
Creating persistent connection between Converse JS and Openfire Server

Using

  • Converse JS v0.9.5 as web frontend for messenger
  • Openfire XMPP Server v3.10.2 as messenger's backend
  • Web application itself is written in PHP.

For now, Openfire and the website have separate databases, but they are synchronized.

What I want to achieve is:

When a user signs in to the website, Converse JS must also log in and create a persistent connection with the Openfire XMPP Server for the whole user session, until the user logs out.

What I've found

Googled a lot and researched on both Converse JS and Openfire websites.

I read that there is a prebind property and Single Session Support for Converse JS, which allow achieving what I want. They also provide a PHP library example for the website.

What I've done

The initial script for Converse JS looks like this:

converse.initialize({
    bosh_service_url: 'https://bind.example.com',
    keepalive: true,
    jid: '[email protected]',
    authentication: 'prebind',
    prebind_url: 'http://example.com/api/prebind',
    allow_logout: false
});

As far as I understand, the whole process goes like below:


  1. Sends jid to prebind_url, which is http://example.com/api/prebind (take a look at the configuration properties above)
  2. The PHP backend receives jid (which is the username). To authenticate against the XMPP server, the password and login must be in plain text format. Converse JS, as far as I know, to keep the user logged in to the messenger, may send a request to http://example.com/api/prebind pretty much every time it needs (jid, sid, rid). So, from the PHP side, plain text authentication is required to be ready every time.
  3. The PHP backend gets results from the XMPP Server (jid, sid, rid) using the PHP library
  4. Returns jid, sid, rid as JSON

So question is

Confusion starts in the 2nd step: should I save the user's XMPP password and login in plain text format in PHP sessions because of XMPP authentication? Or am I getting it wrong and there is a more secure way to achieve it?

And in the 3rd step, while testing with a working username and password, I get an "Invalid challenge response received" error. Is there any working library for authenticating from PHP?

demonoid asked Nov 09 '22 06:11


1 Answer

Confusion starts in the 2nd step: should I save the user's XMPP password and login in plain text format in PHP sessions because of XMPP authentication? Or am I getting it wrong and there is a more secure way to achieve it?

You need some way to authenticate against the XMPP server. One way is to store the username and password in plaintext and to use those to log in. There are obvious drawbacks to this.

Another way is to let the XMPP server in turn authenticate against some external service (so-called external authentication). Often, you'll want this external service to be your own backend application.

So for example, you can send the JID and a special generated token as password to the XMPP server. The XMPP server then uses external authentication to call some other webservice (for example your webapp) to check whether that JID and token are valid.

Each time you authenticate, you generate a new token. This way you don't need to store any password at all, but you'll need to keep track of (and invalidate) the temporary tokens.

Here are some examples of external authentication scripts for ejabberd: https://www.ejabberd.im/extauth

And in the 3rd step, while testing with a working username and password, I get an "Invalid challenge response received" error. Is there any working library for authenticating from PHP?

As far as I know, the library linked to from the converse.js docs works. It's used by various people.

JC Brand answered Nov 14 '22 23:11
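
The token scheme described in the answer above, sketched in PHP as an added example (not part of the original answer, and not code from converse.js or Openfire). The class name, method names, the 60-second lifetime and the JID are assumptions, and the in-memory array stands in for storage shared between the prebind endpoint and the endpoint that the XMPP server's external authentication calls.

```php
<?php
declare(strict_types=1);
// Added example, hypothetical names; the array stands in for shared storage.
final class XmppTokenStore
{
    /** @var array<string, array{hash: string, expires: int}> keyed by JID */
    private array $tokens = [];
    private int $ttlSeconds;

    public function __construct(int $ttlSeconds = 60)
    {
        $this->ttlSeconds = $ttlSeconds;
    }

    // Prebind endpoint: call after the PHP session has identified the user.
    public function issue(string $jid, ?int $now = null): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
        $this->tokens[$jid] = [
            'hash'    => hash('sha256', $token), // keep only a digest at rest
            'expires' => ($now ?? time()) + $this->ttlSeconds,
        ];
        return $token; // sent to the XMPP server in place of a password
    }

    // Verification endpoint: the XMPP server asks whether JID + token are valid.
    public function verify(string $jid, string $token, ?int $now = null): bool
    {
        $entry = $this->tokens[$jid] ?? null;
        if ($entry === null) {
            return false; // nothing outstanding for this JID
        }
        if (($now ?? time()) > $entry['expires']) {
            unset($this->tokens[$jid]); // expired: drop it
            return false;
        }
        if (!hash_equals($entry['hash'], hash('sha256', $token))) {
            return false; // wrong token; the pending one stays usable
        }
        unset($this->tokens[$jid]); // consume on success so it cannot be replayed
        return true;
    }
}

// Constructed run with a made-up JID and fixed clock values.
$store = new XmppTokenStore(60);
$token = $store->issue('alice@example.com', 1000);
var_dump($store->verify('alice@example.com', $token, 1030)); // first use, within lifetime
var_dump($store->verify('alice@example.com', $token, 1031)); // replay of the same token
```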