I need a bit of help logging in a backend user whose credentials have been verified by a remote server. The actual user and all its permissions are set in TYPO3, but the password is stored on a remote server.
So far I've created a small extension that redirects the backend login to my login provider:
$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['backend']['loginProviders'][1433416747]['provider'] = \User\MyExtension\Hooks\LoginProvider::class;
where I check the username and password combination on the remote server.
<?php
namespace User\MyExtension\Hooks;

use TYPO3\CMS\Backend\Controller\LoginController;
use TYPO3\CMS\Backend\LoginProvider\LoginProviderInterface;
use TYPO3\CMS\Core\Page\PageRenderer;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Fluid\View\StandaloneView;

class LoginProvider implements LoginProviderInterface
{
    private $extServer;
    private $extDC;
    private $username;
    private $password;
    private $extUser = false;

    public function render(StandaloneView $view, PageRenderer $pageRenderer, LoginController $loginController)
    {
        $view->setTemplatePathAndFilename(GeneralUtility::getFileAbsFileName('EXT:my_extension/Resources/Private/Templates/BELogin.html'));
        // Check request
        if (
            isset($_POST['login_status'], $_POST['interface'])
            && $_POST['login_status'] === 'login'
            && !empty($_POST['username'])
            && !empty($_POST['p_field'])
            && $_POST['interface'] === 'backend'
        ) {
            // Get EXT connection data from settings
            $EXT_CONFIG = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['my_extension']);
            $this->extServer = $EXT_CONFIG['extServer'];
            $this->extDC = $EXT_CONFIG['extDC'];
            // Assign received login data
            $this->username = GeneralUtility::_GP('username');
            $this->password = GeneralUtility::_GP('p_field');
            // Try to authenticate
            if ($this->checkCredentials()) {
                // #TODO: Need to log in the verified user credentials!
            }
        }
    }

    private function checkCredentials()
    {
        // Check if an enabled local user exists. The username comes straight from
        // the request, so it must be quoted before it goes into the WHERE clause.
        $db = $GLOBALS['TYPO3_DB'];
        $local = (int)$db->exec_SELECTcountRows(
            'uid',
            'be_users',
            'username=' . $db->fullQuoteStr($this->username, 'be_users') . ' AND disable=0 AND deleted=0'
        );
        // Check credentials and receive user object if correct, or false if wrong
        if ($local > 0) {
            // EXT is the remote-server client of this extension (add a use statement
            // if it lives in another namespace)
            $ext = new EXT($this->extServer, $this->extDC);
            $this->extUser = $ext->authorize($this->username, $this->password);
        }
        return $this->extUser ? true : false;
    }
}
Now I would need to log in the verified user, but I can't understand how.
PS: I already found BackendUserAuthentication, but that only works once the user is already authenticated (or I don't know how to use it).
A LoginProvider is only for rendering a different login form (e.g. for OpenID, which does not need a password field).
You need to implement an authentication service: https://docs.typo3.org/typo3cms/Typo3ServicesReference/Authentication/Index.html
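As an added example (not the poster's code and not from the TYPO3 documentation), here is the shape such a service takes for the scenario in the question: the be_users record and its permissions come from TYPO3, only the password check is delegated to the remote server. It uses the TYPO3 7 class names that match the `$GLOBALS['TYPO3_DB']` usage in the question; the service class name and the file layout are assumptions, and the global `EXT` client, `extServer` and `extDC` are the asker's own names, assumed to behave as in the question.

```php
<?php
// --- ext_localconf.php of my_extension -------------------------------------
// Register the service for backend logins. 'subtype' names the two hooks the
// service handles; priority/quality above the core service (50/50) make TYPO3
// ask this service first.
\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService(
    'my_extension',
    'auth',
    \User\MyExtension\Service\RemoteAuthService::class,
    [
        'title'       => 'Remote backend authentication',
        'description' => 'be_users record from TYPO3, password verified by the remote server',
        'subtype'     => 'getUserBE,authUserBE',
        'available'   => true,
        'priority'    => 80,
        'quality'     => 80,
        'os'          => '',
        'exec'        => '',
        'className'   => \User\MyExtension\Service\RemoteAuthService::class,
    ]
);

// --- Classes/Service/RemoteAuthService.php ---------------------------------
namespace User\MyExtension\Service;

use TYPO3\CMS\Sv\AbstractAuthenticationService;

class RemoteAuthService extends AbstractAuthenticationService
{
    /**
     * getUserBE: fetch the be_users record by login name. The parent's
     * fetchUserRecord() quotes the name and applies the enable fields
     * (disable/deleted/starttime/endtime). Returning false stops the login.
     */
    public function getUser()
    {
        if ($this->login['status'] !== 'login' || (string)$this->login['uname'] === '') {
            return false;
        }
        $user = $this->fetchUserRecord($this->login['uname']);
        return is_array($user) ? $user : false;
    }

    /**
     * authUserBE: decide whether the password is correct.
     *   200 = authenticated, do not ask further services
     *   100 = not responsible, let the next service decide
     *     0 = authentication failed
     */
    public function authUser(array $user)
    {
        // Plain-text password as entered in the form; the core fills uident_text,
        // also after RSA decryption when loginSecurityLevel is 'rsa'.
        $password = isset($this->login['uident_text']) ? (string)$this->login['uident_text'] : '';
        if ($password === '') {
            return 0;
        }
        $config = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['my_extension']);
        // The asker's remote-server client (assumed: global class, same
        // constructor and authorize() as in the question).
        $ext = new \EXT($config['extServer'], $config['extDC']);
        if ($ext->authorize($user['username'], $password)) {
            return 200;
        }
        return 0;
    }
}
```

With this in place the normal backend login form is kept: TYPO3 calls getUser() to load the local record, then authUser() with that record, and on 200 it creates the backend session itself, so there is nothing left to "log in" by hand. The local account still has to exist and be enabled, because fetchUserRecord() finds nothing otherwise.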
I have an external Joomla authenticator script, but it turns out that it ignores whether the user has activated their account, and it even ignores whether the user is blocked.
I've used the following script with some slight modifications, but the basics are the same:
Joomla 3 External authentication script
Here's my code:
...
if ($result)
{
    $match = JUserHelper::verifyPassword($credentials['password'], $result->password, $result->id);
    if ($match === true)
    {
        // Bring this in line with the rest of the system
        $user = JUser::getInstance($result->id);

        // Account state, checked before the session is created:
        // block = 1 means the account is blocked; a non-empty activation value
        // is the pending activation token, i.e. the account is not activated yet
        if ((int) $user->block === 1 || !empty($user->activation))
        {
            // Blocked or not yet activated
            die('');
        }

        // Perform the login action (returns true on success, false otherwise)
        $loggedIn = $app->login($credentials);
        $logged_user = JFactory::getUser();
        if ($loggedIn)
        {
            echo $credentials['username'];
        }
    }
    else
    {
        // Invalid password
        die('');
    }
}
else
{
    // Invalid user
    die('');
}
You can see that I tried playing around with the 'block' and 'activation' properties of the user object (as seen here), but it wasn't working properly.
What is the specific property (or properties) that I have to check to deduce whether a user who is trying to sign in via this script is activated or not?
I have just installed codoforum (https://codoforum.com) and want to use this feature, https://codoforum.com/documentation/implementing-codoforum-sso, which consists of integrating single sign-on into my website.
The website I wish to integrate the forum into is using the Yii 1 framework, which I am unfortunately not familiar with.
Following the documentation of codoforum, I filled in the configuration form and enabled the SSO plugin; what I should do now is complete the file client.php here: https://github.com/evnix/codoforum-sso.
Especially these lines:
if (USER_IS_LOGGED_IN) {
    $account['uid'] = USERID;     //Your logged in user's userid
    $account['name'] = USERNAME;  //Your logged in user's username
    $account['mail'] = EMAILID;   //Your logged in user's email id
    $account['avatar'] = '';      //not used as of now
}
I filled in those fields manually and it worked: it detects whether I am already logged in to the Yii 1 website and logs me in to the forum using the email I provided.
What I want now is to get that information from the session. I put the file client.php in the root of my website, mywebsite.com/client.php.
I have done some research and I found that this method in SiteController is responsible for logging in:
public function actionLogin() {
    $model = new LoginForm;
    // if it is ajax validation request
    if (isset($_POST['ajax']) && $_POST['ajax'] === 'login-form') {
        echo CActiveForm::validate($model);
        Yii::app()->end();
    }
    // collect user input data
    if (isset($_POST['LoginForm'])) {
        $model->attributes = $_POST['LoginForm'];
        // validate user input and redirect to the previous page if valid
        if ($model->validate() && $model->login()) {
            if (Yii::app()->session['type'] == 1) {
                $this->redirect(Yii::app()->homeUrl . 'administration/team');
            } else if (Yii::app()->session['type'] == 2) {
                $this->redirect(Yii::app()->homeUrl . 'agenda');
            } else {
                $this->redirect(Yii::app()->homeUrl);
            }
        }
    }
    // display the login form
    $this->render('login', array('model' => $model));
}
I have tried to add this code:
session_start();
$_SESSION['username']=$model->username;
(after: if ($model->validate() && $model->login()))
and use $_SESSION in the file client.php, but it didn't work.
The problem is that I have no idea how the Yii 1 framework works, and it will take me some time to become familiar with it. I know that there are sessions in Yii 1, but I don't know how to use them, where to put the file client.php, or how I can make it detect the Yii session.
But if I can use the global session, that would be better.
Thank you so much for your time and your answer.
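As an added example (not codoforum's client.php and not the asker's site code): rather than writing extra keys into $_SESSION from actionLogin, client.php can bootstrap the Yii 1 application and ask it who is logged in. Yii's CWebUser keeps its login state in the same PHP session the site uses, so the same cookie that keeps the user logged in on the site identifies them here. The framework and config paths, the `User` ActiveRecord class and its `id`/`email` columns are assumptions about the site.

```php
<?php
// client.php in the web root, the part that fills $account for codoforum's SSO.
// Paths are assumptions: the Yii 1 bootstrap and the site's main config.
$yii    = __DIR__ . '/framework/yii.php';
$config = __DIR__ . '/protected/config/main.php';

require_once $yii;
// createWebApplication() loads the config and components but does not run a
// controller, so this stays a plain script that simply knows the Yii session.
Yii::createWebApplication($config);

$account = ['uid' => 0, 'name' => '', 'mail' => '', 'avatar' => ''];

// Reading Yii::app()->user opens the PHP session and restores the login state
// that LoginForm::login() stored there; isGuest is false once logged in.
$webUser = Yii::app()->user;
if (!$webUser->isGuest) {
    // Email is not part of CWebUser's state, so read it from the users table
    // through the site's model (assumed to be named User with an 'email' column).
    $row = User::model()->findByPk($webUser->id);
    if ($row !== null) {
        $account['uid']  = (int) $row->id;      // Your logged in user's userid
        $account['name'] = $webUser->name;      // Your logged in user's username
        $account['mail'] = $row->email;         // Your logged in user's email id
        $account['avatar'] = '';                // not used as of now
    }
}

// $account is now in the shape the rest of codoforum's client.php expects:
// uid 0 and empty strings mean "not logged in", a populated array means logged in.
```

If the site's config gives the session a custom name (the `session` component's `sessionName`), bootstrapping Yii this way picks it up automatically, which a hand-written session_start() in client.php would not.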
I have been trying to implement WordPress login with just the user ID.
Here is my code, but it does not work. The code does not log the user in.
// check if user has an account...
// get_user_by() returns a WP_User object on success and false on failure
$details = get_user_by( "email", $user->emailAddress );
//check user if not empty...
if ( $details != null ) {
    // create the auth cookie and log the user in...
    // (must run before any output, because the cookie is sent as a header)
    wp_set_current_user( $details->ID, $details->user_login );
    wp_set_auth_cookie( $details->ID );
    // core passes the login name and the WP_User object to this action, not the ID
    do_action( 'wp_login', $details->user_login, $details );
    //redirect to homepage and stop, so nothing after the redirect runs...
    wp_safe_redirect( site_url() );
    exit;
}
Well, the documentation states that the function get_user_by() returns false on failure and a user object on success, but in your code you are checking for NULL, so perhaps you can try this:
if (is_object($details)) {
//your code
}
or
if ($details != false) {
//your code
}
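An added example, not the asker's code or the answer's: the programmatic login wrapped in a function with the checks a practitioner wants around it, an explicit `instanceof WP_User` test instead of a comparison with null or false, the `wp_login` action fired with the arguments core uses, and the caveat that it must run before any output because the auth cookie is a header. The function name is an assumption; `emailAddress` is the field from the question.

```php
<?php
/**
 * Log in the WordPress user whose e-mail address an external provider has
 * already verified. Returns the WP_User that is now logged in, or null when
 * no account matches (get_user_by() returns false in that case).
 * Call before any output: wp_set_auth_cookie() sends Set-Cookie headers.
 */
function example_login_by_verified_email( $email ) {
    if ( ! is_string( $email ) || '' === $email ) {
        return null;
    }
    $user = get_user_by( 'email', $email );
    if ( ! ( $user instanceof WP_User ) ) {
        return null;
    }
    wp_set_current_user( $user->ID, $user->user_login );
    wp_set_auth_cookie( $user->ID, false );   // false: session cookie, not "remember me"
    // Core fires this action with (user_login, WP_User); plugins hooked on it
    // (login limiters, last-login trackers) rely on exactly those arguments.
    do_action( 'wp_login', $user->user_login, $user );
    return $user;
}

// Usage in the callback that receives the provider's response; $external_user
// is whatever object the provider library returns (assumed), emailAddress is
// the field used in the question.
// $logged_in = example_login_by_verified_email( $external_user->emailAddress );
// if ( $logged_in ) {
//     wp_safe_redirect( home_url( '/' ) );
//     exit;
// }
```

Only call this after the provider has actually confirmed the address; an attacker who can register any e-mail address at the provider would otherwise be logged in as the WordPress account that happens to use it.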
I had to do a basic login system to protect a page, and I have no access to a database, so I store the username and password hard-coded in the PHP page.
My question is, can this login system hold against an attack? I need it to hold for about 1 month.
Any suggestions to improve it will be helpful.
The code is not in Laravel, even if it might look like it.
The username and password will be changed to something stronger, of course.
Thank you in advance.
<?php
class UserController {
    private $username;
    private $password;
    private $isLoggedIn = false;

    // Credentials (hard-coded in this file, as described in the question)
    public function credentials() {
        $credentials = array(
            array(
                "username" => "telekom",
                "password" => "1234"
            ),
            array(
                "username" => "telekom2",
                "password" => "1234"
            )
        );
        return $credentials;
    }

    // Basic login. hash_equals() compares byte by byte in constant time and
    // never applies PHP's loose == rules ("1234" == "1234.0" would be true).
    public function login() {
        $username = (string) $this->username;
        $password = (string) $this->password;
        foreach ($this->credentials() as $credential) {
            if (hash_equals($credential['username'], $username)
                && hash_equals($credential['password'], $password)) {
                // Remember only who is logged in; the password stays out of the session
                Session::put('username', $username);
                $this->isLoggedIn = true;
            }
        }
    }

    // Get login status
    public function isLoggedIn() {
        return $this->isLoggedIn;
    }

    // Logout
    public function logout() {
        // Forget the login marker (Session::all() only reads the data back, it
        // clears nothing); if the framework has a destroy/flush call, use it here
        Session::put('username', null);
        $this->isLoggedIn = false;
        redirect('/telekom/');
    }

    // Telekom
    public function telekom() {
        $form = new Form();
        if (Input::get('logout') == 1) {
            $this->logout();
        }
        // Post Data from login form
        if (Input::has('username') || Input::has('password')) {
            if (!$form->isCsrfValid()) {
                $form->errors['CSRF'] = "CSRF Token";
            } // CSRF protection is on, comment to disable
            if (empty($form->errors)) {
                $this->username = Input::get('username');
                $this->password = Input::get('password');
                // Check Login
                $this->login();
                if (!$this->isLoggedIn()) {
                    Session::put('login', 'Username and password do not match.');
                } else {
                    redirect('/telekom/');
                }
            } else {
                Session::put('login', '<p class="color-dark-red"><strong>Errors:</strong></p>
                    <p>' . $form->displayErrors($form->errors) . '</p>');
            }
        // Logged in earlier in this session: the marker is server-side, so it can
        // be trusted and the password does not have to be re-checked on every request
        } elseif (Session::get('username', false)) {
            $this->username = Session::get('username', false);
            $this->isLoggedIn = true;
        }
    }
}// EOF Class User

// Outside class
$user = new UserController();
// handle login/logout requests and restore the session state before asking
$user->telekom();
if (!$user->isLoggedIn()) {
    // display login form
} else {
    // display protected content
}
?>
My comments are getting lengthy, so I'll just move them here. I would not recommend you put the username and password in the same file. If PHP ever fails to process the page, it will be dumped as plain text to the user. Even for database connections (where the un/pwd almost have to be stored plain text), most people don't put the information in the same file.
You have a couple of options:
Make a separate PHP file that sets your UN/PWD variables, put it somewhere that isn't accessible from outside your server, and include it in index.php. In this case, I wouldn't include the file until right when you're going to compare the variables and let the local scope dump it as soon as possible.
Since this is such basic authentication, you could use Apache's built in password authentication module.
In my opinion, this solution is safe enough when you don't plan to use it forever.
What I would check is the configuration of your web server: some text editors make backup copies of edited files, like index.php~, index.php.bkp or so. Make sure your web server does not serve those files, if any.
The problem with temporary solutions is that they're never temporary.
Never hard code passwords. Some of the reasons are:
It is harder to keep source code secret than it is a key.
Any vulnerabilities in your site that allow reading of source code may reveal the password.
Passwords from development will end up in production.
It is impossible to change passwords without redeploying.
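The two answers above, the separate file outside the web root and the "never hard-code the password" rule, combined into working code. This is an added example, not the poster's class: the credential file holds password_hash() output instead of the plain text, lives where the web server cannot serve it, and is loaded only for the comparison; check_login() uses password_verify() and keeps its timing the same for unknown usernames and wrong passwords. The path is an assumption, and the demonstration store at the bottom is constructed for the example.

```php
<?php
// Credential store outside the document root (assumed location). Its content
// is a PHP file returning username => bcrypt hash; generate each hash once with
//   php -r 'echo password_hash("the real password", PASSWORD_DEFAULT), PHP_EOL;'
// and paste it, so the plain-text password never appears in any file:
//
//   <?php
//   return [
//       'telekom'  => '$2y$10$...',
//       'telekom2' => '$2y$10$...',
//   ];
const CREDENTIALS_FILE = '/var/www/private/credentials.php';

/**
 * True only if $username is in the store and $password matches its hash.
 * The store is loaded inside this function so the array goes out of scope as
 * soon as the check is done (the separate-file advice from the answer above).
 */
function check_login($username, $password, $file = CREDENTIALS_FILE)
{
    if (!is_string($username) || !is_string($password) || !is_readable($file)) {
        return false;
    }
    $store = include $file;
    if (!is_array($store)) {
        return false;
    }

    // Walk the whole store with a constant-time name comparison and always run
    // password_verify() exactly once, so an unknown username costs the same
    // time as a wrong password and the response time does not reveal which
    // usernames exist.
    $hash  = dummy_hash();
    $found = false;
    foreach ($store as $name => $storedHash) {
        if (hash_equals((string) $name, $username)) {
            $hash  = (string) $storedHash;
            $found = true;
        }
    }
    return password_verify($password, $hash) && $found;
}

/** A valid bcrypt hash of a random value for the "user not found" path, computed once per process. */
function dummy_hash()
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Self-contained demonstration: writes a temporary store (constructed here;
 * the real one is written once by hand) and runs the three interesting cases.
 */
function demo()
{
    $file  = tempnam(sys_get_temp_dir(), 'cred');
    $store = ['telekom' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    file_put_contents($file, '<?php return ' . var_export($store, true) . ';');
    $results = [
        'right password'   => check_login('telekom', 'correct horse battery', $file),
        'wrong password'   => check_login('telekom', '1234', $file),
        'unknown username' => check_login('nobody', 'correct horse battery', $file),
    ];
    unlink($file);
    return $results;
}

var_dump(demo());
```

Rotating a password is then editing one line in a file the deployment never ships, and a source-disclosure bug in the page itself (the failed-to-process case from the first answer, or an editor backup copy from the second) reveals a bcrypt hash at worst, not a password. Keeping editor backups such as index.php~ from being served is still a web-server setting; this only takes the secrets out of the files it could expose.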
Is this function good for a quick login function with only one user?
// $session must be passed by reference, e.g. auth($_POST, $_SESSION); passed by
// value the function only fills a copy and nothing survives to the next request
function auth(array $post, array &$session)
{
    if (isset($post["username"], $post["password"]) && is_string($post["username"]) && is_string($post["password"]))
    {
        $session["user"] = new stdClass();
        $session["user"]->username = $post["username"];
        $session["user"]->password = $post["password"];
    }
    if (isset($session["user"]) && is_object($session["user"]))
    {
        // hash_equals(): constant-time, strict string comparison; == would apply
        // PHP's loose comparison rules to the submitted values
        return hash_equals("admin", (string) $session["user"]->username)
            && hash_equals("test", (string) $session["user"]->password);
    }
    return false;
}
It works, but must it be improved?
Use the session to track whether the user is logged in or not. For example, in the login page, only set the username in the session if the user authenticates properly. The logout page clears it. Then your other pages can check if the username is set in the session or not. No need to store the entered password (I recommend against it).
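The advice above as working code, an added example rather than the poster's function: the session holds only who is logged in and when, the submitted password is checked and discarded, the login regenerates the session id so a session id planted before login (session fixation) never becomes an authenticated one, and logout removes the data, the cookie and the server-side record. It works on PHP's native $_SESSION directly, so nothing has to be passed in and out. The 'admin' hash is generated at start-up only so the example runs on its own; in deployment paste the stored output of password_hash() instead.

```php
<?php
session_start();

/** Credential check for the single account; replace with your own lookup. */
function verify_credentials($username, $password)
{
    static $hashes = null;
    if ($hashes === null) {
        // Demonstration only: in real use the hash is stored, the plain text is not in the code
        $hashes = ['admin' => password_hash('test', PASSWORD_DEFAULT)];
    }
    if (!is_string($username) || !is_string($password) || !isset($hashes[$username])) {
        return false;
    }
    return password_verify($password, $hashes[$username]);
}

/**
 * Login page: nothing is written to the session unless the credentials are
 * right, and the session id is regenerated on this privilege change.
 */
function login(array $post)
{
    $username = isset($post['username']) ? $post['username'] : '';
    $password = isset($post['password']) ? $post['password'] : '';
    if (!verify_credentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);   // true: the old id's record is deleted as well
    $_SESSION['user'] = ['name' => $username, 'login_at' => time()];
    return true;
}

/** What every protected page checks; no password involved. */
function is_logged_in()
{
    return isset($_SESSION['user']['name']) && is_string($_SESSION['user']['name']);
}

function current_username()
{
    return is_logged_in() ? $_SESSION['user']['name'] : null;
}

/** Logout page: clear the data, expire the cookie, destroy the server-side record. */
function logout()
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Walk-through with constructed POST data (made up for this example):
$steps = [];
$steps[] = login(['username' => 'admin', 'password' => 'wrong']) ? 'logged in' : 'rejected';
$steps[] = is_logged_in() ? 'session: logged in' : 'session: guest';
$steps[] = login(['username' => 'admin', 'password' => 'test']) ? 'logged in' : 'rejected';
$steps[] = current_username();
logout();
$steps[] = is_logged_in() ? 'session: logged in' : 'session: guest';
print_r($steps);
```

A rejected login leaves the session untouched, so a wrong guess cannot put the attacker's credentials into the session the way the original function does; and because the password is never stored, a leaked session file or a session-read bug elsewhere on the site exposes a username and a timestamp, nothing reusable.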