
External login validation in SMF

Started by taised, November 25, 2014, 08:02:24 AM


taised

Hi, I'm using SMF 2 with the ezportal modification to use it as a portal and I'm quite happy with it. But what I'm trying to make now is the possibility to allow automatic login for users authenticated on another website (kongregate, actually).

So, here is the workflow: the user authenticates on the other website (kongregate), then opens the page where my SMF is and calls it with a userid and a token provided by the website; I check that the token provided is correct (via the kong API) and, if it is, I check whether the userid is already registered in my website (I've added a column in the SMF db where the kong user id is registered); if it is not, I give the user the possibility to register a new user or to link the other account to the one he already has. I hope it is clear so far.

Since I don't want to show the user the full SMF interface, I made a page where the SSI functions are loaded and use that as the interface. What I'd like to achieve is that the user opening the SMF page from the other account should be automatically logged in without typing username and password again. I see that there are integration hooks for this and I believe they're right for my purposes, but I'm not able to make them work. I've been trying for two days and I can't make it work.

I'm specifically working on the part where the user is trying to link his existing SMF account to kong. What I'm doing is providing him a simple username/password form and then checking with the integration hooks whether the credentials are correct, using the function I copied from LogInOut.php:

call_integration_hook('integrate_login', array($_POST['user'], isset($_POST['hash_passwrd']) && strlen($_POST['hash_passwrd']) == 40 ? $_POST['hash_passwrd'] : null, $_POST['cookielength']));

The problem is that this function doesn't seem to work and always returns an empty array, regardless of what I provide as input.

I've also tried integrate_verify_user and integrate_verify_password and always get the same behaviour: no results.

Could you help me? Thanks

Arantor

If you want to link the existing account to Kong, that part of your code just needs to be restricted to updating the database table (with verification on the other end, of course).

The process you would follow is this:
* user logs in, goes to Kong
* auth process returns a token to your site
* site issues user a cookie relating to this
* integrate_verify_user hook looks for this cookie and if found, this function should return the user id it is related to
* if this is not found, fall back to standard SMF cookie handling/detection

taised

Quote from: Arantor on November 25, 2014, 08:09:41 AM
If you want to link the existing account to Kong, that part of your code just needs to be restricted to updating the database table (with verification on the other end, of course).

The process you would follow is this:
* user logs in, goes to Kong
* auth process returns a token to your site
* site issues user a cookie relating to this
* integrate_verify_user hook looks for this cookie and if found, this function should return the user id it is related to
* if this is not found, fall back to standard SMF cookie handling/detection

The problem is that the authentication process should go the other way: not from SMF to kong, but from kong to SMF.

When a user logs in on kong he expects that inside the frame he sees SMF without the need to log in again.
To make this possible I made a script page (kongbridge) that doesn't load SMF itself, but interacts via SSI.
So:

* user logs in on kong
* kong issues a link to my kongbridge with a token
* my kongbridge checks the token (with a curl call, probably)
* if the kong token is correct the user should be automatically logged in to SMF

(storing the kong token in SMF makes no sense, since the token can change at any time)

Do you mean that without regular SMF creating a token, I cannot log in from outside?

Arantor

No, that's exactly how it works.

For SMF to be authenticated, it has to receive something from the user indicating their credentials. Since that's a cookie (as it's the only way this can be done), you have to notify SMF so SMF can issue the cookie - because cookies are bound to a single domain and you're not hosted on Kongregate's website.

Once your domain has issued a cookie, you can check the existence of that cookie to authenticate to SMF.

Oh, and SMF will fail to work properly in an iframe anyway, precisely because it has specific protection against being shown in iframes for security reasons (though the session handling has been known to misbehave that way too).

taised

Quote from: Arantor on November 25, 2014, 08:35:35 AM
No, that's exactly how it works.

For SMF to be authenticated, it has to receive something from the user indicating their credentials. Since that's a cookie (as it's the only way this can be done), you have to notify SMF so SMF can issue the cookie - because cookies are bound to a single domain and you're not hosted on Kongregate's website.

Ok, so how can I ask SMF to issue this cookie automatically, without authenticating through the interface? Or could I simply generate the cookie myself with my kongbridge (which is on the SMF domain)? What's the cookie content?

Quote from: Arantor on November 25, 2014, 08:35:35 AM
Once your domain has issued a cookie, you can check the existence of that cookie to authenticate to SMF.

I've tried that. I logged in to SMF via the normal website, then opened my kongbridge via the kongshell, and I'm shown as correctly logged in and everything works. What I have to avoid is the external login, and I really haven't understood how this could be achieved.

Quote from: Arantor on November 25, 2014, 08:35:35 AM
Oh, and SMF will fail to work properly in an iframe anyway, precisely because it has specific protection about being shown in iframes for security reasons (though the session handling has been known to misbehave that way too)

Well, if you mean that the interface won't work, that's not an issue since I've completely redrawn the interface with my kongbridge and it works. If you mean that all other SMF features won't work, well, this could indeed be a problem, but I may overcome it.

Arantor

Last point first, any call to index.php will expose an anti-iframe protection. Though if you're not using an existing interface (and building it out of SSI), why not just build the entire thing? You will have to basically build everything anyway if you're not using index.php to do it...

Quote from: taised
What I have to avoid is the external login, and I really haven't understood how this could be achieved.

There's a whole lot of misunderstanding about how this stuff works in general. None of the hooks work how you think they should.

Hooks work on the principle of 'SMF is running and when it gets to <this point in the code>, call <some other piece of code>'. As in 'when doing start up and seeing if the current user is actually logged in, defer to some other auth method'

For you to make it work, at some point the code from the Kongregate side must direct the user to call a page in SMF. Whether that's done via AJAX or via HTTP redirects, the reality is, the SMF code must issue a cookie to the user and this must be triggered by Kongregate via the user's browser since Kongregate->SMF will produce a cookie but the cookie will not get sent to the user.

It is not easy to do correctly.

taised

Quote from: Arantor on November 25, 2014, 09:25:50 AM
Last point first, any call to index.php will expose an anti-iframe protection. Though if you're not using an existing interface (and building it out of SSI), why not just build the entire thing? You will have to basically build everything anyway if you're not using index.php to do it...

The reason is that I'm not making something that will work only in kongregate, but a website that is a standalone project which I'd also like to make work in kongregate. The thing is easier than you might imagine, because I've developed a lot of things externally and all of them work perfectly in an iframe outside SMF. The idea is that you can access the main subset of features via kong too, but if you want to use all the features you have to use the website.


Quote from: Arantor on November 25, 2014, 09:25:50 AM
There's a whole lot of misunderstanding about how this stuff works in general. None of the hooks work how you think they should.

Hooks work on the principle of 'SMF is running and when it gets to <this point in the code>, call <some other piece of code>'. As in 'when doing start up and seeing if the current user is actually logged in, defer to some other auth method'

Ok, now it's clear. So the hooks are not possible. I have to find another way.

Quote from: Arantor on November 25, 2014, 09:25:50 AM
For you to make it work, at some point the code from the Kongregate side must direct the user to call a page in SMF. Whether that's done via AJAX or via HTTP redirects, the reality is, the SMF code must issue a cookie to the user and this must be triggered by Kongregate via the user's browser since Kongregate->SMF will produce a cookie but the cookie will not get sent to the user.

It is not easy to do correctly.

Ok, for the login I could put the login form in my kongbridge, which will authenticate the user via the regular interface (SMF index.php), and I saw that it is possible to redirect after login, so I could redirect to the bridge again and everything should work. The problem here is that the whole process will happen in an iframe, thus it will be blocked.

I could also try an AJAX or a curl call made to the same domain (from kongbridge to SMF); in the end the only important thing is that this cookie gets set. I'll make some attempts and I'll let you know. This is much harder than expected, I hoped it would be easier :/

Thanks a lot!

Kindred

This sounds like it is a task more suited for the API than for either SSI or hooks...

Arantor

You're still missing the point. You do not go directly from Kongregate to SMF. You have to get the user's BROWSER to do that. Though yes, Kindred is right, you probably want the API.

Dragooon

You can do something like what Facebook's Graph API or oAuth does, although handling security would be tricky. Basically it goes:
User's browser does an API call to FB's server, FB's server returns a token which the user's browser passes to server. Server validates the token by sending it back to FB and if it holds, logs the user in.
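The cookie-based flow Arantor and Dragooon describe (the browser brings the token to a bridge page on the SMF domain, that page verifies it and issues a cookie, and the integrate_verify_user hook maps the cookie back to a member id), written out as an added example that is not code from this thread, from SMF or from ezportal. The secret, the cookie name and the function names are assumptions, and the call to the Kong API itself is left to the bridge page.

```php
<?php
// Added example for this thread, not SMF's, ezportal's or the poster's own code.
// Assumed names: $bridge_secret, cookie name 'kongbridge', hook function kongbridge_verify_user().
// Flow: the user's browser brings the Kong token to a bridge page on the SMF domain; once
// that page has checked the token with the Kong API it calls issue_bridge_cookie() with the
// linked member id. On later requests the integrate_verify_user hook reads the cookie, checks
// signature and expiry, and returns the member id (0 when invalid, so SMF falls back to its
// own cookie handling).

$bridge_secret = 'CHANGE-ME-long-random-server-side-secret'; // assumption: kept out of the web root
$bridge_cookie = 'kongbridge';

// Signed cookie value: "<id_member>:<expires>:<hmac-sha256 over the first two fields>".
function bridge_cookie_value(int $id_member, int $expires, string $secret): string
{
    $payload = $id_member . ':' . $expires;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Member id encoded in a cookie value, or 0 if it is malformed, forged or expired.
function bridge_cookie_member(string $value, string $secret, int $now): int
{
    $parts = explode(':', $value);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1]))
        return 0;
    list($id_member, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $id_member . ':' . $expires, $secret);
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac) || (int) $expires < $now)
        return 0;
    return (int) $id_member;
}

// Called by the bridge page once the Kong token has been verified server-side.
function issue_bridge_cookie(int $id_member): void
{
    global $bridge_secret, $bridge_cookie;
    $expires = time() + 3600; // short-lived, since the Kong token itself can change at any time
    setcookie($bridge_cookie, bridge_cookie_value($id_member, $expires, $bridge_secret),
        $expires, '/', '', true, true); // secure and httponly
}

// integrate_verify_user hook: a positive return value is taken as the logged-in member id.
function kongbridge_verify_user(): int
{
    global $bridge_secret, $bridge_cookie;
    if (empty($_COOKIE[$bridge_cookie]))
        return 0;
    return bridge_cookie_member($_COOKIE[$bridge_cookie], $bridge_secret, time());
}
```

Because the cookie is signed with a secret only the server knows, a page on the same domain cannot mint a cookie for an arbitrary member id, and the expiry keeps a leaked cookie from granting access indefinitely.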

Arantor

That is the underlying thing I'm trying to say ;)

taised

Quote from: Arantor on November 25, 2014, 10:03:47 AM
You're still missing the point. You do not go directly from Kongregate to SMF. You have to get the user's BROWSER to do that. Though yes, Kindred is right, you probably want the API.

I haven't understood. You mean, for the login? Because, besides the login/logout process, I've already been able to make SMF do anything else I needed.

Anyway, these are the API, right?

http://wiki.simplemachines.org/smf/SMF_API

I'll take a look, thanks.


Quote from: Dragooon on November 25, 2014, 10:12:07 AM
You can do something like what Facebook's Graph API or oAuth does, although handling security would be tricky. Basically it goes:
User's browser does an API call to FB's server, FB's server returns a token which the user's browser passes to server. Server validates the token by sending it back to FB and if it holds, logs the user in.

The problem is that I don't think I can save anything on kongregate, so even if I thought of developing an OAuth modification for SMF (I don't think there is one, right?) I cannot store the token SMF generates on kongregate; I would have to ask the user to generate the token every time, which is actually the same as letting the user log in each time.
