
What am I supposed to do next?

edited January 2013 in Vanilla 2.0 - 2.8

I have just set up Vanilla with this plugin installed.

I followed the instructions so that my existing site and login system output the JSON required. I click on the "Test URL" button and see the information when I am logged in.

When I visit the forums, I can see in the inspector that it makes a GET request to the correct URL; however, as the request does not include the timestamp or signature, my response page returns the empty object as it is supposed to.

The URL it requests is /vanilla_authenticate?client_id=xxxxxx&Target=%2Fdiscussions&callback=jQuery16208908228778745979_1358429350725&_=1358429350850 where xxxxxx is the correct client ID.

What am I supposed to do now?

Edit: vanilla_authenticate is the page in my site that returns the JSON when it is asked the right things


  • Are you sure the parameters aren't included? Because they actually should be. Do you have a link for me to see for myself?

  • Thanks to the prompting of HalfCat, there was a small oversight in my logic that returned the JSON.

    Using CodeIgniter (and an extension of the session class to manage the user), your code should(could) look something like this (step 3 is the most important):

    $inputs = $this->input->get();
    $secret = "SECRET";
    $client_id = "CLIENTID";
    // the callback name is echoed straight into the response body, so only accept a plain
    // JavaScript identifier (jQuery sends names like jQuery16208908228778745979_1358429350725)
    if (!isset($inputs['callback']) || !preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*$/', $inputs['callback'])) {
        $inputs['callback'] = 'console.error';
    }
    try {
        if (is_object($this->session->currentuser)) {
            //step 1 - check for client_id
            if (!isset($inputs['client_id']))
                throw new Exception("invalid_request||The client_id parameter is missing.");
            //step 2 - check client_id is correct
            if ($inputs['client_id'] !== $client_id)
                throw new Exception("invalid_client||Unknown client.");
            //step 3 - check for timestamp
            //       - if there is no timestamp, echo a modified blank user to trigger login process
            if (!isset($inputs['timestamp'])) {
                echo $inputs['callback'].'({"name": "Username", "photourl": ""});';
            } else {
                //step 4 - reject timestamps more than one minute in the past OR more than one minute
                //         in the future (with && as originally written the condition can never be true)
                if ((int)$inputs['timestamp'] < time() - 60 || (int)$inputs['timestamp'] > time() + 60)
                    throw new Exception("invalid_request||The timestamp is invalid.");
                //step 5 - check for signature
                if (!isset($inputs['signature']))
                    throw new Exception("invalid_request||Missing signature parameter.");
                //step 6 - check signature is valid (strict comparison, the signature is a string)
                if (md5($inputs['timestamp'].$secret) !== $inputs['signature'])
                    throw new Exception("access_denied||Signature invalid.");
                //step 7 - build array of details for signature, order is important
                $details = array(
                    'email' => $this->session->currentuser->email,
                    'name' => $this->session->currentuser->displayname,
                    'uniqueid' => $this->session->currentuser->id
                );
                //step 8 - make the signature
                $signature = md5(http_build_query($details).$secret);
                //step 9 - finish off the details array
                $details['client_id'] = $client_id;
                $details['signature'] = $signature;
                //step 10 - output and done
                echo $inputs['callback'].'('.json_encode($details).');';
            }
        } else {
            // nobody logged in: a blank name tells the plugin there is no session to connect
            echo $inputs['callback'].'({"name": "", "photourl": ""});';
        }
    } catch (Exception $e) {
        $error = array("unknown_error", "An unknown error has occurred");
        $message = $e->getMessage();
        if (strlen($message) > 0 && strpos($message, "||") !== false) $error = explode("||", $message);
        echo $inputs['callback'].'({"error":"'.$error[0].'","message": "'.$error[1].'"});';
    }
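The exchange the script above implements, as an added example that is not part of the thread or of the jsConnect plugin: a Python port of the same endpoint logic (two-phase request, timestamp window, request signature md5(timestamp + secret), user signature md5(http_build_query(details) + secret)), written in Python rather than PHP only so the checks can be exercised offline with constructed input. The client id, secret, user record and callback name are constructed values; `urlencode` is assumed to match PHP's `http_build_query` for a flat array, which it does for these fields. Two things go beyond the thread and are labelled as such in the code: the callback name is validated before being echoed into the JSONP body, and the signature comparison is constant-time.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlencode

# Constructed credentials for the example; a deployment uses the plugin's settings.
CLIENT_ID = "CLIENTID"
SECRET = "SECRET"
CLOCK_SKEW_SECONDS = 60  # the thread accepts timestamps within one minute either way

# Hardening not in the thread: only a plain JS identifier is echoed back as the
# callback, so a request cannot inject script into the JSONP response body.
_CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$.]*")


class AuthError(Exception):
    """The 'code||message' pairs the thread's PHP packs into Exception messages."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.message = message


def request_signature(timestamp, secret):
    """Signature the forum attaches to its signed request: md5(timestamp . secret)."""
    return hashlib.md5(f"{timestamp}{secret}".encode()).hexdigest()


def user_signature(details, secret):
    """Signature over the user details: md5(http_build_query(details) . secret).
    Field order matters, exactly as the thread's step 7 says."""
    return hashlib.md5((urlencode(details) + secret).encode()).hexdigest()


def jsonp(callback, payload):
    return f"{callback}({json.dumps(payload)});"


def parse_jsonp(body):
    """Split a JSONP body back into (callback, payload); the browser-side view."""
    name, _, rest = body.partition("(")
    return name, json.loads(rest[:-2])


def authenticate(params, current_user, now):
    """Body for one GET to the authentication endpoint.

    params:       query parameters (client_id, timestamp, signature, callback)
    current_user: dict with email, displayname, id; None when nobody is logged in
    now:          current unix time, passed in so the window check is testable
    """
    callback = params.get("callback", "")
    if not _CALLBACK_RE.fullmatch(callback):
        # never echo the rejected name; a fixed callback keeps the body valid JS
        return jsonp("console.error", {"error": "invalid_request", "message": "Bad callback name."})
    try:
        if current_user is None:
            return jsonp(callback, {"name": "", "photourl": ""})
        if "client_id" not in params:
            raise AuthError("invalid_request", "The client_id parameter is missing.")
        if params["client_id"] != CLIENT_ID:
            raise AuthError("invalid_client", "Unknown client.")
        if "timestamp" not in params:
            # first, unsigned probe: a non-empty name makes the plugin start the signed exchange
            return jsonp(callback, {"name": "Username", "photourl": ""})
        try:
            ts = int(params["timestamp"])
        except ValueError:
            raise AuthError("invalid_request", "The timestamp is invalid.")
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            raise AuthError("invalid_request", "The timestamp is invalid.")
        if "signature" not in params:
            raise AuthError("invalid_request", "Missing signature parameter.")
        expected = request_signature(params["timestamp"], SECRET)
        # constant-time comparison (hardening not in the thread)
        if not hmac.compare_digest(expected.encode(), params["signature"].encode()):
            raise AuthError("access_denied", "Signature invalid.")
        details = {
            "email": current_user["email"],
            "name": current_user["displayname"],
            "uniqueid": str(current_user["id"]),
        }
        sig = user_signature(details, SECRET)
        details["client_id"] = CLIENT_ID
        details["signature"] = sig
        return jsonp(callback, details)
    except AuthError as e:
        return jsonp(callback, {"error": e.code, "message": e.message})


if __name__ == "__main__":
    now = 1358429350  # constructed; taken from the timestamps in the question's URL
    user = {"email": "user@example.com", "displayname": "Example User", "id": 42}
    ts = str(now - 5)
    req = {"client_id": CLIENT_ID, "timestamp": ts, "callback": "jQuery_cb",
           "signature": request_signature(ts, SECRET)}
    print(authenticate(req, user, now))
```

Passing `now` in explicitly is the point of the port: the thread's bug in step 4 (`&&` where `||` was meant) is exactly the kind of defect that only shows up when a stale timestamp is fed through the check, so the window test is the one worth keeping.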
  • Are you aware of the libraries for this? When I was advising you, I just assumed that you were using one of them:

  • The system I have developed is a bit complicated so I did not want to incorporate too much code developed by other people. Trying to keep it as simple as possible hence the above code :-)

  • I understand. The library will actually not replace all of this script you wrote. You will still have to check if your user is actually logged in or not. It just takes the work of step 1-10 off of you. And I still recommend to use the library for that or look closely at it because it actually handles things a bit differently.

  • Sorry, I should have said: the check for the object at the top checks if the user is logged in, as that will be an object with the user's details or the value false :-P

    The library is slightly different but I was just following the documentation to accomplish the basics and used the try catch to avoid a plural of echos ^_^

  • Ultimate newb, I cannot find the "this answered my question" button to endorse HalfCat for his efforts...
