Discourse login by cookie token

LeBlanc · May 22, 2022, 10:52am

We use Discourse as our community site and we have a we have an official web site .
So, we hope that discourse can be automatically logged on after user logged on our official website .
Our official website will add a cookie when user loggin and we use cookie sharing in discourse . Discourse get authorization in cookie , and get user info to login.
The code implementation is as follows：

application_controller.rb
  before_action :check_cookie_login
  def check_cookie_login
    if !current_user && cookies[:authorization]
      external_id = get_external_id cookies[:authorization]
      cookie_log_on_user external_id
    end
  end

current_user.rb
 def cookie_log_on_user(external_id)
    sso_record = SingleSignOnRecord.find_by(external_id: external_id)
    user = sso_record.user
    log_on_user(user)
  end

default_current_user_provider.rb
 def log_off_user(session, cookie_jar)
    ……
   cookie_jar.delete('authorization')
 end

I wonder if there’s anything wrong with me doing this? Is there a better way？

michaeld · May 22, 2022, 4:04pm

This is insecure. A user could tamper with the cookie in their browser and log in as someone else.

You should use DiscourseConnect instead.

LeBlanc · May 23, 2022, 5:40am

Thanks for your suggestion. I am a newbie for Discourse . If i use DiscourseConnect instead it , should I have an web api to return a nonce that DiscourseConnect needs？

Topic		Replies	Views
Cookie Based Authentication in discourse via Plugin SSO	6	2112	September 5, 2018
How do I make discourse use my platform's autentication system? Dev	1	851	July 22, 2022
Allow my application users to login to discourse Support	1	1038	January 17, 2022
Any other way to authenticate user without redirecting to session/sso SSO	2	909	November 7, 2022
Customized login auth plugin Feature	5	5353	September 4, 2016

Discourse login by cookie token

Related Topics