Move unsafe autologin to an extension (#7958)

Completes the following TODO https://github.com/FreshRSS/FreshRSS/issues/7923:

https://github.com/FreshRSS/FreshRSS/blob/de624dc8ce63ec819c61216d9d44f828841c293e/app/Controllers/authController.php#L105

Extension PR: https://github.com/FreshRSS/Extensions/pull/364

https://github.com/FreshRSS/Extensions/tree/main/xExtension-UnsafeAutologin

app/Controllers/authController.php

@@ -13,7 +13,6 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 	 *   - anon_access (default: false)
 	 *   - anon_refresh (default: false)
 	 *   - auth_type (default: none)
-	 *   - unsafe_autologin (default: false)
 	 *   - api_enabled (default: false)
 	 */
 	public function indexAction(): void {
@@ -33,12 +32,10 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 			$anon = Minz_Request::paramBoolean('anon_access');
 			$anon_refresh = Minz_Request::paramBoolean('anon_refresh');
 			$auth_type = Minz_Request::paramString('auth_type') ?: 'form';
-			$unsafe_autologin = Minz_Request::paramBoolean('unsafe_autologin');
 			$api_enabled = Minz_Request::paramBoolean('api_enabled');
 			if ($anon !== FreshRSS_Context::systemConf()->allow_anonymous ||
 				$auth_type !== FreshRSS_Context::systemConf()->auth_type ||
 				$anon_refresh !== FreshRSS_Context::systemConf()->allow_anonymous_refresh ||
-				$unsafe_autologin !== FreshRSS_Context::systemConf()->unsafe_autologin_enabled ||
 				$api_enabled !== FreshRSS_Context::systemConf()->api_enabled) {
 				if (in_array($auth_type, ['form', 'http_auth', 'none'], true)) {
 					FreshRSS_Context::systemConf()->auth_type = $auth_type;
@@ -47,7 +44,6 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 				}
 				FreshRSS_Context::systemConf()->allow_anonymous = $anon;
 				FreshRSS_Context::systemConf()->allow_anonymous_refresh = $anon_refresh;
-				FreshRSS_Context::systemConf()->unsafe_autologin_enabled = $unsafe_autologin;
 				FreshRSS_Context::systemConf()->api_enabled = $api_enabled;
 
 				$ok &= FreshRSS_Context::systemConf()->save();
@@ -74,7 +70,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 	 * the user is already connected.
 	 */
 	public function loginAction(): void {
-		if (FreshRSS_Auth::hasAccess() && !(FreshRSS_Context::systemConf()->unsafe_autologin_enabled && Minz_Request::paramString('u') !== '')) {
+		if (FreshRSS_Auth::hasAccess()) {
 			Minz_Request::forward(['c' => 'index', 'a' => 'index'], true);
 		}
 
@@ -106,7 +102,6 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 	 *   - challenge (default: '')
 	 *   - keep_logged_in (default: false)
 	 *
-	 * @todo move unsafe autologin in an extension.
 	 * @throws Exception
 	 */
 	public function formLoginAction(): void {
@@ -192,48 +187,6 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 				Minz_Request::setBadNotification(_t('feedback.auth.login.invalid'));
 				Minz_Request::forward(['c' => 'auth', 'a' => 'login'], false);
 			}
-		} elseif (FreshRSS_Context::systemConf()->unsafe_autologin_enabled) {
-			$username = Minz_Request::paramString('u', plaintext: true);
-			$password = Minz_Request::paramString('p', plaintext: true);
-			Minz_Request::_param('p');
-
-			if ($username === '') {
-				return;
-			}
-
-			FreshRSS_FormAuth::deleteCookie();
-
-			FreshRSS_Context::initUser($username);
-			if (!FreshRSS_Context::hasUserConf()) {
-				return;
-			}
-
-			$s = FreshRSS_Context::userConf()->passwordHash;
-			$ok = password_verify($password, $s);
-			unset($password);
-			if ($ok) {
-				Minz_Session::regenerateID('FreshRSS');
-				Minz_Session::_params([
-					Minz_User::CURRENT_USER => $username,
-					'passwordHash' => $s,
-					'csrf' => false,
-				]);
-				FreshRSS_Auth::giveAccess();
-
-				Minz_Translate::init(FreshRSS_Context::userConf()->language);
-
-				Minz_Request::good(
-					_t('feedback.auth.login.success'),
-					['c' => 'index', 'a' => 'index'],
-					showNotification: FreshRSS_Context::userConf()->good_notification_timeout > 0
-				);
-			} else {
-				Minz_Log::warning('Unsafe password mismatch for user ' . $username);
-				Minz_Request::bad(
-					_t('feedback.auth.login.invalid'),
-					['c' => 'auth', 'a' => 'login']
-				);
-			}
 		}
 	}
 

