Jump to content
anttila

App password to ProcessWire

By anttila, in General Support

Recommended Posts

anttila    28

anttila
Posted

We are developing an App that sends data over the Internet to ProcessWire (POST/JSON). We want password to be protected somehow when sending it, but I should be able to compare it to PW's passwords. We were thinking of using md5 encryption, but PW uses different encryption.

How can I be sure that user has active account when they use the App?

Share this post

Link to post
Share on other sites

gebeer    1,107

gebeer
Posted

You might want to have a look at my REST API tutorial.

It implements basic HTML authentication which is a standard that is quite secure when used over SSL.
If you use that appoach, then you need to to send base64-encoded credentials (username:password) when your App authenticates with PW.
Then on the PW side you need to decode those into username and password. See how this is done in the Rest Helper php
Then do the login attempt with $session->login('username', 'password'); to see whether the credentials are valid.

 

 

 

  • Like 3
  • Thanks 1

Share this post

Link to post
Share on other sites

anttila    28

anttila
Posted

They don't actually login to the website when they use the API - I just need to know if the password is correct and send confirmation or false. Although, I could use $session->login to check if the credentials are valid. Thanks for help, I'll look into it.

  • Like 1

Share this post

Link to post
Share on other sites

BitPoet    2,428

BitPoet
Posted
2 hours ago, anttila said:

Although, I could use $session->login to check if the credentials are valid.

Do that. Rely on the built-in mechanisms for user authentication and authorization as much as you can, and you have already eliminated three quarters of the security pitfalls of writing a client app. Let your app deal with regular http status codes like 401 instead of custom status messages and you have another ten percent.

:)

  • Like 2

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • Lewis Newson
      Password field without confirmation
      By Lewis Newson
      Hi All,
      Im working on streamlining my email sending setup for SMTP. I have a page where the user of the website can input the SMTP host, port, connection type email and password etc but the password field has an additional box underneath it for 'Confirming' it as if it were a new password. The placeholder text also says 'New Password' but I want to be able to change that. I just need an input field where they can enter their SMTP password without it being plain text.
      Thanks for your help!
    • Tyssen
      Login problems
      By Tyssen
      I have a client who is reporting that in the last couple of days they can no longer login to their site with their normal browser (Chrome). Using another browser or an incognito window works.
      I've tried logging into the site using the same login details in my usual browser (Firefox) and have had no problems.
      The site is a membership site and today other members are reporting the same problem.
      The site is running 3.0.148 and has the session handler DB and login throttle modules installed. It was recently upgraded to 3.x from 2.x. But no changes have been made to the site between the time when they were able to login OK and when the problem started happening.
    • Robin S
      Password Generator
      By Robin S
      Password Generator
      Adds a password generator to InputfieldPassword.

       
      Usage
      Install the Password Generator module.
      Now any InputfieldPassword has a password generation feature. The settings for the generator are taken automatically from the settings* of the password field.
      *Settings not supported by the generator:
      Complexify: but generated passwords should still satisfy complexify settings in the recommended range. Banned words: but the generated passwords are random strings so actual words are unlikely to occur.  
      https://modules.processwire.com/modules/password-generator/
      https://github.com/Toutouwai/PasswordGenerator
    • AndZyk
      Clear password before encryption
      By AndZyk
      Hello,
      can somebody tell me, if it is possible to get the clear password of an InputfieldPassword inside a module, before it is encrypted?
      I have made a custom module which sets the password of an Auth0User after the hook publishReady with a random generated password. When I try to get a clear password from a InputfieldPassword in this hook, it is of course already encrypted (which is of course good). But is there a hook before the encryption, so I could get it one time to send it to Auth0?
      If there is not such thing, could be another possibility to add a jQuery script to get the value directly from the DOM and save it somewhere temporarily?
      I know this might be an unusual question, but I would appreciate any feedback. 
      Regards, Andreas
×
×
  • Create New...