Autologin roundcube?

Hello, I have read that you do not want to implement autologin in Roundcube as other panels do. For us, this is very important.

Do you know if it could be done on a budget? Could you tell me the cost of implementing such functionality? If it is not too exorbitant, I would be willing to finance it.

Best regards!

The only way to give an admin access via auto login is to temporarily overwrite the password and reset it after xx min.

I have zero interest in implementing via this route…

I have seen, for example, that CWP accesses with tokens. Is there no way to do it in that manner?

Roundcube is nothing more than a passthrough towards dovecot…

I know, but this feature is quite requested by the end customer, so it would be interesting to have some form of automatic login to Roundcube. I have been reviewing, and the Roundcube plugin they use in CWP is something like this: (I don’t know if it will be useful)

/usr/local/cwpsrv/var/services/roundcube/plugins/cwpautologon/

<?php
class cwpautologon extends rcube_plugin{
    public $task = 'login';
    function init(){
        $this->add_hook('startup', array($this, 'startup'));
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function startup($args){
        if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']) && $this->is_localhost())
            $args['action'] = 'login';
        return $args;
    }

    function authenticate($args){
        if (!empty($_GET['_autologin']) && $this->is_localhost()) {
            if(isset($_GET['sess'])){
                $token=base64_decode(base64_decode($_GET['sess']));
                $js=json_decode($token);

                $args['user'] =trim($js->user);
                $args['pass'] =trim($js->pass);
                $args['host' ] =trim($js->host);
                return $args;
            }
        }
    }
    function is_localhost(){
        return $_SERVER['REMOTE_ADDR'] == '::1' || $_SERVER['REMOTE_ADDR'] == '127.0.0.1';
    }
}

As I have mentioned, I am willing to cover the cost of this implementation. If you wish, provide me with a quote privately.

I believe this is a useful feature for end users. Additionally, I have seen that it has been requested in some messages before, but it was indicated that there was no plan to implement it.

I think the correct way would be:

  • Generate a token and save the value along with the email that has requested to log in.
  • Validate that the token is correct and has not expired → perform the autologin.

We still need to have the authentication with the mail server. And we don’t store the passwords in plain text on the server …
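
The token flow proposed in the thread (issue a token bound to the requesting email, then accept it once and only before it expires), sketched as an added example; it is not code from this thread, from CWP or from the panel. The class name, the 60-second lifetime and the in-memory array standing in for a database table are assumptions, and PHP 8.0 or later is assumed. Unlike the `sess` parameter in the plugin quoted above, the token carries no password, and redeeming it only yields the mailbox address, so the login against the mail server noted in the last reply is still required.

```php
<?php
// Added example: single-use, expiring autologin tokens (hypothetical class and names).
final class AutologinTokenStore
{
    /** @var array<string, array{email: string, expires: int}> keyed by SHA-256 of the token */
    private array $rows = [];   // stand-in for a database table

    public function __construct(private int $ttlSeconds = 60) {}

    /** Issue a token for $email; only its hash is kept server-side. */
    public function issue(string $email, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
        $this->rows[hash('sha256', $token)] = [
            'email'   => $email,
            'expires' => ($now ?? time()) + $this->ttlSeconds,
        ];
        return $token;                                 // handed to the browser once
    }

    /** Return the mailbox the token was issued for, or null. Always consumes the token. */
    public function redeem(string $token, ?int $now = null): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]);                      // single use, even when expired
        if ($row === null || ($now ?? time()) > $row['expires']) {
            return null;
        }
        return $row['email'];
    }
}

// Constructed sample run (address and timestamp are made up).
$store = new AutologinTokenStore(60);
$t0    = 1700000000;
$token = $store->issue('user@example.test', $t0);

var_dump($store->redeem($token, $t0 + 10));            // first use, inside the lifetime
var_dump($store->redeem($token, $t0 + 11));            // replay of the same token
$late = $store->issue('user@example.test', $t0);
var_dump($store->redeem($late, $t0 + 61));             // redeemed after expiry
var_dump($store->redeem(str_repeat('0', 64), $t0));    // token that was never issued
```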