šŸ”’ Glitch unofficial oAuth

The Gallery
1

<deleted>

1 Like
2

this seems to operate on the honor system, but Iā€™ve only looked briefly at the code. would you be willing to post an explanation of how this works?

1 Like
3

Edit: This is now much more secure when using https://login-with.glitch.me/

Show anyway [quote="wh0, post:2, topic:56112"] honor system [/quote]

Honor system?

Of course! Basicaly you input your username and it generates a random code. Then, when you click verify, it fetches Glitchā€™s open API and looks at your profile description. If the description contains the code, the project jumps over the lazy dog and redirects the user to your website.

4

well an honorable user would follow the rules of not redirecting if they arenā€™t the right user. does it have a way to enforce those rules on dishonorable users? could they redirect anyway? in my understanding they can

1 Like
6

could an attacker forge an encrypted token to make them look like a different victim user? from what Iā€™ve seen of the code, Iā€™m getting a sense that yes, they can in a reasonable threat model, where the attacker has their own computer.

3 Likes
7

Edit: This is now much more secure when using https://login-with.glitch.me/

Show anywayWell... Yes, an attacker could, but there's a catch: I actually didn't explain, but like you probably aren't going to but big secrets on top of this auth: This is just a way of knowing that *probably* (because of the problem you said) the user has the glitch account ________ and some information about the account. If you want to use something that actually works, then check out [AuthFlow](https://support.glitch.com/t/authflow-the-simplest-way-to-implement-a-login-system/55829?u=tiagorangel2011): you can use Google's built-in token verification system and make sure the user is real.
8

So youā€™ve put a nice GUI onto this:

1 Like
10

GlitchOAuth I think checks the login code on its server, which makes it possible to verify a login without trusting any client, which is much stronger if youā€™re building a full stack app.

1 Like
11

Yeah but thereā€™s the problem of keeping the website static The new version of the site now checks everything in the server.

12

Hi, I really think this is a good idea, but I really think you should make a few changes. As @wh0 said

Assuming he meant that the user is trusted not to go messing with the code, then yeah, I agree

var username = "tiagorangel";
var redirect = "https://example.com";

if (typeof crypt !== "function") {
  var crypt = (p, t) => {
    t = "oauth";
    let r = (t) => t.split("").map((t) => t.charCodeAt(0)),
      a = (t) => ("0" + Number(t).toString(16)).substr(-2),
      e = (p) => r(t).reduce((t, p) => t ^ p, p);
    return p.split("").map(r).map(e).map(a).join("");
  };
}

fetch(`https://api.glitch.com/v1/users/by/login?login=${username}`)
  .then((res) => res.json())
  .then((response) => {
    var token = crypt(JSON.stringify(response));
    window.location.replace(
      `${redirect}?token=${token}&login_provider=oauth-login&provider_url=example.com`
    );
  });

})

This code could be injected at the login screen, bypassing any means of authentication.
Maybe you could move the actual login/verification to a backend server and give the client a token to interact with the backend with, sort of like pocketbase and its JavaScript library. Basically what the library does is:

  1. It submits the credentials to the server
  2. The server gives a token and the client stores it in localStorage
  3. The library interacts with the client using that token

Although, the way your project works, step one would probably be setting a login token in the description.

14

Obfuscating code is not really a good way of implementing security. Instead, you should write safe code in the first place (irrespective of whether you ā€˜have toā€™ write the code in some way to keep it static).

6 Likes
15

Edit: This is now much more secure when using https://login-with.glitch.me/

Show anyway [quote="EddiesTech, post:14, topic:56112"] (irrespective of whether you ā€˜have toā€™ write the code in some way to keep it static). [/quote] Unfortunately... [quote="", post:13, topic:56112"] because I donā€™t want users to keep looking at the loading screen for 3 hours [/quote]
16

Iā€™d rather prioritize my userā€™s security over speed. For example, I make some sort of twitter clone where I authenticate users via Glitch. If a userā€™s login could easily be easily forged, then I could pretend to be that user. Also, I agree with EddiesTech as I used a deobfuscator which allowed me to grab a basic concept on how the code worked. Someone really malicious could do the same thing.

4 Likes
17

I Glitched The Auth Site By Having It Redirect To The Auth Site

1 Like
18

This Also Sounds Good For My Game Pencil Agario

1 Like
19

Yes, thatā€™s a security concern, but if you want something secure, check out AuthFlow

20

@tiago Also, apart from the security issues, Iā€™m having an incredibly difficult time authenticating myself anyways. Glitch simply wonā€™t let me put login:xxxxxxxxxxxxxxxxxxxxx in my description! Apparently it thinks that login:xxxxxx is a link, and since it doesnā€™t start with http(s), it may be malicious. I canā€™t find any form of markdown to prevent it from failing me (code blocks, tables, backslash-escapes). This can be considered a bug.

1 Like
26

Please be aware of the following when using ā€˜The Galleryā€™

  • The purpose of the Gallery is to show off things you have built, and answer questions about how you built it.
  • The Gallery should not be used to provide ongoing updates and support for the users of that app.

https://support.glitch.com/t/welcome-to-the-glitch-gallery/30432

27

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.