HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

I want to let my users to login another site (PHP) using vanilla login details.

I want to let my users to login another site(Simple PHP or laraval) using vanilla login details.

how can i do this. can you give me an idea?

Answers

  • LincLinc Detroit Admin

    This is very difficult to do safely.

    The standard way is to use a single sign-on method. Unfortunately, Vanilla doesn't support operating as an OAuth 2.0 IDP (Identity Provider). In other words, it can only receive SSO connections rather than originate them.

    Many years ago, I built a set of Vanilla and WordPress plugins to allow a user to login to WordPress using their Vanlla username and password (as in, ONLY login this way - it removes the normal WordPress accounts). It's extremely finicky & developer-oriented, it has several restrictions, I haven't tested it in a few years, and I'm only like 90% certain it doesn't have any security flaws. All that said, the code is here: https://github.com/linc/vanilla-glue

  • @Linc cant I do it connecting laravel to same database?

  • LincLinc Detroit Admin

    That's a requirement of the code I posted above.

    You'll find that simply pointing it at a different database table is insufficient, due to differences in how passwords are stored and cookies are generated. There's a lot more going on in authentication than it sounds like you're accounting for.

  • @Linc using the laravel connecting to the vanilla user table I can get the user name & email. but i dont know how to compare the password

  • LincLinc Detroit Admin

    Yes. There will be much for you to figure out if you want to build this. My code posted above can guide you to an extent. I'm not going to crack open Laravel and start working on it with you.

  • @Linc if i use phpass in laravel can I do this?

  • LincLinc Detroit Admin

    Might work, since PHPass is (I believe) what Vanilla is still using.

  • edited April 2020

    @Linc think this is the requirement

    My forum user want to see his pro pic by login a another simple php application using same username and password,

    or user login to forum and then he have permissions to visit other site.


    what is the best way to do that.

  • R_JR_J Ex-Fanboy Munich Admin

    I would implement a simple Vanilla plugin which takes

    • password
    • user name
    • some long "secret" key

    as parameters and then basically does this comparison:

            if (Gdn::request()->post('secret', '') !== Gdn::config('myplugin.secret')) {
                return false;
            }
            $authenticator = Gdn::authenticator()->authenticateWith('password');
            $userID = $authenticator->authenticate(
                Gdn::request()->post('email', ''),
                Gdn::request()->post('password', '')
            );
            if ($userID == 0) {
                return false;
            }
            // return whatever info you want from that user
    

    You can then make a post request to that endpoint from out of your laravel code and get the user info you need.

    This is slower than directly accessing the database, but it is future proof and I think not assuming that one application can access the database and codebase of another application is a good habit, too

  • Can I do it using API v2?

    How to authenticate tokens using laravel?

  • R_JR_J Ex-Fanboy Munich Admin
    edited April 2020


    I see, you do not really enjoy reading. I have answered to your PM with this link: https://github.com/R-J/apitoken where the relevant code snippet is taken from.

    edited sorry for being so snappy

  • @R_J I cant enable it.


  • R_JR_J Ex-Fanboy Munich Admin

    ... and there is really no reason to do so.

    I guess you have put it in a folder called /plugins/rj-apitoken-master while it should be in /plugins/rj-apitoken. But that is only a plugin which has some useful lines. 90% of that plugin doesn't have anything to do with your requirement.

  • R_JR_J Ex-Fanboy Munich Admin

    Sure. The current Vanilla version has an api which require a token for some functionalities. That token can be created by users in the profile page. Let's assume you create a mobile app for accessing the forum, you will not send your users to the forums web page to let them create an apitoken which they then have to insert into tht app. You want them to have them enter their credentials and let the apitoken be created automatically. So that plugin creates an endpoint which accepts a post request with username and password, then creates that token and returns it.

    Things like that should include a rate limit or some other ways to secure that endpoint, so I would advice nt to use it as it is right now. it is just an example implementation to show how to validate user credentials and create an api token.

Sign In or Register to comment.