Monday, September 5, 2016

Logging into a website using PHPAuth/PHPAuth via Chrome Extension


I have developed a Chrome Extension which calls some APIs on my website, which in turn uses PHPAuth/PHPAuth for authentication. Basically, I have the user enter the Username and Password for the website as an Extension Option and I call a Login API on my website as follows.

    <?php
    // Setup (added for completeness; the question omits it): PHPAuth needs a PDO
    // handle and a Config object. The DSN and credentials below are placeholders.
    require_once __DIR__ . '/vendor/autoload.php';
    $dbh = new PDO('mysql:host=localhost;dbname=YOUR_DB', 'YOUR_USER', 'YOUR_PASSWORD');
    $authConfig = new PHPAuth\Config($dbh);
    $auth = new PHPAuth\Auth($dbh, $authConfig);

    if (isset($_POST['email']) && isset($_POST['password'])) {
        $email = $_POST['email'];
        $password = $_POST['password'];

        // Request already carries a valid PHPAuth session cookie: just report the user id.
        if ($auth->isLogged()) {
            $userId = $auth->getSessionUID($_COOKIE[$authConfig->cookie_name]);
            echo json_encode([
                'userId' => $userId,
            ]);
            die();
        }

        // Third argument is "remember me": PHPAuth sets a long-lived session cookie.
        $login = $auth->login($email, $password, true);

        if ($login['error']) {
            die($login['message']);
        } else {
            $userId = $auth->getSessionUID($login['hash']);
            echo json_encode([
                'userId' => $userId,
            ]);
            die();
        }
    } else {
        die('Error');
    }

This works to temporarily consider the user authenticated, but does not actually log the user into the website. In other words, when I open a password protected page via an iFrame, it shows me the User Login form.

Can someone tell me what I am doing wrong, or a better way to go about what I need?

Basically, I am saving the user the need to keep logging in every time and open protected pages, once he is made to log in.

1 Answer

Check if manifest.json does contain your website URL and all required subdomains, for example:

    "permissions": [
      "http://example.com/",
      "http://*.example.com/",
      "https://example.com/",
      "https://*.example.com/"
    ],

Also, you can communicate with the website in a bit different way, for example:

  • The first time you log in to your website, it could return a token which you can store in the browser local storage and on the server side against the user.

  • This token should then be sent from the extension along with each request to your website.

  • On the website side you should check if this token exists; if it belongs to the right user; and if it didn't expire. If it is correct, then perform the action requested by the user.

And to be honest, much more secure would be to use OAuth 2.0, which is more secure than username / password authentication within the extension context.
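A concrete version of the token scheme the answer outlines, as an added example (not code from the question, the answer or the PHPAuth project): the server mints a random token after a PHPAuth login, stores only its hash against the user together with an expiry, and on later requests checks that the presented token exists, belongs to the claimed user and has not expired. It assumes a PDO handle `$dbh`, a `PHPAuth\Auth` instance `$auth` and an `api_tokens` table, all hypothetical names.

```php
<?php
// Added example: bearer-token layer for the extension on top of PHPAuth.
// Assumed (hypothetical): $dbh is a PDO handle, $auth a PHPAuth\Auth instance, and
// a table api_tokens(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires INT).
const TOKEN_TTL = 30 * 24 * 3600;   // token lifetime in seconds (30 days)

// Mint a token after a successful login. Only its SHA-256 hash is stored, so a
// leaked api_tokens table does not hand out usable tokens.
function issueToken(PDO $dbh, int $userId): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $stmt = $dbh->prepare(
        'INSERT INTO api_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL]);
    return $token;   // returned once; the extension keeps it in chrome.storage
}

// The three checks from the answer: token exists, belongs to the claimed user,
// and has not expired. Expired rows are deleted so they cannot linger.
function checkToken(PDO $dbh, string $token, int $claimedUserId): bool {
    $hash = hash('sha256', $token);
    $stmt = $dbh->prepare('SELECT user_id, expires FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // unknown token
    }
    if ((int)$row['expires'] < time()) {
        $dbh->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([$hash]);
        return false;                                   // expired
    }
    return (int)$row['user_id'] === $claimedUserId;     // wrong user -> reject
}

header('Content-Type: application/json');
// Login endpoint: PHPAuth verifies the password, then a token is handed out.
if (isset($_POST['email'], $_POST['password'])) {
    $login = $auth->login($_POST['email'], $_POST['password']);
    if ($login['error']) {
        http_response_code(401);
        die(json_encode(['error' => $login['message']]));
    }
    $userId = (int)$auth->getSessionUID($login['hash']);
    die(json_encode(['userId' => $userId, 'token' => issueToken($dbh, $userId)]));
}
// Protected endpoint: the extension sends "Authorization: Bearer <token>" plus its userId.
$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
$token = preg_match('/^Bearer\s+([0-9a-f]{64})$/', $hdr, $m) ? $m[1] : '';
if ($token === '' || !checkToken($dbh, $token, (int)($_POST['userId'] ?? 0))) {
    http_response_code(401);
    die(json_encode(['error' => 'invalid or expired token']));
}
echo json_encode(['userId' => (int)$_POST['userId'], 'status' => 'ok']);
```

Both endpoints are shown in one file only for brevity; in a real deployment the login and the protected actions live in separate scripts that share the two functions.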
