Logging into a website using PHPAuth/PHPAuth via Chrome Extension

Question

I have developed a Chrome Extension which calls some APIs on my website, which in turn uses PHPAuth/PHPAuth for authentication. Basically, I have the user enter the Username and Password for the website as an Extension Option and I call a Login API on my website as follows.

if (isset($_POST['email']) && isset($_POST['password'])) {
                $email = $_POST['email'];
                $password = $_POST['password'];

                if($auth->isLogged()) {
                    $userId = $auth->getSessionUID($_COOKIE[$authConfig->cookie_name]);
                    echo json_encode([
                                'userId' => $userId,
                            ]);
                    die();
                }

                $login = $auth->login($email, $password, true);

                if($login['error']) {
                    die($login['message']);
                } else {
                    $userId = $auth->getSessionUID($login['hash']);
                    echo json_encode([
                                'userId' => $userId,
                            ]);
                    die();
                }
            } else {
                die('Error');
            }

This works to temporarily consider the user authenticated, but does not actually log the user into the website. In other words, when I open a password protected page via an iFrame, it shows me the User Login form.

Can someone tell me what I am doing wrong, or a better way to go about what I need.

Basically, I am saving the user the need to keep logging in every time and open protected pages, once he is made to log in.

Answer 1

Check if manifest.json does contain your website URL and all required subdomains for example

"permissions": [
  "http://example.com/",
  "http://*.example.com/",
  "https://example.com/",
  "https://*.example.com/"
],

Also, you can communicate with website in a bit different way for example:

• first time when you login to your website it could return a token which you can store in the browser local storage and on the server side against the user.

• This token should send later from the extension along with the request to your website.

• on the website side you should check if this token exists ; if it belongs to the right user ; and didn't expire. if is correct then perform requested by user action.

And to be honest much more secure would be to use OAuth_2.0 which is more secure then username / password authentication within extension context