Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Vanilla Auth Focused Login Integration

edited January 2011 in Vanilla 2.0 - 2.8
Hello, first off let me mention how after using PHPBB for almost 10 years I was amazed at what Vanilla Forums offers. Everything just seems to be so much better, easier to mod, easier to skin, more relevant technologies.

Anyways, we have a wordpress + vanilla site coming up and we want to merge the logins. The problem is that we want to use Vanilla's user system and registration as it just seems to be quicker, and seamless along with providing a better, more responsive UX than using Wordpress's with ProxyConnect. Not to mention I really want to be able to allow twitter people to login through the site or the forums as well and post comments. Which I'm going to just kind of hide wordpress's comments and either use the embed function or write my own plugin based off of Vanilla's modules to use discussion topics from the forums as article's comments as I've tested with an older PHPBB site, this really helps make discussion for topics keep going even if users or your community aren't on the homepage.

Basically I want to write a wordpress plugin (which I have already learned the architecture) that will allow me to use Vanilla's cookies and login services to authenticate & register including the twitter system. Wordpress's user system would still be used but only our writers and admins would have access which in theory would be a bit more secure anyways and I can write a simple plugin to at least link their Vanilla profile to their Wordpress profile.

It's a little messy I know but I wondered if anyone has any information on that or if ProxyConnect can work like that and I just haven't used it properly. Any help would be very appreciated :)


  • Hi - I'm looking for a similar solution -

    I'd like to find/create a plugin which allows my vanilla users to comment on pages in wordpress with their vanilla ids (so that clicking on their name takes to vanilla profile etc) ...
    so it needs to do the reverse of what proxyconnect does, plus a bit more.
    I'd also like single sign-on so that the the comment link on a wordpress page to incorporates an easy vanilla log-in/register (ideally which you can login via linkedin and twitter also...!)

    Any pointers greatly appreciated - I've a bit of experience with wordpress but am completely new to vanilla.
  • Hello, I'm glad I'm not the only one looking for this! Anyways, I did get to work on a plugin which I have no ETA on the completion of it. I've found vanilla's auth/session/identity modules and I am in the process of adding/converting them into a plugin for Wordpress so we can validate/verify the cookie data and get their profile data.

    Even when they use something like twitter to login it creates those cookies so in theory this should work quite well.

    I too want my vanilla users to be able to use their vanilla ID's to comment on the articles as discussion posts. I'm going to try and spend the time & effort needed to make a module that uses what I can of Vanilla's to update the discussions from within the wordpress page. Though I do wonder if the embed function can do that already if it just shows comments from a single discussion.
  • As I read about what you have planned, it got me interested in seeing how you will use vanilla as a commenting system for wordpress. That is what you are trying to do, right?
  • edited January 2011
    Well vanilla wont be the commenting system to wordpress. I'm intending to bypass wordpress's commenting system and use a vanilla discussion as the comments for an article. Then on the wordpress page get the posts from the assigned discussion topic and then when people post a comment from that page it just adds a reply to the discussion so that there's two ways to access/reply to articles.

    That's the plan anyways.

    In good news I got the cookie verification function converted to my wordpress plugin. Luckily Vanilla is very well written so even without a lot of code comments it's not too challenging to figure out how it works.

    I'm debating now whether it's worth the effort to verify the session data from the database after the cookie is accepted and considered valid. Though at this point I'm not even sure if Vanilla does that, but I'm assuming it does and I just haven't found it yet.
  • It might be a better idea to rewrite the ProxyConnect plugin for better synchronization, better profile management for users, and make WordPress use Vanilla's database as the main user source instead of the way it is now. The ProxyConnect plugin does have its flaws like the display name being used as the username on Vanilla, for example.

    Creating a thread for an article on your blog would be extraneous as you can try to create a better integration solution or call the username variables into the input field of the comments form.

    Add Pages to Vanilla with the Basic Pages app

  • rewrite the ProxyConnect plugin for better synchronization, better profile management

    I would love to see this. I have been trying to work out for a long time how to get ProixyConnect to pull across any arbitrary profile information (i.e. anything that is given to it) and then be able to pass that information onto a custom plugin in Vanilla to apply that information to the user's account, both when a user is created and when when they login subsequently.

    The difficulty I have had is documentation - logging in seems to jump around all over the place and there does not seem to be a logical place to put a hook or event to handle the custom profile information. When the profile information is available in ProxyConnect, the user may not have yet been created; by the time the user is created, the additional profile information is long gone.

    I would dearly love for some documentation on how this stuff works. Even just developer's notes that list the sequence that a ProxyConnect login goes through.

    The alternative would be to move to OpenID instead, and provide SSO using that, since transferring profile information is pretty much a core feature of OpenID these days.
  • ShadowdareShadowdare r_j MVP
    edited February 2011
    I'm not so sure how OpenID works. Maybe we can take a look at this WordPress plugin called External DB Authencation and @Lincoln's VBWPGlue plugin to see how their functions work so we can try to improve ProxyConnect or rewrite theirs for our CMSs.

