Question

I'm building a node-webkit app that posts a sort of log entry every few minutes to my Joomla site. I am quite skeptical of storing the username/password in my app.

I found two solutions, both allowing login via URL (simple GET stuff).

  1. Simple component that handles authentication via GET
  2. API for using external Apps and Sites to communicate/login/register to a Joomla site

Both allow my local node-webkit app to login like so:

http://www.mysite.com/index.php?option=com_test&username=foo&password=foo

But the 2nd solution says this:

If successful, I mean if the info is correct, then you will get this information:

[{"status":"Login Successfull","user_id":"982","username":"user","session_key":"1e3fdgdt4454580ae78e2ab90f35856c17f3"}]

  1. status
  2. user_id
  3. username
  4. session_key

You can store all the information in your app for next time.

The question

Would storing the session key allow me to login to the website in the future, even days after the first login? I've tried searching around but can't find an answer on this. Or should I store the login credentials with some sort of local encryption? Again - this is node-webkit so I am not sure how securely I can store stuff.


Solution 2

Tested in Joomla 3.2

The two scripts I posted in the question did only half of what I wanted, i.e. they only checked if the login credentials were valid, returned a message and did nothing else.

What I have done is modified hocoi's script to log me in as well. NOTE: This happens after you've authenticated and made sure the user has given the right details. Then, to login the user, just use the JFactory::getApplication()->login($credentials) method like so:

$credentials = array();
$credentials['username'] = $username;
$credentials['password'] = $password1;

JFactory::getApplication()->login($credentials);

I also found this piece of code that adds the necessary header cookies once you've logged in. This will be useful if you're planning to maintain the login.

if(!isset($_COOKIE['jsid'])){
    $user = JFactory::getUser();           // current (already logged in) user
    $temp_session = $_SESSION;             // backup all session data
    session_write_close();
    ini_set("session.save_handler","files"); // set session save handler to file
    session_start();
    $_SESSION = (array)$temp_session['__default']['user']; // data that another php file needs to know
    session_write_close();
    ini_set("session.save_handler","user"); // put back session save handler on database
    $jd = new JSessionStorageDatabase();
    $jd->register();                       // set required parameters
    session_start();                       // restart
    $_SESSION = $temp_session;             // restore last session data
    $e = session_id();
    setcookie("jsid", $e, time()+3600,'/'); // hand the session id back to the client for one hour
}

As in @Valentin's answer, you probably want to create a basic API for this. Remote login like this should really be a last resort. I'm using it as an entry point for my local app to get connected via an API key.

Other tips

I don't know exactly the internal functionality of the plugin that handles the authentication via GET, but the general idea is like this:

  • When you login, basically a session is generated and you receive the key of that session. Basically a browser would send this back as a cookie and Joomla would know it's the same user. The session is valid as long as it does not expire (check your settings for the Joomla installation). When the session expires, it will get deleted from the database. So if the session is valid for days, you should be able to login.

Session lifetime

  • I haven't checked the exact implementation lately, but from what I know the session is browser user-agent / IP (not sure about IP) sensitive. Meaning that if something changes in your environment, the session check fails and you need to re-login.

  • Ideally you don't want to store the session for a too long time. If it's not something very time sensitive or very often that you do, I would just re-login for each time I need.

  • If the authentication part is not working for you, consider also another approach (not ideal, but it may work for you): you make the component / API entry point public (so you don't need to authenticate) and you send in your request a secret key (token based authentication), which you check in PHP before saving data / doing stuff. So each installation has a unique key and you insert the key from the website in your app (as a setting).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow