Web Url token login

BillyS_

Hello, is it possible to login using a token via the url?

I am developing a mobile application, I receive a token by entering the e-mail/pass of the person via API and I want to use this token for automatic login in webview.

BillyS_

do you have any idea?

Method:Get;
www.my-site.com?token=adawdad12456

If I run the above https request in postman, it logs in. status:200

but when I want to do this in webview, I use it in the header tag, but I can't get any results.

clarkwinkelmann

It's definitely possible, but I'm not sure you will find a ready-to-use example.

"Remember me" session tokens can be created via the API and set in a cookie to perform login, but they can't be passed as query string parameters without extra code.

For a more advanced example you could see how my Passwordless extension create a custom login token, sends it by email and allows connecting via a URL that contains that token https://github.com/clarkwinkelmann/flarum-ext-passwordless For security reasons I am not re-using Flarum session tokens directly. By using a separate token for login I can control the expiration of those tokens separately from the actual session expiration, as well as revoke any unused login token when a new one is requested.

BillyS_

clarkwinkelmann

First of all, thank you for the plugin. This plugin does what I want but can you provide an api for it?

For example, if I send the username and password as a post, if it returns me the login link or code, I can easily use it in the mobile app and webview.

clarkwinkelmann

BillyS_ you should be able to re-use the API endpoint of the extension. You can take a look in the browser network tab under development tools to see the format of the request. If I remember correctly a POST request is made to /api/passwordless-request when Passwordless is enabled, and I think the payload is formatted similarly to the regular login payload from Flarum.

But hitting the API will just cause the email to be sent. You will probably want to modify the logic for your use case. Also my extension never validates password since the whole point is that email serves as the authentication factor.

You can see the source code for the controller here https://github.com/clarkwinkelmann/flarum-ext-passwordless/blob/master/src/Controllers/RequestTokenController.php

If you control the webview, you should be able to set cookies and you wouldn't need anything else than native Flarum API. You can directly create and set the remember cookie?

BillyS_

clarkwinkelmann

Thanks,

I canceled the mail sending by editing the RequestTokenController.php file. In addition, the password is entered in the API request, in this way, I create a token by taking both mail and password information.