laszlof Posted February 20, 2012

I finally got around to setting up Redmine, and instead of duplicating the login process I decided to write a quick hack to let WHMCS users log in to Redmine, and auto-create accounts for existing WHMCS users. Here's a quick and dirty howto. This assumes you already have a working Redmine installation.

1) Set up the Redmine database. Execute the following query on your Redmine database:

    INSERT INTO auth_sources (`type`, `name`, `host`, `port`, `account`, `account_password`, `base_dn`, `attr_login`, `attr_firstname`, `attr_lastname`, `attr_mail`, `onthefly_register`, `tls`)
    VALUES ('AuthSourceWHMCS', 'WHMCS', '[b]DBHOST[/b]', [b]DBPORT[/b], '[b]DBUSER[/b]', '[b]DBPASS[/b]', 'mysql:[b]DBNAME[/b]', 'email', 'firstname', 'lastname', 'email', 1, 0);

Replace the bolded items with your actual WHMCS connection details. Remember, if you're hosting Redmine on another server than WHMCS you will need to enable remote MySQL connection access.

2) Create a new file in Redmine called app/models/auth_source_whmcs.rb with the following:

    require "digest/md5"

    # Separate ActiveRecord base so the WHMCS connection does not replace Redmine's own
    class WHMCSdb_ActiveRecord < ActiveRecord::Base
      PAUSE_RETRIES = 5
      MAX_RETRIES = 50
    end

    class AuthSourceWHMCS < AuthSource
      def authenticate(login, password)
        retVal = nil
        unless(login.blank? or password.blank?)
          # base_dn holds "adapter:database", e.g. "mysql:whmcs"
          adapter, dbName = self.base_dn.split(':')
          retryCount = 0
          connPool = nil
          begin
            connPool = WHMCSdb_ActiveRecord.establish_connection(
              :adapter   => adapter,
              :host      => self.host,
              :port      => self.port,
              :username  => self.account,
              :password  => self.account_password,
              :database  => dbName,
              :reconnect => true
            )
            db = connPool.checkout
          rescue => err
            if(retryCount < WHMCSdb_ActiveRecord::MAX_RETRIES)
              sleep(1) if(retryCount < WHMCSdb_ActiveRecord::PAUSE_RETRIES)
              retryCount += 1
              connPool.disconnect! if connPool
              retry
            else
              raise
            end
          end
          begin
            # Quote the login so a crafted email address cannot alter the query
            resultRow = db.select_one("SELECT id, firstname, lastname, password FROM tblclients WHERE email = #{db.quote(login)}")
            unless(resultRow.nil? or resultRow.empty?)
              clientid  = resultRow['id']
              firstname = resultRow['firstname']
              lastname  = resultRow['lastname']
              # WHMCS stores passwords as "md5(salt + password):salt"
              hash, salt = resultRow['password'].split(':')
              salt ||= ''
              plain_pass = salt + password
              comp_pass = Digest::MD5.hexdigest(plain_pass)
              loginvalid = 0
              loginvalid = 1 if(hash == comp_pass)
              # Also accept the bare hash, which the WHMCS-side form below submits
              loginvalid = 1 if(hash == password)
              if(loginvalid > 0)
                if(self.onthefly_register?)
                  retVal = { :firstname => firstname, :lastname => lastname, :mail => login, :auth_source_id => self.id }
                else
                  # An empty hash still reports success for users who already exist in Redmine
                  retVal = {}
                end
              end
            end
          ensure
            connPool.checkin(db)
          end
        end
        return retVal
      end

      def auth_method_name
        "WHMCS"
      end
    end

3) Restart your Rails app. (If you're using mod_passenger, just restart httpd.)

4) At this point, existing WHMCS clients will be able to log in to Redmine using their email address as the login, and their password. However, you want to have a nice button in WHMCS to make them auto-login. That's a bit more tricky, as the passwords stored in WHMCS are not reversible. The solution is to allow the login script to access the MD5 hash of the password as well. The login script is already set to do that, so we simply need to add the proper code to our WHMCS templates. This should work for any template file, but I have it set in my header.tpl.

5) At the top of the header.tpl file, add the following code:

    {if $loggedin}
    {assign var='redmine_user' value=$clientsdetails.email}
    {assign var='redmine_pass' value=':'|explode:$clientsdetails.password}
    {/if}

Anywhere you want to put the button, place the following code:

    <form id="redmine" action="[b]HTTP://WWW.YOURDOMAIN.COM/REDMINE[/b]/login" method="POST">
    <input type="hidden" name="username" value="{$redmine_user}" />
    <input type="hidden" name="password" value="{$redmine_pass[0]}" />
    <input type="submit" class="btn primary" value="Login to Redmine" />
    </form>

Obviously, replace the URL with the URL for Redmine. Be sure to append "/login" to the end of it.

That's it. So long as I didn't make any typos, you should have working WHMCS -> Redmine login sharing. Enjoy!
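The password check that AuthSourceWHMCS#authenticate performs, pulled out as a stand-alone Ruby example so it can be exercised without a WHMCS database. This is an added example, not code from the original post, from WHMCS or from Redmine. It assumes the storage format the post relies on, "md5(salt + password):salt", and goes a little beyond the post by also handling legacy rows that hold a bare unsalted MD5 digest and by comparing digests in constant time. The WhmcsPassword module, its method names and the sample rows are constructed for this example. Because the bare hash is accepted as a credential (that is what lets the WHMCS-side form log in without the password), the stored hash is password-equivalent for Redmine and has to be protected wherever it is exposed.

```ruby
require "digest/md5"

# Added example (not part of the original post): the WHMCS password check that
# AuthSourceWHMCS#authenticate performs, isolated from the database.
# WHMCS stores client passwords as "md5(salt + password):salt"; older records
# may hold a bare, unsalted md5 hex digest. Both forms are handled here.
module WhmcsPassword
  # Split a stored tblclients.password value into [hash, salt].
  # Legacy rows without a ":" yield an empty salt rather than nil.
  def self.split(stored)
    hash, salt = stored.to_s.split(":", 2)
    [hash.to_s, salt.to_s]
  end

  # Constant-time comparison of two hex digests, so response timing does
  # not reveal how many leading characters of the hash matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # True when +candidate+ is the client's plaintext password.
  def self.plaintext_match?(stored, candidate)
    hash, salt = split(stored)
    secure_equal?(hash, Digest::MD5.hexdigest(salt + candidate))
  end

  # True when +candidate+ is the stored hash itself. This is the path the
  # WHMCS-side form relies on: it submits $redmine_pass[0] (the hash portion)
  # in place of the password, so the hash acts as a password-equivalent.
  def self.hash_match?(stored, candidate)
    hash, _salt = split(stored)
    secure_equal?(hash, candidate)
  end

  # The decision authenticate() makes: accept either the password or its hash.
  def self.valid?(stored, candidate)
    return false if candidate.to_s.empty?
    plaintext_match?(stored, candidate) || hash_match?(stored, candidate)
  end
end

# Constructed sample rows, not real WHMCS data.
SAMPLE_SALT   = "abc123"
SAMPLE_STORED = "#{Digest::MD5.hexdigest(SAMPLE_SALT + 's3cret')}:#{SAMPLE_SALT}"
LEGACY_STORED = Digest::MD5.hexdigest("oldpass") # unsalted legacy row

if __FILE__ == $0
  puts WhmcsPassword.valid?(SAMPLE_STORED, "s3cret")       # true
  puts WhmcsPassword.valid?(SAMPLE_STORED, "wrong")        # false
  puts WhmcsPassword.valid?(LEGACY_STORED, "oldpass")      # true
end
```

Run the file directly to see the three checks; because the module has no database dependency, the same functions can be run against rows copied from a test instance's tblclients to confirm the hash format before wiring up the auth source.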
4is Posted February 20, 2012

With the form in the last step, the vars $redmine_user + pass, are they displayed there, or are they values only when you submit to Redmine? If the hidden values contain the user + pass, that could be a potential security risk; a simple link linking to a PHP script which then submits the form information instead of displaying values client side.

laszlof (Author) Posted February 20, 2012

The values are not displayed, they are hidden. This is really no different than linking it to an external script; the POST fields still need to be passed from the client. You cannot submit them via curl and expect it to log you in. The password is also just a hash, without the salt. It would be nearly impossible for anyone to figure out the password from it. Not to mention they would have to be logged in to even get it, meaning they already have the password.

4is Posted February 20, 2012

They're not hidden. You can right click the page and view source; it would be there. Sending data via POST including your password etc. could be a security flaw. You've made a form that displays a user name and password on the actual webpage, instead of making one single link that automatically logs in and redirects.

laszlof (Author) Posted February 20, 2012

> They're not hidden. You can right click the page and view source; it would be there. Sending data via POST including your password etc. could be a security flaw. You've made a form that displays a user name and password on the actual webpage, instead of making one single link that automatically logs in and redirects.

By "hidden" I mean in the input sense, not literally hidden. However, as I said, the password is not actually a password, it's an MD5 hash without the required salt. Even with the salt, it would take someone quite a long time with a brute force tool to find the password match. Without the salt, nearly impossible. Besides, if you're logged in and can see the page, you already know the password. If you're concerned about MITM attacks, set up an SSL certificate on your Redmine installation. Sending a password via POST is how just about every other login system works; this is no different. There is no way to make a "single link login" system for this, unless you have Redmine hosted on the same host name as your WHMCS install. For me, it's not even on the same server, let alone the same host name. About as close as you're going to come is to make a "redmine_login.php" page that pulls the details from a DB, and outputs a form object and auto submits it with JavaScript. However, all someone would have to do is disable JavaScript and it would be precisely the same as what I've done.