diff --git a/pages/01.blog/new-linux-mobile-operating-systems-section-and-pinephone-pro-as-a-daily-driver/item.en.md b/pages/01.blog/new-linux-mobile-operating-systems-section-and-pinephone-pro-as-a-daily-driver/item.en.md new file mode 100644 index 0000000..58c2a2a --- /dev/null +++ b/pages/01.blog/new-linux-mobile-operating-systems-section-and-pinephone-pro-as-a-daily-driver/item.en.md 
@@ -0,0 +1,37 @@ +--- +title: 'New Linux Mobile Operating Systems section and PinePhone (Pro) as a daily driver' +author: Dan +published: true +date: '20-04-2024 00:11' +taxonomy: + category: + - news + tag: + - 'Linux Mobile' + - postmarketos + - 'TECH SAVIOURS' + - 'Arch Linux ARM' + - wiki + - tutorials +aura: + author: dan +--- + +# Linux Mobile +A new section popped up in our wiki - [Linux Mobile](https://wiki.techsaviours.org/en/phone/operating_systems/linux_mobile)! +Based for now only on a PinePhone (Pro) specifically on a braveheart (original PP - latest motherboard) and explorer (PPP). +Arch Linux ARM and postmarketOS are the operating systems included in the wiki. It only contains the option to create the images on your Arch system. It covers [DanctNIXs Arch Linux ARM build script](https://github.com/dreemurrs-embedded/arch-pine64-build) and [postmarketOSs pmbootstrap](https://wiki.postmarketos.org/wiki/Pmbootstrap). + +# PinePhone as a daily driver? +Nope. +I wrote an article in 2021 or so about a daily driven PinePhone that I never published. I couldn't find it anymore, so here's just a bit about it in relation to the new wiki section basically. +I used the PinePhone Original for about 9 months with the Pine64s keyboard, but the brick in the pocket (don't run without a proper belt around your hip!) was really annoying, but without the keyboard the phone couldn't run for a day. The battery searched and found the number 0 (%) very quickly. +So the PP is not at all useful for me as a daily driver, I would like to use it without the keyboard. I use a phone mainly as a phone - calls, texting and browsing. And that brings me straight to the next main drawback, calls (back then, maybe fixed now?) had a few issues. The other side couldn't hear me, or I never got a call. That happened randomly. The PPP has even more issues, but it's much faster than the PP, so it's more interesting for me. 
+I hope that all the issues will "disappear" one day, because Linux Mobile is the future for me to finally get away from the crappy way that Android comes with. After about 15 years of rooting, flashing and so on, I want to finally get that out of my head and start enjoying the freedom that Linux Mobile already offers on the other side! +The few disadvantages it has, it also has a lot of potential! Backups for example, suuuper easy! No TWRP, no nand backups or other weird ways to have "backups" of the system, or apps blocking backups and so on, oh Android can be very annoying! +A proper firewall ... yes everything you can do with Linux ;) + +So Linux Mobile must be part of our wiki! Time to own your own phone! Especially the phone is a big part of our digital everyday life! + +Have a good weekend! +Dan \ No newline at end of file diff --git a/plugins/login/CHANGELOG.md b/plugins/login/CHANGELOG.md index 469f052..b027b92 100644 --- a/plugins/login/CHANGELOG.md +++ b/plugins/login/CHANGELOG.md @@ -1,3 +1,17 @@ +# v3.7.8.1 +## 04/19/2024 + +1. [](#bugfix) + * Fixed a typo in `Email::sendActivationEmail()` [#303](https://github.com/getgrav/grav-plugin-login/issues/303) + +# v3.7.8 +## 04/16/2024 + +1. [](#improved) + * Use `random_bytes()` for password reset and activation, only fallback to `mt_rand()` if there's a generation error - discovered by [Fortbridge](https://fortbridge.co.uk) + * Added a new `site_host` field in the "Security" section to use in password reset and activation links sent in email. This allows you to avoid any "Password Reset Poisoning" attacks. - discovered by [Fortbridge](https://fortbridge.co.uk) + * Added a new warning in reset and activation emails that shows the "site host" clearly in order to avoid any nefariously sent emails. + # v3.7.7 ## 01/05/2024 diff --git a/plugins/login/README.md b/plugins/login/README.md index 291b49e..b5c63bc 100644 --- a/plugins/login/README.md +++ b/plugins/login/README.md 
@@ -174,6 +174,8 @@ dynamic_page_visibility: false # Integrate access into page visibil parent_acl: false # Look to parent `access` rules for access requirements protect_protected_page_media: false # Take `access` rules into account when directly accessing a page's media +site_host: # Optionally used in password reset and activation emails, to avoid "password poisoning attacks", this should be the URL of your site including the protocol. e.g. https://foo.com + rememberme: enabled: true # Enable 'remember me' functionality timeout: 604800 # Timeout in seconds. Defaults to 1 week @@ -427,6 +429,10 @@ user_registration: send_welcome_email: false # Send a welcome email to the user (probably should not be used with `send_activation_email` ``` +## Email Security Considerations + +For increased security and to deter users from being tricked into resetting their passwords or activating their accounts on 'fake' sites utilizing a [Password Poisoning Attack](https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning), you can now set the `site_host` property in the "Security" tab of the login properties, (e.g. `https://foo.com`) to ensure the users are sent to the original site only. + ## Sending an activation email By default the registration process adds a new user, and sets it as enabled. diff --git a/plugins/login/blueprints.yaml b/plugins/login/blueprints.yaml index e0dae9f..477d6b6 100644 --- a/plugins/login/blueprints.yaml +++ b/plugins/login/blueprints.yaml @@ -1,7 +1,7 @@ name: Login slug: login type: plugin -version: 3.7.7 +version: 3.7.8.1 testing: false description: Enables user authentication and login screen. icon: sign-in @@ -411,6 +411,12 @@ form: title: PLUGIN_LOGIN.SECURITY_TAB fields: + site_host: + type: text + size: medium + label: PLUGIN_LOGIN.SITE_HOST + help: PLUGIN_LOGIN.SITE_HOST_HELP + placeholder: "https://example.com" max_pw_resets_count: type: number size: x-small 
diff --git a/plugins/login/classes/Controller.php b/plugins/login/classes/Controller.php
index ed006d7..76463e2 100644
--- a/plugins/login/classes/Controller.php
+++ b/plugins/login/classes/Controller.php
@@ -389,8 +389,14 @@ class Controller
 return true;
 }
- $token = md5(uniqid((string)mt_rand(), true));
- $expire = time() + 604800; // next week
+ try {
+ $random_bytes = random_bytes(16);
+ } catch (\Exception $e) {
+ $random_bytes = mt_rand();
+ }
+
+ $token = md5(uniqid($random_bytes, true));
+ $expire = time() + 86400; // 24 hours
 $user->reset = $token . '::' . $expire;
 $user->save();
diff --git a/plugins/login/classes/Email.php b/plugins/login/classes/Email.php
index 74d0a98..dbf9cda 100644
--- a/plugins/login/classes/Email.php
+++ b/plugins/login/classes/Email.php
@@ -5,7 +5,6 @@ namespace Grav\Plugin\Login;
 use Grav\Common\Config\Config;
 use Grav\Common\Grav;
 use Grav\Common\Language\Language;
-use Grav\Common\Page\Pages;
 use Grav\Common\User\Interfaces\UserInterface;
 use Grav\Common\Utils;
 use Grav\Plugin\Login\Invitations\Invitation;
@@ -39,9 +38,12 @@ class Email
 throw new \RuntimeException('User activation route does not exist!');
 }
- /** @var Pages $pages */
- $pages = Grav::instance()['pages'];
- $activationLink = $pages->url(
+ $site_host = $config->get('plugins.login.site_host');
+ if (!empty($site_host)) {
+ $activationRoute = rtrim($site_host, '/') . '/' . ltrim($activationRoute, '/');
+ }
+
+ $activationLink = Utils::url(
 $activationRoute . '/token' . $param_sep . $token . '/username' . $param_sep . $user->username,
 null,
 true
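Review bot: The catch branch `$random_bytes = mt_rand();` silently downgrades the password-reset token to a Mersenne Twister value whenever random_bytes() throws (no CSPRNG source available), so on such a host the token becomes predictable and nobody is told; a reset token should fail closed, not fall back. Replace the try/catch and the md5/uniqid wrapping with `$token = bin2hex(random_bytes(16));` and let the exception propagate (or rethrow it as a RuntimeException) — 16 CSPRNG bytes already give the same 32-hex-character token the md5 produced, and passing them through uniqid()/md5() adds nothing. The reset window here also drops to 86400 s while the activation token in Login.php keeps 604800 s; if that asymmetry is intended, say so on the line, e.g. `$expire = time() + 86400; // reset links are short-lived (24h); activation links keep a one-week window`. The enclosing method starts and ends outside the hunk.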
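Review bot: The new `$site_host` prefix on the `$activationRoute = rtrim($site_host, '/') . '/' . ltrim($activationRoute, '/');` line is used without any check that the configured value is an absolute URL, even though the blueprint exposes it as a free text field and the README only asks for the protocol in a comment. A value like `example.com` (no scheme) produces `example.com/<route>/...`, which is not an absolute link, and the result then depends on how Utils::url() treats a scheme-less string — which I cannot confirm from this hunk, but which presumably falls back to request-derived data, i.e. exactly the host-header influence this field exists to remove. Validating the setting once, and refusing to send rather than sending a questionable link, keeps the mitigation from degrading silently. Separately, this call keeps `null` as the second Utils::url() argument while the reset-link hunk changes the same position to `true`; if that argument controls whether the domain is prepended, the activation link is emitted relative when `site_host` is unset, so the two calls should agree. The enclosing method starts and ends outside the hunk.
```php
$site_host = $config->get('plugins.login.site_host');
if (!empty($site_host)) {
    // Require an absolute URL (scheme + host): a bare hostname would be glued on
    // as a path prefix and the link would not be absolute.
    $parts = parse_url($site_host);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new \RuntimeException('plugins.login.site_host must be an absolute URL, e.g. https://example.com');
    }
    $activationRoute = rtrim($site_host, '/') . '/' . ltrim($activationRoute, '/');
}
// … unchanged: Utils::url() call building $activationLink …
```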
@@ -89,11 +91,14 @@ class Email
 throw new \RuntimeException('Password reset route does not exist!');
 }
- /** @var Pages $pages */
- $pages = Grav::instance()['pages'];
- $resetLink = $pages->url(
+ $site_host = static::getConfig()->get('plugins.login.site_host');
+ if (!empty($site_host)) {
+ $resetRoute = rtrim($site_host, '/') . '/' . ltrim($resetRoute, '/');
+ }
+
+ $resetLink = Utils::url(
 "{$resetRoute}/task{$param_sep}login.reset/token{$param_sep}{$token}/user{$param_sep}{$user->username}/nonce{$param_sep}" . Utils::getNonce('reset-form'),
- null,
+ true,
 true
 );
@@ -190,9 +195,7 @@ class Email
 throw new \RuntimeException('User registration route does not exist!');
 }
- /** @var Pages $pages */
- $pages = Grav::instance()['pages'];
- $invitationLink = $pages->url("{$inviteRoute}/{$param_sep}{$invitation->token}", null, true);
+ $invitationLink = Utils::url("{$inviteRoute}/{$param_sep}{$invitation->token}", true, true);
 $context = [
 'invitation_link' => $invitationLink,
@@ -218,11 +221,17 @@ class Email
 $config = static::getConfig();
+ $site_host = $config->get('plugins.login.site_host');
+ if (empty($site_host)) {
+ $site_host = Grav::instance()['uri']->host();
+ }
+
 // Twig context.
 $context += [
 'actor' => $actor,
 'user' => $user,
 'site_name' => $config->get('site.title', 'Website'),
+ 'site_host' => $site_host,
 'author' => $config->get('site.author.name', ''),
 ];
diff --git a/plugins/login/classes/Login.php b/plugins/login/classes/Login.php
index 36b982b..f31eea4 100644
--- a/plugins/login/classes/Login.php
+++ b/plugins/login/classes/Login.php
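Review bot: The rewritten `$invitationLink = Utils::url("{$inviteRoute}/{$param_sep}{$invitation->token}", true, true);` line never consults `plugins.login.site_host`, unlike the activation and reset links changed in the same file, so the invitation email's absolute URL is still built from whatever Utils::url() derives it from — presumably the incoming request, which is the same poisoning vector the new setting was added to close. Invitation links carry a bearer token just like reset links, so they should get the same prefix: `$site_host = static::getConfig()->get('plugins.login.site_host');` followed by `if (!empty($site_host)) { $inviteRoute = rtrim($site_host, '/') . '/' . ltrim($inviteRoute, '/'); }` before the Utils::url() call. The enclosing method starts and ends outside the hunk.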
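Review bot: The fallback `$site_host = Grav::instance()['uri']->host();` feeds the request's host into the `site_host` context value that the emails now display as a "this is the real site" warning, so on an installation where the option is not configured the warning will echo back an attacker-supplied Host header and lend it credibility rather than expose it. The warning is only meaningful when the host comes from configuration; when it is empty, leave `site_host` empty (or null) and let the template omit the notice instead of substituting a request-derived value — the template is outside this hunk, so it needs the matching guard. A comment on the spot would stop the fallback from being re-added later: `// No request-derived fallback: the Host header is attacker-influenced, which is what this warning exists to counter.` The enclosing method starts and ends outside the hunk.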
@@ -491,7 +491,13 @@ class Login
 throw new \RuntimeException($this->language->translate('PLUGIN_LOGIN.USER_NEEDS_EMAIL_FIELD'));
 }
- $token = md5(uniqid(mt_rand(), true));
+ try {
+ $random_bytes = random_bytes(16);
+ } catch (\Exception $e) {
+ $random_bytes = mt_rand();
+ }
+
+ $token = md5(uniqid($random_bytes, true));
 $expire = time() + 604800; // next week
 $user->activation_token = $token . '::' . $expire;
 $user->save();
diff --git a/plugins/login/languages/en.yaml b/plugins/login/languages/en.yaml
index c3eb1f1..187cef5 100644
--- a/plugins/login/languages/en.yaml
+++ b/plugins/login/languages/en.yaml
@@ -156,4 +156,7 @@ PLUGIN_LOGIN:
 INVITATION_EMAIL_MESSAGE: "We welcome you to register an account to on site."
 INVALID_INVITE_EMAILS: "Error: An invalid list of emails was provided"
 INVALID_FORM: "Error: Invalid form"
- FAILED_TO_SEND_EMAILS: "Failed to send emails to: %s"
\ No newline at end of file
+ FAILED_TO_SEND_EMAILS: "Failed to send emails to: %s"
+ HOST_WARNING: '
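Review bot: The `$random_bytes = mt_rand();` fallback in the catch branch turns the account-activation token into a Mersenne Twister value whenever the CSPRNG is unavailable, and does so without any log or error, so the weaker token is indistinguishable from a good one; the same pattern is introduced in Controller.php in this commit. Fail closed instead: `$token = bin2hex(random_bytes(16));` with no try/catch, letting the exception surface (the 32-hex-character token keeps the `token::expire` storage format unchanged). As a minor point, the fallback assigns an int where the success path assigns a string and then passes it to uniqid()'s string parameter; whether that is a silent coercion or a TypeError depends on a strict_types declaration that is outside this view. The enclosing method starts and ends outside the hunk.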