Hello there and thanks for reading my question! I am looking for a good solution to the following challenge and hopefully you can help me:
Challenge
I would like to share some protected content (i.e. not accessible to search engines or normal site visitors) on a future kirby site with my students. All the students have user accounts on the university moodle site. I would like to be able to place links on the moodle course page that refer the students to protected pages on my kirby site without them having to sign in or create a separate user account.
My rough thoughts on an implementation
Idea A:
Log-in by link/URL on the kirby site. The link would include a username/password or other token that authorises the visitor as a user (with a certain role like “Student Winter Semester 2020”) and allows access to the protected section. In this way I can use a URL on the moodle to link to my content on kirby.
Idea B:
Use the router somehow to redirect normal visitors to the login page when they try to access the protected area. Links from the university moodle server are allowed through. I think this should be technically possible by IP address, but I have no idea at the moment how I would do this. Also, I would not be able to limit the students from one course to a set of pages on my kirby site. It is my understanding that anyone! who is referred from the university moodle site/server would be able to see any of the kirby pages protected in this way.
Idea C:
Somehow use session information to authorise visitors from the moodle site. This is probably the most elegant way. No idea at the moment how this could be accomplished.
I would love it, if you could help me to overcome my challenge. Maybe someone else has already asked this or a related question and you can just point me to it?
That’s an interesting brain teaser… I have recently been looking into some “creative hacks” around authorisation integrations, so as for Idea A, here’s a quick sketch of how I imagine this could work (not working code, just a draft for further exploration).
Create a user ‘winter2020@example.com’ then create a route like:
This way, anybody who knows the URL example.com/studentlogin/4rp8l2m9 will automatically be logged in as a Winter 2020 student and forwarded to the (access restricted to user winter2020@example.com) page example.com/winter2020 that could contain your course material. Of course, good care needs to be taken that this user has very restricted rights (e.g. no Kirby Panel access etc.) as this is just security by obscurity.
Also, I am not sure how Kirby behaves with many devices logged in as “the same user” simultaneously; if that causes trouble, the hook would have to also create new users on the fly. That could likely be integrated into the route as well, using User::create().
Instead of properly “logging them in”, you could also just use such a route to hand out a cookie that is then checked for in the template/controller of the /winter2020 pages. Just throwing around ideas here…
I don’t think that Idea B would work, since you cannot rely on browsers sending referrer headers with outlinks from the Moodle site (as a matter of fact, I’d assume that such an environment has a rather strict referrer policy in place) and access based on IP address would be difficult unless all students are either on-premise or using a school VPN with a set IP range?
Idea C is the most elegant indeed. But that’s a full integration of Kirby with a Moodle environment and way beyond me
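The “login by link” route sketched in the reply above, written out as an added example (this is not code from the thread or from Kirby itself). It assumes Kirby 3, a pre-created user winter2020@example.com with a restricted role named “student” (no Panel access), a hypothetical config option studentlogin.tokens that holds the secret link tokens, and a placeholder token value that must be replaced with a long random string. The route only ever logs in the dedicated student account and compares the token in constant time, so a typo in the config cannot hand out an admin session and the unknown-token response looks like an ordinary missing page.

```php
<?php
// site/config/config.php (added example; not the thread's or Kirby's own code)
// Assumptions: Kirby 3.x, user winter2020@example.com exists with role "student",
// and that role's blueprint disables Panel access.

return [
    // Hypothetical option: link token => [Kirby user email, page slug to forward to].
    // The token below is a constructed placeholder; generate a long random one for real use.
    'studentlogin' => [
        'tokens' => [
            'REPLACE-WITH-LONG-RANDOM-TOKEN' => ['winter2020@example.com', 'winter2020'],
        ],
    ],

    'routes' => [
        [
            // example.com/studentlogin/<token>
            'pattern' => 'studentlogin/(:any)',
            'action'  => function (string $token) {
                $kirby  = kirby();
                $tokens = $kirby->option('studentlogin.tokens', []);

                // Constant-time comparison against every configured token, so timing
                // does not reveal how much of a guessed token was correct.
                $target = null;
                foreach ($tokens as $known => $candidate) {
                    if (hash_equals($known, $token)) {
                        $target = $candidate;
                    }
                }

                // Unknown token: render the normal error page instead of confirming
                // that the login route exists.
                if ($target === null) {
                    return $kirby->site()->errorPage();
                }

                [$email, $slug] = $target;
                $user = $kirby->user($email);

                // Refuse to log in anything but a "student" account, even if the
                // config points at another user by mistake.
                if ($user === null || $user->role()->name() !== 'student') {
                    return $kirby->site()->errorPage();
                }

                // Start a Kirby session for the shared student account (no password needed).
                $user->loginPasswordless();

                // Forward to the course page; that page's template/controller still has to
                // check kirby()->user() and redirect or show an error for anonymous visitors.
                return go($slug);
            }
        ],
    ],
];
```

The protected pages must enforce the check themselves: in the template or controller of the winter2020 page, redirect (or render the error page) unless kirby()->user() is set and has the “student” role, since the route only creates the session, it does not restrict access to the content. Keep the token out of version control (for example in a separate config file that is not committed) and rotate it each semester.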
No solution so far, but some aspects to consider, as I am thinking of a similar usage scenario:
It largely depends on the amount of “protection” you would like to establish. Ideas A and B just hide the content from being found more or less easily, they do not protect it. If you can live with the fact that, sooner or later, some other persons will have access to your “protected” content, A and B are fine. You could as well just publish the username and password of a specific Kirby account on your moodle page.
Idea C goes into the direction of delegating access control. I think I once saw an OAuth plugin for Kirby but I am not sure about the functionalities. So you need to elaborate if your moodle site could issue a token which you could use on your Kirby site. This way, at least only users with a valid moodle account could login to your site or the parts which are protected.
If your “content” consists of files only and the intended users are only students visiting the course, maybe it is better to put these into the moodle course page as attachment or something like that.
If you indeed do not want to force your users to login to your site, your options to really protect your content are quite limited. If you just fear the workload of creating, managing and finally deleting (temporary) personal accounts in your Kirby instance, I would elaborate solutions at this end, i.e. you can already bulk create users based on a list of enrolled students and Kirby is flexible enough to extend some functionalities here.
The “security” of the content is indeed not the main purpose. I am not protecting secrets but I do want to restrict the audience for the material and information I wish to publish there i.e. for students of my courses only.
I think the suggested solution by @sebastiangreger could work for me with a reasonable effort (he says knowing it will always take longer)
My questions that arise from going down that path:
If I only commit this “atrocity in security” for a single user role, say “Students” (i.e. all passwordless user log-ins are part of this role) and restrict their access to a part of my website (i.e. a folder contents/uni/) without access to the panel, would that limit the potential “breach” to that part of the site? Or am I exposing an attack surface this way that would make all other protected content, users or roles/accounts vulnerable?
@texnixe May I have feedback please, on whether I can log in <25 visitors/students as the same user?
Finally, I thought I might additionally be able to check for the existence of a session cookie from moodle. However, I just ran a test in firefox and the session information is only retained when the link is opened in the same window. As soon as the link opens in a new tab all the session information is gone. No joy.
@marcus-at-localhost thanks for asking. I have not solved this problem yet. I have been postponing this challenge and am still focusing on creating more content for my site. I am currently planning to use the simple ‘log-in by link’ method as outlined by @sebastiangreger above as a temporary solution.
Ultimately I am now considering an implementation of the shibboleth service provider on my VPS in the hope that I can make it work with kirby somehow. Since every visitor of the university moodle page must log in using their university account, if I can implement the shibboleth SP, then they would automatically be logged in with me as well when they follow the link to my kirby site. This works between universities and their services. It may require the permission of an Identity Provider, like my university. That would be the most complete solution but it looks incredibly daunting. Maybe I can get it to work with a smaller SAML plugin of some sort.
In any case, no solution yet. I will update the post once I have something working.
I have not implemented any solution yet, but I discovered something interesting in moodle that makes another approach possible.
When you create a new link inside moodle, you can specify additional parameters for this link. Among them are interesting data like for example the course id number, the user name or id, the user email address etc. These are simply added to the link as url parameters.
If I am not mistaken, then the user id number or email address may thus be used to reference or look up a kirby user that already exists. Alternatively, it would be possible to automatically create a user “on the fly” with the email address and name that has been passed. Of course, the latter approach is not ‘secure’.
It is just a thought I wanted to share, in case someone is also concerned with this issue.