Re: Admin automated login from external site

Wazzu

Hi again.

 

I'm building an external application and I need PrestaShop to automatically process an admin login from this external app.

In other words: I want my user to click a button in my app and get logged in as admin in PrestaShop.

Of course, my app stores the username and password, and can make use of the PrestaShop API.

I don't know where to start from. Any help?

P.S. I've already looked at the API docs, but I still don't know how to do it.


Thanks, hpar

One of the problems I found with this library is:

should be served from the same domain:port as PrestaShop (because of the auth cookie)

And that's exactly the problem I have: my app is on a remote server and will work with several shops, so the domain and port will never be the same as PrestaShop's :-(

For the same reason, I cannot include PrestaShop-specific files from my remote application :-( :-(

Thanks very much for your help.


This is what I've done up to now (dirty code, no verifications, etc.):

First I upload my "autologin.php" script to all my shops.

Then I submit a form from my application sending the employee's email and password:

<form method="post" action="http://www.example.com/autologin.php">
	<input type="text" name="user" value="">
	<input type="text" name="pass" value="">
	<input type="submit">
</form>

My autologin.php script will receive those POST fields and will check them against the PS database.

If the user exists and the password is correct, it will create a psAdmin cookie so you can enter the admin panel without entering user/pass:

<?php

// If the user or pass POST fields are missing or empty, die
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($user === '' || $pass === '') {
	die("Unauthorized");
}

// PrestaShop global config: defines _COOKIE_KEY_, _DB_PREFIX_, $cookie_lifetime,
// loads the Db and Cookie classes and the pSQL() escaping helper
include('config/config.inc.php');

// Search employee in database. pSQL() escapes the values so that the
// submitted email cannot alter the query (the original concatenated it raw).
$passwd = md5(_COOKIE_KEY_ . $pass);
$sql = 'SELECT * FROM '._DB_PREFIX_.'employee
WHERE email = "'.pSQL($user).'" AND passwd = "'.pSQL($passwd).'"';
$results = Db::getInstance()->ExecuteS($sql);

// If no employee found (or the query failed), die
if (!$results) {
	die("Auth failed");
}

// Get all employee data
$employee = $results[0];

// Create a new cookie with that data ($cookie_lifetime comes from config.inc.php)
$cookie = new Cookie('psAdmin', '', $cookie_lifetime);
$cookie->id_lang     = $employee['id_lang'];
$cookie->id_employee = $employee['id_employee'];
$cookie->lastname    = $employee['lastname'];
$cookie->firstname   = $employee['firstname'];
$cookie->email       = $employee['email'];
$cookie->profile     = $employee['id_profile'];
$cookie->passwd      = $passwd;
$cookie->write(); // send the cookie now instead of relying on the destructor

// Get into admin panel
echo '<script>window.location.href = "http://www.example.com/admin123";</script>';
?>

Of course, this is just a WIP, but the logic seems clear to me. What do you think?

Thanks, hpar

If you send the login/password to each of the autologin.php scripts, then there is no need for a central auth (with token/nonce as I suggested previously).

Sorry, I think I don't get you.

My "central" application creates an employee using the PS API and stores the email/passwd in its database.

Then I use those parameters to remotely generate a cookie on the shop side just before redirecting the user.

Isn't it too complicated creating a token for this situation? Anyway, I would have to "authenticate" the token instead of the user/pass, wouldn't I? So how would you use the token?

Don't forget to add CORS headers.

I know, I know, this is just a proof of concept :blush:


 

Isn't it too complicated creating a token for this situation? Anyway, I would have to "authenticate" the token instead of the user/pass, wouldn't I? So how would you use the token?

Yes, it's way more complex and probably overkill for your project.
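To make the token/nonce idea concrete for both passages above (the autologin flow that posts the employee's password to every shop, and the question of how a token would be "authenticated" instead), here is an added example. It is not code from this thread or from PrestaShop. It assumes each shop shares one secret with the central application (set out of band, for instance in a config file on both sides) and that the shop persists the nonces it has already accepted (a database table in practice; a PHP array here). The central app mints a token bound to one shop, one employee e-mail and an expiry; the shop checks the HMAC, the shop id, the expiry and the nonce, and only then looks the employee up and creates the psAdmin cookie, so the password never leaves the central application:

```php
<?php
// Added example, not the thread's or PrestaShop's code: signed, short-lived,
// single-use login tokens in place of posting the plaintext password.
// Assumed: one shared secret per shop (configured out of band) and a store of
// accepted nonces on the shop side ($seenNonces stands in for a DB table).

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): ?string
{
    $raw = base64_decode(strtr($enc, '-_', '+/'), true);
    return $raw === false ? null : $raw;
}

// Central application side: mint a token for one shop and one employee.
function mint_login_token(string $secret, string $shopId, string $email, int $now, int $ttl = 60): string
{
    $claims = [
        'shop'  => $shopId,                    // only this shop may accept it
        'email' => $email,                     // employee to log in; no password travels
        'exp'   => $now + $ttl,                // absolute expiry, seconds since epoch
        'nonce' => bin2hex(random_bytes(16)),  // 128 random bits: makes the token single-use
    ];
    $body = b64url_encode(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Shop side: returns the employee e-mail when the token is valid, otherwise
// null and a short reason in $reason.
function verify_login_token(string $token, string $secret, string $expectedShopId, int $now, array &$seenNonces, ?string &$reason = null): ?string
{
    $reason = null;
    $parts  = explode('.', $token);
    if (count($parts) !== 2) {
        $reason = 'malformed';
        return null;
    }
    [$body, $sig] = $parts;
    // Verify the MAC first, in constant time, before trusting anything in the body.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $sig)) {
        $reason = 'bad signature';
        return null;
    }
    $raw    = b64url_decode($body);
    $claims = $raw === null ? null : json_decode($raw, true);
    if (!is_array($claims) || !isset($claims['shop'], $claims['email'], $claims['exp'], $claims['nonce'])) {
        $reason = 'malformed';
        return null;
    }
    if ($claims['shop'] !== $expectedShopId) {
        $reason = 'wrong shop';
        return null;
    }
    if ((int) $claims['exp'] <= $now) {
        $reason = 'expired';
        return null;
    }
    if (isset($seenNonces[$claims['nonce']])) {
        $reason = 'replayed';
        return null;
    }
    $seenNonces[$claims['nonce']] = (int) $claims['exp'];  // remember until it expires
    return $claims['email'];
}

// Drop nonces whose tokens could no longer validate anyway (run periodically on the shop).
function prune_nonces(array &$seenNonces, int $now): void
{
    $seenNonces = array_filter($seenNonces, fn (int $exp) => $exp > $now);
}

// Demo with constructed values only: the central app mints, the shop verifies.
$secret = 'shared-secret-for-shop-42-set-out-of-band';
$seen   = [];
$now    = 1700000000;

$token    = mint_login_token($secret, 'shop-42', 'admin@example.com', $now, 60);
$tampered = substr($token, 0, -1) . (substr($token, -1) === '0' ? '1' : '0');
$cases = [
    'fresh token' => [$token, 'shop-42', $now + 5],
    'replayed'    => [$token, 'shop-42', $now + 6],
    'other shop'  => [$token, 'shop-43', $now + 5],
    'tampered'    => [$tampered, 'shop-42', $now + 5],
    'expired'     => [mint_login_token($secret, 'shop-42', 'admin@example.com', $now, 60), 'shop-42', $now + 61],
];
foreach ($cases as $case => [$t, $shop, $at]) {
    $email = verify_login_token($t, $secret, $shop, $at, $seen, $why);
    printf("%-12s -> %s\n", $case, $email ?? 'rejected (' . $why . ')');
}
prune_nonces($seen, $now + 120);
```

The demo loop accepts the first use of the fresh token and rejects the same token a second time, a token minted for another shop, a token with one altered signature character, and a token presented after its expiry. On the shop, autologin.php would read the token from the request, call verify_login_token, and only on success run the employee lookup (by the returned e-mail, escaped with pSQL) and the Cookie creation from the script earlier in the thread; the cookie-creation part is what depends on the PrestaShop version, the token part does not.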


Hi,

The solution works until version 1.7.5, but after that it no longer works; they must have implemented some security method in later versions.

Any new ideas regarding this topic?

I found a module that did something similar, but it only works up to PrestaShop 1.7.5.

https://github.com/ExpressTech/auto-login-backoffice-prestashop-module/tree/master

Edited by Soporte Pixel Innova