 

How to fully integrate XMPP on a web site with registered users

We have a social networking site where people have contacts and we want it to be integrated with XMPP. We currently use ejabberd XMPP server.

Here are my questions:

  1. How to properly create an account? Right now, what I'm thinking is on user registration on our web app, we'd call a script that would execute an ejabberd command to create a user.

  2. User authentication. Upon user login on our website, the user would be automatically logged in on the chat system. How do you do this on the client side with strophe.js? As I understand, you need to provide JID and password for authentication, so I'm thinking that on login, there would be an ajax call to get user's password, then use the response text on strophe.js' login call. Is this secure? Are there other ways to do this?

  3. Presence registration. Our web app has a contacts system, but XMPP has its own way of adding contacts through presence subscription, right? Example: When user1 tries to add user2, an authorization would be asked of user2 before user1 can be a contact of user2. But since we already have a contacts system on our web app, we want to bypass this authorization of XMPP or suppress it and just authorize with a script/command when user2 confirms user1 as a contact on our web site. It's not clear to me yet but a colleague said this is possible with ejabberd's module mod_admin_extra (a command that will create a subscription without having to do client-side authorization). Is it possible or do I have to manipulate the ejabberd database manually with a script (provided I transferred from the default Mnesia db to another db, say MySQL)?

Thanks in advance.

putolaruan asked Sep 27 '10 04:09




2 Answers

We (superfeedr) have a similar web app where XMPP is part of the application.

The choice we made is to not replicate the user data across both the web app storage and the XMPP server. You can build your own authentication mechanism using the web app's data store with ejabberd, it's pretty easy. This way, you only have 1 single place where user data is stored and don't have to create ejabberd users.

By doing this, you can also log in your users on the web app without knowing their password or even storing it in clear :) . The easy way is to do the session authentication (via BOSH) on the server and pass on the session id to the HTML response, as described here, by @metajack.

The 3rd part might be the trickiest, but I'm actually quite sure you can bypass this and not use the built-in "rosters"... however it may involve creating your very own component (internal or external).

Julien Genestoux answered Sep 23 '22 08:09


Alright, here's what we did:

1) Instead of custom authentication/external authentication, we create user accounts on XMPP after a user registers.

2) The answer to this one is session attachment as Julien pointed out. We created a PHP script that would create the session and return the session ID and RID. It is called through AJAX on login of the user (after the document is ready).

3) As I said in a comment on Julien's post, we used mod_admin_extra. We coupled it with mod_rest (which allows you to send stanzas/run commands REST style) to create the rosters. There is an *add_rosteritem* command on mod_admin_extra that gets called every time users create contacts on our web site.

putolaruan answered Sep 22 '22 08:09
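
The browser side of the session attachment both answers describe, as an added example that is not code from either answer: it validates what the server-side prebind script returns and hands it to strophe.js, so the XMPP password never reaches the page. The response shape, the `/xmpp/prebind` and `/http-bind` paths, the SID character set and the function names are assumptions made for illustration.

```javascript
// Added example. Assumed response: {"jid": "...", "sid": "...", "rid": 123},
// where rid is the next unused request ID of the session the server opened.
const MAX_RID = Number.MAX_SAFE_INTEGER; // RIDs must stay within 2^53 - 1

function parsePrebind(body, expectedBareJid) {
  const data = JSON.parse(body);
  if (data === null || typeof data !== 'object') throw new Error('not a JSON object');
  // Fail closed if the endpoint ever starts returning the XMPP password.
  if ('password' in data) throw new Error('prebind response must not carry a password');
  const { jid, sid, rid } = data;
  if (typeof jid !== 'string' || typeof sid !== 'string') {
    throw new Error('jid and sid must be strings');
  }
  // Require a full JID (user@domain/resource) whose bare part is the
  // account the web session is logged in as.
  const slash = jid.indexOf('/');
  if (slash < 1 || slash === jid.length - 1 || jid.slice(0, slash) !== expectedBareJid) {
    throw new Error('jid does not belong to the logged-in user');
  }
  // The SID is an opaque token; this character set is an assumption.
  if (!/^[A-Za-z0-9._:-]{8,128}$/.test(sid)) throw new Error('malformed sid');
  // Leave headroom so the client can keep incrementing the RID.
  if (!Number.isSafeInteger(rid) || rid < 1 || rid >= MAX_RID) {
    throw new Error('rid out of range');
  }
  return { jid, sid, rid };
}

function attachPrebound(connection, body, expectedBareJid, onStatus) {
  const { jid, sid, rid } = parsePrebind(body, expectedBareJid);
  // Strophe's Connection.attach(jid, sid, rid, callback) resumes the
  // BOSH session that the server already authenticated.
  connection.attach(jid, sid, rid, onStatus);
  return jid;
}

// Browser usage (Strophe loaded, page and BOSH endpoint served over HTTPS):
//   const conn = new Strophe.Connection('/http-bind');
//   fetch('/xmpp/prebind', { method: 'POST', credentials: 'same-origin', cache: 'no-store' })
//     .then((r) => r.text())
//     .then((body) => attachPrebound(conn, body, 'user1@example.com', (status) => {
//       if (status === Strophe.Status.ATTACHED) conn.send($pres());
//     }));
```

The SID and RID together act as a bearer credential for the chat session, so the prebind response should be issued only to the authenticated web session and kept out of caches and logs.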