One-Click login to any RoundCube account from DirectAdmin (SKINS)

Version 1.582


BETA NOTE: RoundCube 1.3.10 requires version 0.2 of the direct_login module. If you're having issues, please run:

./build update
./build roundcube

Issue report:
--------------
New feature, found on the E-Mail Accounts page of the User Level, where the "Login" column will show extra characters (arrow and letter) to signify that the one-click login method is enabled.

By default it's disabled (for now), with the internal default being:

one_click_webmail_login=0

To enable it, run:

cd /usr/local/directadmin
./directadmin set one_click_webmail_login 1
service directadmin restart
cd custombuild
./build update
./build dovecot_conf
./build exim_conf
./build roundcube

Requires CustomBuild build script at least rev 2148.

==========================
FUNCTIONALITY

1) When the "Login" URL is clicked for the given email account, a javascript function will post to:
CMD_WEBMAIL_LOGIN

2) This user and a new random crypted pass is set up in /etc/virtual/, eg:
fred:$1$5jhn5mhn$q8oyAqlkAYXd7KJlSRqlY.::::::created=1566594254
with only the created timestamp as additional information, as it is only used as the dovecot passdb, not the user info (which still uses the passwd file).

3) DA also creates a token file for the RoundCube login:
/var/www/html/roundcube/direct_login/tokens/TOKENHASH
where the TOKENHASH file contains the encoded email, password, client IP, and creation time.

4) DA outputs an auto-submitting form to <host>/roundcube/direct_login/index.php with token=TOKENHASH

5) The direct_login/index.php reads in the TOKENHASH to ensure it's all correct. There is a 10 second window from the time in the token, after which the token is denied. The TOKENHASH file is deleted regardless of whether it worked or not. Only the IP used to create the token through DA/2222 is allowed to use this token.

6) The direct_login/index.php then logs the User into RC and creates the cookies, etc.

----

7) The full tally run in dataskq will check/clear old RoundCube tokens, and old passwd_alt entries.
The direct_login code in RC only allows tokens to live for 10 seconds. The tally check cleans them up if they're more than an hour old (it only runs once a day, so they could sit a while if the request didn't go through). passwd_alt entries are cleaned up if they're older than 16 hours. Any changes/additions to a passwd_alt by DA would do the check to clear them out sooner, but the task.queue would still clean them up daily if they're more than 16 hours old at the time of the check. This means your login is at most 16 hours. Should be plenty.

==========================
TECHNICAL

You shouldn't need to know this, but RoundCube, Dovecot, and the do require changes for this to work. CustomBuild will be able to do this for you, just run:

./build update
./build dovecot_conf
./build roundcube

after enabling the directadmin.conf setting.

Very rough (not for anyone to use, just as a reference):

wget -O /etc/dovecot/conf/alternate_passwd.conf
cd /var/www/html/roundcube
wget
tar xvzf roundcube_direct_login-0.1.tar.gz
chown -R webapps:webapps direct_login
chmod 700 direct_login
chmod 700 direct_login/tokens

/etc/ needs to be version 28 or higher, to parse the passwd_alt files.

==========================
SKINS

user/email/pop.html
added JS+form to be triggered by the login column:

|*if HAVE_ONE_CLICK_WEBMAIL_LOGIN="yes"|
<script type="text/javascript">
<!--
// start preload code
function webmail_login(email)
{
	document.getElementById("webmail_email").value = email;
	document.getElementById("webmail_form").submit();
}
// done with preload code
-->
</script>
<form id='webmail_form' action='CMD_WEBMAIL_LOGIN' method='POST'>
<input id='webmail_email' type='hidden' name='email' value=''>
</form>
|*endif|

==========================
JSON

You'll see this token:
"HAVE_ONE_CLICK_WEBMAIL_LOGIN": "yes",
which can be used to POST the above form to CMD_WEBMAIL_LOGIN as needed.
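The checks that FUNCTIONALITY steps 3 to 5 describe for the token (10 second window, client IP must match, file deleted whether or not the login succeeded), as an added illustration in Python; this is not the direct_login module's PHP code, and the JSON token encoding, the function names and the sample values are assumptions made for the example.

```python
import json
import os
import secrets
import tempfile

TOKEN_TTL_SECONDS = 10  # window stated in the feature description

def issue_token(token_dir, email, password, client_ip, now):
    """Write a one-time token file and return its name (the TOKENHASH)."""
    token = secrets.token_hex(16)
    record = {"email": email, "password": password, "ip": client_ip, "created": now}
    with open(os.path.join(token_dir, token), "w") as fh:
        json.dump(record, fh)  # constructed encoding; the real format is not on the page
    return token

def redeem_token(token_dir, token, client_ip, now):
    """Return (email, password) when the token is valid, else None.
    The file is removed regardless of outcome, so a token is usable at most once."""
    # Accept only the hex names issue_token produces, so the name cannot
    # resolve to a path outside token_dir.
    if not token or any(c not in "0123456789abcdef" for c in token):
        return None
    path = os.path.join(token_dir, token)
    try:
        with open(path) as fh:
            record = json.load(fh)
    except (OSError, ValueError):
        return None
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    age = now - record["created"]
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return None  # expired (or clock went backwards): denied
    if record["ip"] != client_ip:
        return None  # only the IP that requested it via DA/2222 may use it
    return record["email"], record["password"]

def demo():
    """Happy path plus the three failure modes; returns the outcomes."""
    d = tempfile.mkdtemp()
    t0 = 1566594254  # created= timestamp from the example passwd_alt entry
    ip, email, pw = "203.0.113.5", "fred@example.com", "s3cret"  # constructed
    t = issue_token(d, email, pw, ip, t0)
    ok = redeem_token(d, t, ip, t0 + 5)          # within 10 s, same IP
    replay = redeem_token(d, t, ip, t0 + 6)      # same token again: file is gone
    late = redeem_token(d, issue_token(d, email, pw, ip, t0), ip, t0 + 11)
    wrong_ip = redeem_token(d, issue_token(d, email, pw, ip, t0), "198.51.100.9", t0 + 1)
    return {"ok": ok, "replay": replay, "late": late, "wrong_ip": wrong_ip,
            "leftover": os.listdir(d)}  # every attempt must have removed its file
```

Note that the password carried in the token is the random passwd_alt entry DA generated for the login, not the mailbox's real password, which is why its 16 hour cleanup bounds the session.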
