shoelaced Posted August 20, 2019 Share Posted August 20, 2019 Title says the gist. The main reason I would want to offer Google sign in would be for security's sake, in the sense that if a user activates Google sign in, then their login ability would be handled by Google and I would no longer be storing their password. Obviously I don't expect a data breach, but it seems like if a user no longer uses their password, then I might as well no longer store a password for them on the off-chance that it does ever happen. In any case, I was wondering what WHMCS does with stored passwords when a user activates Google sign in, if anything. 0 Quote Link to comment Share on other sites More sharing options...
WHMCS ChrisD Posted August 21, 2019 Share Posted August 21, 2019 Hello @shoelaced No, the client will continue to be able to login with Email & Password or Via Google Sign-In we do not clear out the password when the client adds a Sign-In Integration to their options to sign into the client area 0 Quote Link to comment Share on other sites More sharing options...
shoelaced Posted August 21, 2019 Author Share Posted August 21, 2019 Are customers able to sign up with Google sign in? What happens then, does the system just generate a password for the account? Seems like storing a working but unnecessary password negates all the security benefits of Google sign in, but okay. 0 Quote Link to comment Share on other sites More sharing options...
zitu4life Posted August 21, 2019 Share Posted August 21, 2019 And if a client who does not has a gmail account? a client who does not has facebook account or twitter account? He will keep using WJMCS storage password. v7.8 brings a free 2factor autentication to increase security, actually I did not tested how is "free" are. I undestand your point of view, perhaps you are saying if a client you there is a workaround to let you disable password when Gmail signin are ativate. For example in server login sometimes we deacrivate root login to increase security. in WHMCS i do not know if it is possible, but if were possible would like to know. I have client that never login in their account If could just disable it would give it a try. 0 Quote Link to comment Share on other sites More sharing options...
shoelaced Posted August 21, 2019 Author Share Posted August 21, 2019 Quote perhaps you are saying if a client you there is a workaround to let you disable password when Gmail signin are ativate. Yes, my question was whether the password gets deleted when Google sign in is activated, which I would think would be the ideal default behavior for security's sake. The password would remain intact if the customer is not using a social login. The way it is now if a customer has activated social sign in, then their password just sits there. Since they never use it to log in they'll never remember it anyway, nor think to change it if it gets compromised. It would just sit there as a security hole in their account forever. 0 Quote Link to comment Share on other sites More sharing options...
zitu4life Posted August 21, 2019 Share Posted August 21, 2019 (edited) Would be a nice future to increase security also, if we had the ability to prevent or disable client login on WHMCS admin, if needed. I know WHMCS is designated to be self client portal platform,... but this mean this future will only ensure it to be used only if a Admin thinks if needed. I had client that do not has email, so I have setup them on Admin side, I know they will never login to their client, they never know if client portal exists, they are old business man that not familiar with such a thing, so If could prevent login would be a must. So how i made contact with these clients, I use SMS addon 😃, also a future to never send emails are welcome, because those client has test@email.com for example. I know i can submit a future request, but it will take 2 4 6 years and also not sure even WHMCS will add it. Workaround would be always a immediate solution...i guess Add client is hard-coded tpl file. Edited August 21, 2019 by zitu4life 0 Quote Link to comment Share on other sites More sharing options...
zitu4life Posted August 21, 2019 Share Posted August 21, 2019 Another hypothetical situation...I even do not know if such circumstance can happen.... - Our client area page area under attack we could has a future to disable all client login with one click on WHMCS admin side, and then contact our hosting provider for help to immediately to check our server. Security futures and improvements should be always welcome. 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 21, 2019 Share Posted August 21, 2019 3 hours ago, shoelaced said: Are customers able to sign up with Google sign in? https://docs.whmcs.com/Configuring_Sign-In_using_Google Quote Enabling the Google Sign In Integration enables visitors and customers to register, sign in and connect their Google accounts with your WHMCS installation for faster sign-up and automatic sign-in. so the answer to that is yes. 3 hours ago, shoelaced said: What happens then, does the system just generate a password for the account? interesting question - I don't know what happens with the password if they register using a Google sign in. 1 hour ago, shoelaced said: Yes, my question was whether the password gets deleted when Google sign in is activated, which I would think would be the ideal default behavior for security's sake. The password would remain intact if the customer is not using a social login. I don't think it does - so if a user signs up as normal, and if they later use a signin option (fb/twitter or google), it's an additional login method and won't delete their account password. 35 minutes ago, zitu4life said: Would be a nice future to increase security also, if we had the ability to prevent or disable client login on WHMCS admin, if needed. I know WHMCS is designated to be self client portal platform,... but this mean this future will only ensure it to be used only if a Admin thinks if needed. I had client that do not has email, so I have setup them on Admin side, I know they will never login to their client, they never know if client portal exists, they are old business man that not familiar with such a think, so If could prevent login would be a must. you could do that with a hook - you would just need to add a condition as to what should prevent a user from logging in - so that could be an admin client custom field (e.g checkbox); it could be assigning these users to a client group - then the hook checks the user as they login against these condition(s). 25 minutes ago, zitu4life said: Our client area page area under attack we could has a future to disable all client login with one click on WHMCS admin side, and then contact our hosting provider for help to immediately to check our server. that solution already exists - you just put WHMCS into maintenance mode. https://docs.whmcs.com/General_Tab#Maintenance_Mode Quote Enabling this option will prevent your customers from accessing the client area and display the error message you can set beneath, useful when performing upgrades or changes you don’t want them to see. As an admin you will still be able to see the client area but your clients will not. Both the API and Hooks will continue to function unobstructed while Maintenance Mode is enabled. https://help.whmcs.com/m/system/l/680991-prevent-customers-accessing-the-site-maintenance-mode 1 Quote Link to comment Share on other sites More sharing options...
zitu4life Posted August 21, 2019 Share Posted August 21, 2019 2 hours ago, brian! said: that solution already exists - you just put WHMCS into maintenance mode. Thank you!! Well, actually I am ware of that option, but did not think it could used in that situation too ☺️ ...there is always something new to learn in this community. 2 hours ago, brian! said: you could do that with a hook - you would just need to add a condition as to what should prevent a user from logging in - so that could be an admin client custom field (e.g checkbox); it could be assigning these users to a client group - then the hook checks the user as they login against these condition(s). I have all those clients assigned to a color group called No Valid Email, also I have custom fields created for others ends, but I could create new one if needed. So that hook would only need every-time new client added by Admin, and if it do not have valid email, assign it to this client group No Valid Email. It is not a urgent thing, but when you have free time, your hook are always welcome, until WHMCS add it on core solution 😶 the other thing it that when client has no valid email WHMCS still tries to send automated emails on every invoice, so I will receive a ticket auto email response from email provider - Delivery Status Notification (Failure) from gmail in my specific case Perhaps I could block sender email and solve the problem? 0 Quote Link to comment Share on other sites More sharing options...
brian! Posted August 21, 2019 Share Posted August 21, 2019 6 minutes ago, zitu4life said: I have all those clients assigned to a color group called No Valid Email, also I have custom fields created for others ends, but I could create new one if needed. So that hook would only need every-time new client added by Admin, and if it do not have valid email, assign it to this client group No Valid Email. there have been hooks posted previously, that limit what clients can do in WHMCS until they've verified their email address. 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.