    I just tested that public display name thing. 1) If the user exists on WordPress and has changed their public display name to something else than their username, ProxyConnect uses that for Vanilla.

    But what happens if I change the username in Vanilla? If there is a column value in the DB table with an ID to connect the two accounts together that exists, then I shouldn't have any problem. Maybe there should be an on demand synchronization tool.

    I think one way to solve this with the way ProxyConnect works now is to move the registration process on Vanilla hook onto the end of the registration process on WordPress instead of having to go to the forum page, login, and doing it there.

    Vanilla's system is obviously better because it has a better password HashMethod than WordPress. I'm currently using the ProxyConnect plugin and I hope to somehow convert my users' passwords to Vanilla's HashMethod once another integration plugin with improved functionality is released.

    Another thought has come up, haven't looked at the ProxyConnect code deeply but what would happen if I delete a user off WordPress and vice versa?

    One thing we can hope for is to see functionality such as posting the CMS's updates to the user's Vanilla activity wall. For example, if the user makes a comment or posts a post on WordPress, the user's Vanilla activity wall will be updated.

    Add Pages to Vanilla with the Basic Pages app

  • I'm not going to rewrite ProxyConnect...

    The system in my first post is what I'm going to use. Having my discussion posts double as article comments has actually improved discussion quantities drastically on one of my older sites where I merged PHPBB with my framework that I wrote so that when an article was created, it created a topic in the forums for it and any post was shown as a comment when viewing it from the article page and any comment made from that page was really just a post in the article's forum topic. I'm not going to do that again because I think it will work, but because I've tested it and it has improved the quantity, size, and quality of discussions drastically.

    One thing to note is that no matter what you login vanilla from OpenID, Twitter, Facebook, vanilla creates a login cookie for it so I'm basically going to use that to develop my plugin with as it can definitely be used to verify that the user has a proper login cookie and then that can be checked against the database to make sure they have a token or session. At least that's the way it seems to work but now I'm trying to find a relation to the stuff in the cookie to the stuff in the database. Then once we have that module complete we can do two things:

    1.) Carry on a login session (provided the user logins from/at vanilla at this point)
    2.) Get the user-id (since it's stored in the cookie)

    From there you can make a call to a database to get their vanilla profile, show a members only page, quite a bit.

    I'll be posting a link to the this project on github soon. I just gotta document the code a bit better, give proper credit to the Vanilla team in the readme since at this point I'm mostly just copy & pasting functions. Along with solidifying how I want the system/plugin to work. I'm thinking of making a couple of different plugins:

    1.) The login/signup/session plugin (which is the one I've been working on now)
    2.) The article/comment/discussion plugin (which I have yet to begin)

    Then I'm going to make a vanilla plugin to get info from a discussion and such then put it into an XML or JSON object so that I can use it with the article/comment/discussion plugin to display the posts in that discussion as article comments. Writing this system also gives me the ability to use vanilla's system for this stuff which will save time and make it more flexible if they change something about how it fundamentally works. Plus I can make it so it uses a jQuery plugin on my actual article page to load the data asynchronously after the page loads.
  • @Jaybydesign

    Sounds exciting! I can't wait to see a demo of your work once you have everything put together.
  • edited February 2011
    Thanks @chuckD hopefully by breaking it down into smaller pieces it will be easier for others to adapt for other things.

    Anyways, I've continued to go through Vanilla Forum's code and I'm definitely liking the structure of the Garden Framework. It's a bit tricky to find specific functions or classes as they can be scattered about. Like it took me a long time to find that the UserModel was in the dashboard application's model folder.

    More importantly: Unless I'm mistaken I can't find anything in the code I've read through to see if the cookie data is valid and there is a proper authentication. I'll keep checking the session class, I suspect that is where it may happen at this point.

    I've also discovered the built in Vanilla API for querying the posts in a discussion this greatly reduces the amount of work I need to do to display the discussion topic's posts as comments. This means my vanilla plugin only has to display a properly working login form with all the external services sign-in options as Vanilla natively offers. Followed by showing the vanilla reply form when they are. That's just more copy & pasting pretty much so it shouldn't take too long when I get to that point. I just want to exhaust all the necessary effort to see if Vanilla is checking the login cookie against the database.

    If it's not, then that means a user could be subject to someone stealing their login cookie which could be a big problem if they sign-in at a public wifi and someone has that blasted Firesheep. I might be able to use Vanilla's hook system to write another cookie which stores an encrypted IP Address + key so if it doesn't match the current ip-address with a specific encryption key then it destroys the session. This would prevent a stolen cookie from functioning properly unless they get into your code and get your encryption key.

    Another thing I noticed is that in one of Vanilla's own login system functions, it just uses an md5 hash to check the password. I hope that's a fallback when other, more advanced, hash/encryption options are not available. I'm pretty sure the md5 algorithm has been compromised.
  • It would be very very useful for me if you could pass defined the wp-usermeta into the vanilla profile and display it with a hook there.
Sign In or Register to comment.