MyBB Community Forums

Full Version: [Websocket] Miuna Shoutbox 9.0.0
(2015-05-28, 07:30 PM)martec Wrote: [ -> ]
(2015-05-28, 09:57 AM)An0ny Wrote: [ -> ]By setting a preset set of allowed colors, allowed fonts etc then do a check in php on the site it self before submission each time. Regex in php would do the job anyway for this, as long as you check it before the shout is sent to the node

You're saying to use AJAX?
I will never use AJAX in this. AJAX uses a lot of server resources, and it makes no sense. This is a websocket shout and not a PHP shoutbox.

If you use AJAX for processing the submission, modifying, and other actions that need security, it would take minimal extra resources. The websocket server should only handle the delivery of messages, not the actual processing when a user submits one. But again, it really depends on the use case. But I am sure people would pick security every time.

In your test I was able to modify messages of any user without being logged in. I can spoof messages from any user.

The code is really good, but there needs to be security in place. I am sure if I dug deeper I could do even more damage to the system.

What I propose is using AJAX to send a request to the server to send the message. PHP will then validate the user and connect to an API running on the Node service that will authenticate and do the actual sending of the message. The user should not have any control over any of these processes.

I am not trying to be a jerk here, just want people to know the dangers of using this code. There is ABSOLUTELY NO AUTHENTICATION. I am willing to help out with your code and fix the issues if you want.

EDIT: If you really hate AJAX that much you can find a way to do authentication via Node, but I would stay away from this. It adds way too much complexity and would more likely use the same if not more resources than just using AJAX and having PHP handle the submission.
(2015-05-28, 10:37 PM)Skylord123 Wrote: [ -> ]

Not possible...
PHP does not have a permanent connection with Node.js, so on the PHP server the websocket connection will not work.

Using authentication in Node.js would make the whole integration break, because it would need a separate account for the shoutbox.

About "not logged in", are you saying the read-only mode for guests? Isn't it easier to deactivate this option in the ACP?
You don't do authentication in node. You build out a web server to run along side nodejs. This web server will be an api that will allow PHP and Node to talk together. I know the limitations with php. You don't need a connection open between node and php. You only make requests when something happens.

I actually had to make a chat program for my last job and made all the messages being sent and loading past messages done with PHP, then used Node to send out messages in real time. So when someone sends a message it would go sending client -> PHP -> Node -> receiving client.

I actually had to do authentication in php and node to disallow other users from receiving messages that don't belong to them. You would only need to do this if people can send private shouts to each other, otherwise it doesn't matter.

Anyways. There needs to be some sort of authentication system in place for this. Otherwise bots will be able to post spam and anyone can manipulate the shoutbox. I can help you fix these issues if you want.

Also I can still make an account and mess up the shout box. There has to be authentication in place. You should put a notice in your original post about the security issue until it is resolved. This plugin is potentially dangerous until fixed.
(2015-05-29, 07:13 AM)Skylord123 Wrote: [ -> ]I actually had to make a chat program for my last job and made all the messages being sent and loading past messages done with PHP, then used Node to send out messages in real time. So when someone sends a message it would go sending client -> PHP -> Node -> receiving client.

I really do not want to use something like that...
The speed of this will decrease substantially and server load will increase too.
For me it is better to use something like http://stackoverflow.com/questions/13095...5#24859515
(2015-05-29, 09:27 AM)martec Wrote: [ -> ]
(2015-05-29, 07:13 AM)Skylord123 Wrote: [ -> ]I actually had to make a chat program for my last job and made all the messages being sent and loading past messages done with PHP, then used Node to send out messages in real time. So when someone sends a message it would go sending client -> PHP -> Node -> receiving client.

I really do not want to use something like that...
The speed of this will decrease substantially and server load will increase too.
For me it is better to use something like http://stackoverflow.com/questions/13095...5#24859515

As I have stated before, the performance will barely be affected if at all. Since users are already authenticated via php on mybb you may as well use that. Otherwise you will be encountering several issues such as when the user logs out they can potentially still be logged into the shoutbox, etc. 

Even if you do use that session system you still have to authenticate. What is your method of authenticating?

You can authenticate by passing the sid cookie from MyBB to Node, then having Node do a lookup on the mybb_sessions table to check the uid (user id). This would work for authentication. Although not completely ideal, better than no authentication.
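The sid-cookie lookup just described, as an added example that is not Miuna Shoutbox code or Skylord123's code. It resolves the MyBB session cookie to a uid inside Node so the websocket server never trusts a uid sent by the client, and it rejects guest, unknown and idle sessions. Assumptions: the cookie is named `sid`, a sid is 32 hex characters, the sessions table has the `sid`, `uid` and `time` columns of MyBB's `mybb_sessions`, and 15 minutes of inactivity is an acceptable cutoff; `lookupSession` and the `SESSIONS` map stand in for a real parameterised query against that table.

```javascript
// Added example, not part of the Miuna Shoutbox project.
// Resolve the MyBB "sid" cookie to a user before a websocket is allowed to shout.

const SESSION_TIMEOUT_SECONDS = 15 * 60; // assumed inactivity cutoff

// Constructed sample of what SELECT sid, uid, time FROM mybb_sessions would return.
// A row with uid 0 is a guest session; a logged-out user has no row at all.
const SESSIONS = new Map([
  ['3f1c9e0b7d2a4c6e8b1f0a9d3c5e7b2a', { uid: 42, time: 1432900000 }],
  ['0000000000000000000000000000aaaa', { uid: 0,  time: 1432900000 }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    const k = part.slice(0, i).trim();
    let v = part.slice(i + 1).trim();
    try { v = decodeURIComponent(v); } catch (_) { /* keep raw value */ }
    if (k) out[k] = v;
  }
  return out;
}

// Assumption: MyBB sids are 32 hex chars. Rejecting anything else here keeps
// attacker-controlled strings away from the query, and the real lookup must
// still use a parameterised query, never string concatenation.
const SID_RE = /^[0-9a-f]{32}$/i;

function lookupSession(sid) {
  return SESSIONS.get(sid) || null;
}

// Called on the websocket upgrade (and ideally re-run per message or on a timer,
// because the sessions row disappears when the user logs out of MyBB).
function authenticateUpgrade(cookieHeader, now) {
  const sid = parseCookies(cookieHeader).sid;
  if (!sid || !SID_RE.test(sid)) return { ok: false, reason: 'no valid sid cookie' };
  const row = lookupSession(sid);
  if (!row) return { ok: false, reason: 'unknown session (logged out or expired)' };
  if (row.uid <= 0) return { ok: false, reason: 'guest session' };
  if (now - row.time > SESSION_TIMEOUT_SECONDS) return { ok: false, reason: 'session idle too long' };
  return { ok: true, uid: row.uid };
}

// The stored shout takes its uid from the authenticated session and only the
// message text from the client; any uid/username the client sends is ignored.
function buildShout(auth, clientPayload) {
  if (!auth.ok) return null;
  return { uid: auth.uid, message: String(clientPayload.message || '').slice(0, 500) };
}

module.exports = { SESSIONS, parseCookies, authenticateUpgrade, buildShout };
```

Checking at upgrade time alone leaves the logout gap Skylord123 mentions (the socket stays authenticated after the MyBB session is gone), which is why the lookup is cheap enough to repeat for each shout. Colour and font choices from An0ny's suggestion would be validated in the same place, after the uid is known and before the shout is broadcast.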
I have a problem. I can't send shouts or do anything, but the shoutbox shows active users.
When I press "enter" it just makes a new line.
(2015-05-29, 02:32 PM)Skylord123 Wrote: [ -> ]As I have stated before, the performance will barely be affected if at all. Since users are already authenticated via php on mybb you may as well use that. Otherwise you will be encountering several issues such as when the user logs out they can potentially still be logged into the shoutbox, etc. 

Why will it not affect it?
Every time a message is pushed it will need to use AJAX... and that will not affect it?
And the PHP server will need to contact the Node server all the time. So when someone shouts something, it will need to wait for PHP to open a new connection with Node again, etc. This will make message delivery in the Node server slow; this is lag that for me is not acceptable. AJAX is very slow compared to websocket.

If I make something, for me it is better to create a new exclusive authentication for the shoutbox, and the shoutbox would work as a totally external chat.

(2015-05-29, 08:57 PM)propilot Wrote: [ -> ]I have a problem. I can't send shouts or do anything, but the shoutbox shows active users.
When I press "enter" it just makes a new line.

This happens when it fails to connect with MongoDB.
Did you restart the OpenShift server?
Did you really use "miunashout" in the first textbox of the Public URL (if you put something different, the shoutbox won't work)? If you used something different, it will be unable to connect with MongoDB.
(2015-05-29, 09:04 PM)martec Wrote: [ -> ]

Everything seems to work when I go to the shoutbox URL it says "Miuna Shoutbox Server 2.0 successfully installed!"

I restarted the server as well. the first textbox is "miunashout"

The database works as well: http://i.imgur.com/KVeR8L9.png
(2015-05-29, 09:14 PM)propilot Wrote: [ -> ]Everything seems to work when I go to the shoutbox URL it says "Miuna Shoutbox Server 2.0 successfully installed!"


So provide a test admin account of your forum, the PIN and access to your OpenShift.
(2015-05-29, 09:21 PM)martec Wrote: [ -> ]

I pmed you with the details