Wazzu Posted September 19, 2014

Hi again.

I'm building an external application and I need prestashop to automatically process admin login from this external app. In other words: I want my user to click a button in my app and get logged in as admin in prestashop.

Of course, my app stores the username and password, and can make use of prestashop API.

I don't know where to start from. Any help?

P.S. I've already looked at the API docs, but still don't know how to do it.

hpar Posted September 22, 2014 (edited)

Hi,

I've created a library for a similar need: https://github.com/hparfr/prestashopBridge

It doesn't log in as employee yet but it will be straightforward to implement it.

Wazzu Posted September 22, 2014

Thanks, hpar

One of the problems I found with this library is: it should be served from the same domain:port as Prestashop (because of the auth cookie).

And that's exactly the problem I have: my app is in a remote server and will work with several shops, so domain and port will never be the same as the prestashop ones :-(

For the same reason, I cannot include prestashop specific files from my remote application :-( :-(

Thanks very much for your help

hpar Posted September 22, 2014

Prestashop uses cookies for auth. The main limitation with cookies is that you can't create cookies for other domains. So you have to run code on each of your servers in order to get all the cookies.

Wazzu Posted September 22, 2014

Yep, that seems to be my problem :-/

I'll try to use your code in the shop servers and call it from my app server.

Thanks again.

hpar Posted September 22, 2014

The user has to call each shop directly (to get the shop's cookie). But during this call, the php code on your shop has to authenticate the user with your main server; you can use something like a token.

Wazzu Posted September 22, 2014

This is what I've done up to now (dirty code, no verifications, etc)

First I upload my "autologin.php" script to all my shops.

Then I submit a form from my application sending employee's email and password:

```html
<form method="post" action="http://www.example.com/autologin.php">
  <input type="text" name="user" value="">
  <input type="text" name="pass" value="">
  <input type="submit">
</form>
```

My autologin.php script will receive those post fields and will check them against PS database. If user exists and password is correct, then it will create a psAdmin cookie so you can enter the admin panel without entering user/pass:

```php
<?php
// If empty user or pass vars, die
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if ($user == '' || $pass == '') {
    die("Unauthorized");
}

// Prestashop global config
include('config/config.inc.php');

// Search employee in database
// pSQL() escapes the posted e-mail so it cannot break out of the quoted string
$passwd = md5(_COOKIE_KEY_ . $pass);
$sql = 'SELECT * FROM '._DB_PREFIX_.'employee WHERE email = "'.pSQL($user).'" AND passwd = "'.$passwd.'"';
$results = Db::getInstance()->ExecuteS($sql);

// If the query failed or no employee was found, die
if (!$results || !count($results)) {
    die("Auth failed");
}

// Get all employee data
$employee = $results[0];

// Create a new cookie with that data
// $cookie_lifetime was never defined in the posted script; one hour is an assumed value
$cookie_lifetime = time() + 3600;
$cookie = new Cookie('psAdmin', '', $cookie_lifetime);
$cookie->id_lang = $employee['id_lang'];
$cookie->id_employee = $employee['id_employee'];
$cookie->lastname = $employee['lastname'];
$cookie->firstname = $employee['firstname'];
$cookie->email = $employee['email'];
$cookie->profile = $employee['id_profile'];
$cookie->passwd = $passwd;

// Get into admin panel
echo '<script>window.location.href = "http://www.example.com/admin123";</script>';
?>
```

Of course, this is just a WIP, but the logic seems clear to me, what do you think?

hpar Posted September 22, 2014

If you send the login/password to each of the autologin.php then there is no need of a central auth (with token / nonce as I suggested previously).

Don't forget to add CORS headers.

Wazzu Posted September 22, 2014

Thanks, hpar

> If you send the login/password to each of the autologin.php then there is no need of a central auth (with token / nonce as I suggested previously).

Sorry, I think I don't get you.

My "central" application creates an employee using PS API and stores email/passwd in database. Then I use those parameters to remotely generate a cookie in the shop side just before redirecting the user.

Isn't it too complicated creating a token for this situation? Anyway I would have to "authenticate" the token instead of the user/pass, isn't it? So how would you use the token?

> Don't forget to add CORS headers.

I know, I know, this is just a proof of concept

hpar Posted September 22, 2014

> Isn't it too complicated creating a token for this situation? Anyway I would have to "authenticate" the token instead of the user/pass, isn't it? So how would you use the token?

Yes it's way more complex and probably overkill for your project.

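The token approach hpar suggests earlier in the thread, sketched as an added example that is not part of any post here and is not hpar's or PrestaShop's code: the central app signs a short-lived, single-use token with a secret it shares with the shop, and the shop verifies that token instead of receiving the employee's password. The names `issueToken`, `verifyToken`, `SHARED_SECRET`, `TOKEN_TTL` and all sample values are assumptions.

```php
<?php
// Added example, not code from the thread. All names and values are
// hypothetical; use a separate random secret per shop in practice.
const SHARED_SECRET = 'constructed-sample-secret';
const TOKEN_TTL = 60; // seconds a token stays valid
function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Central app: sign who is logging in, to which shop, until when, plus a nonce.
function issueToken(string $email, string $shopHost, string $secret, int $now): string
{
    $payload = b64url(json_encode([
        'sub' => $email,
        'aud' => $shopHost,
        'exp' => $now + TOKEN_TTL,
        'jti' => bin2hex(random_bytes(16)),
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// Shop side: returns the employee e-mail, or null when the token is rejected.
// $usedNonces stands in for a persistent store (database table or cache).
function verifyToken(string $token, string $shopHost, string $secret, int $now, array &$usedNonces): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(b64url(hash_hmac('sha256', $payload, $secret, true)), $mac)) {
        return null; // forged or altered token
    }
    $c = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['sub'], $c['aud'], $c['exp'], $c['jti'])) {
        return null;
    }
    if ($c['aud'] !== $shopHost || $c['exp'] < $now || isset($usedNonces[$c['jti']])) {
        return null; // issued for another shop, expired, or already used
    }
    $usedNonces[$c['jti']] = true;
    return $c['sub'];
}

$used = [];
$token = issueToken('employee@example.com', 'shop1.example.com', SHARED_SECRET, time());
var_dump(verifyToken($token, 'shop1.example.com', SHARED_SECRET, time(), $used)); // first use
var_dump(verifyToken($token, 'shop1.example.com', SHARED_SECRET, time(), $used)); // replay
```

Once `verifyToken()` returns an e-mail, the shop script would look up that employee and build the psAdmin cookie the way the autologin.php post does. The token should only travel over HTTPS, and the password never has to leave the central app.
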
Wazzu Posted September 22, 2014

Ok, that's the same image I had in mind.

In this moment, I will make it as simple as... my client will pay me xDD.

Thanks for sharing with me your point of view

Ahmad zakaria Posted March 20, 2016

the master I use the code above why it does not work, and how to add CORS header hehe. thank you

Ahmad zakaria Posted March 20, 2016

why when I run in localhost it goes well but when I run it on my domain that does not run please help me

astriti Posted December 19, 2016

doesn't work for me anybody help plss

Soporte Pixel Innova Posted May 14 (edited)

Hi,

The solution works until version 1.7.5, but after that it no longer works, they must have implemented some security method in later versions.

Any new ideas regarding this topic?

I found a module that did something similar, but it only works up to PrestaShop 1.7.5.

https://github.com/ExpressTech/auto-login-backoffice-prestashop-module/tree/master