[HELP] API Success Verification, Error Handling, and Security

pancakes07

I am in the process of developing a community forum for a certain group. For this project, I have decided to employ Flarum as the core platform.

The critical tasks, such as user login, registration, password update/reset, and account deletion, are intended to be performed through my own website instead of the Flarum interface directly. This functionality has been accomplished by leveraging the SSO extension developed by Maicol Battistini (https://discuss.flarum.org/d/21666-php-and-wordpress-single-sign-on-sso-with-optional-jwt-addon).

However, a few queries and concerns have cropped up during the development process which are as follows:

Verifying API Success

How can I definitively confirm the success of an API request?
For instance, I need to determine whether a user's login attempt, password modification, or account deletion request has been successful. This validation is particularly crucial when a user alters their password on my site, as it automatically triggers a password update on the forum as well. I must ascertain that the forum password is updated successfully prior to modifying it in my own system. This is to avoid a situation where a user cannot access the forum because the password is only updated on my website.

Post-Account Deletion Error

Once a user deletes their account via API, they encounter an error while attempting to access the forum. The issue can only be resolved by clearing the browser's cookies. Here is the stack trace for this error:

Error thrown with message "Call to a member function updateLastSeen() on null"

Stacktrace:
#30 Error in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\AuthenticateWithSession.php:41
#29 Flarum\Http\Middleware\AuthenticateWithSession:getActor in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\AuthenticateWithSession.php:27
#28 Flarum\Http\Middleware\AuthenticateWithSession:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#27 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\RememberFromCookie.php:52
#26 Flarum\Http\Middleware\RememberFromCookie:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#25 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\StartSession.php:61
#24 Flarum\Http\Middleware\StartSession:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#23 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\CollectGarbage.php:46
#22 Flarum\Http\Middleware\CollectGarbage:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#21 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\ParseJsonBody.php:28
#20 Flarum\Http\Middleware\ParseJsonBody:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#19 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\HandleErrors.php:57
#18 Flarum\Http\Middleware\HandleErrors:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#17 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\InjectActorReference.php:25
#16 Flarum\Http\Middleware\InjectActorReference:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#15 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\MiddlewarePipe.php:75
#14 Laminas\Stratigility\MiddlewarePipe:process in C:\xampp\htdocs\site\forum\vendor\middlewares\request-handler\src\RequestHandler.php:84
#13 Middlewares\RequestHandler:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#12 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\middlewares\base-path-router\src\BasePathRouter.php:99
#11 Middlewares\BasePathRouter:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#10 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Middleware\OriginalMessages.php:36
#9 Laminas\Stratigility\Middleware\OriginalMessages:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#8 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\middlewares\base-path\src\BasePath.php:73
#7 Middlewares\BasePath:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#6 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Middleware\ProcessIp.php:24
#5 Flarum\Http\Middleware\ProcessIp:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\Next.php:49
#4 Laminas\Stratigility\Next:handle in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\MiddlewarePipe.php:75
#3 Laminas\Stratigility\MiddlewarePipe:process in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-stratigility\src\MiddlewarePipe.php:64
#2 Laminas\Stratigility\MiddlewarePipe:handle in C:\xampp\htdocs\site\forum\vendor\laminas\laminas-httphandlerrunner\src\RequestHandlerRunner.php:73
#1 Laminas\HttpHandlerRunner\RequestHandlerRunner:run in C:\xampp\htdocs\site\forum\vendor\flarum\core\src\Http\Server.php:45
#0 Flarum\Http\Server:listen in C:\xampp\htdocs\site\forum\index.php:26

UserValidator.php Edits:

Is it a sound practice to modify username and password requirements by directly editing the UserValidator.php file? Currently, I have adjusted the getRules method as such:

    protected function getRules()
    {
        $idSuffix = $this->user ? ','.$this->user->id : '';

        return [
            'username' => [
                'required',
                'regex:/^[a-z0-9_-]+$/i',
                'unique:users,username'.$idSuffix,
            ],
            'email' => [
                'required',
            ],
            'password' => [
                'required',
            ]
        ];
    }

Other validation requirements are checked via my own authentication system. I am concerned about potential complications stemming from these changes.

Plaintext Password Transmission:

For user login/registration, the API necessitates sending passwords in plain text. Is this a secure approach? If not, could there be a workaround? It would be ideal if the system could just authenticate the user and disregard the password.

Any assistance or insights you can offer would be greatly appreciated. Thank you in advance.

askvortsov

pancakes07 How can I definitively confirm the success of an API request?

A successful API request should return a 20x HTTP response status. But if you're only going to be logging in via SSO, why require setting the password on the forum to begin with?

pancakes07 Once a user deletes their account via API

Odd, deleting a user should delete all access tokens because of how the database works. This might be a bug on Flarum's side.

pancakes07 Is it a sound practice to modify username and password requirements by directly editing the UserValidator.php file?