app/Models/SystemConfiguration.php

@@ -26,7 +26,6 @@ declare(strict_types=1);
  * @property-read bool $pubsubhubbub_enabled
  * @property-read string $salt
  * @property-read bool $simplepie_syslog_enabled
- * @property bool $unsafe_autologin_enabled
  * @property-read bool $suppress_csp_warning
  * @property array<string> $trusted_sources
  * @property array<string,array<string,mixed>> $extensions

app/Models/UserConfiguration.php

@@ -75,7 +75,6 @@ declare(strict_types=1);
  * @property string $topline_thumbnail
  * @property int $ttl_default
  * @property int $dynamic_opml_ttl_default
- * @property-read bool $unsafe_autologin_enabled
  * @property string $view_mode
  * @property array<string,bool|int|string> $volatile
  * @property array<string,array<string,mixed>> $extensions

app/i18n/cs/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Hlavní ověřovací token',
 		'token_help' => 'Umožňuje přístup ke všem výstupům RSS uživatele i obnovování kanálů bez ověřování:',
 		'type' => 'Metoda ověřování',
-		'unsafe_autologin' => 'Povolit nebezpečné automatické přihlášení pomocí formátu: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/de/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master-Authentifizierungs-Token',
 		'token_help' => 'Zugriff auf alle vom Nutzer erstellten RSS-Feeds freigeben (inkl. Aktualisierung ohne Authenthentifizierung):',
 		'type' => 'Authentifizierungsmethode',
-		'unsafe_autologin' => 'Erlaube unsicheres automatisches Anmelden mit folgendem Format: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/el/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',	// TODO
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',	// TODO
 		'type' => 'Μέθοδος Πιστοποίησης',
-		'unsafe_autologin' => 'Επιτρέψτε την μη ασφαλή αυτόματη σύνδεση με την χρήση της μορφής: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/en-US/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',	// IGNORE
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',	// IGNORE
 		'type' => 'Authentication method',	// IGNORE
-		'unsafe_autologin' => 'Allow unsafe automatic login using the format: ',	// IGNORE
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/en/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',
 		'type' => 'Authentication method',
-		'unsafe_autologin' => 'Allow unsafe automatic login using the format: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/es/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Token de autentificación Master',
 		'token_help' => 'Permite el acceso a todas las salidas RSS del usuario así como la actualización de fuentes sin autenticación:',
 		'type' => 'Método de identificación',
-		'unsafe_autologin' => 'Permite la identificación automática insegura usando el formato: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/fa/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'به نوعی دارایی دیجیتال اشاره دارد که از ویژگی حفظ ارزش و انتقال به دیگران برخوردار است. توکن ابزار دیجیتالی است که بر روی بلاک چین رمزگذاری می‌شود. می‌توان گفت که توکن همان ارزدیجیتال با ویژگی‌های منحصر به فرد است.',
 		'token_help' => 'اجازه دسترسی به تمام خروجی های ار اس اس کاربر و همچنین به روزرسانی فید ها را بدون احراز هویت می دهد',
 		'type' => ' روش احراز هویت',
-		'unsafe_autologin' => ' اجازه ورود خودکار ناامن را با استفاده از قالب:',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/fi/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Todentamisen päätunnisteväline',
 		'token_help' => 'Sallii käyttäjän kaikkien RSS-tulosteiden käyttämisen sekä syötteiden päivityksen ilman todennusta:',
 		'type' => 'Todentamismenetelmä',
-		'unsafe_autologin' => 'Salli suojaamaton automaattinen sisäänkirjaus: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/fr/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Jeton d’identification maître',
 		'token_help' => 'Permet d’accéder à toutes les sorties RSS de l’utilisateur et au rafraîchissement des flux sans besoin de s’authentifier :',
 		'type' => 'Méthode d’authentification',
-		'unsafe_autologin' => 'Autoriser les connexions automatiques non-sûres au format : ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/he/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',	// TODO
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',	// TODO
 		'type' => 'שיטת אימות',
-		'unsafe_autologin' => 'הרשאה להתחברות אוטומטית בפורמט: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/hu/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Fő hitelesítési token',
 		'token_help' => 'Lehetővé teszi a hozzáférést a felhasználó összes RSS-kimenetéhez, valamint a hírfolyamok frissítéséhez hitelesítés nélkül:',
 		'type' => 'Hitelesítési módszer',
-		'unsafe_autologin' => 'Engedélyezze a nem biztonságos automata bejelentkezést a következő formátummal: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/id/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Token autentikasi utama',
 		'token_help' => 'Mengizinkan akses ke semua RSS pengguna serta menyegarkan umpan tanpa autentikasi:',
 		'type' => 'Metode autentikasi',
-		'unsafe_autologin' => 'Izinkan masuk otomatis tidak aman menggunakan format: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/it/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Token di autenticazione principale',
 		'token_help' => 'Consente l’accesso a tutti gli output RSS dell’utente e di aggiornare i feed senza autenticazione:',
 		'type' => 'Metodo di autenticazione',
-		'unsafe_autologin' => 'Consenti accesso automatico non sicuro usando il formato: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/ja/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'マスター認証用のトークン',
 		'token_help' => 'ユーザーのすべての RSS 出力へのアクセスと、認証なしのフィードの更新を許可します',
 		'type' => '認証メソッド',
-		'unsafe_autologin' => '危険な自動ログインを有効にします',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/ko/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => '마스터 인증 토큰',
 		'token_help' => '인증 없이 사용자의 모든 RSS 내용과 피드 새로고침 권한을 허용합니다.:',
 		'type' => '인증',
-		'unsafe_autologin' => '다음과 같은 안전하지 않은 방식의 로그인을 허가합니다: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/lv/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',	// TODO
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',	// TODO
 		'type' => 'Autentifikācijas metode',
-		'unsafe_autologin' => 'Atļaut nedrošu automātisku pieteikšanos, izmantojot formātu: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/nl/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Hoofdauthenticatietoken',
 		'token_help' => 'Geeft toegang tot alle RSS-uitvoer van de gebruiker en kan feeds verversen zonder authenticatie:',
 		'type' => 'Authenticatie methode',
-		'unsafe_autologin' => 'Sta onveilige automatische log in toe met het volgende formaat: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/oc/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Master authentication token',	// TODO
 		'token_help' => 'Allows access to all RSS outputs of the user as well as refreshing feeds without authentication:',	// TODO
 		'type' => 'Mòde d’autentification',
-		'unsafe_autologin' => 'Autorizar las connexions automaticas pas seguras al format : ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/pl/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Główny token uwierzytelniania',
 		'token_help' => 'Umożliwia dostęp do wszystkich kanałów RSS użytkownika, jak również odświeżanie kanałów bez uwierzytelnienia:',
 		'type' => 'Metoda uwierzytelniania',
-		'unsafe_autologin' => 'Pozwól na niebezpieczne automatyczne logowanie następującym schematem: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/pt-BR/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Token de autenticação principal',
 		'token_help' => 'Permite acesso a todos as saídas RSS do usuário bem como atualização dos feeds sem autenticação:',
 		'type' => 'Método de autenticação',
-		'unsafe_autologin' => 'Permitir login automático inseguro usando o seguinte formato: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/pt-PT/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Token de autenticação principal',
 		'token_help' => 'Permite acesso a todos as saídas RSS do utilizador bem como atualização dos feeds sem autenticação:',
 		'type' => 'Método de autenticação',
-		'unsafe_autologin' => 'Permitir login automático inseguro usando o seguinte formato: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/ru/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Главный токен аутентификации',
 		'token_help' => 'Обеспечивает доступ ко всем выходным данным RSS пользователя, а также к обновлению лент без проверки подлинности:',
 		'type' => 'Способ аутентификации',
-		'unsafe_autologin' => 'Разрешить небезопасный автоматический вход с использованием следующего формата: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/sk/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Hlavný prihlasovací token',
 		'token_help' => 'Povoľuje prístup k všetkým RSS výstupom, a tiež k obnove kanálov bez prihlásenia:',
 		'type' => 'Spôsob prihlásenia',
-		'unsafe_autologin' => 'Povoliť nebezpečné automatické prihlásenie pomocou webového formulára: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/tr/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Ana kimlik doğrulama belirteci',
 		'token_help' => 'Kullanıcının tüm RSS çıktılarına ve beslemeleri kimlik doğrulaması olmadan yenilemeye erişim sağlar:',
 		'type' => 'Kimlik doğrulama yöntemi',
-		'unsafe_autologin' => 'Güvenli olmayan otomatik girişe izin ver; şu formatı kullan: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/uk/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => 'Головний токен входу',
 		'token_help' => 'Надає доступ до всіх RSS-видач користувача, а також дає змогу оновлювати стрічки без входу:',
 		'type' => 'Тип входу',
-		'unsafe_autologin' => 'Дозволити небезпечний автоматичний вхід у форматі: ',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/zh-CN/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => '主验证 token',
 		'token_help' => '允许不验证而访问用户的全部 RSS 输出以及刷新订阅源：',
 		'type' => '认证方式',
-		'unsafe_autologin' => '允许不安全的自动登陆方式：',
 	),
 	'check_install' => array(
 		'cache' => array(

