User Attribute changes (Password/Username) via API?

GorchPortley

The issue

Hello! I am trying to finish off my SSO system in my laravel based website. I am able to create users and log in using remember cookies however i need to implement the rest of the authentication functions like update password and update email/username.

Here is how i am currently handling user login which creates a user if they don't exist, gets the token and sends a POST to forum/login and sets a cookie (but im more focused on the create user, i feel like since this deals with user attributes, the solution would be most like that:

<?php
namespace App\Listeners;

use Illuminate\Auth\Events\Login;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\Response;

class UserLoggedIn
{
    public function handle(Login $event)
    {
        $this->createUser($event);
    
        $token = $this->getToken($event);
        
        if ($token) {
            $lifetime = 60 * 24 * 14;
            $this->loginUser($token, $event);
            Cookie::queue('flarum_remember', $token, $lifetime, '/forum');
            Log::info('Set Flarum cookie with token: ' . substr($token, 0, 10) . '...');
        } else {
            Log::error('Failed to set Flarum cookie - no token available');
        }
    }

    public function loginUser($token, Login $event)
    {
        $user = $event->user;
        $response = Http::withHeaders([
            'Authorization' => 'Token ' . $token . '; userId=1'
        ])->post('http://127.0.0.1:80/forum/login', [
            'identification' => $user->email,
            'password' => $user->password,
        ]);
        return $response->json();
    }

    public function createUser(Login $event)
    {
        $user = $event->user;
        $response = Http::withHeaders([
            'Content-Type' => 'application/json',
            'Authorization' => 'Token ' . env('API_KEY') . '; userId=1'
        ])->post('http://127.0.0.1:80/forum/api/users', [
            'data' => [
                'type' => 'users',
                'attributes' => [
                    'username' => $user->username,
                    'email' => $user->email,
                    'password' => $user->password
                ]
        ]
                ]);
        return $response->json();
    }

    public function getToken(Login $event){
        $user = $event->user;
        $tokenResponse = Http::post('http://127.0.0.1:80/forum/api/token', [
            'identification' => $user->email,
            'password' => $user->password,
            'lifetime' => 60 * 24 * 14,
            'remember' => 1
        ]);
        if ($tokenResponse->successful()) {
            $responseData = $tokenResponse->json();
            $token = $responseData['token'] ?? null;
            return $token;
        }
        
    }

}

My question is, what would be a good route to handle user attribute updates between my two systems? I have tried the maicol07 plugin with limited success (it was very inconsistent) however these API and POST calls that i am making myself seem to work every time, so i'd like to continue this path, im just not sure where to go from here, since the password reset option currently is via email, i was unable to inspect how a password change works fully.

Any help wuold be appreciated!

Flarum information

Post your output of php flarum info here. Without this information providing support will take longer!

Flarum core: 1.8.10
PHP version: 8.3.19
MySQL version: 8.0.41
Loaded extensions: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, readline, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, bcmath, exif, gd, intl, pcntl, pdo_mysql, redis, sodium, zip
+----------------------------------+---------+--------+
| Flarum Extensions | | |
+----------------------------------+---------+--------+
| ID | Version | Commit |
+----------------------------------+---------+--------+
| flarum-flags | v1.8.2 | |
| flarum-approval | v1.8.2 | |
| flarum-tags | v1.8.4 | |
| justoverclock-keywords | 2.0.1 | |
| isaced-email-verification-switch | 1.0.1 | |
| fof-links | 1.3.0 | |
| fof-default-user-preferences | 1.2.1 | |
| flarum-suspend | v1.8.4 | |
| flarum-subscriptions | v1.8.1 | |
| flarum-sticky | v1.8.2 | |
| flarum-statistics | v1.8.1 | |
| flarum-pusher | v1.8.1 | |
| flarum-mentions | v1.8.5 | |
| flarum-markdown | v1.8.1 | |
| flarum-lock | v1.8.2 | |
| flarum-likes | v1.8.1 | |
| flarum-lang-english | v1.8.0 | |
| flarum-emoji | v1.8.1 | |
| flarum-embed | v1.8.0 | |
| flarum-bbcode | v1.8.0 | |
| dem13n-topic-starter-label | 0.1.8 | |
+----------------------------------+---------+--------+
Base URL: http://127.0.0.1/forum
Installation path: /var/www/html/SDLabs/public/forum
Queue driver: sync
Session driver: file
Mail driver: smtp
Debug mode: off

clarkwinkelmann

If you handle the login from your main application, you probably shouldn't use the Flarum password system at all. Just set the password to a random value when creating the account in the background, and never change it.

The following attributes and extensions can be useful if you are building a custom implementation:

Pass isEmailConfirmed: true attribute when creating a user so skip the email verification logic.

Readonly Profile extension allows you to block every edit on the Flarum side, so you can force all edits to be done on your main app, and you have confidence you only need a one-way sync from the main app to Flarum and nothing in the other direction.

More Editable User Attributes extension lets you edit the join date and avatar.