shib71 / mod-auth-token Goto Github PK

Hello,

I need the feature to authorize specific clients (at the moment only iphones). 
I suggest to extend 
your mod-auth-token to retrieve a client-identification (iphone: UDID) which is 
also used to 
generate/check the token:

/downloads/UDID/dee0ed6174a894113d5e8f6c98f0e92b/43eaf9c5/file_to_protect.txt

To do this is pretty easy and I would like to provide this extension back to 
the project. So my 
questions are:

- Do you like the extension?
- Is the suggested way proper?
- Should I extend the project or do you prefer to do it by yourself?
- Any suggestions in general?

Thanks,
Stephan

Is it possible to compile mod_auth_token on windows?
Is yes how can i test it?

Hi, is it possible to make a relative path to my files without showing the url 
prefix in the page source - I really need it for video streaming (show 
/b0e215710bdae127da10fb0620eadee9/4d401f28/file.mp4 instead of 
/video/b0e215710bdae127da10fb0620eadee9/4d401f28/file.mp4). I want to prevent 
people from downloading videos directly.
Thank You!

I have configure auth_token with IP check enabled.

Using http protocol mod authenticate works fine but when using https instead of 
authentication it leads to 404 error. Am i missing something? 

do i need to add some other directives in httpd.conf

i have dedicated server with centos 6.5 64 bit

Attached an example of URI generation in Perl.

$url = $protectedPath . $token. "/" . $hexTime . $filename;

should be:

$url = $protectedPath . $token. "/" . $hexTime . $fileName;

Nearly all Linux packaging systems use 'make DESTDIR=/tmp/path/to/temp/location 
install' instead of a plain 'make install' to create packages.

I had to apply the following patch to get mod_auth_token to play nicely with 
Debian's packaging system.

If DESTDIR is not set, the package works as it currently does.

Here's the rationale behind DESTDIR.

What steps will reproduce the problem?
1. I do a lot of mod_auth_token "double hit" downloads via a download program
2. always when doing 40 concurrent downloads some of the tokens will expire
3. always some of the tokens do not expire but download wrong file

What is the expected output? What do you see instead?
I expect to see mod_auth_token prepare a x second url that works


What version of the product are you using? On what operating system?
1.0.5

Please provide any additional information below.

it is very hard to replicate, but I had had numerous users mention it on the 
website but I was sceptical, because I had not seen it myself, I have a desktop 
client that hits an authenticated php to get a token via json, that token is 
then the "real" download, when I do a mass download (70 files) it will 
invariably stop randomly and produce a "gone" error in the response. at the 
moment i can't give you this code but I would urge doing a stress test. make 
200 file. give them all unique easily findable name. (EG: 2.test inside is 5000 
number 2 characters" then make a screen scrape routine that will question the 
200 files as tokens then go wget those tokens then write a 3rd routine to check 
that 2.list really has "5000 2's in it" I will write this whole thing and end 
it to you but if you do this you will see that it will fail "gone" about one in 
40 and a similar incidence will be wrong file

What steps will reproduce the problem?
1. Download and uncompress 
[https://mod-auth-token.googlecode.com/files/mod_auth_token-1.0.6-beta.tar.gz]
2. bash ./configure

What is the expected output? What do you see instead?

I expect the configure to work just as it does with the 1.5 release.

Instead, I get:
--
configure: error: cannot find install-sh or install.sh in "." "./.." "./../.."
--

What version of the product are you using? On what operating system?

mod_auth_token 1.6 on CentOS 6

Please provide any additional information below.

After symlinking all the automake folders (which already linked for you in the 
1.5 release), I was able to configure without a problem. I fear that some end 
users may not have been able to figure this out and it would ideal to either 
note the need for the symlinks in INSTALL, or make an autosymlink script to do 
it for you. Either way, I figured my initial difficulty could be avoided and 
the solution could be automated.

Here are 2 configuration snippets that currently fail to work with 
mod_auth_token:

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    ProxyPass              http://127.0.0.1:8000/
</Location>

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    RewriteRule            ^(.*)$ http://127.0.0.1:8000/$1 [P,F]
</Location>

The issue is that mod_auth_token currently asks to be slotted before mod_alias, 
but not before other modules.

The attached patch just also adds mod_rewrite and mod_proxy to the list of 
modules that should run after mod_auth_token.

PS, I've taken the liberty of renaming aszPost to aszSucc as this is seems to 
be the standard for the apache 2.2 code base. Feel free to remove this change 
if you do not like it.

What steps will reproduce the problem?
1. ./configure
2. make
3. make install
4. apxs -c -i mod_auth_token.c

What is the expected output? What do you see instead?
./configure runs without error, but make and thus make install give this error:
"libtool: link: warning: undefined symbols not allowed in i686-pc-cygwin-shared 
libraries"

What version of the product are you using? On what operating system?
Apache 2.2, clean install. libtool 2.4. Windows 7 X64.

Please provide any additional information below.
The install does put "mod_auth_token.a" and "mod_auth_token.la" into my 
"usr/local/apache2/modules" but I need the end product as a .so or .dll for 
windows use.

Also, the install process looks for and cannot find a "dl name" in the created 
.la file and thus it assumes I am creating a .so file. When it cannot find that 
it errors and halts.

Any ideas?

What steps will reproduce the problem?
1. copy the AuthToken* parts into the .htaccess file
2. download a file
3.

What is the expected output? What do you see instead?
Download/script execution starts.
Instead, I get a 500 Server Error page.

What version of the product are you using? On what operating system?
Apache 2.2.9 on Solaris 10

Please provide any additional information below.
Is it possible to use this module from within the .htaccess file? I keep
getting 500 errors, if I copy the text inside from the <Location> block
into the .htaccess file. Any hint is welcome.

On the front page, you declare the variable $secretString as the secret key.  
But farther down in the code, you incorrectly reference it as $secret, not 
$secretString.

Just a heads-up for anybody else copying example code verbatim.  :)

Thanks.

What steps will reproduce the problem?
1. configure / install mod_auth_token on apache (default apache on linux)
2. generate download link through JAVA program
3. download file through URL

What is the expected output? What do you see instead?
Download file as expected

What version of the product are you using? On what operating system?
mod_auth_token-1.0.5

Please provide any additional information below.
I got below error when download / access file through URL

(8)Exec format error: exec of '/home/chetan/instantclient_11_2.tar.gz' failed

Any idea how to solve this problem

Little shell script for url testing.

./tokenurl.sh /file.txt |xargs -i wget --spider http://dahost.example.com{}

Hi everyone,

I converted PHP URI generation code to Python (nearly line by line).
Result is attached.

Best regards and happy new year,
Ales Teska

Most of the APIs used by mod_auth_token actually come from APR (apache portable 
runtime) and not from apache itself. Since apache links against APR and since 
APR's headers are usually installed in standard locations such as /usr/include, 
the build works ok as-is.

However, if a user were to install apache and APR in a non-standard directory 
(a home directory for example), the build would fail.

The attached patches fix this issue while also reducing the number of undefined 
symbols when running sanity checking tools on the final library, making the 
symbol resolution much more robust.

What steps will reproduce the problem?
1. Again this relates to using this module in a deployed enviornment.
2.
3.

What is the expected output? What do you see instead?
I would like to have performance metrics available for this module esp. the 
functions in mod_auth_token.c  I have been wondering lately what how this 
impacts Apache at peak load, and if performance could be drastically improved 
on specialized servers with graphics cards and technologies such as CUDA and 
ATI Stream App technology that allows compiling C code down to run on the 
graphics GPU units.  Possibly even better encryption could be supported this 
way.

What version of the product are you using? On what operating system?
Ubuntu linux

Please provide any additional information below.
Wish I knew more about this library...

