Authentication of Joomla login from an external application

Question

Authentication of Joomla login from an external application

I need to check that Joomla username and password are valid from my external application. There is no need for a user to register in the system only if their account exists. How to do it?

+4

joomla joomla1.5

jax Feb 01 '10 at 12:34

source share

5 answers

You can also write an API component to use a URL to request an API and receive a JSON response, for example. http://www.domain.com/index.php?option=com_api&view=authenicateUser&user=root&password=12345&format=raw

Then you have a controller that selects this view and calls the model or helper class that has the code, as shown below. The advantage of this is that you store in the Joomla code base and make it more secure.

 function __construct() { // params $this->username = JRequest::getVar('user', ''); $this->password = JRequest::getVar('password', ''); $this->checkParameters(); } private function checkParameters() { // datatype checks if ($this->username == '') { die('ERROR: user is blank'); } if ($this->password == '') { die('ERROR: password is blank'); } } function execute() { // Get the global JAuthentication object jimport( 'joomla.user.authentication'); $auth = & JAuthentication::getInstance(); $credentials = array( 'username' => $this->username, 'password' => $this->password ); $options = array(); $response = $auth->authenticate($credentials, $options); // success return ($response->status === JAUTHENTICATE_STATUS_SUCCESS) { $response->status = true; } else { // failed $response->status = false; } echo json_encode($response); }

+3

Martin Jun 30 '11 at 10:59

source share

As @Martin's answer option, the component can return the JUser object associated with the specified credentials. In Joomla 2.5, the following component is tested:
View view.raw.php :

 defined( '_JEXEC' ) or die( 'Restricted access' ); jimport( 'joomla.application.component.view' ); class ExtauthViewLogin extends JView { function display( $tpl = null ) { $username = JRequest::getVar( 'username', 'John Doe' ); $password = JRequest::getVar( 'password', 'rattlesnake' ); jimport('joomla.user.authentication'); $app = JFactory::getApplication(); $credentials = array( "username" => $username, "password" => $password); $options = array("silent" => true); $authorized = $app->logout(null, $options); $authorized = $app->login($credentials, $options); $user = JFactory::getUser(); echo json_encode($user); } }

Pay attention to the exit before login . After a successful login, all subsequent calls with incorrect credentials will still return the user of the first call without logging out!
Also note the silent parameter. This causes the input function to return gracefully with true or false, without spawning.
controller.php :

 defined( '_JEXEC' ) or die( 'Restricted access' ); jimport( 'joomla.application.component.controller' ); class ExtauthController extends JController { function display($cachable = false, $urlparams = false) { $view = JRequest::getVar( 'view', 'login' ); $layout = JRequest::getVar( 'layout', 'default' ); $format = JRequest::getVar( 'format', 'raw' ); $view = $this->getView( $view, $format ); $view->setLayout( $layout ); $view->display(); } }

Pay attention to the raw format. This is necessary so that joomla returns pure json code instead of the entire html page.
A component can be invoked (via ajax) using url:
index.php?option=com_extauth&task=view&format=raw&username=John&password=Doe

The returned JSON object will contain NULL values for most fields if the login fails.

The full component is the simplest, based on com_hello without a model or tmpl.

+3

Erik bongers Jun 05 '13 at 10:08

source share

Your external application must have access to the joomla application database to check in the database, regardless of whether or not the user exists. To verify this, you should run some query in your external application to verify the existence of the user like this:

 $query = "select user_id from your_table where user_id = id_here"; // and more code afterwords.

0

Sarfraz Feb 01 '10 at 12:40

source share

I do not know how safe this is, but I did not want to create an API component and came up with this:

 <?php define("LOGIN_USER_DOES_NOT_EXIST", 0); define("LOGIN_USER_OK_INCORRECT_PASSWORD", 1); define("LOGIN_USER_OK_PASSWORD_OK", 2); define("LOGIN_NO_AUTH_SERVER", 3); $user = $_GET["id"]; $userpassword = $_GET["pw"]; $mysql = mysql_connect("localhost", "login", "password") or die(LOGIN_NO_AUTH_SERVER); mysql_select_db("joomladb") or die(LOGIN_NO_AUTH_SERVER); $query = "Select password FROM j25_users WHERE username='" . $user . "'"; $result = mysql_query($query) or die(LOGIN_NO_AUTH_SERVER); if (mysql_num_rows($result) != 1) { $send = LOGIN_USER_DOES_NOT_EXIST; } else { while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) { foreach ($line as $col_value) { $hashparts = explode(':', $col_value); $userhash = md5($userpassword.$hashparts[1]); if ($userhash == $hashparts[0]) $send = LOGIN_USER_OK_PASSWORD_OK; else $send = LOGIN_USER_OK_INCORRECT_PASSWORD; } } } echo $send; mysql_free_result($result); mysql_close(); ?>

The result (only one character) can be easily analyzed by any kind of application.

0

yvanvds Aug 15 '13 at 9:41

source share

Gmonc · Accepted Answer · 2010-02-03T00:55:17+0000

I assume that your external application will have access to the Joomla database and is also written in php.

I already answered a similar question about creating a user outside of joomla , you can use the same approach, but instead of calling the save method from JUser , you can use bind to check the password is correct.

Or something better : just copy and paste your own Joomla authentication mechanism after creating the "environment" outside of Joomla ! Check out JOOMLA_PATH/plugins/authentication/joomla.php :

  function onAuthenticate( $credentials, $options, &$response ){ jimport('joomla.user.helper'); // Joomla does not like blank passwords if (empty($credentials['password'])){ $response->status = JAUTHENTICATE_STATUS_FAILURE; $response->error_message = 'Empty password not allowed'; return false; } // Initialize variables $conditions = ''; // Get a database object $db =& JFactory::getDBO(); $query = 'SELECT `id`, `password`, `gid`' . ' FROM `#__users`' . ' WHERE username=' . $db->Quote( $credentials['username'] ) ; $db->setQuery( $query ); $result = $db->loadObject(); if($result){ $parts = explode( ':', $result->password ); $crypt = $parts[0]; $salt = @$parts[1]; $testcrypt = JUserHelper::getCryptedPassword($credentials['password'], $salt); if ($crypt == $testcrypt) { $user = JUser::getInstance($result->id); // Bring this in line with the rest of the system $response->email = $user->email; $response->fullname = $user->name; $response->status = JAUTHENTICATE_STATUS_SUCCESS; $response->error_message = ''; } else { $response->status = JAUTHENTICATE_STATUS_FAILURE; $response->error_message = 'Invalid password'; } } else{ $response->status = JAUTHENTICATE_STATUS_FAILURE; $response->error_message = 'User does not exist'; } }

Authentication of Joomla login from an external application

More articles: