🔒 Glitch unofficial oAuth

Update
I am discontinuing this older version of Glitch Oauth. Please check the new and much more secure version at https://login-with.glitch.me

Hi everyone!
Today I've built a simple app that lets you sign in to any website with Glitch.

You only need to send your users to the auth screen, indicating the callback as a URI parameter.

When the user signs in, the website redirects the user to your endpoint with the URI parameter "token" which contains the user information as a JSON string.

The information is encoded using a cipher, so you need to decode it using our decryptor script.

:point_right: Check it out: https://oauth-login.glitch.me/

No rickrolls this time, you have my word

Happy Glitching!
Tiago

PS: Inspired by Can we have Glitch oAuth

What's your opinion?
  • Cool
  • This is useless
1 Like

this seems to operate on the honor system, but I've only looked briefly at the code. would you be willing to post an explanation of how this works?

1 Like

Edit: This is now much more secure when using https://login-with.glitch.me/


> honor system

Honor system?

Of course! Basically you input your username and it generates a random code. Then, when you click verify, it fetches Glitch's open API and looks at your profile description. If the description contains the code, the project jumps over the lazy dog and redirects the user to your website.

well an honorable user would follow the rules of not redirecting if they aren't the right user. does it have a way to enforce those rules on dishonorable users? could they redirect anyway? in my understanding they can

1 Like

could an attacker forge an encrypted token to make them look like a different victim user? from what I've seen of the code, I'm getting a sense that yes, they can in a reasonable threat model, where the attacker has their own computer.

3 Likes

Edit: This is now much more secure when using https://login-with.glitch.me/


Well... Yes, an attacker could, but there's a catch: I actually didn't explain, but like you probably aren't going to put big secrets on top of this auth: This is just a way of knowing that *probably* (because of the problem you said) the user has the glitch account ________ and some information about the account. If you want to use something that actually works, then check out [AuthFlow](https://support.glitch.com/t/authflow-the-simplest-way-to-implement-a-login-system/55829?u=tiagorangel2011): you can use Google's built-in token verification system and make sure the user is real.

So you've put a nice GUI onto this:

1 Like

Well, I was inspired by that, but actually didn't even look at its code (seems closed)! :grinning:

GlitchOAuth I think checks the login code on its server, which makes it possible to verify a login without trusting any client, which is much stronger if you're building a full stack app.

1 Like

Yeah but there's the problem of keeping the website static. The new version of the site now checks everything in the server.

Hi, I really think this is a good idea, but I really think you should make a few changes. As @wh0 said

Assuming he meant that the user is trusted not to go messing with the code, then yeah, I agree

```javascript
var username = "tiagorangel"; // any Glitch login can be put here
var redirect = "https://example.com";

if (typeof crypt !== "function") {
  // The "cipher": XOR each character code with the characters of the
  // fixed key "oauth", then hex-encode the result. The key is hardcoded.
  var crypt = (p, t) => {
    t = "oauth";
    let r = (t) => t.split("").map((t) => t.charCodeAt(0)),
      a = (t) => ("0" + Number(t).toString(16)).substr(-2),
      e = (p) => r(t).reduce((t, p) => t ^ p, p);
    return p.split("").map(r).map(e).map(a).join("");
  };
}

// Fetch the public profile of the chosen user and redirect with a token
// built from it; the description code is never checked on this path.
fetch(`https://api.glitch.com/v1/users/by/login?login=${username}`)
  .then((res) => res.json())
  .then((response) => {
    var token = crypt(JSON.stringify(response));
    window.location.replace(
      `${redirect}?token=${token}&login_provider=oauth-login&provider_url=example.com`
    );
  });
```

This code could be injected at the login screen, bypassing any means of authentication.
Maybe you could move the actual login/verification to a backend server and give the client a token to interact with the backend with, sort of like pocketbase and its JavaScript library. Basically what the library does is:

  1. It submits the credentials to the server
  2. The server gives a token and the client stores it in localStorage
  3. The library interacts with the client using that token

Although, the way your project works, step one would probably be setting a login token in the description.

Edit: This is now much more secure when using https://login-with.glitch.me/


Ooops, it seems like there are a lot of security problems here! The big problem is keeping the site static and 24/7 awake, because I don't want users to keep looking at the loading screen for 3 hours. I am currently working to improve the security of this, anyway thanks! *** **EDIT:** Implemented IIFE, minified javascript, and obfuscated some code (sorry glitch, please don't report my project!).

Obfuscating code is not really a good way of implementing security. Instead, you should write safe code in the first place (irrespective of whether you 'have to' write the code in some way to keep it static).

6 Likes

Edit: This is now much more secure when using https://login-with.glitch.me/


> (irrespective of whether you 'have to' write the code in some way to keep it static).

Unfortunately...

> because I don't want users to keep looking at the loading screen for 3 hours

I'd rather prioritize my user's security over speed. For example, I make some sort of twitter clone where I authenticate users via Glitch. If a user's login could easily be forged, then I could pretend to be that user. Also, I agree with EddiesTech as I used a deobfuscator which allowed me to grab a basic concept on how the code worked. Someone really malicious could do the same thing.

4 Likes

I Glitched The Auth Site By Having It Redirect To The Auth Site

1 Like

This Also Sounds Good For My Game Pencil Agario

1 Like

Yes, that's a security concern, but if you want something secure, check out AuthFlow

@_tr Also, apart from the security issues, I'm having an incredibly difficult time authenticating myself anyways. Glitch simply won't let me put login:xxxxxxxxxxxxxxxxxxxxx in my description! Apparently it thinks that login:xxxxxx is a link, and since it doesn't start with http(s), it may be malicious. I can't find any form of markdown to prevent it from failing me (code blocks, tables, backslash-escapes). This can be considered a bug.

1 Like

It seems to work for me!

I have sent you a private message

EDIT: This issue has been solved by private message

2 Likes