No. Any kind of modifications to Flarum should be done via custom extensions (or custom extenders, for a lower weight solution). See https://docs.flarum.org/extenders/ and https://docs.flarum.org/extend, there's an extender that allows you to add rules to an existing validator.

pancakes07 the API necessitates sending passwords in plain text

This is fine, the problem is storing passwords in plain text. Transmission isn't an issue as long as your site is properly configured to use HTTPS, which ensures that data you send is encrypted and not messed with during transmission.

pancakes07

askvortsov No. Any kind of modifications to Flarum should be done via custom extensions

Despite not being a programmer, I am doing a real effort to solve these issues on my own. I reverted the UserValidator.php to default and, based on this, I edited the extend.php file, and it looked like this:

<?php

/*
 * This file is part of Flarum.
 *
 * For detailed copyright and license information, please view the
 * LICENSE file that was distributed with this source code.
 */

use Flarum\Extend;

return [
    // Register extenders here to customize your forum!
    (new Extend\Validator(\Flarum\User\UserValidator::class))
    ->configure(function ($flarumValidator, $validator) {
        $rules = $validator->getRules();

        // The validator is sometimes used to validate *only* other attributes
        if (!array_key_exists('username', $rules) && !array_key_exists('email', $rules) && !array_key_exists('password', $rules)) {
            return;
        }

        // Loop through all Laravel validation rules until we find the one we're looking to replace
        $rules['username'] = array_map(function (string $rule) {

            // Min length change
            if (\Illuminate\Support\Str::startsWith($rule, 'min:')) {
                return 'min:1';
            }

            // Max length change
            if (\Illuminate\Support\Str::startsWith($rule, 'max:')) {
                return 'max:200';
            }

            // If it's not one of the rules we're looking for, we keep it as-it
            return $rule;
        }, $rules['username']);

        // Loop through all Laravel validation rules until we find the one we're looking to replace
        $rules['email'] = array_map(function (string $rule) {

            // Filter remove
            if (\Illuminate\Support\Str::startsWith($rule, 'email:')) {
                return '';
            }

            // Unique remove
            if (\Illuminate\Support\Str::startsWith($rule, 'unique:')) {
                return '';
            }

            // If it's not one of the rules we're looking for, we keep it as-it
            return $rule;
        }, $rules['email']);

        // Loop through all Laravel validation rules until we find the one we're looking to replace
        $rules['password'] = array_map(function (string $rule) {

            // Min length remove
            if (\Illuminate\Support\Str::startsWith($rule, 'min:')) {
                return 'min:1';
            }

            // If it's not one of the rules we're looking for, we keep it as-it
            return $rule;
        }, $rules['password']);

        $validator->setRules($rules);
    }),
];

However, after this change, when I try to update a user password via the api, I get the following error:

TypeError: array_key_exists(): Argument #2 ($array) must be of type array, null given in C:\xampp\htdocs\site\vendor\illuminate\collections\Arr.php:177
Stack trace:
#0 C:\xampp\htdocs\site\vendor\illuminate\collections\Arr.php(177): array_key_exists('token', NULL)
#1 C:\xampp\htdocs\site\vendor\maicol07\flarum-api-client\src\Response\Factory.php(28): Illuminate\Support\Arr::exists(NULL, 'token')
#2 C:\xampp\htdocs\site\vendor\maicol07\flarum-api-client\src\Client.php(77): Maicol07\Flarum\Api\Response\Factory::build(Object(GuzzleHttp\Psr7\Response))
#3 [internal function]: Maicol07\Flarum\Api\Client->request()
#4 C:\xampp\htdocs\site\vendor\maicol07\flarum-api-client\src\Fluent.php(353): call_user_func_array(Array, Array)
#5 C:\xampp\htdocs\site\vendor\maicol07\flarum-sso-plugin\src\User.php(69): Maicol07\Flarum\Api\Fluent->__call('request', Array)
#6 C:\xampp\htdocs\site\Al\Forum.php(148): Maicol07\SSO\User->update()
#7 C:\xampp\htdocs\site\Engine\User.php(157): Forum->updatePassword('username', 'password...')
#8 C:\xampp\htdocs\site\Engine\Ajax.php(37): User->updatePassword(1, Array)
#9 {main}

Can you guide me finding the correct solution via extension/extender?

askvortsov Odd, deleting a user should delete all access tokens because of how the database works.

Any clue on how can I solve this issue? All I am doing is calling the delete method of the SSO plugin by Maicol. It successfully deletes the user, but the user gets an error when he tries to access the forum. If debug is enabled, the error is the one I showed you on my previous message.

luceos

pancakes07 can you explain in human language what changes to the validator you want to make?

pancakes07

luceos

I want to make sure the username can have any length, including 1 (up to database limit of 200). Why? Because my website already has registered users with that length and because I want to allow that. I can live with the regex the way it is now.

Any superior limit on username length other than that should be checked on my own authentication system, responsible for signup and login on both my website and Flarum.

The same applies to password and email. All email verification is done on my own authentication system, according to my rules. I don't want an email to get validated on my website and not on Flarum. By the way, I don't even use any email related features of Flarum (notification, password reset, etc).