Integrate phpbb authentication system with external site

[robboZ]

I am in process of upgrading one of my forums from 3.0.14 to 3.2.7. On this forum registration/login system is connected with registration/login system of the main site, but everything was based on phpbb authentication. This was done via some dirty hacks and partial inclusions of forked phpbb files into the main site (which is powered by Symfony by the way).

So now I try to do this integration in much cleaner way and I thought that I share some ideas - I hope this may be helpful to some other devs. There are lots of questions of this nature and many different answers,
viewtopic.php?f=71&t=718245&start=60
viewtopic.php?p=3382184#p3382184
but in most cases they are very old and make no sense with phpbb>=3.1.

Ok, so my starting point is as follows:

1. I want API points in forum to allow login/logout/check session status etc.
2. I don't want to modify a single phpbb file - all must by done via extensions and hooks
3. Main site and forum are deployed in different locations, so the main site does not have access to forum files.

My (working!) solution at the time of writing is as follows:

1. I made a single extension with several controllers (API points) and connect to them (from Symfony) using Guzzle (via POST with cookies)
2. I have separate sessions for the main site and forum, so I send user auth cookies (_u, _sid, _k) to and fro.
3. phpbb auth system checks (in session.php->session_begin) for user IP and browser data, hence I send this data with guzzle and inject it via core.session_ip_after event.
4. In my extension I log in user by injecting $auth and

   Code: Select all

   $this->auth->login(username,password,...)

5. I loggout user by injecting user and

   Code: Select all

   $this->user->session_kill(true);

The solution may not be super clever, but it seems to work pretty stable. Performance is not great (my old dirty hacks where much faster), but I like code separation from the phpbb code.
I hope some people may find this useful.

[.m.]

Thanks for providing details of your work.
would you consider providing your work through GitHub (or similar site) ..

[robboZ]

Disclaimer: I do not claim that my remarks point to right direction with respect to the integration between external site and phpbb. In many cases there may be much better solutions, like external authentication system (used by both sites). There are also some obvious problems, like security issues with sending user data, forum's permissions system etc. For this reason I think that making a 'plug and play' extension out of this is very unlikely. I just wanted simple working solution, and that's it. I didn't found much info how to do that, hence I share my ideas.

As for the code, the typical Guzzle request to forum's API point looks like:

Code: Select all

$client = new GuzzleHttp\Client(['cookies' => true]);

Then you need to grab users forum's session cookies COOKIENAME_u, COOKIENAME_sid (in order to have access to them, forum and the main site should share domain). If you read cookies to $forumCookies, then you create CookieJar for Guzzle:

Code: Select all

$cookieJar=GuzzleHttp\Cookie::fromArray($forumCookies, COOKIE_DOMAIN);

With that data, a simple request for forums API looks like:

Code: Select all

 try {
	$response = $client->post(API_POINT_URL,
		['cookies' => $cookieJar,
                    'headers' => ['User-Agent' => USER_AGENT],
                    GuzzleHttp\RequestOptions::JSON => ['ip' => USER_IP, 
                    'sec' => SOME_SEC_TOKEN, 
                    'username' => USERNAME,
                    'password' => PASSWORD,...etc.]
                ]);
        } catch (GuzzleHttp\Exception\GuzzleException $ex) {
            SOME_FAILURE_LOGIC
        }

On the forum side, I need to subscribe to core.session_ip_after event and execute this kind of logic:

Code: Select all

public function changeIp(data $event)
    {
        if (!CHECK THAT YOU ARE IN API REQUEST) { //otherwise it gets executed on all sites
            return;
        }
        if (!$jsonPost = file_get_contents('php://input')) { //read json body request
            return;
        };
        $jsonData = json_decode($jsonPost, true);
        if ($jsonData === null) {
            return;
        }
        $ip = (string) $jsonData['ip']; 
        $ipSec = (string) $jsonData['sec']; //SOME security token
        if (SECURITY OK) {
            if (filter_var($ip, FILTER_VALIDATE_IP)) {    
                $event['ip'] = $retIp;
                SOME (ABSTRACT) CONTROLLER ::$data=$jsonData; //save data in static field for use in controller
            }
        }
    }

And controllers are very thin, for example login controller:

Code: Select all

    public function handle(): JsonResponse
    {
        if (self::$data === null || !isset(self::$data['username']) ||
            !isset(self::$data['password'])) {
            return ERROR_RESPONSE;
        }
        $result = $this->auth->login($data['username'], self::$data['password'], false, false, 0);
        $status = $result['status'];
        if (SOME LOGIC DEPENDING ON STATUS)
        ....
        return SOME JSON RESPONSE.
    }

Finally, one needs to send new forum's cookies (saved by Guzzle in $cookieJar) to the user - details depends on the backend used in the main site.

Then one needs to secure communication between Main site and forum, and restrict it to POST request - this is easily done in extension's routing.yaml.

Very sketchy, but this should give you the main idea.

[.m.]

^ Thanks robboZ I hope above guidance can be useful to the needy ...

[Stevenn]

Hi,

If I understand, your useryour user logs in through the site, which triggers a second connection (on the forum).
You only have one user table ? That of phpbb ?

And for "Remember me" feature, how do you manage it ?

Thanks