6 replies to this topic

[Nils]

I would like to allow my users to log into an external site using their IPB account details. What is the best way to validate IP.Board logins (username + password) remotely?

I would have expected there to be an XML-RPC method or something like that, but I can't find anything in the documentation. Does no such method exist or is it just not documented?


(I already posted this in technical support forums, but this forum may be more appropriate)

[Mark]

The way I would do it is create a php page somewhere on your server which returns XML or JSON.

Something like:

<?php

/* Variables */
$email		= $_GET['email'];
$md5Pass	= $_GET['md5pass'];

/* Init IPB */
define( 'IPS_ENFORCE_ACCESS', TRUE );
define( 'IPB_THIS_SCRIPT', 'public' );
require_once( './initdata.php' );/*noLibHook*/
require_once( IPS_ROOT_PATH . 'sources/base/ipsRegistry.php' );/*noLibHook*/
require_once( IPS_ROOT_PATH . 'sources/base/ipsController.php' );/*noLibHook*/
$registry = ipsRegistry::instance();
$registry->init();

/* Get Member */
$member = IPSMember::load( $email, 'none', 'email' );
if ( !$member['member_id'] )
{
	echo json_encode( array( 'success' => FALSE, 'message' => 'NO_MEMBER' ) );
	exit;
}

/* Authenticate */
if ( IPSMember::authenticateMember( $member['member_id'], $md5Pass ) )
{
	echo json_encode( array( 'success' => TRUE, 'message' => '' ) );
}
else
{
	echo json_encode( array( 'success' => FALSE, 'message' => 'BAD_PASS' ) );
}

[Nils]

Thanks, I am using a slightly adapted version of that now.

One question though - does IP.Board hash the raw password or the version with entities? E.g. if my password is "<>", what exactly does IP.Board use as the md5 hash? Is it md5('<>') or md5('&lt;&gt;')?

This would make things quite a bit more complicated, since I'd have to do some otherwise unnecessary postprocessing of the string before hashing it...

[bfarber]

Funny enough, we have documentation for that.

http://community.inv...in-ipboard-r501

This article describes the characters in the password that are converted, in the event you need to do the same on your end for comparison

http://community.inv...ogin-modules-r7

[Christophe Stevens]

bfarber, that link doesnt work anymore. Can someone provide a updated link on that?

[Ryan Ashbrook]

http://www.invisionp...gin-modules-r42

[skizzerz]

Sure,

 

https://www.invision...in-ipboard-r130

and

http://www.invisionp...gin-modules-r42

 

Also, you may wish to either utilize IPB's built-in brute force prevention (see admin/sources/loginauth/login_core.php, starting around line 287 -- you might be able to make use of it without duplicating code by instantiating the internal login class and calling authenticate() on that) or restrict access to your script so that only the IP of your other application can access it. This way people cannot brute force your user's passwords, which is probably a Good Thing™.

 

EDIT: Ninja'd by Ryan Ashbrook, but I'll keep this here anyway since it includes some information I feel is important and not covered above.

Edited by skizzerz, 22 March 2013 - 10:43 AM.