How I implemented "Cross Authentication" with Flarum

AbhishekSagar

I had an existing website with already existing users and an auth system in place. I wanted to integrate Flarum without having my users feel like a separate account is being used for discussions. I have seen a lot of threads where people have been asking this as a feature. This thread is to help those newbies. All the things are pretty basic but the value comes from having the complete flow documented in one place. P.S. this was done in a 2 days time by a total newb so the approach may not be perfect but it works for me.

So, I had 3 components to work with here a) my slim framework based php webapp b) my api server and c) the flarum app itself. These are the steps I followed:

Generate a root api token to be used for calling create user api of flarum.
a) generate a 40 characters random string
b) add it in the api_keys table of flarum.
Create a route in my api server for getting a flarum user token. A GET on this route does following things:
a) Hits "/api/token" endpoint with the username/password of flarum. If successful, we are done, o/w follow the next steps. Note that you can also pass a "lifetime" key for token's validity.
b) Hits "/api/users" endpoint with the root api key created in step 1. Need to set the "Authorization" header as "Token <your_api_key>; userId=1". I also set the avatarUrl in this step itself. You can choose anything for the password field. I chose a base64 encoding of the creation time unix timestamp of the user.
c) Now, that the user is created, hit the "/api/token" again to get the token for this user.
Once we got the token we set a cookie "flarum_remember" with the lifetime requested in step 2. Now, in my php webapp I have the following logic in a prehook(which runs before every route request):
a) If my user is logged in and "flarum_remember" cookie is set, we are all done.
b) If my user is logged out, unset the flarum_remember cookie too
c) When the user logs out of my site, unset the "flarum_remember" cookie too.
d) If my user is logged in but "flarum_remember" cookie is not set, we call our api server to get the user token as in step 2.
Last step, write an extension to update flarum's view to remove separate login/signup
a) Update the logIn and signUp items from HeaderSecondary to point to my site's login url (with proper redirection logic) instead of opening the modal
b) remove the "account" item from the SettingsPage

TODO:
1. When a user changes their profile picture in my site, call flarum's user update api to udpate the avatarUrl. I haven't done that part yet but it is fairly trivial to do

kaiserlos

Thank you very very much.

martiboy

On signing in with your site and trying to logout with flarum, it seems to throw a token mismatch error. How can you solve this?

Thaonguyenvan89

At the main site how I can set a cookie "flarum_remember" for Flarum.

ryanvade

Thaonguyenvan89 Get the user token and set it like any other cookie.

vijeetgv

Thanks for the process. Is there an assumption here that flarum server & the main app server are in same domain? What if we want to show the flarum logged in another domain? (because we can't set the cookie/session in another domain from app in one, unless the other app does that for the first one)

Is there a way to directly login a user with a user specific token in GET params? The api allows creation of users, but what about their 'authentication'/impersonation?

pwFoo

Any example how to login to flarum with remember / cookie from the parent / cms site by php?

lupyo

Somebody can give me a example of tuto for create GET or POST request to an api ? We use "Socket_connect" for PHP right ?
Edit : or with Curl ?

luceos

lupyo I've created a very simple API client that does not cover everything Flarum can do, but it is an API client in essence:

https://github.com/flagrow/flarum-api-client/blob/master/src/Client.php

woganmay

I've had to go through this exercise myself, and I've documented every step - creating new users, authenticating, pushing avatars across, and modifying Flarum's navigation to send users back to your main site.

https://wogan.blog/2017/02/12/integrating-laravel-and-flarum/

XiaozhouSong

woganmay Hi Thanks for your great tutorial. I am really new to PHP, and there are things that I didn't really understand. I am still not too sure where I should implement the coding, Is it should be in dispatch(new \App\Jobs\SyncUserToForum($user))? for create the user or active the user...and why we need $generated_password?
Do you have an example of code so I could get more idea about it please?
Thanks a lot!!!

OpenStudioOne

woganmay I tried to follow your tutorial is great for the authentication and the registration process! Well done!

The problem come when I need to login, because once I get to the auth.php?token=12345 page, this is the message I get;

The page you requested could not be found.

Anyone had the same problem and managed to solve? 😁

wuethrich

I've built a simple extension which implements this workflow.

@AbhishekSagar Thanks for give me the idea how to implement SSO.

AbhishekSagar

wuethrich good job with the extension.

ctml

OpenStudioOne if your website is built on PHP I recommend using the PHP plugin / sso extension here. The extension is installed on flarum normally, then you include the PHP plugin on your site and add a few lines in your existing auth function.

juligabani

Hello @AbhishekSagar , your solution is work ! Thanks. I have one issue is my project is a multi tenancy project. and each tenant is work on different domain. so can I set token cookie from different domain to my flarum domain ?

Thanks!

hynsey

I'm trying to implement something for this between my .net Core web site, and the flarum app.
site url: example.com
flarum: forum.example.com

Would anyone be able to diagram the workflow in such a way:

- Flarum

user opens site - clicks login
Navigates to my site
-My site
Executes login successfully
<Does it make an API call to some endpoint now for setting login cookie on flarum?>

etc.
etc.

Would appreciate a little more clarity on the process if possible. Thanks!