Integrating Flarum in mobile app

hanilkathuria

Hi, I am developing a mobile application in which I have to integrate discussion forums. And, I am using flarum for that.
My requirement is like when the user logs in into my mobile app, he/she will automatically be logged in into the flarum i.e, no need to show the user that he/she is using another software.
And, for that I have done the following steps:

When a user creates a new account on the app, I call the /api/users api of flarum to create a new account for the user on the flarum.
When an existing user logs in into the app, I call the /api/token api of flarum to create a token for the user, set the
flarum_remember={token} as cookie and redirect the user to my forum.
The user is able to see his/her profile. But, since I am new to development, I just want to confirm that whether the proccess I am doing is right and whether it is secure enough?
If not, please enlighten me with the necessary steps.
Also, How can I get my user logged out of flarum when he/she logs out of the app because I am not able to find any api which can log the user out or revoke his/her token.
Thanks in advance for the help.

clarkwinkelmann

hanilkathuria if you got it working that way, it looks good enough! The remember cookie method is the only method that doesn't require adding new code to Flarum for third-party login.

You can hit the logout endpoint of Flarum to destroy the active cookie session.

However you're correct that a token cannot be revoked. This is a known issue and will be addressed in a future update There's also a second related issue causing tokens to never expire flarum/core2075

hanilkathuria

clarkwinkelmann

My requirement for logout is like if the user logs out from the mobile app. He/She will automatically be logged out from the flarum without them knowing. But using the logout endpoint with flarum_remember token(/logout?token={flarum_remember}), it is returning me with HTML page asking "Are you sure you want to logout". While, I require an endpoint which will destroy the user session directly without confirming.

Also, I have noticed that if I press yes on the confirming html page, the logout endpoint destroys all the active sessions for the user, which is, I guess is not right because the same user can be logged in into the flarum at a time with different devices. And, this will create problems on other devices.

Can you suggest me something about this?

clarkwinkelmann

hanilkathuria I don't think there's any solution out of the box. Flarum uses CSRF tokens, which is what it expects as part of the logout request. The token can only be obtained by requesting a page first. You could use an extension to add an endpoint that allows logging out by passing a session token.

Looking at the code I see we delete all tokens, but not the cookie sessions. So with the web client this just means logging out of the remembered sessions and not the active sessions https://github.com/flarum/core/blob/master/src/Forum/Controller/LogOutController.php#L108 This is probably something I will change in flarum/core2074 once we add a new "log out from everywhere" button in the settings.

hanilkathuria

clarkwinkelmann What do you mean by remembered sessions and active sessions here?

clarkwinkelmann

hanilkathuria right now it's a bit confusing and I'm hoping to ship some changes in a coming release.

Right now "user tokens" can be used either as a way to start a cookie session, or directly as an authentication header. There is no way to revoke a specific token. (And there's also a known security issue where tokens don't expire flarum/core2075)

Logging out is a feature that destroys a cookie session, but it also deletes all the "user token" belonging to the user. It's currently the only way to delete "user tokens" natively.

If you want to invalidate a specific "user token" only, you'll need to wait until Flarum implements that feature (this is part of the PR I shared above) or create an extension to add it.

A remember session is actually just an additional cookie containing a "user token", and Flarum will start a new cookie session with that token if no user is currently authenticated in the current cookie session.

A limitation of Flarum right now is that deleting a "user token" won't automatically invalidate the cookie sessions that were started with it. This will change with the PR.

If you want to use Flarum's native logout endpoint from an embedded browser, you'll need to use the native logout button from within the embedded browser, or find a way to read the CSRF token from the page's header in order to use it as part of the logout payload.

I hope this clarifies things.