Jump to content

How to deal with jsonapi auth / token

Recommended Posts

I try to integrate Flarum forum with PW via JSONAPI. First tests are fine (register user, create discussions, get data, ...).

To get a valide token I send the username and password as a api call. If auth was successful I'll get the uid and a token back. This token have to be renewed after 30 minutes.

To get the token I need username and (plain!) password. So how should I save the user credentials / handle the users? 

  1. Just additional fields in the user profile
  2. username, password, token and uid as array (serialized + base64 encoded)
  3. Sync PW users with the remote app (hook PW auth and send a auth request via API call -> token returned = login OK)

1 and 2 would be flexible, but user credentials are saved as plain text!

3 is a secure solution (no plain credentials needed), but PW have to use a remote user backend / auth and maybe some things could be less flexible...

Do you see any problems with that solution? Could it break features / modules?

Share this post

Link to post
Share on other sites

I'll use user backend plugins.

Default is PW users (add fields to save flarum credentials). Additional planned plugin is Flarum user backend (hook PW login and check via Flarum API call).

First tests are fine. Syntax at the moment:

Create a discussion

// create a WireArray item, type "discussions" (= api endpoint)
$res = $flarum->makeBlankItem('discussions');

$res->title = "My discussion...";
$res->content = "My demo content";

// new discussion will be created by a api call

Get discussions, filter a object by PW api and update it...

// get discussions with pager (jsonapi filter is used)
$wireArray = $flarum->discussions->get(array('filter' => 'page[size]=3'));

// just use the PW api...
$discussion = $wireArray->get('title=MyTitle');

// modifiy the object
$discussion->title = "New title...";

// save to Flarum...

Delete a user

// delete a user by known id...

// get users...
$flarumUsers = $flarum->users->get();  // all users

// get one user by ID | username
$flarumUser = $flarum->users->get(array('id' => $userId); // by userId
$flarumUser = $flarum->users->get(array('id' => 'MyUsername'); // by username

// delete a user object

Share this post

Link to post
Share on other sites

Hi @MadeMyDay,

I haven't finished the module because of some problems with api auth / token  of the used flarum version. 

On 4.1.2016 at 10:31 PM, pwFoo said:

To get a valide token I send the username and password as a api call. If auth was successful I'll get the uid and a token back. This token have to be renewed after 30 minutes.

To get the token I need username and (plain!) password.

Maybe it's easier with a current flarum version, but I haven't looked into it for a long time...

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By benbyf
      HELLO! Anyone ever used Authy.com or Google authenticator on they processwire projects?
    • By pwFoo
      At the moment I do some tests with a jsonapi and wrote a simple client before I found the WireHttp module:
      jsonapi needs also PATCH (edit, update) and DELETE method. I opened an issue at github for that. Maybe Ryan could add these two methods.
        WireHttp isn't hookable. That was my second feature request, because it would be great to hook into the module to check response and renew the api token if needed.  patch() and delete() could be added as hook or by extend the WireHttp class, but added as native feature would be great.
      Anyone use the WireHttp class? I wrote a simple module to handle api requests before I found the WireHttp class. Would you recommend to switch to the WireHttp or use a custom json api module (based on file_get_contents() for example)?
    • By Mike Rockett
      Got home to some strange behaviour on one of my development sites - not able to login.
      I have seen this: processwire.com/talk/topic/4011-cannot-login-to-admin-area/
      But nothing there works. If I try changing the password, still can't sign in.
      Using SessionHandlerDatabase, and have cleared those caches too. Could that module be an issue in 2.5.25? I am running another few local sites on that version, but am not experiencing the same issue.
      Nothing in any error logs anywhere. Login form doesn't show any errors either.
      Wondering if the installation in question has gone all bonkers on me...
      Update: I also have the Forgot Password module enabled. Interestingly, when I click on it, it just shows the normal login form... Isn't it supposed to just show email? The URL does include ?forgot=1...
    • By GuruMeditation
      Thought some of you might find this interesting. Free and open source, and they will be providing migration scripts.

    • By Jennifer S
      I am stuck. Seven days ago, something changed such that when users try to upload images to my PW site, the images are posted to the page, but they show up as zero bytes. The folder is created in the files folder, the image name is recorded, the type of file is recorded, but the byte size is zero. 
      When I looked into the problem this morning, I received the "This request was aborted because it appears to be forged." message whenever I tried to upload images. Turning off protectCSRF in the config file suppresses the aborted image message and now I just get the zero-byte image bug, but I don't know why.
      I've checked permissions on the files directory, changed it recursively to 777 and then back to 755 with no change. I checked that I have active sessions, logs, and cache folders. I checked on the permissions of the config.php file. I changed the sessionName, and turned off the challenge and fingerprint functions but nothing is budging. 
      I installed a new PW site yesterday and so I keep thinking something is colliding but it looks like the images have been failing to write to the files directory for the last week.
      I'm getting the same results in multiple browsers after any number of cache-clears so I don't think it is client-side. 
      This is a look at the PHPinfo for the site.
      Best wishes,
  • Create New...