
[BUG] Use of "guest" sessions instead of authenticated one to download some images from iOS #554

Closed
romain-intel opened this issue Sep 26, 2023 · 5 comments

@romain-intel

Describe the bug and how to reproduce
I hadn't used Piwigo in a while and recently updated everything (the server to 14b3 and the iOS app). I also use a version of piwigo_privacy (https://github.com/yonjah/piwigo_privacy) which ensures that images are always protected (i.e. you need to have access to them to actually get to them).

The issue seems to be that, in some cases, the iOS app does not use a logged-in session to download images and instead downloads "as guest", which breaks this protection. It only seems to do this for the representative image of an album (and even then not in all cases, so it is a bit weird). All other images load fine (thumbnail or full version).

I've been trying to figure this out because I know I have a bit of an exotic setup but I believe the issue is in the iOS app (and not the PHP server code).

I instrumented things in user.inc.php to see what requests were coming in and here is what I see (user 2 is the "guest" user and user 3 is an actual registered user):

[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.login,vandr,xxxxxx
[2023-09-25 3:48:17]    [DEBUG] AT END user id is 2
[2023-09-25 3:48:17]    [DEBUG] Logging user 3
[2023-09-25 3:48:17]    [DEBUG] Opening session at
[2023-09-25 3:48:17]    [DEBUG] For tqfe3uka6ijafjrkt1okb7erq1 writing pwg_device|s:7:"desktop";pwg_mobile_theme|b:0;pwg_uid|i:3;
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.getStatus
...
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.categories.getList,medium,0,0,true
...
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Request is 54281,_data/i/upload/2022/03/01/20220301235416-1b6c89b8-me.jpg
[2023-09-25 3:48:18]    [DEBUG] Request is 54915,_data/i/upload/2023/03/26/20230326135755-96738732-me.jpg

You can see in the log above that there is an authenticated session tqfe3uka6ijafjrkt1okb7erq1 and that it is used for things like the getStatus request, but then there are unknown sessions (not logged in), here r7gg164uve755672f0oms6b7m4 and qb5qmhe7uifjab339jmuoiqd2l, accessing images directly. I can also confirm that all these sessions appear in the DB and that only one of them contains the pwg_id (the others do not since they correspond to a guest login).

Steps to reproduce the behavior:
To reproduce, just logging into a brand new Piwigo instance should produce the requests shown above, but it will most likely work unless images are protected.

Expected behavior
I would expect the iOS app to always use the authenticated session to access anything from the server and never use a "guest" login to download or upload anything.

Note that in a lot of cases, it actually uses the proper session but it's just in some cases that it does not. I am pretty sure this worked before and I suspect some of the new cache code may have introduced a code path where a "guest" session attempts to get photos.

What did you do already
I searched for similar issues and also tried looking at past commits to see if I could understand where the issue was coming from, but no luck. I disabled guest login (which I think is part of the issue), and it is not reproducible on the demo because I suspect the demo is not protecting URLs.

  • Search whether a similar issue is already reported?
  • Check for known workarounds in the issue tracker?
  • Did you check with guest login?
  • Did you try to reproduce it with https://www.piwigo.org/demo/ ?


Smartphone (please complete the following information):

  • Device: iPhone XS
  • iOS 16.6.1
  • App version 3.0.2

Additional context
As mentioned above, I do use the piwigo_privacy extension (well, somewhat modified) and I initially looked there for the issue, but it seems to be doing as it should (i.e. denying guest access to images). The issue seems to be the iOS app making guest requests when it should ideally be making authenticated ones.
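The server-side symptom in the log above (an authenticated session for the API calls, then image files served under freshly auto-created guest sessions) is mechanical enough to detect automatically. The script below is an added example, not part of the issue or of Piwigo: it walks the user.inc.php debug lines quoted in the report, pairs each "Attempting to read session" with the "Set id to"/"Auto guest login" outcome and the "Request is" line that follows, and flags every direct `_data/...` image fetch served under a guest session. The log format, the guest user id 2 and the regexes are taken from the quoted lines; the FIFO pairing of concurrent requests is an assumption explained in the comments.

```python
import re
from collections import deque

# Debug lines copied from the user.inc.php instrumentation quoted in the issue
# (user 2 is the "guest" user, user 3 a registered user). Timestamps are kept so
# the parser runs on the raw log format.
SAMPLE_LOG = """\
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.login,vandr,xxxxxx
[2023-09-25 3:48:17]    [DEBUG] AT END user id is 2
[2023-09-25 3:48:17]    [DEBUG] Logging user 3
[2023-09-25 3:48:17]    [DEBUG] Opening session at
[2023-09-25 3:48:17]    [DEBUG] For tqfe3uka6ijafjrkt1okb7erq1 writing pwg_device|s:7:"desktop";pwg_mobile_theme|b:0;pwg_uid|i:3;
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.session.getStatus
[2023-09-25 3:48:17]    [DEBUG] Attempting to read session tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Cookies are tqfe3uka6ijafjrkt1okb7erq1
[2023-09-25 3:48:17]    [DEBUG] Set id to 3
[2023-09-25 3:48:17]    [DEBUG] Request is json,pwg.categories.getList,medium,0,0,true
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Attempting to read session r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are r7gg164uve755672f0oms6b7m4
[2023-09-25 3:48:18]    [DEBUG] Cookies are qb5qmhe7uifjab339jmuoiqd2l
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Auto guest login
[2023-09-25 3:48:18]    [DEBUG] Request is 54281,_data/i/upload/2022/03/01/20220301235416-1b6c89b8-me.jpg
[2023-09-25 3:48:18]    [DEBUG] Request is 54915,_data/i/upload/2023/03/26/20230326135755-96738732-me.jpg
"""

GUEST_UID = 2  # the installation's guest user id, as stated in the report

READ_RE = re.compile(r"Attempting to read session (\S+)")
WRITE_RE = re.compile(r"For (\S+) writing .*pwg_uid\|i:(\d+);")
SETID_RE = re.compile(r"Set id to (\d+)")
GUEST_RE = re.compile(r"Auto guest login")
REQ_RE = re.compile(r"Request is (\S+)")
IMAGE_RE = re.compile(r"^\d+,(_data/\S+)$")  # "54281,_data/i/upload/...": a direct file fetch


def analyse(log_text):
    """Walk the log once and return (findings, session_uid).

    session_uid maps every session id seen to the user id the server resolved it
    to (GUEST_UID for auto guest logins). findings lists every direct image fetch
    (_data/... path) that the server served under a guest session.
    """
    pending = deque()   # session ids read from cookies, not yet resolved to a uid
    resolved = deque()  # (session, uid) pairs waiting for their "Request is" line
    session_uid = {}
    findings = []

    for line in log_text.splitlines():
        if m := READ_RE.search(line):
            pending.append(m.group(1))
        elif m := WRITE_RE.search(line):
            # Session data written at login: records which session carries pwg_uid.
            session_uid[m.group(1)] = int(m.group(2))
        elif m := SETID_RE.search(line):
            if pending:
                sess = pending.popleft()
                session_uid[sess] = int(m.group(1))
                resolved.append((sess, session_uid[sess]))
        elif GUEST_RE.search(line):
            if pending:
                sess = pending.popleft()
                session_uid[sess] = GUEST_UID
                resolved.append((sess, GUEST_UID))
        elif m := REQ_RE.search(line):
            # Assumption: the request line is logged after its session was resolved,
            # so pair FIFO. Two concurrent requests (as in the sample) may swap with
            # each other, but both still map to the same class (guest or not).
            sess, uid = resolved.popleft() if resolved else (None, None)
            img = IMAGE_RE.match(m.group(1))
            if img and uid == GUEST_UID:
                findings.append({"session": sess, "uid": uid, "path": img.group(1)})
    return findings, session_uid


def authenticated_sessions(session_uid):
    """Sessions the server resolved to a real (non-guest) user."""
    return {s for s, uid in session_uid.items() if uid != GUEST_UID}


def report(log_text):
    """One human-readable line per guest image fetch, noting whether an
    authenticated session existed in the same log window (the report's symptom)."""
    findings, session_uid = analyse(log_text)
    auth = authenticated_sessions(session_uid)
    lines = []
    for f in findings:
        suffix = f" while authenticated session(s) {sorted(auth)} existed" if auth else ""
        lines.append(f"GUEST FETCH {f['path']} via session {f['session']}{suffix}")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

On the quoted log this reports both `-me.jpg` fetches as guest fetches made while session tqfe3uka6ijafjrkt1okb7erq1 (uid 3) was live. Pointing it at a full day of log output turns "sometimes it uses the session, sometimes not" into a list of exactly which paths were fetched without one.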

@benjaminchodroff

Can confirm. If you access a piwigo 13.8.0 server site, such as my own https://benchodroff.com/photos, using the latest TestFlight piwigo mobile 3.1 ios app, and do not login, you will be unable to download any photos from the iOS app even though everything else works.

However, if you then login, you can download photos.

Would greatly appreciate a fix so that even anonymous users can download photos.

@romain-intel (Author)

I'm not sure this is the exact same problem but may be related. My issue is that it is using a guest session when it shouldn't but yours seems to be that it is not using a guest one when you want it to. They may definitely be related.

Any update from the developers? Happy to provide more information if it helps.

Thanks!

@romain-intel (Author)

Gentle ping on this? I am happy to help if I can. This is not an area I am too familiar with but happy to try with a bit of guidance. Thanks!

@EddyLB (Collaborator) commented Oct 22, 2023

Hi @romain-intel
It is mandatory to open a session for retrieving the URLs of the images (unless guests have access to them). So the iOS app opens a session, retrieves the URLs with this session and then downloads the images as guest. Even if image URLs are quite complex, I agree that it is not secure enough and we are going to fix this issue.

@romain-intel (Author)

Hello @EddyLB, thanks for your response. Yes, I saw it opening a session and that part works fine. I think we are saying the same thing namely: images are then currently sometimes downloaded without a session and you are saying that you will fix it so that image URLs as well as images are fetched using the authenticated session. Is that correct? If so, then yes, I think this would fix the issue I am seeing. (and to be clear, sometimes pictures are downloaded with a session, sometimes not, it's very weird :) ).
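The sequence EddyLB describes (open a session, fetch image URLs with it, then download the files without it) is also a useful server-side check: if the file download succeeds without the cookie, the gallery is relying on URL obscurity rather than on access control, which is exactly what piwigo_privacy is meant to prevent. The script below is an added example and is not code from the issue, the iOS app or the Piwigo project. It reproduces that sequence against a Piwigo instance and reports, per album representative image, whether the file is readable without the session. Assumptions: the web API methods `pwg.session.login` and `pwg.categories.getList` with its `tn_url` field, the session cookie name `pwg_id`, and the host `gallery.invalid` used by the built-in simulated server, which stands in for a real instance so the check runs offline.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

PWG_COOKIE = "pwg_id"  # assumption: Piwigo's session cookie name


def urllib_fetch(url, data=None, cookie=None, timeout=15):
    """Minimal HTTP client returning (status, headers, body). It never stores
    cookies itself, so the caller decides whether a session is presented."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    if cookie:
        req.add_header("Cookie", f"{PWG_COOKIE}={cookie}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            set_cookie = "; ".join(resp.headers.get_all("Set-Cookie") or [])
            return resp.status, {"Set-Cookie": set_cookie}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {}, err.read()


def session_cookie(headers):
    """Pull the pwg_id value out of a Set-Cookie header string."""
    for part in headers.get("Set-Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == PWG_COOKIE:
            return value
    return None


def ws(base, method, **params):
    """Build a ws.php URL for a Piwigo web API call (assumed parameter layout)."""
    return f"{base}/ws.php?" + urllib.parse.urlencode({"format": "json", "method": method, **params})


def login(base, user, password, fetch):
    body = urllib.parse.urlencode({"username": user, "password": password}).encode()
    status, headers, raw = fetch(ws(base, "pwg.session.login"), data=body)
    if status != 200 or json.loads(raw).get("stat") != "ok":
        raise RuntimeError(f"login failed: HTTP {status} {raw[:200]!r}")
    cookie = session_cookie(headers)
    if not cookie:
        raise RuntimeError("login succeeded but no pwg_id cookie was issued")
    return cookie


def representative_urls(base, cookie, fetch):
    """Album representative thumbnails (tn_url) as returned to the logged-in session."""
    url = ws(base, "pwg.categories.getList", recursive="true", thumbnail_size="medium")
    status, _, raw = fetch(url, cookie=cookie)
    if status != 200:
        raise RuntimeError(f"getList failed: HTTP {status}")
    cats = json.loads(raw)["result"]["categories"]
    return [c["tn_url"] for c in cats if c.get("tn_url")]


def check(base, user, password, fetch=urllib_fetch):
    """Fetch each representative image with the session and without it.
    guest_readable=True means URL knowledge alone is enough to get the file (the
    app's guest download works but the file is unprotected); False means the
    server enforces access and the app's guest download breaks, as reported."""
    cookie = login(base, user, password, fetch)
    results = []
    for url in representative_urls(base, cookie, fetch):
        with_session, _, _ = fetch(url, cookie=cookie)
        as_guest, _, _ = fetch(url, cookie=None)
        results.append({"url": url, "with_session": with_session,
                        "as_guest": as_guest, "guest_readable": as_guest == 200})
    return results


def make_simulated_fetch(protected):
    """Constructed stand-in for a Piwigo server so the check runs offline.
    protected=True mimics piwigo_privacy (guests get 403 on the image file)."""
    cookie_value = "s3ss10n"
    img = "https://gallery.invalid/_data/i/upload/2022/03/01/example-me.jpg"

    def fake_fetch(url, data=None, cookie=None):
        if "pwg.session.login" in url:
            return 200, {"Set-Cookie": f"{PWG_COOKIE}={cookie_value}; path=/; HttpOnly"}, b'{"stat":"ok","result":true}'
        if "pwg.categories.getList" in url:
            cats = [{"id": 1, "tn_url": img}] if cookie == cookie_value else []
            return 200, {}, json.dumps({"stat": "ok", "result": {"categories": cats}}).encode()
        if url == img:
            ok = cookie == cookie_value or not protected
            return (200 if ok else 403), {}, (b"\xff\xd8" if ok else b"")
        return 404, {}, b""
    return fake_fetch


if __name__ == "__main__":
    base_url, username, password = sys.argv[1:4]
    for r in check(base_url, username, password):
        label = "GUEST-READABLE" if r["guest_readable"] else "protected"
        print(f"{label:14} session={r['with_session']} guest={r['as_guest']} {r['url']}")
```

Run it as `python check_guest_download.py https://your.gallery user password`. On an instance without piwigo_privacy every line will read GUEST-READABLE, which is why the demo site does not reproduce the report; on a protected instance the guest status is 403 and any client that drops the session for the file fetch will fail exactly as described.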
