I run a site that uses SMF 2.0 as the backend for account registration, login/logout etc., using SSI.php. To allow login, I currently have a login form on my website that posts the information to SMF ($scripturl?action=login2) which handles the actual authentication, sets the cookie and then redirects back to the main page.
This has been working quite well, but now I am now working on a mobile app for my site. That means I won't be able to simply let SMF handle the login anymore, since everything will have to go through the custom API that I'm writing. That API is required for returning data in JSON format for example, since I couldn't display HTML in the app.
I have read through the SMF source code a bit and it looks like I could implement logins like this:
- Set $_POST['user'] and $_POST['passwrd'] to the username and password
- Call Login2() from LogInOut.php
- If there is an error, $context['login_errors'] will be non-empty. Send those as JSON to the client.
- If there were no errors, Login2() will call DoLogin() and the login cookie should be set in $_COOKIE[$cookiename] - send JSON response with that cookie and use it in all future requests
I think this should work, however it seems quite hacky. I also don't know how to work around the fact that DoLogin() looks like it calls redirectexit() at the end, which I think will just stop execution at that point. That obviously wouldn't work, since it would print out HTML and exit() the PHP script at that stage, so I would never be able to actually send back a response to the client. I also see that there are several places in Login2() and DoLogin() where fatal_lang_error() is called, which I think would cause similar problems.
Is there a proper way to do this? Has anybody else tried to implement SMF login for a mobile API? There must be a better way to do this...