
auth:cafu_phpbb3

Differences

This shows you the differences between two versions of the page.

auth:cafu_phpbb3 [2011-03-17 20:51] Aleksandr
auth:cafu_phpbb3 [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== phpBB3 ====== 
  
-This backend authenticates against the user database of a phpBB3 forum. 
- 
-The code is deliberatively split into two files that are independent of each other. 
-As such, the second file that handles the phpBB3 part of the authentication is easily replaced and generalized to other purposes. 
- 
-:!: This code doesn't work out of the box! File paths etc. must be customized before it will work. 
- 
-===== Code ===== 
- 
-<file php cafu_phpbb3.class.php> 
-<?php 
-/** 
- * A very simple authentication backend that authenticates against (e.g.) a phpBB3 system. 
- * 
- * Writing a phpBB3 integration is difficult because the two most self-suggesting 
- * approaches are both somewhat twisted: 
- * 
-     1. We cannot simply adapt/subclass the mysql.class.php to work with phpBB3, because 
- * of their special password hashing algorithm. I've only done a very quick check, but it 
- * seems that the best way to check if a phpBB3 password is valid is to use phpBB3 code. 
- * 
-     2. Using instead phpBB3 code inside DokuWiki code (that is, implementing an auth 
- * module not with via mysql.class.php, but with integrated phpBB3 code similar to [1]) 
- * suffers not only from plenty of name clashes (again, see [1]), but in fact seems 
- * impossible since DokuWiki release 2010-11-07 "Anteater", also from [1]:  "Note that it 
- * does not function any more after the merge of the requireall branch on 2010-03-12." 
- * 
- * To overcome these problems, our approach is to call a separate, "external" web script 
- * with the username and password as parameters, then parse the returned output, which is 
- * the string "ok" and the users email address if the given username and password were 
- * valid, or an HTTP 401 error response otherwise. 
- * 
- * The big advantage is that this cleanly separates and never mixes DokuWiki and phpBB3 code: 
- * In the external script, we use phpBB3 code to check the phpBB3 password, while in this 
- * file we have DokuWiki include files only. Advantages and features (also compared to [1]): 
-     - Name clashes cannot occur. 
-     - No need for tweaks and hacks of DokuWiki internals (these hacks are a nightmare, 
-       because they must be reapplied and checked anew after each DokuWiki upgrade)! 
-     - Very simple, works correctly and robust (and is easy to debug).  ;-) 
-     - Doesn't hijack (ahm, re-use) the phpBB3 cookie, and is thus more stable, too. 
-     - It even works when the phpBB3 system is on a different host than DokuWiki. 
-     - It deliberately avoids HTTP Authentication, which doesn't work when PHP is run via 
-       via CGI (see https://www.phpbb.de/community/viewtopic.php?f=93&t=201405 for details). 
-     - Doesn't offer any advanced functionality. 
- * 
- * [1] http://www.dokuwiki.org/tips:integrate_with_phpbb3 
- * 
- * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html) 
- * @author     Carsten Fuchs 
- * @see        http://www.cafu.de 
- */ 
- 
-class auth_cafu_phpbb3 extends auth_basic 
-{ 
-    var $u2p_cache = array(); 
- 
-    /** 
-     * Constructor 
-     * Carry out sanity checks to ensure the object is able to operate. Set capabilities. 
-     */ 
-    function auth_cafu_phpbb3() 
-    { 
-        // Just use the base class defaults, which are false for everything but logoff. 
-        // $this->cando['getUsers'    = true; 
-        // $this->cando['getUserCount'] = true; 
- 
-        $this->success = true; 
-    } 
- 
-    /** 
-     * Checks if the given user exists and the given plaintext password is correct. 
-     * @return  bool 
-     */ 
-    function checkPass($user, $pass) 
-    { 
-        $http   = new DokuHTTPClient(); 
-        $output = explode("\n", $http->get("http://www.mydomain.de/forum/auth_dokuwiki.php?u=".$user."&p=".$pass)); 
- 
-        if ($output[0]=="ok") 
-            $this->u2p_cache[$user] = $pass; 
- 
-        return $output[0]=="ok"; 
-    } 
- 
-    /** 
-     * Return user info 
-     * Returns info about the given user needs to contain at least these fields: 
-     * 
-     * name string  full name of the user 
-     * mail string  email address of the user 
-     * grps array   list of groups the user is in 
-     */ 
-    function getUserData($user) 
-    { 
-        $pass   = $this->u2p_cache[$user] ? $this->u2p_cache[$user] : PMA_blowfish_decrypt($_SESSION[DOKU_COOKIE]['auth']['pass'], auth_cookiesalt()); 
-        $http   = new DokuHTTPClient(); 
-        $output = explode("\n", $http->get("http://www.mydomain.de/forum/auth_dokuwiki.php?u=".$user."&p=".$pass)); 
- 
-        if ($output[0]!="ok") return false; 
- 
-        // msg("mail: ".$output[1]); 
-        return array('name' => $user, 'mail' => $output[1], 'grps' => array('WikiEditors')); 
-    } 
-} 
-</file> 
- 
-<file php auth_dokuwiki.php> 
-<?php 
-/** 
- * 
- * Quellen: 
- * [1] http://www.phpbb.de/community/viewtopic.php?f=93&t=201405 
- * [2] http://wiki.phpbb.com/Using_the_phpBB3.0_DBAL 
- * [3] http://php.net/manual/de/features.http-auth.php 
- * 
- * HTTP-Authentifizierung geht bei 1und1 leider nicht (PHP läuft als CGI, nicht als Apache Modul): 
- * [4] http://hilfe-center.1und1.de/hosting/scripte_datenbanken/php/5.html 
- * 
- */ 
- 
-define('IN_PHPBB', true); 
-$phpbb_root_path = './'; 
-$phpEx = substr(strrchr(__FILE__, '.'), 1); 
- 
-include($phpbb_root_path . 'common.' . $phpEx); 
- 
- 
-# Verwende request_var() statt $_GET, siehe [1] und <http://wiki.phpbb.com/Request_var>. 
-$username=request_var('u', ''); 
-$password=request_var('p', ''); 
- 
-# Besser mit "clean", siehe [1] und <http://wiki.phpbb.com/Utf8_clean_string>. 
-$sql   ="SELECT user_password, user_email FROM " . USERS_TABLE . 
-        " WHERE username_clean='" . $db->sql_escape(utf8_clean_string($username)) . "'"; 
-$result=$db->sql_query($sql); 
-$row   =$db->sql_fetchrow($result); 
- 
-if (phpbb_check_hash($password, $row['user_password'])) 
-{ 
-    // Sende die Antwort in der vom Empfänger erwarteten Form. 
-    echo "ok\n"; 
-    echo $row['user_email']; 
-} 
-else 
-{ 
-    header('HTTP/1.0 401 Unauthorized'); 
-    echo "Sorry, the username or the password was invalid.\n"; 
-    echo "Please try again!"; 
-} 
- 
-?> 
-</file> 
- 
- 
-===== Live Demo ====== 
- 
-If you want to see this auth plugin in live action, we're running it at our [[http://www.cafu.de|game and graphics engine website]]: 
-[[http://www.cafu.de/forum/|Forum]] <-> [[http://www.cafu.de/wiki/|Wiki]]. 
- 
- 
-===== Discussion ===== 
- 
-==== Plaintext password? ==== 
- 
-It looks like the function ''getUserData()'' sends the entered password as plaintext in the url.  Could that be intercepted?  Does it open a potential security hole?  If so, could it be solved by encrypting before sending and then decrypting in auth_dokuwiki.php?  Thanks! --- [[user>rikblok|Rik Blok]] //2011/02/15 01:09// 
- 
-==== Files location ==== 
- 
->Where do we put these files ? 
-> 
->> cafu_phpbb3.class.php -> %%http://yourdomain.tld/wiki/inc/auth/%% 
->> 
->> auth_dokuwiki.php -> %%http://yourdomain.tld/forum/%% 
->> 
->> --- [[user>Aleksandr|Aleksandr Selivanov]] //2011/03/17 20:47// 
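Review bot: In checkPass() and getUserData() the removed backend builds its request as "http://www.mydomain.de/forum/auth_dokuwiki.php?u=".$user."&p=".$pass, so the plaintext password travels in a GET query string over plain http, without URL encoding, which is the concern Rik Blok raises in the Discussion section and which was still unanswered when the page was removed. A query string is readable in transit and is normally written to web server access logs, and a password containing & or # would be cut off or misparsed. If this code is restored or reused, send both values URL-encoded in a POST body over https. Two further points in auth_dokuwiki.php: the script answers any caller with ok plus the user's email address, so it should require a shared secret or be limited to the wiki host's address, and phpbb_check_hash($password, $row['user_password']) runs without first checking that the query returned a row for the username. The revision comment says only "removed - external edit", so recording whether the removal was made for these reasons would help anyone who finds the old revision.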
auth/cafu_phpbb3.1300391488.txt.gz · Last modified: 2011-03-17 20:51 by Aleksandr

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International