smd_access_keys: secure, limited access to content

Bloke · 2011-04-18 21:32:05

TXP is all about openness; your URLs and file_downloads are always available. Fight back and keep people out of certain areas or offer additional content to those that have earned it.

Download the plugin

Using this plugin you can very easily generate a unique, tamper-proof access key for almost any TXP URL (including file_downloads). Keys can either be generated from the admin interface or they can be generated via a public tag. The latter allows you to do some cool things, for example:

generate a key in a zem_contact_reborn thanks_form, permitting access to premium content in exchange for some user-submitted information
put an access key in a mem_self_register email_form to deliver access to a URL upon successful registration — this could also be used for account activation or double-opt-in schemes
allow people to generate access keys from an admin-side dashboard

The keys can be time-limited (granularity in seconds) and/or by number-of-accesses. Once the time limit has expired or the quantity of access attempts has been reached, the resource becomes unavailable. You can also schedule a resource to become available from a particular time in future, for a particular time period, which gives the opportunity to run time-limited promotions. Implementation deviousness is left to your imagination.

All keys are hashed and salted for security and even two keys generated for the same resource are different. You can lock entire pages or parts of pages (by using the protection tag as a container). An admin interface allows you to manage / delete keys and keeps track of access attempts; it will even (optionally) log IP addresses, integrating with the TXP visitor logs.

Take it for a spin and let me know any seriously cool uses you manage to implement. Also, as ever, I’m here for support, improvements or foibles that the plugin may throw your way.

Revision history
————————

All available versions and changes are listed here. Each entry indexes the relevant post(s) in the thread to learn about the features.

18 Apr 2011 | 0.10 | Initial release
30 Jan 2012 | 0.11 | Added expires to smd_access_key ; fixed no-criteria output ; plays nicely with gbp_permanent_links (thanks jakob) ; fixed subdir URL error, added section_mode attribute and fixed URL decoding (thanks sacripant)

Last edited by Bloke (2012-01-30 15:59:07)

PascalL · 2011-04-19 12:24:17

Excellent !
I will use it in conjunction with mem_public_article, for now users can post articles on my site, but not modify them. This will allow me to take advantage of the editing capabilities of mem_public_article, by sending an edit link to authors of articles which have been accepted.

Thanks Bloke, a great plugin again !

Last edited by PascalL (2011-04-19 12:24:43)

Zanza · 2011-04-19 14:05:35

It looks wonderful and also… overwhelming. :)

I have to try (not installed 4.0.4 yet… I should do, I know), for now I’ve just read the plugin page. Just to be sure, consider this scenario:

A site is willing to have premium content for paying users. People should register and then have access to certain contents for a year. Then, if they renew their account, another year will be added, and so on. This can be achieved with smd_ak? With a paypal or other bridging? And when people renew, the access key could remain the same, or do they have to follow a different link? Because I suppose that this system is more suite to one-shot content, than for subscription type. Am I wrong?
Second question: to secure the downloads, they have to be in another folder, and managed throug your smd_file plugin, aren’t it?

Thanks, just thinking ahead how to use your amazing works…

Bloke · 2011-04-19 14:54:45

PascalL

Sounds like a neat implementation. If you get a chance to share details some day, that would be great.

Zanza wrote:

I suppose that this system is more suite to one-shot content, than for subscription type.

Yes. Well, yes and no :-)

Primarily yes, it’s one-shot stuff. “You entered the coupon / submitted your valid e-mail address for a download and here is your personal copy. Use the link within the next 24 hours. You get two attempts to access it (if you don’t need both, send the link to a friend quickly!)”

But you could use it for subscription-based content if you made the token never expire. Thus you can protect, say, a section of your site by putting the tag at the top of your Page template (with the force="1" attribute). Send someone a link and they can access the section; without a key the content is locked. But there’s nothing to stop someone from passing the link to a friend.

For the scenario you mentioned, you could make the content expire after a year (that’s a LOT of seconds! :-) and in the access_protect’s <txp:else /> section you could put a message inside an <txp:if_access_error type="smd_akey_err_expired"> conditional that directs people to PayPal to renew their subscription (people who visit without a valid token can be shown a different message like “to gain access to this content, please subscribe”).

Initially you might think it makes sense to set the ‘return’ URL from the PayPal process to some TXP article like /account/get-code. Thus you could redirect the visitor to this page on successful payment. BUT there’s nothing to stop someone else finding this page and visiting directly to get a free access key so you would have to be cunning; perhaps employing PayPal’s IPN framework to validate the payment or something might work here (but that’s outside the scope of the plugin).

