Discourse Auth Proxy

(Maestro Magnifico) #1

Okay, so I have a website that doesn’t have any users on it. I don’t need them, I used phpBB users before, now I want to use Discourse users on the site. Decided to set this up now, but got lost immediately:

Is this a plugin or independent thing?
Do I have to run it manually?
Should I run it from host or from container?
And what does this mean?

At the moment only “admin” users on the sso endpoint will be allowed through.


(Sam Saffron) #2

Can you describe exactly what you are trying to do?

(Maestro Magnifico) #3

I’m trying to catch the Discourse session on example.com, when my Discourse is on forum.example.com. To be able to check the current user’s privileges, and allow moderators from Discourse to also use moderator tools on my site, for example.

If I understand correctly, this plugin (plugin?) will redirect the Discourse auth end-point to example.com, right? So if someone logs in or out, it will be Discourse -> my script -> back to Discourse. If so, then this will allow me to write my own cookie for example.com with the user’s session id, and a pair session id + user’s id in the DB. This way I will remember the user on example.com and will be able to check his privileges.

Btw, will I be able to see the user’s id when someone logs in or out? What data does Discourse send at these moments?

(Sam Saffron) #4

It’s not a plugin, it’s a proxy: instead of pointing traffic at website A you point it at the proxy, and it only lets through Discourse admins.

(Maestro Magnifico) #5

So I will be able to catch only admins’ sessions this way?) What’s the point of this “not plugin” then? @riking suggested this to me here. You should punish him for giving bad advice. :smile:

ADD: @sam, could you maybe help me with my “catching session” dilemma here? Tell @eviltrout that it is safe to pass the user’s session id via CORS, he doesn’t believe me. :sob:

(Khoa Nguyen) #6

No, passing a user session via CORS is not safe. CORS can be easily faked, and anyone can impersonate any user.

(Maestro Magnifico) #7

How? The only way to fake it is to get the user’s cookie first. And if you already have the user’s cookie, you don’t need CORS to impersonate him. This is how CORS works: only the cookie owner can send it to the server and get an answer about this cookie, as it is done here. And in addition to that, you can send it only from origins allowed on the server. So it’s very safe. It’s as safe as passing the user’s session in requests here, on meta.
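The "allowed origins" check that the last two posts argue about is easy to get wrong on the server side, so here is an added example (not code from the thread, from Discourse, or from the auth proxy) of a minimal "who am I" endpoint on forum.example.com that a page on example.com would call with `fetch(url, { credentials: 'include' })`. It contrasts a strict allow-list with the common misconfiguration of reflecting whatever `Origin` arrives, and returns identity and privilege claims rather than the session cookie value. Everything here is an assumption for illustration: the `ALLOWED_ORIGINS` list, the `_t` cookie name, the `SESSIONS` store, the request shape and the handler name.

```javascript
// Added example, not code from the thread, from Discourse or from the proxy.
// All names (ALLOWED_ORIGINS, the _t cookie, SESSIONS, handleCurrentUser) are
// assumptions made for this illustration.

const ALLOWED_ORIGINS = new Set(['https://example.com']);

// Correct: only an exact allow-listed Origin gets a credentialed CORS grant.
function corsHeadersStrict(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,       // the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true',  // lets the browser attach the cookie
    'Vary': 'Origin',                            // keep caches from mixing grants
  };
}

// Misconfiguration: reflect whatever Origin arrives. Any site the victim visits
// can then make the victim's browser send the cookie and read the answer.
function corsHeadersReflecting(origin) {
  if (!origin) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed session store: cookie value -> user record.
const SESSIONS = new Map([
  ['c0ffee', { id: 42, username: 'maestro', moderator: true, admin: false }],
]);

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Handles a hypothetical GET /session/current.json. `req` is a plain object
// { headers: { origin, cookie } } standing in for a framework request, and
// `corsPolicy` is one of the two functions above.
function handleCurrentUser(req, corsPolicy) {
  const origin = req.headers.origin;
  const cors = corsPolicy(origin);
  // Cross-origin request from an origin we do not trust: refuse before
  // touching the session at all (the browser would block the read anyway).
  if (origin !== undefined && cors === null) {
    return { status: 403, headers: {}, body: null };
  }
  const user = SESSIONS.get(parseCookies(req.headers.cookie || '')._t);
  if (!user) return { status: 401, headers: cors || {}, body: null };
  // Return identity and privilege claims, never the session cookie itself.
  return {
    status: 200,
    headers: cors || {},
    body: { id: user.id, username: user.username, moderator: user.moderator, admin: user.admin },
  };
}

// Stand-alone run: the same cookie, three different callers.
for (const [label, origin, policy] of [
  ['example.com, strict', 'https://example.com', corsHeadersStrict],
  ['evil.example, strict', 'https://evil.example', corsHeadersStrict],
  ['evil.example, reflecting', 'https://evil.example', corsHeadersReflecting],
]) {
  const res = handleCurrentUser({ headers: { origin, cookie: '_t=c0ffee' } }, policy);
  console.log(label, '->', res.status, JSON.stringify(res.body));
}
```

The run shows the point both posts are circling: with the strict policy only example.com can read the moderator flag for the cookie holder, while the reflecting policy hands the same answer to evil.example. The cookie itself never leaves the forum's domain in either case; what the allow-list controls is which pages may ask the forum about it.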