From _t cookie how to get the current user id?

(Vikas Kedia) #1

I am trying to develop an app using the same DB as Discourse.

Discourse is run from:

The app is run from:

Inside the /app/ app, on the server side, I have access to the _t token.

From the _t token, how do I get the user id by querying the Postgres DB?

I know I can use SSO but that requires making a request to the client side. So I want to keep things simple and get the logged-in user’s identity by just querying the postgres DB directly from inside the app running at

In postgres table user_auth_tokens the field auth_tokens has the value “Gzfb6AV4VkGvumpIm54u6hxdBuU”

In the cookie _t the value is 35d802b49d5565441aedf58410064505

From “35d802b49d5565441aedf58410064505” how do I derive “Gzfb6AV4VkGvumpIm54u6hxdBuU” ?

I have the following hypothesis:

  1. In the DB table user_auth_tokens the field auth_tokens is storing the hashed value of the cookie _t.

  2. The hashing is being done by discourse/user_auth_token.rb at c68999e1283ea7f9bc50fe6e8df3c4ddc05b7df0 · discourse/discourse · GitHub


  3. To get the value of GlobalSetting.safe_secret_key_base from redis I will get the value of SECRET_TOKEN: > get SECRET_TOKEN

ref: discourse/global_setting.rb at a1ee61ec25d8de128faf46d765d1aeda9d880654 · discourse/discourse · GitHub

Are my hypotheses correct?

When I do sha1 for


I get


And base64digest for 1b37dbe805785641afba6a489b9e2eea1c5d06e5 is: MWIzN2RiZTgwNTc4NTY0MWFmYmE2YTQ4OWI5ZTJlZWExYzVkMDZlNQ==

Why is it not matching the value stored in the table user_auth_tokens the field auth_tokens?

(Kane York) #2

Putting aside the part where this is a Bad Idea™ because eventually Discourse will update and this will break…

Are you sure you did that last step correctly?

(Vikas Kedia) #3

Thank you. It works!!
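
Added example, not part of the thread and not Discourse's own code: it takes the SHA-1 hex digest quoted in post #1 and shows the difference between Base64-encoding the hex text and Base64-encoding the 20 raw digest bytes, which is the form that matches the stored value. The function names are hypothetical, and `hash_input` is a placeholder because the thread does not show the string that was hashed.

```ruby
require "base64"
require "digest"

# Values quoted in the thread.
HEX_DIGEST   = "1b37dbe805785641afba6a489b9e2eea1c5d06e5"
STORED_VALUE = "Gzfb6AV4VkGvumpIm54u6hxdBuU" # as quoted, without '=' padding

# The step from the question: Base64 over the 40 ASCII characters of the hex text.
def base64_of_hex_text(hex)
  Base64.strict_encode64(hex)
end

# Decode the hex text back to the 20 raw digest bytes, then Base64 those bytes.
def base64_of_raw_digest(hex)
  raise ArgumentError, "expected 40 hex characters" unless hex.match?(/\A\h{40}\z/)
  Base64.strict_encode64([hex].pack("H*"))
end

# Compare two Base64 strings while ignoring trailing '=' padding,
# since the value quoted from the table has none.
def same_hash?(a, b)
  a.sub(/=+\z/, "") == b.sub(/=+\z/, "")
end

# Digest::SHA1.base64digest yields the raw-byte form in a single call.
# hash_input is a placeholder (assumption): the thread does not show it.
def one_step_hash(hash_input)
  Digest::SHA1.base64digest(hash_input)
end

if __FILE__ == $PROGRAM_NAME
  wrong = base64_of_hex_text(HEX_DIGEST)
  right = base64_of_raw_digest(HEX_DIGEST)
  puts "hex text  -> #{wrong} (matches stored: #{same_hash?(wrong, STORED_VALUE)})"
  puts "raw bytes -> #{right} (matches stored: #{same_hash?(right, STORED_VALUE)})"
end
```

The hex-text encoding is 56 characters long because it encodes 40 bytes; a SHA-1 digest is 20 bytes, so its Base64 form is 28 characters including one `=`.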