Hello,
I have a running AngularJS app and use Stamplay as the backend. Discourse is running in a subfolder.
If the user logs in on the main app (JavaScript) and it’s approved by the Stamplay backend, I redirect him to the SSO.php file (with the sig, sso, userID and userName parameters), where I use the PHP helper from @cviebrock.
This works and the user is logged in to both apps (AngularJS main app and forum).
This flow is insecure, because if the user copies the sig and sso parameters from the Discourse redirect and hits the SSO.php file with these parameters + the user parameters, he can log in to the forum as any user he wants. http://example.com/SSO.php?sso=bm9uYRnNlc3Np%0Ab24lbG9naW4%3D%0A&sig=f02b4e38afb1d&userId=1234567&userName=Joe
What do you mean by signature? The verification that the credentials are correct, or the sig parameter in the posted URL?
If you refer to the sig in the URL, it’s generated by Discourse when the user clicks on the Discourse Login button.
1. The user clicks on the Discourse login button.
2. He is redirected to the SSO URL from the Discourse settings, with the sig and sso parameters appended.
3. The user fills in the login form with email and password (Angular app).
4. The Angular app sends the credentials to the Stamplay backend, and if the credentials are correct it sets a token in local storage.
5. The Angular app redirects the user to SSO.php with the sig and sso parameters.
6. SSO.php validates the sig and sso parameters with the SSO secret from the Discourse settings and redirects the user to /session/sso_login?sso=payload&sig=sig.
7. Now the user is logged in to the Angular app and Discourse.
The problem is the part where the sig and sso parameters are validated with the SSO secret. It must be done on the server side, because the SSO secret must be hidden.
I also can’t get the currently logged-in user from PHP. That’s why I have to send the userID and userEmail via URL parameters to ‘SSO.php’. It’s bad because the user can manipulate the params and log in to Discourse as any user he likes.
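The server-side round trip described in this thread, written as an added Python example rather than the PHP helper the post uses (this is not code from the post, from Discourse or from the helper). It verifies the sig that Discourse attaches to the sso payload, takes the identity from a server-side session store instead of from query parameters, and signs the response payload; the secret, the session store and the token are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed secret for the example; a real deployment reads it from server-side config only.
SSO_SECRET = b"example-sso-secret-keep-on-server"

# Constructed stand-in for the backend session store: the token the backend issued after the
# password check maps to a verified identity. This replaces the userId/userName URL parameters.
SESSION_STORE = {
    "tok-abc123": {"external_id": "1234567", "email": "joe@example.com", "username": "joe"},
}


def sign(payload_b64: str) -> str:
    """Hex HMAC-SHA256 over the base64 payload, which is how Discourse signs and checks it."""
    return hmac.new(SSO_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def verify_signed_payload(sso: str, sig: str) -> dict:
    """Reject the request unless sig matches; only then decode the sso fields."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("bad signature")
    decoded = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def build_login_redirect(sso: str, sig: str, session_token: str, discourse_url: str) -> str:
    """Server-side SSO endpoint: identity comes from the session store, never from the query string."""
    fields = verify_signed_payload(sso, sig)
    user = SESSION_STORE.get(session_token)
    if user is None:
        raise PermissionError("not logged in")
    response = {"nonce": fields["nonce"], **user}  # echo the nonce so Discourse can match the request
    response_b64 = base64.b64encode(urlencode(response).encode()).decode()
    return f"{discourse_url}/session/sso_login?" + urlencode({"sso": response_b64, "sig": sign(response_b64)})


def make_discourse_request(nonce: str) -> tuple:
    """What Discourse sends when the login button is clicked (constructed here for the round trip)."""
    query = urlencode({"nonce": nonce, "return_sso_url": "https://example.com/forum/session/sso_login"})
    payload_b64 = base64.b64encode(query.encode()).decode()
    return payload_b64, sign(payload_b64)


def verify_login_redirect(url: str) -> dict:
    """Discourse's side: check the response signature and return the asserted identity."""
    query = parse_qs(url.split("?", 1)[1])
    return verify_signed_payload(query["sso"][0], query["sig"][0])
```

With this layout the only way to log in to the forum as a given user is to hold that user's backend session token, and an altered sso or sig value is rejected before any field is read.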