I did this

root@428209 [/home/anime/public_html]# locate default.conf
/home/cpeasyapache/src/httpd-2.2.22/docs/conf/extra/httpd-default.conf
/home/cpeasyapache/src/httpd-2.2.22/docs/conf/extra/httpd-default.conf.in
/usr/local/apache/conf/extra/httpd-default.conf
/usr/local/apache/conf/original/extra/httpd-default.conf
/usr/local/apache/conf_pre_ea3/extra/httpd-default.conf
/usr/local/apache/conf_pre_ea3/original/extra/httpd-default.conf
/usr/share/alsa/pcm/default.conf

My directive code is 

<Directory /home/anime/public_html/cache3>
        AllowOverride None
        allow from all
</Directory>
ScriptAlias /cache3/ /home/anime/public_html/cache3/
# Token settings
<Location /cache3/>
      AuthTokenSecret       "baokyrocks"
      AuthTokenPrefix       /cache3/
      AuthTokenTimeout      600
      AuthTokenLimitByIp    off
</Location>


But i not sure which is the default.conf to setup at, my centos is version 6 

I added at
/home/cpeasyapache/src/httpd-2.2.22/docs/conf/extra/httpd-default.conf

But it doesnt work

It generate me a string like 
/cache3/c076d0a8e66c3d9038744accf72665bd/4fe68d07/[A-Destiny] Kingdom - 02 
(848x480 h264 AAC) [E25330C5]_3_001.mp4

And i did this

http://myipaddress/~username/cache3/c076d0a8e66c3d9038744accf72665bd/4fe68d07/[A
-Destiny] Kingdom - 02 (848x480 h264 AAC) [E25330C5]_3_001.mp4

But it return me 404 not found.

I get a Forbidden error for URLs generated for files that names' contain spaces.
It may happen that there are problems with other special characters in the 
filenames.
I can't rename my files as they are user generated and it is impossible to go 
on the "renaming way".

I already tried using "+" and "%20" instead of " " (space) before generating 
the URL but those are not working.

How can I solve this problem?

What steps will reproduce the problem?

1. configure auth_token as usual with IP check enabled.

2. try to access one of the protected the pages through any proxy, with the 
token generated for client IP address.

3. you will get "unauthorized", because auth_token is only seeing proxy IP 
address, and does not check "x-forwarded-for" header from the request.

What version of the product are you using? On what operating system?
1.0.6beta on Ubuntu 12.04.1 LTS x64


Please provide any additional information below.

It would be great, if this module can be configured to use any HTTP header in 
authentication, not just "remote_host"

Make mod_auth_token work on windows

What steps will reproduce the problem?
Under PuTTY SSH client
1. # wget http://mod-auth-token.googlecode.com/files/mod_auth_token-1.0.6-
beta.tar.gz
2. # tar -zxvpf mod_auth_token-1.0.6-beta.tar.gz
3. # cd mod_auth_token
4. # chmod 777 *
5. # ./configure

What is the expected output? What do you see instead?
Compilation process preparation. 
configure: error: cannot find install-sh or install.sh 
in "." "./.." "./../.."

What version of the product are you using? On what operating system?
mod_auth_token-1.0.6-beta.tar.gz
CentOS 5.x

Please provide any additional information below.
Please tell me the steps necesary to compile this module correctly.

I just installed auth-mod-token 1.0.6 and I edited httpd.conf and created a php 
file located at http://freefilmssite.com/movie.php. The content of the file is 
the sample php code on main page plus some html to display the $url. My problem 
as you can see if you go to the file is that nothing shows up and nothing 
happens. If i remove the php code the html shows up fine. Please help

What steps will reproduce the problem?
1. Download a file
2.
3.

What is the expected output? What do you see instead?
I see the file downloading but it makes an error in the apache log.

What version of the product are you using? On what operating system?
1.0.5

Please provide any additional information below.
The error generated is
mod_auth_token: malformed or nonexistent token
i know why, it's because it run authenticate_token one time with the url
/download/the token/the date/the file.zip
and another time with
/download/the file.zip
and the last one will generate an error, but still send the file.

What steps will reproduce the problem?
1. Install Apache behind a squid or varnish proxy
2. Enable AuthTokenLimitByIp
3. Generate and use client token. 

Mod-Auth-Token uses the IP of the proxy server, and not that of the "real" 
client. Behind a single proxy things may appear to work, but there is no 
security provided (all clients will appear as the IP of the proxy).

