Logging into a website using PHPAuth/PHPAuth via Chrome Extension

I have developed a Chrome Extension which calls some APIs on my website, which in turn uses PHPAuth/PHPAuth for authentication. Basically, I have the user enter the Username and Password for the website as an Extension Option and I call a Login API on my website as follows.

if (isset($_POST['email']) && isset($_POST['password'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];

    // Already logged in: return the user id tied to the current session cookie.
    if ($auth->isLogged()) {
        $userId = $auth->getSessionUID($_COOKIE[$authConfig->cookie_name]);
        echo json_encode([
            'userId' => $userId,
        ]);
        die();
    }

    // Otherwise attempt a login (third argument enables "remember me").
    $login = $auth->login($email, $password, true);

    if ($login['error']) {
        die($login['message']);
    } else {
        $userId = $auth->getSessionUID($login['hash']);
        echo json_encode([
            'userId' => $userId,
        ]);
        die();
    }
} else {
    die('Error');
}

This works to temporarily consider the user authenticated, but does not actually log the user into the website. In other words, when I open a password-protected page via an iFrame, it shows me the user login form.

Can someone tell me what I am doing wrong, or a better way to go about what I need?

Basically, I am saving the user the need to keep logging in every time and open protected pages, once he is made to log in.

Shahid Thaika asked Nov 09 '22 10:11
1 Answer

Check if manifest.json contains your website URL and all required subdomains, for example:

"permissions": [
  "http://example.com/",
  "http://*.example.com/",
  "https://example.com/",
  "https://*.example.com/"
],

Also, you can communicate with the website in a slightly different way, for example:

  • The first time the user logs in to your website, it could return a token which you can store in the browser's local storage and, on the server side, against the user.

  • This token should later be sent from the extension along with each request to your website.

  • On the website side you should check if this token exists, if it belongs to the right user, and that it hasn't expired. If it is correct, then perform the action requested by the user.

And to be honest, it would be much more secure to use OAuth 2.0, which is more secure than username/password authentication within an extension context.

Pawel Wodzicki answered Nov 14 '22 23:11
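A minimal implementation of the token scheme the answer describes (issue a token at login, store it server-side against the user, verify existence, owner and expiry on each request), as an added example that is not code from the question, the answer, or PHPAuth/PHPAuth. It assumes a table `api_tokens(token_hash, user_id, expires_at)` and an `Authorization: Bearer` header; the in-memory SQLite database and user id 42 are constructed sample data.

```php
<?php
// Added example: bearer-token layer for the extension-to-website API.
// Assumed schema: api_tokens(token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)

function issueToken(PDO $db, int $userId, int $ttlSeconds = 86400): string {
    // 32 random bytes, hex-encoded, is the secret the extension stores locally.
    $token = bin2hex(random_bytes(32));
    // Persist only a hash: a leaked table does not hand out usable tokens.
    $stmt = $db->prepare(
        'INSERT INTO api_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttlSeconds]);
    return $token;
}

function verifyToken(PDO $db, string $token): ?int {
    // Returns the owning user id, or null if the token is unknown or expired.
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // token does not exist
    }
    if ((int)$row['expires_at'] < time()) {
        // Expired: remove it so it cannot be presented again.
        $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([$hash]);
        return null;
    }
    // The user identity comes from the token record, never from a client-supplied id,
    // so the "belongs to the right user" check is the lookup itself.
    return (int)$row['user_id'];
}

function userIdFromRequest(PDO $db, array $headers): ?int {
    // Extension sends: Authorization: Bearer <64 hex chars>
    if (!preg_match('/^Bearer\s+([a-f0-9]{64})$/', $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    return verifyToken($db, $m[1]);
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
$token = issueToken($db, 42);
var_dump(userIdFromRequest($db, ['Authorization' => "Bearer $token"]));
var_dump(userIdFromRequest($db, ['Authorization' => 'Bearer ' . str_repeat('0', 64)]));
```

Pair this with HTTPS on the API endpoint and an explicit logout that deletes the token row; without the latter, a token stored in extension local storage remains valid until `expires_at`.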