Authentication with Flarum server in android application

ravi99

I am developing a mobile application and planning to integrate Flarum as a discussion forum.
Now the main issue where we are stuck is authenticating the user and maintaining the session.

On many threads I got following approach :-

1) Request for token from /API/token
2) Set remember_flarum cookie to that token.

Could anyone please provide me simple steps to follow for authentication.
I have local server where Flarum is to be setup
I am integrating flarum into my android application

clarkwinkelmann

ravi99 there are no official instructions for that at this time.

If your app is a native app and not a webview, you can request a token with the user credentials, then use that token in every API request to Flarum.

If your app is a webview, you will have to either hit the /login endpoint to get a session cookie, or use the remember cookie with a token to start a session on the next request automatically.

hanilkathuria

clarkwinkelmann Can you tell me the request headers and parameters to pass in the request to /login endpoint? Although, I have checked it through the Network tab. But, when I try to perform the same request through Postman, I am receiving 400 Bad Request. I guess this is because of the X-CSRF token that I am passing in header, it is duplicate. Can you help me here on how to get a positive response from it?

ravi99

Hey... my app is a web view. Could you please elaborate on that further... I mean from the point where new user registers himself.

clarkwinkelmann

ravi99 I'm not familiar with webviews. Can't the register/login forms of Flarum be used from inside the webview ?

ravi99

Okay. Not an issue. Could you please connect me with someone who knows it and could guide me further on this.

clarkwinkelmann

hanilkathuria does the body of the 400 response contains anything?

If it says invalid CSRF token, then you need a find a way to first fetch the token somehow.

hanilkathuria

clarkwinkelmann It returns me a html page with text "You have been inactive for too long. Go back, to try again".

clarkwinkelmann

hanilkathuria oh right now I remember the error message is different on those endpoints. But it's essentially the same, the CSRF token you passed is invalid.

I'm not really sure what you have so far and what you are trying to do. Can you explain what you are trying to implement? Even the original post in this discussion doesn't go into deep details so it's impossible to tell if your situation is exactly the same or not.

The easier for a kind of login-to-webview or "global login from external app" implementation is usually to request a token through the /tokens API endpoint, then use that token to start a session via the "remember me" cookie.

I think that by default /tokens is still CSRF-protected, but the protection can be disabled via our extenders or by creating a proxy script that will call that endpoint with an API Key.