Behind a proxy farm there will be random failures/successes.

If the app generating the token is not behind the same proxy as the server 
validating the token then IP validation will not work at all.

What is the expected output? What do you see instead?
The cache server should correctly set the X-Forwarded-For header. I expect 
mod-auth-token to enable the use of X-Forwarded-For header if required. It may 
be necessary to specify a list of "allowed" proxy addresses, and step through 
the X-Forwarded-For header to find the first non-allowed proxy server to use as 
the client IP.

Standing to Apache's APR documentation at

https://apr.apache.org/docs/apr/0.9/group__apr__strings.html#g7bd80c95ffb7b3f96b
c78e7b5b5b0045

the apr_pstrcat() function takes a list of strings. The code in 1.0.6_beta 
instead passes a character ('/'), beside missing a sentinel at the end of 
parameters.

I'm attaching a patch to fix the issue.

What is the expected output? What do you see instead?
should see a .jpg file, instead i get a forbidden message

What version of the product are you using? On what operating system?
tried 1.0.5 and 1.0.6 beta
debian (lenny) with apache2

Please provide any additional information below.

my httpd.conf
LoadModule auth_token_module  /usr/lib/apache2/modules/mod_auth_token.so
<Location /downloads/>
        AuthTokenSecret "secret"
        AuthTokenPrefix /downloads/
        AuthTokenTimeout 60
</Location>



php code:
<?php
// Settings to generate the URI
$secret = "secret";        // Same as AuthTokenSecret
$protectedPath = "/downloads/";         // Same as AuthTokenPrefix
$ipLimitation = false;                 // Same as AuthTokenLimitByIp
$hexTime = dechex(time());             // Time in Hexadecimal      
$fileName = "kannnichtkommen.jpg";    // The file to access


// Let's generate the token depending if we set AuthTokenLimitByIp
if ($ipLimitation) {
  $token = md5($secret . $fileName . $hexTime . $_SERVER['REMOTE_ADDR']);
}
else {
  $token = md5($secret . $fileName. $hexTime);
}


// We build the url
$url = $protectedPath . $token. "/" . $hexTime . "/" . $fileName;
echo 'http://ads.sui.at'.$url;

if the generated url is called within a browser:
Forbidden

You don't have permission to access 
/downloads/c3eee0620dd7022d4104152c69808194/4cb90464/kannnichtkommen.jpg on 
this server.

so it "does" work, but sadly does not grant me access when it should...

modules seems to be loaded successfully as i get it listed through "apache2 -M"

any ideas?

If you’ve ever wanted to stream MP4s securely over the internet while 
preventing hotlinking and stealing of your content, hopefully this helps.

Full guide: http://bit.ly/fR9kgC

Hi,

I wrote a tiny Perl module to generate mod-auth-token compatible URLs.

The module is Authen::ModAuthToken .

It's available in cpan:
http://search.cpan.org/~agordon/Authen-ModAuthToken-0.03/

Regards,
 -gordon

Hi,

1.0.6 beta, I confirm that the IP option works for me.

It would be great if the directory path was hidden too.

Thanks for the module.

Creating a site where users can upload binary content. Want to protect that 
content from direct download by other users by dynamically generating urls 
where appropriate. 

Content is stored in a folder per user id. eg 
(/video/[uid]/converted/filename.mpg)

How can I protect video/*/converted. It looks like your code generates the 
token from the data in the httpd.conf which would be static. Filename appears 
to be handled in a "special" way by both apache and your code. 

please advise.

What version of the product are you using? On what operating system?
mod_auth_token 1.05
Apache 2.2.3
Centos 5.5


<Location /sites/default/files/videos/*/video/converted/>
  AuthTokenSecret     "MyTopSecretToken"
  AuthTokenPrefix     /sites/default/files/videos/*/video/converted/
  AuthTokenTimeout    30
</Location>

We needed a way to secure full html pages with images and videos that load
in the same directory. We wanted to make these pages accessible within a
specific time window. We wanted to use mod_auth_token to do this, but every
file that gets loaded in the page is a separate request to Apache and
requires a unique token for every image or embeded resource in the page. 
So I added a new flag to the config called GlobalToken. The token is the
MD5 of the secret and the hextime, but not the file path. When this is
enabled the generated link uses just the secret + the hex time to create
the token, then all embedded resources in the page share the same token. 
It works great for our purposes and is a great way to secure flash videos
from leaching, and link sharing.

