• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

xfCheck [Deleted]

Mythotical

Well-known member
#1
Mythotical submitted a new resource:

xfCheck - License validation storing encrypted tokens.

Like the new me or updates being released, ask me how you can donate any amount of money to help in maintaining the environment I develop on and keep the support free.

Description: xfCheck is a license validation system for XenForo. If you want your site to validate XenForo licenses before allowing access to the full site then this add-on does just that. The user will input their generated token and domain, the generated token is encrypted and stored. This provides a sense...
Read more about this resource...
 

Mythotical

Well-known member
#5
How about adding the token and domain fields to the registering page, if it fails, it prevents registering for the forum
Good idea, that would require me to do another part where it can be enabled for current users and upon registration do the check or just registration or after registration using cron.

Thank you :)

But, what is the difference with this add-on?
tyteen4a03 is correct. Reading the description of KK's and mine you will see the significant difference.

This addon stores your tokens while KK's addon does not.

You didn't post your actual encrypted content. Cheating :p
Here is the code when I download my blob and open with a text editor: Äs ?ûN∫t=K ¿ÌNÅxú∂äÒ>ÄÅ◊_`Ÿ˘

Figure that code out. LOL
 

Sheratan

Well-known member
#8
I mean, if user A validating himself with his token and domain, can user B validating himself with user A token and domain?
 

Mythotical

Well-known member
#9
Yes but the only way that can even be possible is for User B to hack User A and grab a token hence User A can change their password on the XenForo site and generate a new token making the token User B has invalid. So more or less it is yes and no.
 

Mike Edge

Well-known member
#10
Yes but the only way that can even be possible is for User B to hack User A and grab a token hence User A can change their password on the XenForo site and generate a new token making the token User B has invalid. So more or less it is yes and no.
I think what he means is, make the field in the database unique, so if a valid token gets distributed though a warez site, 50 people all can't verify using the same token.
 

Mike Edge

Well-known member
#12
Damn good suggestion Mike one I was considering in going to make but was unsure whether it was possible. +1 and Liked Suggestion
Yeap, would love to see my idea added. If not in the full form. Maybe as 1st step, sort of like how vB uses enter your age to continue. Once you validate your domain and token, it takes you to step 2. Also would like to have the domain used saved to database as custom user title.
 

Lisa

Well-known member
#13
I think what he means is, make the field in the database unique, so if a valid token gets distributed though a warez site, 50 people all can't verify using the same token.
If people change their token after validating it a) 50 people can't verify using the same token and b) saving the token via the addon is pointless.
 

Mythotical

Well-known member
#14
I think what he means is, make the field in the database unique, so if a valid token gets distributed though a warez site, 50 people all can't verify using the same token.
If people change their token after validating it a) 50 people can't verify using the same token and b) saving the token via the addon is pointless.
I can see where Mike is coming from because my addon grabs the permanent token and holds it in encrypted form. That way it could be unique, the thing is that with encryption I'm not sure I could make the field unique. I would have to include a system that reports to admins duplicate tokens then let the admin handle it.
 

Lisa

Well-known member
#15
I can see where Mike is coming from because my addon grabs the permanent token and holds it in encrypted form. That way it could be unique, the thing is that with encryption I'm not sure I could make the field unique. I would have to include a system that reports to admins duplicate tokens then let the admin handle it.
Yes but if someone uses a token to validate somewhere using your addon and then changes their token straight after validation takes place.. then the existing token no longer exists... so what's the point in keeping it on record?
 

Shelley

Well-known member
#16
Yes but if someone uses a token to validate somewhere using your addon and then changes their token straight after validation takes place.. then the existing token no longer exists... so what's the point in keeping it on record?
Good point.

I think just a easy means of confirming they are legit and that is the end of that. I don't think records are needed and keeping the simplicity is probably the better step to take without it making it overly complicated.
 

Mythotical

Well-known member
#19
Yes but if someone uses a token to validate somewhere using your addon and then changes their token straight after validation takes place.. then the existing token no longer exists... so what's the point in keeping it on record?
The record that is stored is the returned license_token, the generated token is replaced by that which is a permanent token. I did it that way for future validation if site owners need to have yearly validations or whatever then the user would generate a new token, if the license token returned matches what is in the database then the validation is successful otherwise it is failed and the user is unvalidated at that time. Permanent license tokens are unique in that they can be returned when validating but that is it. The purpose I'm implementing for them is to keep things unique as Mike stated above in turn I will set a cron to run daily and to check returned license tokens against current entries then upon registration reject if there is a match and if some one slips by then the admin is notified.

As I stated in the original post, this does not save the generated token, it saves the returned permanent token that no one will know or have access to unless you are the license owner.
 

Mythotical

Well-known member
#20
One more update once XF1.2 is release then xfCheck will reach EOF as I don't see it being used too often but I will leave the current version for those who may wish to use it. I will update it as well to work with any XF that is released and it breaks.

If you wish to use a version that does not store anything you can use @King Kovifor [XI] License Validation