View Issue Details

IDProjectCategoryView StatusLast Update
0009598Multi Theft Auto : San AndreasSecuritypublic2017-06-28 23:15
ReporterGrafuAssigned Toccw 
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionfixed 
Product Version1.5.3 
Target Version1.5.4Fixed in Version1.5.4 
Summary0009598: Cannot add mobile IP address to autorized IPs to access HTTP
Description

Cannot add mobile IP address to autorized IPs to access HTTP. Would be nice to have a command to add IP through console instead of playing MTA on phone.

TagsNo tags attached.

Relationships

has duplicate 0009599 closedccw New issues [Request] Consider removing HTTP IP authorization enforcement 

Activities

Grafu

2017-04-22 13:51

viewer   ~~0025831

Last edited: 2017-04-22 13:59

View 2 revisions

Adding phone serial (if such exists) since IP can be dynamic. ****

authserial [account] after http attempt, but I guess HTTP doesn't accept serials. ****

ccw

2017-04-22 19:16

administrator   ~~0025833

One solution could be to have a secondary password for http access if the IP has not been authorized.

Drakath

2017-04-22 19:24

viewer   ~~0025834

Would sending a temporary key to the email defined in owner_email_address be possible?

ccw

2017-04-22 19:41

administrator   ~~0025835

How about a command which authorized the last ip attempted for http access.
eg:
authserial [account] http-ip

Grafu

2017-04-22 19:56

viewer   ~~0025836

Last edited: 2017-04-22 20:09

View 2 revisions

The main problem that IP changes on every phone internet turn on/off. So "authserial [account] http-ip" is not a solution. It should be something static like phone's MAC address.

Secondary password is a nice idea. But registering it might be a problem, especially if developers wanted to register accounts in their own way. In this case HTTP could send a request and checking if account has a specific account data key with hashed password. If it doesn't, permission to HTTP would be only granted if IP is authorised the old way.

ccw

2017-04-23 02:27

administrator   ~~0025838

Please give an example of developers registering accounts in their own way

Drakath

2017-04-23 08:36

viewer   ~~0025839

Adding an event handler, which could be cancelled for failed HTTP logins would allow scripters to implement this however they want.
For example:
addEventHandler("onHttpLoginFailed", function(theCurrentAccount, isAuthorized, key)
if theCurrentAccount and isObjectInACLGroup ("user."..getAccountName(theCurrentAccount), aclGetGroup ( "Admin" ) ) then
if not isAuthorized then
if key and key == getAccountData(theCurrentAccount, "customData") then
cancelEvent()
end
end
end
end)

Parameters: account theCurrentAccount, bool isAuthorized, string key
Cancelling the event would result in user logging in regardless of authorization.
This is backwards compatible with the regular way.

ccw

2017-05-07 02:58

administrator   ~~0025914

The following command was added for 1.5.4:
authserial <account_name> httppass

For details:
https://wiki.multitheftauto.com/wiki/Authorized_Serial_Account_Protection#How_to_use

Issue History

Date Modified Username Field Change