Totara 10 removal of the Moodle mobile tool and authentication endpoint

During Totara Learn 10 development the decision to remove both the Moodle mobile tool and token based authentication endpoint was made.

Prior to this both the tool and authentication endpoint were included in the distributed release.

Regrettably this decision, the reasoning behind it, and advice for those affected was never communicated with the Partners or community.

The purpose of this document is to provide insight into this decision, and advice for those affected by it.

Considerations leading to the decision

While working on the Moodle 3.2 migration path during the development of Totara Learn 10 we were reminded that the Moodle mobile tool was still included in Totara Learn, and we became more aware of the fact that it had not been updated to reflect the unique functionality provided by Totara.

In reviewing the options available to us the decision was made to remove both the tool and the entry point.

The following were the major impactors in this decision.

Changes being made by Moodle to core code

The way in which Moodle were modifying core code to support the mobile app didn't sufficiently account for the context of use correctly. This meant not only that there were likely to be security issues with the mobile app but that changes could lead to security holes within Totara. We would reject those changes in Totara Core to avoid the security risk, but that would mean the specific mobile functionality that depended on the core code would break in unexpected ways.

The only fix would have been to rewrite the core code in a secure way, but for that to offer any benefit we would also have had to rewrite the Moodle mobile app code to match. Since we decided against using the Moodle mobile app in Totara (also for security reasons) that approach wouldn't have made sense.

Security surface of the product

Together the tool and authentication endpoint allows for a user to authenticate and access Totara using the web service layer, and the Moodle mobile web service functionality specifically.

Both increase the security surface of the product. The authentication endpoint in particular was a concern in this consideration as it allowed a user to gain access to the site by means of a token returned by this script.

Unused functionality

Neither the tool, nor the authentication endpoint were used by Totara Learn, or any other Totara product or service. Both were developed by Moodle to facilitate this for their Moodle mobile app.

Over time development of Totara functionality had left functional holes in the tool and end point. It had simply not been a consideration as Totara did not have its own mobile offering and therefore had never answered the questions on how the functionality unique to it was integrated into a mobile experience.

We work very hard to keep our code base in order. This helps us keep down the product's footprint, aids maintainability and our ability to support our product, and leads to less work being required during refactoring and new feature development. Rather than ignore the problem a decision was made on the future of the tool and authentication entry point.

Difference in web services

Previously the services written by Moodle for their mobile app did not get reviewed or updated to ensure they fit within the product, or to ensure that they respect the functionality unique to Totara Learn. Those that were not used directly within the product were included with minimal review and little to no testing.

We now review and choose the functionality that we cherry-pick from Moodle, and for the functionality we choose to take we ensure that it integrates with the entire Totara Learn feature set. This can lead to services not being taken as functionality was not taken, or to the results of services changing from that of the same service when run in Moodle.


For anyone using the Moodle mobile app with Totara Learn in order to continue using the app after upgrading to Totara 10 they will need to restore the Moodle mobile tool and authentication entry point. The same is true for anyone who implemented their own mobile app and used the same entry point as the Moodle mobile app.

Without the authentication entry point app users will not be able to authenticate with Totara and will not be able to acquire a token for further communication.

Without the mobile tool the Moodle mobile service will not be created, and the Moodle mobile app will not be able to negotiate with the site nor pick up its settings.

If this change did affect you please let us know through support. We would like to know how this affected you.