - # Handle token based auth for various providers. - if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com", - "spdns.de", "zzzz.io"] && $username eq "token") { + # Check if token based auth is configured. + if ($username eq "token") { $use_token = 1; + } # Handle token auth for freedns.afraid.org and regfish.com. - } elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") { + if ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") { $use_token = 1; $password = $username;