API shouldn't require a username and password

[anarcat]

Issue details

The API currently requires new "API client" to be created to operate, which includes a client_id and a client_secret.

But to actually work, the API also needs an access_token and refresh_token. And those are very short lived - one hour maximum.

This means to implement a client, you need to not only ask the user for an incomprehensible client_id and client_secret, but also for their username and password. Every client then needs to store those username and passwords indefinitely to regenerates the access tokens.

Environment

• wallabag version: 2.1.0 API documentation
• How did you install wallabag? irrelevant.
• Last wallabag version that did not exhibit the issue (if applicable): N/A
• php version: N/A
• OS: N/A
• type of hosting (shared or dedicated): N/A
• which storage system you choose at install (SQLite, MySQL/MariaDB or PostgreSQL): N/A

Steps to reproduce/test case

N/A.

Suggested solution

The username and password should be used only to create access tokens, which should be permanent. This would make the whole API way more efficient because then a single HTTP request would be require for API calls instead of two (assuming the worst case of less than one request per hour per client).

Alternatively, client tokens should be user-specific. I believe there may already be an issue about this, but right now, anyone can see (and delete?) anyone else's tokens on the server. That seems like a Real Bad Idea.

Clients should only ask the user's username and password as a transient secret, that can be used to create client tokens on the fly, which then can be used to create access tokens.

[j0k3r]

Alternatively, client tokens should be user-specific

It's already in place in the 2.2.0 (see #2499)

And we need to discuss about your interesting point.

[anarcat]

from what i see in #2806 - token ownership is not actually checked?

so there would still be work needed there.

I agree. Of course, you can refresh the tokens after they expired but in the case something fails after submitting the request, the new tokens are lost forever and the user needs to be asked for their username and password again. The suggested solution by @anarcat seems good to me.

Otherwise issues like https://github.com/wallabag/windows-app/issues/32 can happen at any time.

BTW, I have a question, mainly to the core team. My windows app is using the username and the password once to generate the access_token and the refresh_token. Those both values are saved in a database. However, I got some users reporting me that the app went from useful to useless after some weeks. I found out that this happens due to a failing refresh request, where my app might not get the newest values, even if the refresh request was done before. To illustrate this issue:

tokens are outdated -> Send request to server -> lose internet connection -> Server response is not getting parsed, but the old tokens are nevertheless invalid

The only solution would be to save the username and the password as well and use them to generate a fresh pair of tokens in case the above schema failed. Is that okay for you?

[tcitworld]

Nope, that's a no-go in terms of security. Let's increase the refresh token lifetime instead.

[anarcat]

how about making the refresh token permanent and revokable?

[tcitworld]

Not permanent IMHO. If the user didn't log inside the app for something like a year, you can expect the app to ask the user again for credentials.

[anarcat]

my app can't ask for credentials. it's automated.

most apps require username and password only when setting up, not after an arbitrary timeout. as far as i know, twitter Oauth credentials are permanent, for example.

the title of the issue i opened here is "API shouldn't require a username and password", and I meant it. it's not "API shouldn't require a username and password most of the time". i want to have a token i can use until revoked.

why are you expiring the tokens anyways? what's the use case for this?

if we are worried that users will lose that device, then the proper solution is not to expire the tokens, because then we are vulnerable for a long time after the device is lost: if i lose the device N days after then tokens are used, then I am vulnerable for full year. the proper solution is, as done elsewhere, to have a clear interface to see what devices have access and allow revocation.

I agree with @anarcat. This is the best way for the future and should be included in wallabag 2.3 (or as soon as possible). What should we do for older versions? Should we log out the user and enforcing him to re-login again?

[di72nn]

The problem arises from the fact that the only allowed grant_type (grant_type=password) configured to require a weird set of parameters: it takes both username and password (ok for this grant type) and client_id and client_secret.
client_id and client_secret are supposed to be used with grant_type=client_credentials which doesn't need username and password.

If grant_type=client_credentials is allowed, all the other problems discussed here are gone.

See: OAuth 2 Simplified (or read other OAuth-related info).

[di72nn]

There is authorization_code grant_type which should also be a good choice in case of wallabag, but:

1. There is no endpoint to get that authorization code.
2. It has pretty much the same disadvantages discussed here (it allows to get tokes once; if the tokens expire, the procedure needs to be repeated).

Update: I included the first point because authorization_code is present in the "Grant type allowed" list in wallabag UI, but there is no way to actually use it.

[anarcat]

from my point of view, we should be able to get as many tokens as we want with the client_id and client_secret. it seems completely redundant to have to provide the username and password as well, unless it is to create a new client_id and client_secret pair!

in other words, maybe the simplest solution for clients would be to have a user-specific client_id and client_secret that can be used (without passwords!) to generate temporary tokens on the fly. then the client_id and client_secret tokens could be used to revoke access...

obviously, for this to work, older pre-upgrade tokens would need to be purged or categorized differently, because they are currently publicly readable among all users.

is that what you meant?

[di72nn]

This is how it currently works:

http POST http://v2.wallabag.org/oauth/v2/token \
    grant_type=password \
    client_id=12_5um6nz50ceg4088c0840wwc0kgg44g00kk84og044ggkscso0k \
    client_secret=3qd12zpeaxes8cwg8c0404g888co4wo8kc4gcw0occww8cgw4k \
    username=yourUsername \
    password=yourPassw0rd

This is how it should work:

http POST http://v2.wallabag.org/oauth/v2/token \
    grant_type=password \
    client_id=12_5um6nz50ceg4088c0840wwc0kgg44g00kk84og044ggkscso0k \
    username=yourUsername \
    password=yourPassw0rd

Notice the absence of client_secret - grant_type=password shouldn't require it. Sources: simplified, RFC.

In theory API clients (read: client_id and client_secret pairs) should not be user-specific, but since they already are in recent versions, this is what may be added:

http POST http://v2.wallabag.org/oauth/v2/token \
    grant_type=client_credentials \
    client_id=12_5um6nz50ceg4088c0840wwc0kgg44g00kk84og044ggkscso0k \
    client_secret=3qd12zpeaxes8cwg8c0404g888co4wo8kc4gcw0occww8cgw4k

Sources: simplified, RFC.

For f*ck's sake, people, read the OAuth specs before inventing more crap.