Setting the session token '_t' on the entire domain, not just my subdomain

Matt,

Thanks for taking the time to reply. I do understand that I might be in the minority in how I plan to use Discourse.

As I am trying to lower the appearance of a separate application between the forum and my main site, I think I will have to make the modifications on my own and closely track new releases.

Even with SSO, if the user has registered at the forum (on forum.wordadoplicus.com) and is now going to the main site (wordadoplicus.com) for the first time, then, barring a cookie, I have to ask them to re-enter their credentials. I have no way of knowing who they are the very first time they come to the site.

For future reference, and for people who are looking to do the same thing, I modified /var/www/discourse/lib/auth/default_current_user_provider.rb:

  def log_on_user(user, session, cookies)
    # Issue a fresh 32-hex-character auth token if the user has none (or an old-format one)
    unless user.auth_token && user.auth_token.length == 32
      user.auth_token = SecureRandom.hex(16)
      user.save!
    end
    # Added: secure (sent over HTTPS only) and domain (taken from DISCOURSE_HOSTNAME,
    # then rewritten to the parent domain by Nginx's proxy_cookie_domain)
    cookies.permanent[TOKEN_COOKIE] = { value: user.auth_token,
                                        httponly: true,
                                        secure: true,
                                        domain: ENV["DISCOURSE_HOSTNAME"] }
    make_developer_admin(user)
    enable_bootstrap_mode(user)
    @env[CURRENT_USER_KEY] = user
  end

You can see that I added the domain attribute. This allows me to use Nginx’s proxy_cookie_domain directive to change forum.wordadoplicus.com to wordadoplicus.com as the response header makes its way back to the user (although I could have hardcoded the main domain there instead).

Additionally, as I don’t want this _t token to leak outside of https, I have added the secure flag, as per this discussion:
https://meta.discourse.org/t/secure-cookie-flag/28058/21

I think these two additions might benefit others, but I appreciate Sam’s comment (in the other thread) that this would have to be heavily tested for backward compatibility.

Thanks for all the great work, Discourse team.

daniel

3 Likes
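Added example, not from the post above or from Discourse itself: it models RFC 6265 domain matching so you can see which hosts a '_t' cookie reaches once its Domain attribute is widened from the forum host to the parent domain, and how the Secure flag restricts it to HTTPS. The host names are the post's; the cookie value and the list of sibling subdomains are constructed.

```ruby
require 'uri'

# RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it is
# identical, or when it ends with "." followed by the cookie domain.
# A leading dot on the cookie domain is ignored, as browsers do.
def domain_match?(host, cookie_domain)
  host = host.downcase
  d = cookie_domain.downcase.sub(/\A\./, '')
  return true if host == d
  host.end_with?(".#{d}")
end

# Would a browser attach this cookie to a request for url?
# The Secure flag (as added in the post) blocks it on plain http://.
def cookie_sent_to?(url, cookie_domain:, secure:)
  uri = URI.parse(url)
  return false if secure && uri.scheme != 'https'
  domain_match?(uri.host, cookie_domain)
end

# The Set-Cookie header shape the modified log_on_user produces
# (attribute set as in the post; the token value is a constructed placeholder).
def set_cookie_header(value, domain:)
  "_t=#{value}; Path=/; Domain=#{domain}; Secure; HttpOnly"
end

# Hosts that receive the token under new_domain but did not under old_domain:
# this is the extra exposure created by moving the cookie to the parent domain.
def newly_reachable(hosts, old_domain, new_domain)
  hosts.select { |h| domain_match?(h, new_domain) && !domain_match?(h, old_domain) }
end

if __FILE__ == $PROGRAM_NAME
  hosts = %w[forum.wordadoplicus.com wordadoplicus.com static.wordadoplicus.com other.com]
  puts set_cookie_header('CONSTRUCTED_TOKEN', domain: 'wordadoplicus.com')
  puts "newly reachable: #{newly_reachable(hosts, 'forum.wordadoplicus.com', 'wordadoplicus.com').join(', ')}"
end
```

Every other subdomain of wordadoplicus.com (static., cdn., anything hosted by a third party) now receives the session token, so the scope widening should be weighed against what runs on those hosts.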