
Farewell

Great is the art of beginning, but greater is the art of ending
Henry Wadsworth Longfellow

I announce that I cease all development and activity in the programming universe indefinitely. My career has reached the turning point I was not expecting for at least another year, leaving me highly off guard and without laid-out plans for this hobby's continuity. I have begun a 5-year residency program in Neurosurgery which is clearly not compatible, time-wise, with programming.

I gave in all my passion for developing, and you gave me back your loyalty and trust, even when I did not deserve that much. Now it is the time for payback. I release all my present and past work as Open Source software, in the hope some talented developer will continue maintaining and expanding my vision of a modern, sleek forum software. The intrinsic flexibility of MyBB is the true hidden gem of an otherwise outdated codebase; I do hope the project can continue and be updated complying with the latest coding standards.

I hereby thank Euan, kawaii, andrewjs18, Ben, Matt, Omar G., effone, Eric J., Devilshakerz, Wildcard, JordanMussi and all the other team members I have had the opportunity to work with when I was a MyBB team member. I thank Tomm M, my mentor, who inspired me to pick up coding with his piece-of-art plugins. And finally, I thank all of you MyBBoost subscribers who have helped me get through my toughest university years economically.

Yours sincerely, Filippo

Flyover development

20 Nov 2015 Edited
#1

Shade 29 Nov 2015 Edited
#21
I have been working on some Flyover enhancements during the weekend, which will be included in the next minor update going live in December 2015. Here are some previews on what's going on with Flyover's development.

Everyone's standard
Every social network chooses the authentication method they find the most suitable for their needs. There are currently 3 protocols used by the majority of them: OAuth 1, OAuth 2 and OpenID. Although they are different regarding the code implementation, they don't differ much under the security and usability aspects. Nonetheless, every provider has the chance to choose what information can or can't be retrieved during an authenticated request, resulting in a complete mess when it comes to handling information such as users' identifiers. HybridAuth already has a standardized approach to all this pot of data, meaning that if Facebook returns the user's identifier encapsulated in an array and Google passes it in an object, HybridAuth will pass it to Flyover under the same piece of data.

One field that every provider makes available is the identifier, something used to uniquely identify the user on their server. It is equivalent to MyBB's uid, and it is used by Flyover to associate social accounts to MyBB accounts.

Identifiers are passed without any sort of hashing or encryption methods. This is not an issue related to security on the front end part, since the authentication of users is done using the protocols mentioned above; but this may be an issue on the back end part, in case a malicious user obtains a dump of the database. Eventually, he might become aware of someone's identity by tracking down their social account using the plain identifiers stored by Flyover. Plus, some providers still use URIs or usernames as identifiers, which is not fairly secure from a privacy point of view. Note that this is a privacy issue, not a security one.

Flyover 1.2 will no longer store identifiers as plain strings but it will hash them using MyBB's random string known as salt, which is already used to hash passwords. This way, no one will ever know users' identifiers and database fields will be set to a defined length, resulting in a cleaner environment.

Email and passwords are for pricks
Logging in with a social network should already come emailless and passwordless by definition. However, MyBB performs tons of checks to ensure that email and passwords are present and they fit admin's preferred settings. I believed there was nothing like a hook to hack and play with the validator, but I was proven wrong: so emailless and passwordless accounts are actually possible.

Registrations should become even quicker and easier with this improvement, as your users won't need to enter an email and you won't need to send a password using the PM system. This feature has been already developed and it is available in beta testing on MyBBoost.
Shade 1 Dec 2015 Edited
#22
All seems to be working just fine. Passwords and emails have been 100% bypassed, you can now register without using them. Identifiers are now saved hashed (not with salt, but with the provider's name which is available prior to the login procedures unlike the salt itself) as 128-bit strings, and old, plain identifiers are updated accordingly when a user logs in (you won't need to run any upgrade script for this – the identifiers will be updated the first time someone logs in with the new version installed).

Once I put everything in the updater (some templates need to be updated) Flyover 1.2 will be out and ready.
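An added example, not part of the original posts and not Flyover's own code, of the scheme posts #21 and #22 describe: identifiers stored as fixed-length digests, with old plain rows upgraded the first time the user logs in. It assumes an in-memory array in place of the plugin's table and hypothetical names (`PSEUDONYM_KEY`, `pseudonymize`, `findUid`); unlike the provider-name hash in #22, it keys the digest with a server-side secret held outside the database, because a digest built only from public inputs can be recomputed for guessable identifiers by anyone holding the dump.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side secret. Assumption: it lives in a config file or
// environment variable, NOT in the database, so a database dump alone is not
// enough to recompute stored values from guessed identifiers.
const PSEUDONYM_KEY = 'constructed-example-key-replace-with-32-random-bytes';

// Keyed, provider-scoped pseudonym of a social identifier.
// The provider name gives domain separation: the same raw id on two
// providers yields unrelated values. Output is a fixed 64-char hex string.
function pseudonymize(string $provider, string $identifier): string
{
    return hash_hmac('sha256', $provider . "\0" . $identifier, PSEUDONYM_KEY);
}

// Find the local uid for a social login and upgrade a legacy plain row in place.
// $links stands in for the link table: rows of [uid, provider, identifier].
function findUid(array &$links, string $provider, string $identifier): ?int
{
    $hashed = pseudonymize($provider, $identifier);
    foreach ($links as &$row) {
        if ($row['provider'] !== $provider) {
            continue;
        }
        if (hash_equals($row['identifier'], $hashed)) {
            return $row['uid'];                 // row already migrated
        }
        if (hash_equals($row['identifier'], $identifier)) {
            $row['identifier'] = $hashed;       // lazy upgrade on first login
            return $row['uid'];
        }
    }
    return null;                                // no linked account
}

// Constructed sample data: one legacy plain row and one already-hashed row.
$links = [
    ['uid' => 7,  'provider' => 'Facebook', 'identifier' => '100001234567890'],
    ['uid' => 12, 'provider' => 'Google',   'identifier' => pseudonymize('Google', '1184')],
];

$first  = findUid($links, 'Facebook', '100001234567890'); // upgrades the plain row
$second = findUid($links, 'Facebook', '100001234567890'); // now matches the digest
var_dump($first, $second, strlen($links[0]['identifier']));
var_dump(findUid($links, 'Google', '100001234567890'));   // same id, other provider
```

Rotating the key invalidates every stored digest, so a deployment would need to keep the old key available for the same login-time upgrade path.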
Eldenroot 15 Aug 2016 Edited
#23
I hope there will be 1.3 soon with support for custom profile fields ;) Thank you for your hard work! Keep it up!
Dr.Jeet 8 Sep 2016
#24
After registration, a PM is sent to the member, but in this PM the password is not sent, meaning the random password is not generated.

I see this PM after registration.
==========================================
Welcome on our Forums, dear XXX!

We appreciate that you have registered with Facebook. We have generated a random password for you which you should take note somewhere if you would like to change your personal infos. We require for security reasons that you specify your password when you change things such as the email, your username and the password itself, so keep it secret!

Your password is:

With regards,
our Team.
=====================================
Random generated password is blank.
Can you fix it?
Shade 8 Sep 2016
#25
The password is not generated if you are using the emailless and passwordless option. The PM is customizable so you can setup your own message and remove the password notice.
lnx1001 18 Aug 2017
#26
Is this updated? I see that Flyover 1.3 was supposed to be in 2015, 2 years ago. Since then all protocols have changed except Facebook. Does it work? If not, when will it be updated? Thanks.
Shade 19 Aug 2017
#27
Hi, you are not a subscriber so I guess you're using a pirated copy? If so, please support me by buying a premium subscription.

Flyover has been recently updated with the latest SDK available and it works fine with every tested provider. The 1.3 update introduces breaking changes like multiple account support, which is something I still have to finish. Unfortunately my uni commitments limit me from being active on its development. However, it's a stable release and works as seamlessly as it did when it was released back in the day, with no major flaws reported.
WallBB 16 Sep 2017
#28
Never knew there is an awesome plugin like this, I am now a subscriber :)
Zinx 1 Jul 2018
#29
How do I download the development version?
Shade 1 Jul 2018
#30
Hi @Zinx, the development version is not available to the public. It will be available when it's ready. If you want to suggest or request something you want to see in the upcoming version, please open a thread in this forum, thank you.