An alternative approach might be to generate a new code for the subscription-only page in the ‘else’ portion of the subscription-only Page itself (i.e. when the page has expired/had an unauthorized visit) and pass this silently to PayPal as the return address. On successful payment, the subscription content is displayed, whereby you can instruct the subscriber to bookmark the URL for future use.

As you can see, there are a few ways to approach this. Just depends on your level of cleverness. Either way, it is best to renew the access key. In fact, once a key has expired the only way you can extend it is by altering the page code to increase the expires attribute, but that affects everyone.

Second question: to secure the downloads, they have to be in another folder, and managed throug your smd_file plugin, aren’t it?

Nope. The beauty of this is that you can securely offer files from TXP’s standard /files directory. However, such files are directly accessible via /files/some-file-name so you do need to prohibit this kind of access, either by moving /files to a non-web-root location or using the .htaccess file in the /files dir shipped with TXP 4.4.0.

Once your directory is secured from direct access, the only route to the files is via TXP’s /file_download/id/some-file-name mechanism and then you can use smd_access_key to protect any of the files.

Does that help?

Zanza · 2011-04-19 15:35:04

Bloke wrote:

Does that help?

Definitely on the second part. On the first, let me tune my level of cleverness up a bit and I’ll let you know. Based on my actual level, it may take a while, though… :)

Bloke · 2011-04-20 15:02:07

Although this may be obvious to some, I’ve just stumbled upon something I didn’t realise the plugin could do. For account activation purposes I’d been using this type of tag:

<txp:smd_access_key
     url="/account/activate"
     trigger="new_user"
     extra='<txp:mem_username />'
     max="1" />

i.e. I was protecting the ‘activate’ article in the ‘account’ section. That returns a URL like this: http://site.com/account/activate/new_user/c4050a2f8a5511ec5399d7ca22b08c819a101d78/4daef315.1/testme

It turns out that I can protect the ‘activate’ article and combine the trigger in one, making a leaner URL:

<txp:smd_access_key
     url="/account/"
     trigger="activate"
     extra='<txp:mem_username />'
     max="1" />

Which returns this: http://site.com/account/activate/da287fe84c957de91fb29b635053ff3cc4c755c3/4daef06b.1/testme.

I was pleasantly surprised when it worked. I like that kind of surprise. Will document it in the plugin at some point.

Last edited by Bloke (2011-04-20 15:05:18)

johnstephens · 2011-05-06 15:57:46

Excellent plugin!

I just found an odd behavior, but maybe it’s expected: It doesn’t like long URLs. The site editor created an article with a very long title, resulting in a 172 character url-title. With the access key, that became 254 characters, and it returned the “Nice try” error message.

When I manually changed the url-title to something 45 characters long, it worked fine again.

Bloke · 2011-05-07 07:41:36

johnstephens wrote:

Excellent plugin!

Thanks.

It doesn’t like long URLs.

Yeah it’ll he hitting the TXP limit which, I think, is something like 200 chars by default. If your site editor is creating huge URLs you might want to look into increasing the limit in Advanced Prefs.

Using POST instead of GET in the plugin is not really an option ‘cos you wouldn’t be able to share the URLs so I’m afraid we’re stuck with it.

whaleen · 2011-05-14 19:18:30

Potential Use Case:

I’m building a little classifieds site for a barter and trade community. I was thinking a great way to build up the user base was by invites like gmail had back in the beginning.

How I image it working out:

Public side generation of access keys for a registered site user being 10 “invites” per user. Those keys would be generated possibly the first time they visit their “settings” page or their “do stuff with their account” page. The keys would have to be stored for use by only them as they use them up one by one so that they can be fired off in an email form allowing them to specify the recipient and also can load in the next of the remaining access keys into the email message. Tricky thing is where the access keys remain and can they be knocked off one at a time from the list of that users own keys with the sending of an invite form.

I wanted to post this idea here as this seems like a place for those kinds of ideas. There may be another way and I don’t know if I’ll have any success but will certainly share if I do and would appreciate any thoughts or ideas.

Another great plugin Stef!

Bloke · 2011-05-15 08:10:21

whaleen

I think this plugin’ll fit quite nicely into that use case. As an alternative, how about when they do their “account stuff” first time you generate one key and set its max limit to 10 impressions? Then the person is free to send it to ten other people. If they send it to 11 then only the first ten get in.

Question: what is the ‘resource’ you are thinking of protecting? You need a destination url. Would that be a welcome message or something? And a signup form?

