By Kasun Vithanage on 2017-08-15 12:48 in GSoC 17 Media Manager

Venue : Glip

Time : 10/08/2017 UTC 16:30

 

List of Attendees

Name                  | Initials | Role    | Attended
----------------------|----------|---------|---------
Allon Moritz (Lead)   | AM       | Mentor  | x
Kasun Vithanage       | KV       | Student | x
Yves Hoppe            | YH       | Mentor  | x
David Neukirchen      | DN       | Mentor  |
Puneet Kala           | PK       | Mentor  |
Dimitris Grammatiko   | DG       | Mentor  |

Other Attendees: n/a

The Topics

Update about previous work

Since the last meeting Kasun has developed a mock plugin for testing a cloud filesystem with Joomla!. You can find it here. Feel free to test it and give feedback. It is a Dropbox plugin, so you will need a Dropbox account to test it with the Media Manager.

 

OAuth2.0 Helper for Joomla!

Almost all third-party developers use OAuth 2.0 for authentication and authorization against cloud providers. Allon and David suggested giving those developers a callback in Joomla! to ease development, as already foreseen in the schedule for the authentication process. The callback procedure is described below.

Proposal for Authentication Helpers

Introduction

For the authorization process it would be nice to add some helpers for third-party developers. The mechanism should be as flexible as possible, because each plugin behaves differently during the OAuth 2.0 process.

 

Define an Interface

For the callbacks provided by Joomla! to work, developers have to implement certain methods. It is therefore better to add an interface to the Media Manager that fixes the contract between Joomla! and the developer. Typically an OAuth process involves

  • Authentication

  • Authorization

Both steps pass data to a redirect URL that is pre-defined in the provider's app settings.

For example, after a Dropbox user presses Allow for the app, the provider returns a code that can be exchanged for an access token and a refresh token.

So in the Dropbox case the redirect URL is used twice, with different parameters on each call: once with the authorization code and once with the access/refresh token. (In the standard authorization code grant only the code arrives via the redirect; the token exchange is a direct request from the plugin to the provider's token endpoint, so a plugin must be prepared for either shape.) The interface we design should let the developer work with whatever parameters are passed to the callback.

 

Interface: OAuth2Handler

OAuth2Handler

  • onCallback($params : array)

Plugins that implement this interface get the opportunity to use the cloud callbacks provided by Joomla!.

 

Endpoint for OAuth

For this we need a public endpoint in Joomla!. The best suggestion is to use the com_media controller as the endpoint, without involving JRouter.

[site-name]/administrator/index.php?option=com_media&task=plugin.oauth2callback&plugin=[plugin-name]

can be used as the endpoint for plugins.

For plg_filesystem_dropbox it would be

[site-name]/administrator/index.php?option=com_media&task=plugin.oauth2callback&plugin=plg_filesystem_dropbox

This is the URL developers have to register as the redirect URL with their provider, so we need to document it for them.

 

Process

After a successful authentication or authorization the provider passes the required data to the given redirect URI as a GET or POST request. Joomla! receives all inputs of that request and passes them on to the relevant plugin.

To do so Joomla! looks up the plugin by the name given in the plugin parameter and passes the data to its onCallback($params : array) method. The developer can then use the parameters for either authentication or authorization, depending on the situation.

 

Security

With this setup alone anyone could send requests to the endpoint and invoke plugins, which is a security flaw. Almost all providers support an opaque state parameter (called status in the original notes; the OAuth 2.0 name is state) that is echoed back unchanged to the redirect URI and exists precisely to detect CSRF. So we must tell developers to set state to a Joomla! CSRF token before redirecting to the provider. After processing the request the provider redirects to the callback with the state parameter set by the developer, and before doing anything else Joomla! checks it to ensure the flow was started from within Joomla! by the same session.

If the CSRF check fails, the request to invoke the callback is rejected and the plugin is never called. The state value should be unpredictable, bound to the session that started the flow, and accepted only once.
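The following is an added example, not code from Joomla! or from the GSoC plugin, that sketches the three pieces described above in one runnable file: the proposed OAuth2Handler interface, the state check the controller performs before dispatching, and a hypothetical Dropbox plugin whose onCallback() tells the two callback shapes (authorization code vs. tokens) apart. The class and key names, the in-memory session array used in place of Joomla's session, and the constructed requests at the bottom are all assumptions made for this example.

```php
<?php
// Added example for the GSoC meeting notes: NOT Joomla! or plugin code.
// OAuth2Handler, OAuthState, dispatchOAuth2Callback() and
// DropboxFilesystemPlugin are hypothetical names chosen for illustration.
declare(strict_types=1);

interface OAuth2Handler
{
    /** Receives every GET/POST parameter the provider sent to the callback. */
    public function onCallback(array $params): void;
}

final class OAuthState
{
    private const KEY = 'com_media.oauth2.state';   // assumed session key

    /** Create a fresh, unguessable state for $plugin, bound to the session. */
    public static function issue(array &$session, string $plugin): string
    {
        $state = bin2hex(random_bytes(16));          // 128 bits of entropy
        $session[self::KEY][$plugin] = $state;       // one outstanding flow per plugin
        return $state;
    }

    /** Verify the state echoed back by the provider; valid states are single use. */
    public static function verify(array &$session, string $plugin, ?string $state): bool
    {
        $expected = $session[self::KEY][$plugin] ?? null;
        if ($expected === null || $state === null || !hash_equals($expected, $state)) {
            return false;                            // constant-time comparison
        }
        unset($session[self::KEY][$plugin]);         // consume on success
        return true;
    }
}

/**
 * What the com_media controller would do for task=plugin.oauth2callback:
 * check the state, then hand all remaining parameters to the plugin.
 * Returns false, without invoking anything, when the check fails.
 */
function dispatchOAuth2Callback(array &$session, array $plugins, array $request): bool
{
    $name  = (string) ($request['plugin'] ?? '');
    $state = is_string($request['state'] ?? null) ? $request['state'] : null;
    if (!isset($plugins[$name]) || !($plugins[$name] instanceof OAuth2Handler)) {
        return false;                                // unknown plugin
    }
    if (!OAuthState::verify($session, $name, $state)) {
        return false;                                // CSRF check failed: reject
    }
    $params = $request;
    unset($params['option'], $params['task'], $params['plugin'], $params['state']);
    $plugins[$name]->onCallback($params);
    return true;
}

/** Hypothetical Dropbox plugin distinguishing the two callback shapes. */
final class DropboxFilesystemPlugin implements OAuth2Handler
{
    public ?string $code = null;
    public ?string $accessToken = null;

    public function onCallback(array $params): void
    {
        if (isset($params['error'])) {               // user denied, or provider error
            throw new RuntimeException('Provider returned: ' . $params['error']);
        }
        if (isset($params['code'])) {
            $this->code = $params['code'];           // authorization code callback
        }
        if (isset($params['access_token'])) {
            $this->accessToken = $params['access_token']; // token callback
        }
    }
}

// Constructed walk-through; no real provider is contacted.
$session = [];
$plugins = ['plg_filesystem_dropbox' => new DropboxFilesystemPlugin()];

// 1. Before redirecting the administrator to Dropbox, the plugin issues a state
//    and embeds it in the authorize URL together with the callback endpoint.
$state = OAuthState::issue($session, 'plg_filesystem_dropbox');
$authorizeUrl = 'https://www.dropbox.com/oauth2/authorize?' . http_build_query([
    'response_type' => 'code', 'client_id' => 'APP_KEY', 'state' => $state,
    'redirect_uri'  => 'https://example.com/administrator/index.php'
        . '?option=com_media&task=plugin.oauth2callback&plugin=plg_filesystem_dropbox',
]);

// 2. Forged request with a guessed state: rejected, onCallback() never runs.
$forged = dispatchOAuth2Callback($session, $plugins,
    ['plugin' => 'plg_filesystem_dropbox', 'code' => 'attacker', 'state' => 'guess']);

// 3. Genuine redirect carrying the issued state: accepted exactly once.
$genuine = dispatchOAuth2Callback($session, $plugins,
    ['plugin' => 'plg_filesystem_dropbox', 'code' => 'abc123', 'state' => $state]);
$replay  = dispatchOAuth2Callback($session, $plugins,
    ['plugin' => 'plg_filesystem_dropbox', 'code' => 'abc123', 'state' => $state]);

var_dump($forged, $genuine, $replay, $plugins['plg_filesystem_dropbox']->code);
```

The example issues a dedicated random state per flow rather than reusing a general session token, so a value that leaks through the provider's referrer or logs cannot be replayed (step 3 shows the second delivery being refused). In real Joomla! code the session array would be replaced by the session object and the dispatch would live in the com_media plugin controller; those wiring details are outside this sketch.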



Discussion

Allon and Yves both agreed on having this endpoint in Joomla!. Kasun initially intended it to be a public endpoint, but since most providers return the state parameter in their authentication process, he decided to make it an administrator endpoint instead.

Kasun suggested showing an error message whenever an error occurs.

 

All topics in the above brief introduction were discussed and approved by both mentors.



Documentation for Media Manager Joomla!

Kasun asked Allon about the documentation for the new Media Manager. Allon suggested a few ideas on how it should look. Yves said he will help Kasun when he starts writing it.

 

Final Thoughts

Kasun will develop the authentication helper and report progress in the next meeting.