I'm just trying to authenticate Moodle with user key authentication using this plugin. But I'm not sure this is a safe way to authenticate users, because this plugin only checks whether the user name exists in the Moodle database. Anyone can guess the user name and send a POST request to the endpoint, and it will give you the authenticated URL. Does anyone know how to make this more secure? Or is this way not safe?
1 Answer
1
From a quick look at the plugin, the one-time URL is created by calling a Moodle webservice. That webservice call is only available to users who have been authenticated via a private token (that would be stored securely on the server that is making the webservice call to retrieve the URL).
As long as you don't give out the private token (e.g. don't include it in JavaScript sent to the user's browser) and as long as you don't grant general permission to generate login URLs, you should be fine.
Disclaimer: I am an experienced Moodle developer, but I have not reviewed the code in question, only the basic principles involved.

davosmith
Thanks for the answer, I really didn't notice that in the first place. And I'm gonna use this plugin in my application. You saved my day bro. – Ruhith Udakara Nov 29 '19 at 04:18
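The arrangement the answer describes, sketched as a backend helper. This is an added example, not code from the plugin or from either poster. It assumes the plugin exposes a web service function named `auth_userkey_request_login_url` that takes `user[username]` and returns `loginurl`; the host, the token value, the login path and the `fake_moodle` stand-in are constructed so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

MOODLE_URL = "https://moodle.example.invalid"    # placeholder host
WS_FUNCTION = "auth_userkey_request_login_url"   # assumed name of the plugin's function

def http_post(url, fields):
    """Real transport: form-encoded POST sent from the backend, not the browser."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.loads(resp.read())

def fake_moodle(url, fields):
    """Constructed stand-in for Moodle so the example runs offline."""
    if fields.get("wstoken") != "constructed-secret-token":
        return {"exception": "moodle_exception", "errorcode": "invalidtoken"}
    key = "constructed-key-for-" + fields["user[username]"]
    return {"loginurl": MOODLE_URL + "/auth/userkey/login.php?key=" + key}

def login_url_for(session, token, post=http_post):
    """Return a one-time login URL for the user of an authenticated session."""
    if not session or not session.get("authenticated"):
        raise PermissionError("caller is not logged in to this application")
    reply = post(MOODLE_URL + "/webservice/rest/server.php", {
        "wstoken": token,                        # secret: never leaves the server
        "wsfunction": WS_FUNCTION,
        "moodlewsrestformat": "json",
        # Username comes from the server-side session, not from request input,
        # so a caller cannot request a login URL for somebody else.
        "user[username]": session["username"],
    })
    if "loginurl" not in reply:                  # Moodle answers with an exception object
        raise RuntimeError("Moodle refused: " + str(reply.get("errorcode")))
    return {"loginurl": reply["loginurl"]}       # all the browser ever receives

if __name__ == "__main__":
    session = {"authenticated": True, "username": "alice"}   # constructed session
    print(login_url_for(session, "constructed-secret-token", post=fake_moodle))
    try:                                         # a known username without the token
        login_url_for(session, "guessed-token", post=fake_moodle)
    except RuntimeError as err:
        print(err)
```

In a deployment the token would be read from the server's own secret storage and passed in; only the returned `loginurl` is sent on to the user's browser.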