Confirming a correct User+Pass combination via API?

Hi everyone,

I need some guidance please on logging people in to a remote web site using their existing Discourse user/pass.

I don’t think I need SSO… here’s why.

First, some background around my existing use case and why I don’t like it.

I currently have a website at https://www.example.com and it has a login button.

When a user clicks the login button they are asked to enter their existing Discourse username and email address (note: user + email, NOT a password).

I then take these two pieces of information and fire an API GET request to:

"https://mydiscourse.comm/admin/users/list/all.json?email=" + strEmail

In the headers of this API call that I make, I include the “system” user account name and the associated API key for the system user.

If an email address match is found, I compare the Username they gave me in my form to the Username returned in the API response for that given email address.

If it matches I then consider this user logged in on my site at https://www.example.com.

I built this three or four years ago and it still works fine to this day.

But…

  1. It is very confusing for a user to enter a Username + Email address combination in a login form
    – Most people always enter a user+pass
    – Despite massive instructions all over my form, people still naturally get it wrong

  2. It’s not secure
    – You only need to know the username + their email address and armed with those two (trivial) pieces of information you can log in to https://www.example.com “as them” with very little trouble

What I’d like to do is have the user click the Login button on https://www.example.com and enter their existing Discourse User + Pass (instead of user+email!).

My website at example.com would then fire a quick API request over to my Discourse, confirm the supplied user/pass combination is correct and return their existing Discourse user id.

Hope this is making sense :grimacing:

I’ve been all over the API documentation and for the life of me I can’t seem to find a simple “login” endpoint? :thinking:

I do not need or want to log people in or out of my Discourse itself, I simply need to confirm their user/pass is correct really.

Any pointers, guidance, links or advice very much welcomed :blush:

There is no API route that will return a user’s raw password, so I don’t think this approach is going to work. From your description, it sounds like you want to use Discourse as the SSO provider for your website. That could be made to work. Details about how to set that up are here: Using Discourse as a SSO provider.

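The reply above points at Discourse’s SSO provider mode (DiscourseConnect). As an added illustration, not code from this thread or from Discourse itself, here is the website side of that exchange in Python: the site signs an outbound nonce with the shared secret, and on return verifies Discourse’s HMAC-signed payload (signature and nonce) before trusting the username, email and user id it carries, instead of accepting a username+email pair as the original flow does. The secret, the forum and return URLs, and the `simulate_discourse_reply` helper are constructed placeholders for offline use.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


def _sign(secret: bytes, payload: str) -> str:
    # DiscourseConnect signs the base64 payload with HMAC-SHA256, hex encoded.
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def build_login_redirect(secret: bytes, return_url: str, forum_url: str, nonce=None):
    """Build the URL the browser is sent to (forum_url + /session/sso_provider).
    Returns (redirect_url, nonce); the caller stores the nonce in the user's session
    so it can be checked when Discourse redirects back."""
    nonce = nonce or secrets.token_hex(16)
    payload = base64.b64encode(
        urlencode({"nonce": nonce, "return_sso_url": return_url}).encode()
    ).decode()
    query = urlencode({"sso": payload, "sig": _sign(secret, payload)})
    return f"{forum_url}/session/sso_provider?{query}", nonce


def verify_sso_response(secret: bytes, sso: str, sig: str, expected_nonce: str) -> dict:
    """Validate the `sso`/`sig` query parameters Discourse appends to return_sso_url.
    Raises ValueError on a bad signature or a nonce that does not match the session."""
    # Constant-time comparison on the signature of the raw base64 payload.
    if not hmac.compare_digest(_sign(secret, sso), sig):
        raise ValueError("bad signature")
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    if not hmac.compare_digest(fields.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    # In provider mode external_id is the Discourse user id; username/email ride along.
    return fields


def simulate_discourse_reply(secret: bytes, nonce: str, external_id: str, username: str, email: str):
    """Constructed stand-in for what Discourse sends back, used only for offline testing."""
    payload = base64.b64encode(
        urlencode({"nonce": nonce, "external_id": external_id,
                   "username": username, "email": email}).encode()
    ).decode()
    return payload, _sign(secret, payload)
```

The site still never sees or checks the password; Discourse authenticates the user and the site only trusts a payload whose signature and nonce verify.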

Thanks @simon - a quick glance at that link suggests it may be exactly what I need.

I’ll get reading :nerd_face:

