Flyover development

20 Nov 2015 Edited

Upcoming version checklist

Currently there are no known bugs or improvements planned.

⚠ There is no ETA. Please refrain from asking when the new version is out. The checklist might not be emptied before a new version is released. A ✅ mark indicates the item has been implemented and/or fixed.

Version 2.3 (released: 16 April 2020)

🔥 HybridAuth update to 3.3, with the most notable change occurring to Facebook's Graph API switching from v2.12 to v6.0. Version 2.12 will be deprecated starting from 5 May 2020
🐛 fixed [BUG] Facebook registering results in email = 1

Version 2.2 (released: 5 January 2020)

🔥 HybridAuth update to 3.1.1
🆕 Suggestion: Disabling mybb login/registration in 1.6. Force operational status has been extended to cover both logging in and registering
🆕 use provider-specific custom fields to avoid overwriting profile data. Requested in Facebook profile link/url by @Enes Palit
🆕 Feature request: disable unlinking from provider
🆕 profile URL and email as new custom profile fields. Requested in Facebook profile link/url by @Enes Palit
🆕 Amazon provider. Requested in Amazon Request by @Omniscient
🐛 synchronization does not occur upon registering. Reported by @Enes Palit in Facebook profile link/url
🐛 synchronization options do not save upon registering
🐛 "language" field is missing from the language files. Reported by @Enes Palit in Facebook profile link/url

Version 2.1 (released: 1 August 2019)

🔒 Fixed medium priority vulnerability. To ensure a responsible disclosure, it will not be disclosed publicly. If you want to know more about this vulnerability, please PM me. Reported by @Omniscient
🐛 fast registration is breaking login and registration. Reported in Flyover 2.0 - GitHub Authentication not working

Version 2.0 (released: 2 April 2019)

🔥 code rewrite from the ground up
🔥 HybridAuth update to 3.0.0 RC9
🆕 custom scopes per every provider
🆕 new redirect URI
🆕 new providers: GitLab, Mailru, Odnoklassniki, Spotify, WeChat, Yandex
🆕 new data point for synchronization: language

Version 1.5 (released: 8 May 2018)

🐛 Fixed critical issues with MySQL Strict Mode
🔒 Fixed medium priority vulnerability. To ensure a responsible disclosure, it will not be disclosed publicly. If you want to know more about this vulnerability, please PM me

Version 1.4.1 (released: 4 May 2018)

🐛 Hotfix

Version 1.4 (released: 3 May 2018)

🐛 Fixed privately-reported issues with certain environments

Version 1.3 (released: 1 Oct 2017)

🔥 HybridAuth update to version 2.9.6 with notable performance improvements
🆕 Custom Profile Fields support in registration page
🆕 Migrator from other plugins offering login capabilities, including MyFacebook Connect, MyTwitter Connect and Steam Login
🆕 Discord provider
🐛 Redirection fix using MyFacebook Connect 3.6 code
🐛 Multiple accounts support
🐛 Fix No password
🆕 Added website and identifier as new data points you can choose to synchronize as part of a complete rewrite of data points handling, which will allow easier additions in the future

Version 1.2 (released: 6 Dec 2015)

🆕 Who's Online support
🆕 Email and passwordless accounts support
🆕 Standardized identifiers
🆕 Added updater
🐛 Warning in ACP when using 3 or fewer providers
🐛 New users are registered with a number instead of a username if the one-click registration option is disabled

Version 1.1 (released: 25 Nov 2015)

🐛 MyBB 1.6 support
🐛 Popup mode out of the beta with closing support for errors
🐛 Username synchronization option
🐛 Registration was not working properly because the identifier was empty
🐛 Registration PMs were not delivered by the right sender
🐛 Registration messages were not displayed properly
🐛 Settings were not updated properly
🐛 StackExchange was not working due to missing decompression during response handling
Shade 29 Nov 2015 Edited
I have been working on some Flyover enhancements during the weekend, which will be included in the next minor update going live in December 2015. Here are some previews on what's going on with Flyover's development.

Everyone's standard
Every social network chooses the authentication method they find the most suitable for their needs. There are currently 3 protocols used by the majority of them: OAuth 1, OAuth 2 and OpenID. Although they are different regarding the code implementation, they don't differ much under the security and usability aspects. Nonetheless, every provider has the chance to choose what information can or can't be retrieved during an authenticated request, resulting in a complete mess when it comes to handling information such as users' identifiers. HybridAuth already has a standardized approach to all this pot of data, meaning that if Facebook returns the user's identifier encapsulated in an array and Google passes it in an object, HybridAuth will pass it to Flyover under the same piece of data.

One field that every provider makes available is the identifier, something used to uniquely identify the user on their server. It is equivalent to MyBB's uid, and it is used by Flyover to associate social accounts to MyBB accounts.

Identifiers are passed without any sort of hashing or encryption methods. This is not an issue related to security on the front end part, since the authentication of users is done using the protocols mentioned above; but this may be an issue on the back end part, in case a malicious user obtains a dump of the database. Eventually, he might become aware of someone's identity by tracking down their social account using the plain identifiers stored by Flyover. Plus, some providers still use URIs or usernames as identifiers, which is not fairly secure from a privacy point of view. Note that this is a privacy issue, not a security one.

Flyover 1.2 will no longer store identifiers as plain strings but it will hash them using MyBB's random string known as salt, which is already used to hash passwords. This way, no one will ever know users' identifiers and database fields will be set to a defined length, resulting in a cleaner environment.

Email and passwords are for pricks
Logging in with a social network should already come emailless and passwordless by definition. However, MyBB performs tons of checks to ensure that email and passwords are present and they fit the admin's preferred settings. I believed there was nothing like a hook to hack and play with the validator, but I was proven wrong: so emailless and passwordless accounts are actually possible.

Registrations should become even quicker and easier with this improvement, as your users won't need to enter an email and you won't need to send a password using the PM system. This feature has been already developed and it is available in beta testing on MyBBoost.
Shade 1 Dec 2015 Edited
All seems to be working just fine. Passwords and emails have been 100% bypassed, you can now register without using them. Identifiers are now saved hashed (not with salt, but with the provider's name, which is available prior to the login procedures unlike the salt itself) as 128-bit strings, and old, plain identifiers are updated accordingly when a user logs in (you won't need to run any upgrade script for this – the identifiers will be updated the first time someone logs in with the new version installed).

Once I put everything in the updater (some templates need to be updated) Flyover 1.2 will be out and ready.
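The lookup-and-upgrade flow described in this post, as an added example that is not Flyover's code. Assumptions: identifiers become 128-bit tokens via HMAC-SHA-256 under a server-side key (`PSEUDONYM_KEY`, hypothetical, kept outside the database so a dump alone cannot be used to confirm a guessed identifier), whereas the post says Flyover hashes with the provider's name; a Python list of dicts stands in for the link table.

```python
import hashlib
import hmac

# Assumption: a secret stored in a config file, not in the database.
PSEUDONYM_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample rows: the same plain identifier under two providers.
SAMPLE_LINKS = [
    {"uid": 7, "provider": "Facebook", "identifier": "100000123456789"},
    {"uid": 9, "provider": "Google", "identifier": "100000123456789"},
]


def pseudonymize(provider, identifier, key=PSEUDONYM_KEY):
    """Return a fixed-length 128-bit token (32 hex chars) for one identifier."""
    # Length-prefix the provider so ("ab", "c") and ("a", "bc") never collide.
    message = f"{len(provider)}:{provider}:{identifier}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def find_user_on_login(links, provider, identifier):
    """Return the linked uid, upgrading a legacy plain-text row in place."""
    token = pseudonymize(provider, identifier)
    legacy = None
    for row in links:
        if row["provider"] != provider:
            continue
        if row["identifier"] == token:
            return row["uid"]  # row was already migrated
        if row["identifier"] == identifier:
            legacy = row  # row written before identifiers were hashed
    if legacy is not None:
        # Lazy migration: replace the plain value the first time it is used.
        legacy["identifier"] = token
        return legacy["uid"]
    return None


if __name__ == "__main__":
    links = [dict(row) for row in SAMPLE_LINKS]
    print(find_user_on_login(links, "Facebook", "100000123456789"))
    print(links)
```

Rows for accounts that never log in again keep their plain identifiers, so a one-off migration pass is still needed if every row must be converted.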
Eldenroot 15 Aug 2016 Edited
I hope there will be 1.3 soon with support for custom profile fields ;) Thank you for your hard work! Keep it!
Dr.Jeet 8 Sep 2016
After registration, a PM is sent to the member, but in this PM the password is not sent, which means the random password is not generated.

I see this PM after registration.
Welcome on our Forums, dear XXX!

We appreciate that you have registered with Facebook. We have generated a random password for you which you should take note somewhere if you would like to change your personal infos. We require for security reasons that you specify your password when you change things such as the email, your username and the password itself, so keep it secret!

Your password is:

With regards,
our Team.
The randomly generated password is blank.
Can you fix it?
Shade 8 Sep 2016
The password is not generated if you are using the emailless and passwordless option. The PM is customizable so you can setup your own message and remove the password notice.
lnx1001 18 Aug 2017
Is this updated? I see that flyover 1.3 was supposed to be in 2015, 2 years ago. Since then all protocols have changed except facebook. Does it work? If not when will it be updated? Thanks.
Shade 19 Aug 2017
Hi, you are not a subscriber so I guess you're using a pirated copy? If so, please support me by buying a premium subscription.

Flyover has been recently updated with the latest SDK available and it works fine with every tested provider. The 1.3 update introduces breaking changes like multiple account support, which is something I still have to finish. Unfortunately my uni commitments limit me from being active on its development. However, it's a stable release and works as seamlessly as when it was released back in the day, with no major flaws reported.
WallBB 16 Sep 2017
Never knew there is an awesome plugin like this, I am now a subscriber :)
Zinx 1 Jul 2018
How do I download the development version?
Shade 1 Jul 2018
Hi @Zinx, the development version is not available to the public. It will be available when it's ready. If you want to suggest or request something you want to see in the upcoming version, please open a thread in this forum, thank you.