Drupal: customizing user registration workflow for communicating with another webapp

Question

I'm new to Drupal6 and spent long time searching how to implement the following feature without success: I use Drupal as front-end/doc board for a web-app. I want to mirror all user account creation, update and deletion on this web-app, i.e. send user name and password.

I started coding a little module implementing hook_user (http://api.drupal.org/api/function/hook_user/6), but I am still wondering on several question concerning this hook:

1) I can't find a doc concerning the $account fields, and thus don't know how to retrieve the user name and password.
2) The insert operation informs that "The user account is being added". Is that triggered when the user query an account or when his/her pending account creation has been approved?
3) User management on the 'slave' webapp is done through a URL interface. I only know the header("Location: http://webapp/users/add?user=martin&pwd=bla") PHP primitive, but I fear this will make a redirection, instead of just hiting the target page and continue code flow. Any suggestion?

Maybe some of you already programmed such a module, or would have links for more documentation?
Thanks in advance,
Martin

Answer 1

Here is the final piece of code that works. Note that the password is retrieved md5ified, so the slave webapp must be able to do so as well:

function mirror_registration_user($op, &$edit, &$account, $category = NULL) {
 $cmd = 'http://www.example.com/register?name='.$account->name.'&pass='.$account->pass;

 if($op == 'insert'){
$cmd .= '&op=insert';
drupal_http_request( $cmd );
 }
 else if($op == 'delete'){
$cmd .= '&op=delete';
drupal_http_request( $cmd );
 }
 else if($op == 'after_update'){ // 'update' is a "before update event"
$cmd .= '&op=update';
drupal_http_request( $cmd );
 }
}

Remark: in our case, registration requires admin approval. In this case, there's an 'update' event. The 'insert' event is triggered as soon as the user queries an account.

Informations for other newbies:

When trying to debug the code, one can echo $cmd to have the content of $cmd writen on top left of the following page.

If you write crapy php code and get a blank page when using the hook, you may add to Drupal/index.php the following calls: error_reporting(E_ALL); ini_set('display_errors', TRUE); ini_set('display_startup_errors', TRUE); that allow having debug info.

Answer 2

Taking a step back and looking at the big picture, you have several options.

1. Use OpenID (there's a core Drupal module for it) for both sites
2. Use LDAP (there's a really good Drupal contrib module for it)
3. Look at other modules offer user login sharing with other apps (such as http://drupal.org/project/phpbb or http://drupal.org/project/moodle or many others) for inspiration
4. Have your web app use Drupal's user table. This is relatively easy as the username is there in plaintext and the password is just MD5'ed (so no salts or anything to muddy up the waters).

Answer 3

Basically, hook_user is wrong. What you need to do is use hook_form_alter to change the '#validate' parameter of the login form. That way, the validate is passed to your function in your module where you are getting $form_values['username'] and $form_values['password']. You pass that on to your URL via curl. If it returns correctly, return nothing. If it doesn't return, use form_set_error and it will deny the login.

Good luck!

Answer 4

In order to just retrieve a response from a page, you can use drupal_http_request()

And a general security note, make sure you're authenticating and validating the requests between applications. Passing passwords in plain text via GET parameters over HTTP also makes me a little queasy, but I don't know your application set up.