app/i18n/zh-TW/admin.php

@@ -22,7 +22,6 @@ return array(
 		'token' => '主要驗證權杖',
 		'token_help' => '允許存取使用者的所有 RSS 輸出以及重整源而無需身份驗證:',
 		'type' => '認證方式',
-		'unsafe_autologin' => '允許不安全的自動登入方式：',
 	),
 	'check_install' => array(
 		'cache' => array(

app/views/auth/index.phtml

@@ -46,18 +46,6 @@
 			</div>
 		</div>
 
-		<div class="form-group">
-			<div class="group-controls">
-				<label class="checkbox" for="unsafe_autologin">
-					<input type="checkbox" name="unsafe_autologin" id="unsafe_autologin" value="1"<?=
-						FreshRSS_Context::systemConf()->unsafe_autologin_enabled ? ' checked="checked"' : '',
-						FreshRSS_Auth::accessNeedsAction() ? '' : ' disabled="disabled"' ?> />
-					<?= _t('admin.auth.unsafe_autologin') ?>
-					<kbd><?= Minz_Url::display(['c' => 'auth', 'a' => 'login', 'params' => ['u' => 'alice', 'p' => '1234']], 'html', true) ?></kbd>
-				</label>
-			</div>
-		</div>
-
 		<div class="form-group">
 			<div class="group-controls">
 				<label class="checkbox" for="api_enabled">

config.default.php

@@ -78,11 +78,6 @@ return [
 	#	You need to set the user’s API password.
 	'api_enabled' => false,
 
-	# Allow or not the use of an unsafe login,
-	#	by providing username and password in the login URL:
-	#	https://example.net/FreshRSS/p/i/?c=auth&a=login&u=alice&p=1234
-	'unsafe_autologin_enabled' => false,
-
 	# By default, FreshRSS will display a warning to logged-in admin users if the CSP policy is insecure.
 	#	This setting can disable the warning.
 	#	For more information see: https://freshrss.github.io/FreshRSS/en/admins/10_ServerConfig.html#security