Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

/feat | Ability to Login to SOGo with a One-Click-Link from another Application #6070

Open
wants to merge 2 commits into
base: staging
Choose a base branch
from

Conversation

xLixon
Copy link

@xLixon xLixon commented Sep 10, 2024

Contribution Guidelines

What does this PR include?

Short Description

This PR is a little "Add-On" to the SOGo-One-Click-Auth already implemented in Mailcow.
It gives the function to create a token for an Login to SOGo From other applications only with the API token.

How does it work?

  1. POST Request from Application to Mailcow
    -> Body: username: {MAILBOX EMAIL ADDRESS} | apikey: {APIKEY} (JSON)
  2. Response:
    -> Body: success: true/false | username: {RETURN OF USERNAME} | token: {ONE-TIME AUTH TOKEN FOR SOGO}
  3. User gets redirected to /sogossologin/sogo-auth.php?email=EMAIL&token=TOKEN
    -> GET Parameters: email: {MAILBOX EMAIL ADDRESS} | token: {ONE-TIME AUTH TOKEN}

Tadaaa! User is logged in to SOGo.


Yes, that means that with the API Key, everyone can login to a Mailaccount. But Admins can login from the panel either way.
And there is no difference between a comprimized Admin Mailcow Account or a leaked API-Key because the API Key can do as much as the admin account.

Affected Containers

  • php-fpm
  • sogo

Did you run tests?

What did you tested?

I generated a token, used the token in the URL and got logged in to SOGo

What were the final results? (Awaited, got)

Everything worked just as i intended it to.

@milkmaker
Copy link
Collaborator

Thanks for contributing!

I noticed that you didn't select staging as your base branch. Please change the base branch to staging.
See the attached picture on how to change the base branch to staging:

check_prs_if_on_staging.png

@xLixon xLixon changed the base branch from master to staging September 10, 2024 15:43
@DerLinkman
Copy link
Member

Your branch is not based on your staging branch...

Also: affected containers are not filled out!

Please read the contribution guidelines to fulfill our requirements for a pr...

@DerLinkman DerLinkman marked this pull request as draft September 11, 2024 10:28
@xLixon
Copy link
Author

xLixon commented Sep 11, 2024

I filled the affected containers:
"No containers affected."
If the staging branch is "needed", i will soon push another version with the staging branch

@xLixon xLixon marked this pull request as ready for review September 11, 2024 10:32
@DerLinkman
Copy link
Member

But no containers affected is not right.

Affected are:

  • php-fpm
  • sogo (at least at some part)

@xLixon
Copy link
Author

xLixon commented Sep 11, 2024

But are they affected even tho i didnt even change anything in the containers?

@DerLinkman
Copy link
Member

DerLinkman commented Sep 11, 2024

You made changes to use the both containers. PHP to parse this script and sogo to authenticate with, so yes.

Why do we discuss about this? Simply add this and i'm fine.

@xLixon
Copy link
Author

xLixon commented Sep 11, 2024

Okey if this are changes then i will add it.
I didnt mean to discuss this, i just wanted to understand what is a "change". I thought changes are only things i activly changed in the container but it seems like only using them is also a change. thanks for this info!

@FreddleSpl0it
Copy link
Collaborator

FreddleSpl0it commented Nov 8, 2024

It would be better if there were an SSO for users to log in to the mailcow UI, similar to the existing Domain Admin SSO feature. From there, the user could navigate further to webmail or be directly redirected to SOGo, leveraging the existing sogo-auth.php script. I'm suggesting this because, with the OIDC and LDAP features, direct login to SOGo won't be possible, everything needs to go through mailcow's PHP sessions.

I believe there's already a branch with this feature, but it hasn't been merged yet.
eb33166

@xLixon
Copy link
Author

xLixon commented Nov 8, 2024 via email

@FreddleSpl0it
Copy link
Collaborator

Can you maybe explain this a little further?Because i think that is already like you said.The Login is already processed by mailcow and also saved with the data mailcow is using for their own "Direct-Login"-MethodVon meinem/meiner Galaxy gesendet-------- Ursprüngliche Nachricht --------Von: FreddleSpl0it @.> Datum: 08.11.24 07:52 (GMT+01:00) An: mailcow/mailcow-dockerized @.> Cc: xLixon @.>, Author @.> Betreff: Re: [mailcow/mailcow-dockerized] /feat | Ability to Login to SOGo with a One-Click-Link from another Application (PR #6070) It would be better if there were an SSO for users to log in to the mailcow UI, similar to the existing Domain Admin SSO feature. From there, the user could navigate further to webmail or be directly redirected to SOGo, leveraging the existing sogo-auth.php script. I'm suggesting this because, with the OIDC and LDAP features, direct login to SOGo won't be possible, everything needs to go through mailcow's PHP sessions —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: @.***>

ah yes you are right, my bad.

@xLixon
Copy link
Author

xLixon commented Nov 8, 2024

Can you maybe explain this a little further?Because i think that is already like you said.The Login is already processed by mailcow and also saved with the data mailcow is using for their own "Direct-Login"-MethodVon meinem/meiner Galaxy gesendet-------- Ursprüngliche Nachricht --------Von: FreddleSpl0it @.> Datum: 08.11.24 07:52 (GMT+01:00) An: mailcow/mailcow-dockerized _@**._> Cc: xLixon _@.>, Author @._> Betreff: Re: [mailcow/mailcow-dockerized] /feat | Ability to Login to SOGo with a One-Click-Link from another Application (PR #6070) It would be better if there were an SSO for users to log in to the mailcow UI, similar to the existing Domain Admin SSO feature. From there, the user could navigate further to webmail or be directly redirected to SOGo, leveraging the existing sogo-auth.php script. I'm suggesting this because, with the OIDC and LDAP features, direct login to SOGo won't be possible, everything needs to go through mailcow's PHP sessions —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: _@_.*>

ah yes you are right, my bad.

Did you try it?

@DerLinkman DerLinkman force-pushed the staging branch 2 times, most recently from aaee040 to 4d688c5 Compare November 15, 2024 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants