PHP and WordPress Single Sign On (SSO) with optional JWT Addon

stmorales23

maicol07 Thank you so much for your help! I've successfully added the maicol07/flarum-ext-sso repository, however when I attempted using the login function on my main website to log me into Flarum, nothing happens. However now, I can't seem to sign in to Flarum at all. This wasn't occurring earlier so I don't know if I should attribute it to the changes I made on my main website now and my attempted login.

maicol07

stmorales23 I don't know... paste your composer.json to see if you have added correctly the repo

dartrax

Hi!
1) Let's say I have an admin account in flarum with username "a" and an admin account in wordpress with username "a". When I try to log into wordpress after enabling the extension, I get the error:

Fatal error: Uncaught TypeError: Argument 1 passed to Maicol07\SSO\Flarum::setCookie() must be of the type string, null given, called in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php on line 160 and defined in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php:331

I could solve it by renaming username "a" in flarum database, but it would be better to have a nicer error message ;-)

2) I did not manage to successfull log in yet. Can you please confirm that my dev setup could work or are this two different domains which would prevent saving the cookie?
Wordpress url: http://localhost/wp_pub/
Flarum url: http://localhost/flarum/

Thank you for this great plugin! =)

maicol07

dartrax
1) I think this is related to the minimum length of Flarum username (minimum 3 characters). I will definitely look after this 👍️
2) Yes, your setup is correct. Check the configs, along with instructions in the docs

dartrax

maicol07 Thanks for looking into it.
1) I'll report via the bugtracker once I've got my config right. If a bug remains, I'll report it.
2) I've tested with firefox now, I still do not get the flarum_remember cookie.

[Edit]: I had one successfull login. That was when I altered the admin user name dartrax to dartrax_ (only in flarum database). I get the flarum_remember cookie and a new user dartrax is added. This only worked once and only with this user, not with the test user(s). If I do not alter the admin user name, I get the fatal error from dartrax.

So, this should prove that some settings must be correct. The problem must be somewhere else, I'll have to investigate further tomorrow.

However, [End Edit]
can we please check some settings:
2.1) I do not use SSL on localhost. So I use this settings:

Enable SSO: x
Flarum URL: http://localhost/flarum
Root Domain: http://localhost/wp_pub
API Key: pvpwertrottusnvoqektbpcvrokwziwcjlsewtqu (random string, same as in database)
Password Token: cxvcllfubixcpfwivdewhdjnwzejagfehejzvgwq (random string)
Token Lifetime: 14
PRO features key:
Insecure mode: x

2.2) Wordpress Main settings:

WordPress-Adresse (URL): http://localhost/wp_pub
Website-Adresse (URL): http://localhost/wp_pub

2.3) Flarum Database:
Server: 127.0.0.1 »Database: cu-traxelalexander01_fl_3rux8 »Table: sd38so_api_keys
1 Record with:

key: pvpwertrottusnvoqektbpcvrokwziwcjlsewtqu
id: 1
user_id: 1

Server: 127.0.0.1 »Database: cu-traxelalexander01_fl_3rux8 »Table: sd38so_users
2 Records: 1st is admin:

id: 1
username: dartrax_ (I had to add the underscore in the table, otherwise I get the Fatal Error from dartrax when I try to login as Admin. Could this be the problem now?)
email: (my Email from flarum settings)

The 2nd record is added automatically when I login as admin:

id: 2
username: dartrax
email: (my Administrator Email from Wordpress settings)

My testuser does not get added. Why?

dartrax

maicol07 I've changed the admin pw via wordpress > edit my profile > generate password (insert user defined password) > update profile. I only check the database to see if something has changed.
The admin passwords are the same and admin can be logged in into flarum via wordpress - alright.
As soon as I change admin password in wordpress, login is broken with this dartrax fatal error.

I've checked my two testusers against the rules:
testuser #1 has a password of length 6 and the Mail is not unique, so that would not pass the flarum user validator.
testuser #2 has a dot (.) in its username so that would also not pass the flarum user validator. The Email is unique but disposable.

I've changed the password of testuser #1 to have 8 characters and I changed the Email in Wordpress.

When I try to log in with that user, I do get a new user added in the flarum user database table. So I think this is one step forward. But I get this error:

Fatal error: Uncaught GuzzleHttp\Exception\ServerException: Server error:POST http://localhost/flarum/api/usersresulted in a500 Internal Server Errorresponse: {"errors":[{"status":"500","code":"unknown"}]} in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\guzzle\src\Exception\RequestException.php:113 Stack trace: #0 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\guzzle\src\Middleware.php(65): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Psr7\Request), Object(GuzzleHttp\Psr7\Response)) #1 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\promises\src\Promise.php(203): GuzzleHttp\Middleware::GuzzleHttp\{closure}(Object(GuzzleHttp\Psr7\Response)) #2 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\promises\src\Promise.php(156): GuzzleHttp\Promise\Promise::callHandler(1, Object(GuzzleHttp\Psr7\Response), Array) #3 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\promises\src\TaskQueue.ph in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\vendor\guzzlehttp\guzzle\src\Exception\RequestException.php on line 113

After that, on wordpress and flarum, nobody is logged in.
I tried again, and - yey!! - testuser #2 is logged into flarum!
This only works if I use the Username for log in. If I use the Email for log in, testuser #2 is only logged into Wordpress, not into flarum, no flarum_remember cookie.

I've created a testuser #3 via wordpress backend with a unique email, username and password that match the flarums rules. It has the role "Subscriber". When I try to log in into flarum, the first time the same Exception occurs. When I reload the page with the exception, user is correctly logged in into flarum.

When I change password of testuser #3 via wordpress backend or frontend (no matter where), this user cannot login into flarum or wordpress by using his username, getting the following error. If I use the email for login, he will login into wordpress without error, but not into flarum (no flarum_remember cookie):

Fatal error: Uncaught TypeError: Argument 1 passed to Maicol07\SSO\Flarum::setCookie() must be of the type string, null given, called in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php on line 160 and defined in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php:331 Stack trace: #0 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php(160): Maicol07\SSO\Flarum->setCookie(NULL, 1596632685) #1 C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\sso-flarum.php(197): Maicol07\SSO\Flarum->login('testuser', 'ebay@xxxxxxx.de', '91433b63fbd9fb3...', NULL) #2 C:\xampp\htdocs\wp_pub\wp-includes\class-wp-hook.php(287): flarum_sso_login(Object(WP_User), 'testuser', '12345678') #3 C:\xampp\htdocs\wp_pub\wp-includes\plugin.php(206): WP_Hook->apply_filters(Object(WP_User), Array) #4 C:\xampp\htdocs\wp_pub\wp-includes\pluggable.php(539): apply_filters('authenticate', NULL, 'testuser', '12345678') #5 C:\xampp\htdocs\wp_pub\wp-includes\user.php(95): wp_authentic in C:\xampp\htdocs\wp_pub\wp-content\plugins\sso-flarum\includes\src\Flarum.php on line 331

(btw, with this error message the user's password '12345678' is saved in clear text into the logs... I'm no security expert, could this be an issue?)

This seems to be related:

lubos-h Another issue I found is when $token is null (invalid user name and password):
Uncaught TypeError: Argument 1 passed to Maicol07\SSO\Flarum::setCookie() must be of the type string, null given, called in ...\Forum.php on line 162

When I change the email of testuser #3 via wordpress frontend, log in with username still works, but the message, that a confirmation mail was sent, still shows the old mail address, not the new one. Also, in the flarum database users table, the email is still the old one.

This is a huge step forward. Now I want to debug the exception. How to do this?

So, because I'm loosing track of all my problems, here's a list:

Admin pw needs to be the same on wordpress and flarum. This should be documented.
Username, PW and Email must match flarums rules. How do we handle users that have symbols in their usernames or too short passwords? (Does disposable email matter?)
The Exception at first login should be resolved.
The Exception after password change should be resolved.
When the Email changes, it should change in flarum, too.
LogIn should work with Email and PW, not only with Username and PW.

I could create bug reports for those issues in your bugtracker, if you like 😉

dartrax

Thanks for the fast reply!
1) has actually 7 characters (that you may guess quite easily now) - it was just a (bad) example.
2) I‘ll check that again tomorrow. User gets added to flarum database but not logged in. Root domain has to be set to "http://localhost/" or "http://localhost/wp_pub/"?

maicol07

dartrax
1) Will test and see what causes it. If you want you can add this to the bug tracker to organise better all the work
2) The first one

dartrax

1) I tried, but the bug tracker does not let me in 😅 Either getting "OAuth 2.0 Error - Invalid Request. Please try again or contact your administrator." or Cloudflare states "Web server is returning an unknown error" or "Origin is unreachable". I will try again later - and not "log in with github".