For best control I would put an “invite” button on your user control panel / dashboard and only make it visible if the access attempts count is < 10. For that to work you have to stash the key somewhere, linked to the invitee’s account and set no time limit. A field in smd_bio is one option. You can then retrieve the key’s details via smd_query to find out how many are left. You should be able to reverse engineer the record in the smd_akeys table by extracting the t_hex part of the key you have saved on the user’s behalf. The structure is:

url/trigger/token/t_hex.max_limit/extras

As long as you don’t have two people doing initial account stuff at exactly the same second the t_hex will be unique. You could always add some unique extra info to the key itself at generation time, although that’s not stored so I’m not sure how much use that’ll be to guarantee that you’re looking at the right record. Perhaps a better way is to use a unique trigger; probably part of the unique info. You can protect the page using the ‘begin’ trigger_mode. Then you have another mechanism to verify that the record you look up in the database is definitely the one linked to the account.

Ultimately, if you look that up, you can extract the accesses and test if it’s less than maximum. If it’s been exceeded just don’t display the Invite button (or perhaps display a “get more invites” button if you like the smell of the user?!)

I could probably make this easier actually by supplying some hooks or other record access functions, or at the very least allow you to query an access key and separate it into its components so you can do your own logic. I’ll look into that, but in the meantime have a play with the above and let me know how you get on. We can go from there to make your job easier once you’ve hit any potential roadblocks.

sacripant · 2011-07-14 12:37:00

Hello TxP users, Hi Steve,
Another Plug’in seems to me very practical, but I once again struggling to make it work.
I want use this plug’in to create a page that allows multiple people to download files

The site is locally in a subfolder:
http://localhost/client/trunk

Permanent link mode : /section/id/title

For my test I created a section private and a page private.

The URL of the page to be protected is:
http://localhost/client/trunk/private

private page :

<txp:smd_access_key trigger="steve" />

<txp:smd_access_protect expires="0" trigger="john" force="1">
	<h1>JOHN</h1>
	<p>Content only for John </p>
</txp:smd_access_protect>

<txp:smd_access_protect expires="0" trigger="steve" force="1">
  	<h1>STEVE</h1>
	<p>Good plug'in Steve</p>
</txp:smd_access_protect>

First problem, smd_access_key generate the following URL:
http://localhost/client/trunk/client/trunk/private/steve/…
He has written two client/trunk/

If I add the url attribute
<txp:smd_access_key trigger="steve" url="/private"/>
it generates a url like:
http://localhost/zenith/trunk/private/steve/e68a6af8b900c8d881a782fa8c27ee308259301c/4e1ed778
It seems ok.

But if I ask this url to the browser, textpattern me back to the page error. As if it interprets the trigger as the title of an article he does not find.

Is it possible to protect a part of a section? Or it is only possible for articles/files contexts ?
Why is the automatic generation of the URL does not work, because the site is in a subfolder ?

Bloke · 2011-07-16 14:40:12

sacripant wrote:

has written two client/trunk/

Ah yes, a bug with subdir installs.

As if it interprets the trigger as the title of an article he does not find.

That’s exactly what’s happening. Txp thinks the token is part of link to an article and complains. This’ll happen in pretty much all permlink schemes.

As it happens, I was working on an update to fix a bug with gbp_permanent_links that jakob alerted me to. I also added the ability to permit the key to expire (as well as, or instead of, the protected resource itself). I rolled in the subdir fix and have tentatively added a facility whereby you can specify whether you would like the plugin to operate in “section mode”. The tokenized URLs are then made more section-friendly (which does have some side effects, but most of them can be worked around).

This version is currently with sacripant, and I’m awaiting feedback on whether it works or not. If anyone else would like to try it, please let me know.

Last edited by Bloke (2011-07-16 14:53:02)

Textpattern CMS

Textpattern CMS support forum

#1 2011-04-18 21:32:05

smd_access_keys: secure, limited access to content

#2 2011-04-19 12:24:17

Re: smd_access_keys: secure, limited access to content

#3 2011-04-19 14:05:35

Re: smd_access_keys: secure, limited access to content

#4 2011-04-19 14:54:45

Re: smd_access_keys: secure, limited access to content

#5 2011-04-19 15:35:04

Re: smd_access_keys: secure, limited access to content

#6 2011-04-20 15:02:07

Re: smd_access_keys: secure, limited access to content

#7 2011-05-06 15:57:46

Re: smd_access_keys: secure, limited access to content

#8 2011-05-07 07:41:36

Re: smd_access_keys: secure, limited access to content

#9 2011-05-14 19:18:30

Re: smd_access_keys: secure, limited access to content

#10 2011-05-15 08:10:21

Re: smd_access_keys: secure, limited access to content

#11 2011-07-14 12:37:00

Re: smd_access_keys: secure, limited access to content

#12 2011-07-16 14:40:12

Re: smd_access_keys: secure, limited access to content

Board footer