Please see the attached patch file.

Thank you for a great mod!
Jared Sprague
Red Hat Software Applications Engineer
RHCE 805009722242451 

String secret="secret string";                    // Same as AuthTokenSecret
String protectedPath="/vod/";                   // Same as AuthTokenPrefix
//boolean ipLimitation=false;                     // Same as AuthTokenLimitByIp
long time= (new Date()).getTime();                // Time in decimal
time=time/1000;                                   // timestamp of java is 
longer than PHP 
String hexTime =Long.toHexString(time);            // hexTime  in Hexadecimal  
String token =getMD5( (secret+ filePathName + hexTime).getBytes());
return protectedPath +token+"/"+hexTime+ filePathName;


public String getMD5(byte[] source) {
    String s = null;
    char hexDigits[] = { 
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd',   'e', 'f' };
    try {
        java.security.MessageDigest md = java.security.MessageDigest
                .getInstance("MD5");
        md.update(source);
        byte tmp[] = md.digest();
        char str[] = new char[16 * 2];
        int k = 0; 
        for (int i = 0; i < 16; i++) { 
            byte byte0 = tmp[i]; 
            str[k++] = hexDigits[byte0 >>> 4 & 0xf]; 
            str[k++] = hexDigits[byte0 & 0xf];
        }
        s = new String(str); 
    } catch (Exception e) {
        e.printStackTrace();
    }
    return s;
}

What steps will reproduce the problem?
1. Turn AuthTokenLimitByIp on
2. Make requests to protected files
3. Watch the error log

What is the expected output? What do you see instead?
--> I do not expect every request to be logged as error ("polluting" the error 
log). Especially for environments with many hits to protected files this makes 
logfiles very large and makes it hard to find real errors in the log.

What version of the product are you using? On what operating system?
--> 1.0.6-beta or SVN version on Debian Squeeze. 

Please provide any additional information below.
--> The problem is mod_auth_token.c, line 159 
(http://code.google.com/p/mod-auth-token/source/browse/trunk/mod_auth_token.c#15
9) - this always logs requests with conf->checkip enabled with an error 
log-level, even if there is no error, like this:

[Sat Sep 01 00:01:46 2012] [warn] [client 1.2.3.4] mod_auth_token: request from 
ip 1.2.3.4, referer: https://www.example.com

I do not know if it's possible to use a lower log-level - otherwise I'd suggest 
to completely remove this log call.

Hello,

I am working on RPM package for Fedora and there is an issue with your 1.0.6 
beta tarball. It has wrong permissions when unpacked:

drw-r--r-- 3 lzap lzap 4096 10. úno  2010 mod_auth_token

Its missing "x" permission.

Also .svn directory is distributed. Would you mind removing it (svn export can 
do this for you).

Many thanks, here is our bugzilla entry: 
https://bugzilla.redhat.com/show_bug.cgi?id=633240

Just a idea: Link available in future

token: $hexTime = dechex(time()+120); // Link available after 2 minutes

At the moment, token is "valid" immediately.

Hello,

I need to protect a directory with time-limit, but allow any file in this 
directory (including subdirs), without specifically encoding a new URL for each 
file.

Please find the attached patch that adds the above option.

To use it:

In the apache configuration path, put:
<Location /datafiles/>
      AuthTokenSecret       "foobar"
      AuthTokenPrefix       /datafiles/
      AuthTokenTimeout      60
      AuthTokenAnyPath      on
</Location>

And so any (valid) encoded time under "/datafiles/" will work, regardless of 
the actual file being accessed.

