Discourse login by cookie token

We use Discourse as our community site and we have a we have an official web site .
So, we hope that discourse can be automatically logged on after user logged on our official website .
Our official website will add a cookie when user loggin and we use cookie sharing in discourse . Discourse get authorization in cookie , and get user info to login.
The code implementation is as follows:

application_controller.rb
  before_action :check_cookie_login
  def check_cookie_login
    if !current_user && cookies[:authorization]
      external_id = get_external_id cookies[:authorization]
      cookie_log_on_user external_id
    end
  end
current_user.rb
 def cookie_log_on_user(external_id)
    sso_record = SingleSignOnRecord.find_by(external_id: external_id)
    user = sso_record.user
    log_on_user(user)
  end
default_current_user_provider.rb
 def log_off_user(session, cookie_jar)
    ……
   cookie_jar.delete('authorization')
 end

I wonder if there’s anything wrong with me doing this? Is there a better way?

This is insecure. A user could tamper with the cookie in their browser and log in as someone else.

You should use DiscourseConnect instead.

2 Likes

Thanks for your suggestion. I am a newbie for Discourse . If i use DiscourseConnect instead it , should I have an web api to return a nonce that DiscourseConnect needs?