phpBB3

This backend authenticates against the user database of a phpBB3 forum.

The code is deliberately split into two files that are independent of each other. As such, the second file, which handles the phpBB3 part of the authentication, is easily replaced and generalized to other purposes.

Warning: This code doesn't work out of the box! File paths etc. must be customized before it will work.

Code

cafu_phpbb3.class.php
<?php
/**
 * A very simple authentication backend that authenticates against (e.g.) a phpBB3 system.
 *
 * Writing a phpBB3 integration is difficult because the two most self-suggesting
 * approaches are both somewhat twisted:
 *
 *     1. We cannot simply adapt/subclass the mysql.class.php to work with phpBB3, because
 * of their special password hashing algorithm. I've only done a very quick check, but it
 * seems that the best way to check if a phpBB3 password is valid is to use phpBB3 code.
 *
 *     2. Using instead phpBB3 code inside DokuWiki code (that is, implementing an auth
 * module not via mysql.class.php, but with integrated phpBB3 code similar to [1])
 * suffers not only from plenty of name clashes (again, see [1]), but in fact seems
 * impossible since DokuWiki release 2010-11-07 "Anteater", also from [1]:  "Note that it
 * does not function any more after the merge of the requireall branch on 2010-03-12."
 *
 * To overcome these problems, our approach is to call a separate, "external" web script
 * with the username and password as parameters, then parse the returned output, which is
 * the string "ok" and the user's email address if the given username and password were
 * valid, or an HTTP 401 error response otherwise.
 *
 * The big advantage is that this cleanly separates and never mixes DokuWiki and phpBB3 code:
 * In the external script, we use phpBB3 code to check the phpBB3 password, while in this
 * file we have DokuWiki include files only. Advantages and features (also compared to [1]):
 *     - Name clashes cannot occur.
 *     - No need for tweaks and hacks of DokuWiki internals (these hacks are a nightmare,
 *       because they must be reapplied and checked anew after each DokuWiki upgrade)!
 *     - Very simple, works correctly and robustly (and is easy to debug).  ;-)
 *     - Doesn't hijack (ahm, re-use) the phpBB3 cookie, and is thus more stable, too.
 *     - It even works when the phpBB3 system is on a different host than DokuWiki.
 *     - It deliberately avoids HTTP Authentication, which doesn't work when PHP is run
 *       via CGI (see https://www.phpbb.de/community/viewtopic.php?f=93&t=201405 for details).
 *     - Doesn't offer any advanced functionality.
 *
 * [1] http://www.dokuwiki.org/tips:integrate_with_phpbb3
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Carsten Fuchs
 * @see        http://www.cafu.de
 */
 
class auth_cafu_phpbb3 extends auth_basic
{
    var $u2p_cache = array();
 
    /**
     * Constructor
     * Carry out sanity checks to ensure the object is able to operate. Set capabilities.
     */
    function auth_cafu_phpbb3()
    {
        // Just use the base class defaults, which are false for everything but logoff.
        // $this->cando['getUsers']     = true;
        // $this->cando['getUserCount'] = true;
 
        $this->success = true;
    }
 
    /**
     * Checks if the given user exists and the given plaintext password is correct.
     * @return  bool
     */
    function checkPass($user, $pass)
    {
        $http   = new DokuHTTPClient();
        $output = explode("\n", $http->get("http://www.mydomain.de/forum/auth_dokuwiki.php?u=".urlencode($user)."&p=".urlencode($pass)));
 
        if ($output[0]=="ok")
            $this->u2p_cache[$user] = $pass;
 
        return $output[0]=="ok";
    }
 
    /**
     * Return user info
     * Returns info about the given user; the result needs to contain at least these fields:
     *
     * name string  full name of the user
     * mail string  email address of the user
     * grps array   list of groups the user is in
     */
    function getUserData($user)
    {
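        // Use the password cached by checkPass() if present (isset() avoids an undefined-index
        // notice); otherwise recover it from the encrypted value stored in the session.
        $pass   = isset($this->u2p_cache[$user]) ? $this->u2p_cache[$user] : PMA_blowfish_decrypt($_SESSION[DOKU_COOKIE]['auth']['pass'], auth_cookiesalt());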
        $http   = new DokuHTTPClient();
        $output = explode("\n", $http->get("http://www.mydomain.de/forum/auth_dokuwiki.php?u=".urlencode($user)."&p=".urlencode($pass)));
 
        if ($output[0]!="ok") return false;
 
        // msg("mail: ".$output[1]);
        return array('name' => $user, 'mail' => $output[1], 'grps' => array('WikiEditors'));
    }
}
auth_dokuwiki.php
<?php
/**
 *
 * Sources:
 * [1] http://www.phpbb.de/community/viewtopic.php?f=93&t=201405
 * [2] http://wiki.phpbb.com/Using_the_phpBB3.0_DBAL
 * [3] http://php.net/manual/de/features.http-auth.php
 *
 * Unfortunately, HTTP authentication does not work at 1und1 (PHP runs as CGI, not as an Apache module):
 * [4] http://hilfe-center.1und1.de/hosting/scripte_datenbanken/php/5.html
 */
 
define('IN_PHPBB', true);
$phpbb_root_path = './';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
 
include($phpbb_root_path . 'common.' . $phpEx);
 
 
# Use request_var() instead of $_GET, see [1] and <http://wiki.phpbb.com/Request_var>.
$username=request_var('u', '');
$password=request_var('p', '');
 
# Better with "clean", see [1] and <http://wiki.phpbb.com/Utf8_clean_string>.
$sql   ="SELECT user_password, user_email FROM " . USERS_TABLE .
        " WHERE username_clean='" . $db->sql_escape(utf8_clean_string($username)) . "'";
$result=$db->sql_query($sql);
$row   =$db->sql_fetchrow($result);
 
// $row is false when no such user exists; check it before reading the stored hash.
if ($row && phpbb_check_hash($password, $row['user_password']))
{
    // Send the response in the form expected by the receiver.
    echo "ok\n";
    echo $row['user_email'];
}
else
{
    header('HTTP/1.0 401 Unauthorized');
    echo "Sorry, the username or the password was invalid.\n";
    echo "Please try again!";
}
 
?>

Live Demo

If you want to see this auth plugin in live action, we're running it at our game and graphics engine website: ForumWiki.

Discussion

Plaintext password?

It looks like the function getUserData() sends the entered password as plaintext in the URL. Could that be intercepted? Does it open a potential security hole? If so, could it be solved by encrypting before sending and then decrypting in auth_dokuwiki.php? Thanks! — Rik Blok 2011/02/15 01:09

You can replace http with https; this would make the connection secure, or you can implement the same phpbb_hash() as phpBB3 and then make a simple compare. 2012/01/06 00:00
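The transport change discussed in this thread, as an added example that is not part of the original plugin or of either post: the credentials travel in a POST body over certificate-verified HTTPS, so they stay out of URLs and web server access logs, and the reply is parsed strictly. It uses PHP streams instead of DokuHTTPClient so that it runs stand-alone; AUTH_URL is a placeholder, the function names are hypothetical, and it assumes that request_var() in auth_dokuwiki.php also reads POST parameters.

```php
<?php
// Added example, not the plugin's own code. AUTH_URL is a placeholder (assumption).
const AUTH_URL = 'https://www.mydomain.de/forum/auth_dokuwiki.php';

/** Build stream-context options that send u/p in a POST body over verified TLS. */
function build_auth_request(string $user, string $pass): array
{
    return [
        'http' => [
            'method'          => 'POST',
            'header'          => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content'         => http_build_query(['u' => $user, 'p' => $pass]),
            'timeout'         => 5,
            'follow_location' => 0,     // never replay credentials to a redirect target
            'ignore_errors'   => true,  // still return the body on a 401
        ],
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
    ];
}

/** Accept only HTTP 200 whose first line is exactly "ok" followed by a valid e-mail. */
function parse_auth_response(int $status, string $body)
{
    if ($status !== 200) return false;
    $lines = explode("\n", trim($body), 3);
    if ($lines[0] !== 'ok' || !isset($lines[1])) return false;
    $mail = filter_var(trim($lines[1]), FILTER_VALIDATE_EMAIL);
    return $mail === false ? false : ['mail' => $mail];
}

/** Perform the request; returns ['mail' => ...] on success, false otherwise. */
function remote_check(string $user, string $pass)
{
    $ctx  = stream_context_create(build_auth_request($user, $pass));
    $body = @file_get_contents(AUTH_URL, false, $ctx);
    if ($body === false || !isset($http_response_header[0])) return false;
    // The status line looks like "HTTP/1.1 200 OK".
    if (!preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) return false;
    return parse_auth_response((int)$m[1], $body);
}

// Constructed sample responses; these calls need no network access.
var_dump(parse_auth_response(200, "ok\nalice@example.org"));
var_dump(parse_auth_response(401, "Sorry, the username or the password was invalid.\n"));
var_dump(parse_auth_response(200, "Notice: something went wrong\nok\nalice@example.org"));
```

The endpoint still answers any caller that can reach it, so restricting auth_dokuwiki.php to the wiki host's address and rate-limiting it at the web server remain necessary on top of the transport change.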

Files location

Where do we put these files?
cafu_phpbb3.class.php → http://yourdomain.tld/wiki/inc/auth/

auth_dokuwiki.php → http://yourdomain.tld/forum/

— Aleksandr Selivanov 2011/03/17 20:47

Unless I'm missing something, I get: Fatal error: Call to a member function sql_query() on a non-object in /home/free/public_html/cccforum/includes/cache.php on line 51 — djSupport

Does this solution work with the current releases and latest updates for phpBB3 and DokuWiki as of 24 December 2012? — PerryRaptor

auth/cafu_phpbb3.txt · Last modified: 2012-12-24 18:21 by 69.254.130.129