2) Thanks, I set "http://localhost/" as root domain. But I can't get this to work. I've read your Docs again and checked every instruction. I'd be happy if you could give me some hint how to debug this. I have a new useraccount in wordpress and I login into that account with wordpress.
I have 5 wordpress cookies then:

PHPSESSID
wordpress_4f1ea.......
wordpress_4f1ea.......
wordpress_logged_in_4f1ea.......
wordpress_test_cookie

When I reload the flarum site after that, I have 2 cookies:

PHPSESSID
flarum_session

What am I missing?

maicol07

dartrax
1) Problem solved. There was a network error.
2) Try only localhost. The flarum_remember cookie is missing, this is the one that let you login to Flarum

dartrax

1) I tried to sign up instead of log in with github now, but upon submitting my data, Cloudflare says "origin does not respond". I tried a second time, now:
HTTP ERROR 500 Request failed.
URI: /hub/api/rest/oauth2/interactive/register
STATUS: 500
MESSAGE: Request failed.
SERVLET: MainServlet
Powered by Jetty:// 9.4.26.v20200117
But, one of those two attempts must have been successfull because I can log in into the bugtracker now.

2) So I have set the parameters like this:

Flarum URL: http://localhost/flarum
Root URL: localhost

It's like dartrax again. No error, no flarum_remember-cookie.
What should I try next? Chrome tootips the cookies with Cookies used by frames from http://localhost so I tried that as root, too, but no change. http://127.0.0.1/ also does not work.

dartrax

1) Seems that I can "trigger" this network error by clicking on the github logo on the trackers login/register page. Cloudflare says "Error 524 • 2020-07-15 12:30:16 UTC A timeout occurred" and "For some reason the login request was rejected. Probably the server is too busy. Please try again a little bit later."
I'll just try to register next time, github login seems not be working right now.

2) So I set "localhost" as domain and "localhost/flarum" as flarum url. Now I get this message after logging in with wordpress:
Client error:POST localhost/flarum/api/localhost/flarum/api/tokenresulted in a404 Not Foundresponse: {"errors":[{"status":"404","code":"not_found"}]}

maicol07

dartrax
1) Very strange... 🤔 I will check what causes this issue
2) Try to keep the protocol in the Flarum URL, while root domain doesn't change

maicol07

dartrax
1) I've found out that my VPS disconnects itself from the network... I'll try to fix it
2) I will perform some tests about this case with XAMPP and I'll get back to you soon!

maicol07

dartrax
1) Problem should be solved
2) I've tested it with 2 values for root domain: localhost and https://localhost/<wp_dir>. The two tests were successful. So I don't know what's wrong with your enviroment. Try first the two values above, then try maybe with another browser (I used Firefox). If that doesn't work you can try on a different server

maicol07

dartrax I think the error is related to your password. Maybe your password on WP isn't the same as Flarum?

dartrax

I‘m away from home atm, but password manager on my mobile says they are different... 😬
I‘ll try with same password later. May be that‘s the cause of it all...

maicol07

dartrax The extension works only with the same password. There is a system where your password is automatically changed on Flarum when a user change it on WP

dartrax

Hi,
I‘ve changed the admin password in wp to match the admin password in flarum as I could not find a way to change it in flarum.
When I change it back in wp to the old value, the pw in flarum does not change. So I‘ll leave it to the flarum pw for now to have them the same.
I can login as admin now, but the testusers still do not work. (not logged in, no flarum remenber cookie) When a testuser logs in, a new row should appear in flarums user database table, right? (doesn‘t as of now)
Are there any restrictions (pw length / special chars, email, username etc) that may apply to flarum but not to wp?

maicol07

dartrax You should change it via the WordPress feature, not in the database.
These are the rules of Flarum about users credentials:

Username:
- No symbols except - and _
- Min. length: 3
- Max. length: 30
- Unique in the DB
Email:
- Unique in the DB
Password:
- Min. length: 8

Grabbed from https://github.com/flarum/core/blob/eaac78650ffa0cf23321fcf624172bc1bd202036/src/User/UserValidator.php#L40

maicol07

dartrax I agree with you, although I didn't know WP allows the login with email. I have some thoughts about how to solve the errors but I'll get a deeper look into the code as soon as possible. If you can report them to the tracker, feel free to add them! 😉
About the exception: I think it's related to the not allowed email login

« Previous Page Next Page »