Example:
<?php
$secret = "foobar";             // Same as AuthTokenSecret
$protectedPath = "/datafiles/";        // Same as AuthTokenPrefix
$hexTime = dechex(time());             // Time in Hexadecimal  

// NOTE: No file name is encoded, just the time
$token = md5($secret . $hexTime);  

// build the url
$url = "http://myserver.com/datafiles/$token/any/file.would.work.txt";
?>


Hope this helps someone.

regards,
 -gordon

What steps will reproduce the problem?
1. just normal implementation using j2se
2.
3.

What is the expected output? What do you see instead?
- image access to be accurate 

What version of the product are you using? On what operating system?
1.0.5 (FCx Linux)

Please provide any additional information below.
Everything works fine except the issue being the generate token if config
says 30 seconds remains valid for 3+minutes and in case of 60 seconds it
remains valid for 4+ minutes. What's the reason that once the timestamp is
generated the token should expire to nearest second which it is not and
take minutes to expire! 

Is there anything Iam missing?

What steps will reproduce the problem?
1. Downloading
2.
3.

What is the expected output? What do you see instead?

Expect to see download instead getting a 403 forbidden error

also getting mod-auth-token erros in the log

EX:  mod_auth_token: failed token auth (got
'6a73544f1420e2a36eabd78423784d6e', expected '9CE5C2789FBF3140202FE7CC3FDF0A8A

My config file

      <Location "/fyc/">
        AuthTokenSecret       "test"
        AuthTokenPrefix       /fyc/
        AuthTokenTimeout      60
        #AuthTokenLimitByIp    off
      </Location>

Using test script

<?php
// Settings to generate the URI
$secret = "test";        // Same as AuthTokenSecret
$protectedPath = "/fyc/";         // Same as AuthTokenPrefix
$hexTime = dechex(time());             // Time in Hexadecimal      
$fileName = "/video-1b.flv";    // The file to access
$token = md5($secret . $filename. $hexTime);

// We build the url
$url = $protectedPath . $token. "/" . $hexTime . $fileName;
echo $url;
?>



What version of the product are you using? On what operating system?
1.0.5
CecntOS

Please provide any additional information below.

What steps will reproduce the problem?
1. I am the core developer of the django-classcomm project which uses this 
technology.
2. http://classcomm.net/ runs on slice hosting right now, so the sys admins 
configure the httpd.conf for me.
3. Would be nice to be able to configure in a .htaccess file so that my project 
would run more seamlessly on the available Django hosts market.

What is the expected output? What do you see instead?
http://classcomm.googlecode.com/

What version of the product are you using? On what operating system?
We have been using since 1.0.1 and will be upgrading to 1.0.6 tomorrow

Please provide any additional information below.
What other things can we do to make URI file accessc control more secure and 
more easy?

Hello.

I want to create some protected url but i would like to manage the access time 
with a PHP Script.

It's possible ?

Thx and sorry for my english but I'm french :=).

After hours of searching I ended up trying this to compile the module on 64 bit 
debian 6 (squeeze) using a 32 bit apache as a part of the XAMPP stack 
(apachefriends)

What steps will reproduce the problem?
1. ./configure CFLAGS="-m32" LDFLAGS="-m32" CXXFLAGS="-m32" CPPFLAGS="-m32" 
--with-apxs=/opt/lampp/bin/apxs
2. make check
3. make install
It finishes fine, however when I try to stop apache (/opt/lampp/lampp 
stopapache)
it reports back :

Failed loading /opt/lampp/modules/mod_auth_token.so: 
/opt/lampp/modules/mod_auth_token.so: wrong ELF class: ELFCLASS64

which means that somewhere it is not building for 32 bit but rather 64 bit.

What version of the product are you using? On what operating system?

this is with both versions of mod-auth-token.

Please provide any additional information below.

I think using XAMPP could also be a problem, but after downloading xampp-dev I 
could at least finally compile it, but it still reports the wrong ELF so I must 
be missing a parameter for ./configure somewhere.

Since it would be much easier, I would love a link to the 32 bit version of 
mod_auth_token.so. I'm pretty sure this would solve my problem, but i'm still 
curious on how to actually compile it for 32 bit so 32bit apache can actually 
load the module.

Any assistance would be appreciated :)