The SMF plugin for Bitshares login protocol.

[gamey]

hxxp:bytemaster.bitshares.org/article/2014/12/22/BitShares-Login/ [nonactive] is the blog post for the protocol/feature itself. I implemented support for it within SMF at hxxp:bitsharesnation.org [nonactive]

Brief background to explain problem -
A one time token is generated on the server end and embedded into a button.  When the user clicks on the button, a protocol handler is called for the bts protocol and the bitshares client (bitshares is like bitcoin 2.0) does the crypto-authentication locally and then calls the callback url which would point to the originating erver..  This allows user authentication that eliminates man in the middle by using a centralized certificate authority.

tl;dr - One time token generated inside smf frontpage, will it be cached by the SMF caching system?

My concern is that caching will cache the one-time token and give it to multiple users.  So if the page is cached every 5 minutes, only the first login would work in those 5 minutes until the cache expired. Is this a valid concern?

My other problem is escaping out the calls to create user etc.  I assume this is readily documented in a developer guide?  If not, does anyone want to point me in the right direction?

[Kindred]

Not sure about the cache question...

On the subject of integration....http://wiki.simplemachines.org/smf/Category:Integrating_SMF

[gamey]

Not sure about the cache question...

On the subject of integration....http://wiki.simplemachines.org/smf/Category:Integrating_SMF

It has been integrated already.  The caching turns out to all be done at the database level and didn't impact it.  (Well according to my tests and searching this forum)

However I am still unsure about the following. 

Reading the source code of Subs-Members I see this.

        int registerMember(array options, bool return_errors)
                - the strings used in the options array are assumed to be escaped.

^^ This is what I am not sure about.  Escaped to prevent sql injection attacks..  Escaped in what regard ?  I found this list of functions below but none of them seem to be a clean fit.  Escaping means different things within different contexts.

http://support.simplemachines.org/function_db/index.php?action=view_file;id=41 has a list of related functions but none of them seem like a clear fit.

[Arantor]

No, escaped to prevent persistent XSS. SMF does its own protection against SQL injection just fine with parameterised queries.

So let's just look at what's done in registration (Register.php, Register2()):
* list all the fields that are known to be strings or ints or floats or bools that could possibly be part of registration
* htmltrim everything (htmltrim__recursive() stripping \n or \r characters on $_POST)
* hash the secret answer if one is provided (for the 'security question if you forget your password')
* convert all whitespace into space characters, even the more esoteric Unicode ones
* sanitise the MSN/birthday fields to known formats
* strings get pushed through SMF's encoding-aware form of htmlspecialchars, ints/floats get cast as such, bools get cast to 0 or 1 rather than false or true (since they're stored in the DB as 0 or 1)
* anything left in the realms of user preference that can be supplied, which is not usually done via registration if I remember but left for integration cases, is pushed through htmlspecialchars too
* custom fields are checked against the masks etc. they get but registerMember() does not deal with these (other things do)

So yeah, that's the gauntlet to run for the various specific kinds of data that registration expects. Hard to know how much applies to you at this stage.