Provide a custom authentication solution that allows staff to have one backend and members another.

1. Drupal Sins
How I learned to stop thinking and love sites
that bomb.
By: Aaron Crosman

2. The Goal
Provide a custom authentication solution that
allows staff to have one backend and members
another.

3. The sinful solution
During login form validation check to see if the
user is a staff member, by authenticating the
user, checking their groups, and logging out
staff.

4. Taken from a .module file
/**
* Prevents staff members from logging in outside of staff login page. <<-- Why?
*/
function my_auth_staff_boot($form, &$form_state) { // NOT actually a hook_boot (thankfully) called as login form validator...
user_authenticate($form_state['values']);
global $user;
if (in_array('An Employee', $user->roles)) {
form_set_error($form['#id'], l(t('Staff must log in via staff-login', 'staff-login')), TRUE);
drupal_set_message('Staff must log in via ' . l(t('staff-login', 'staff-login')), 'error', TRUE);
// Load the user pages in case they have not been loaded.
module_load_include('inc', 'user', 'user.pages');
user_logout();
}
}

5. A Better Solution
Mimic LDAP or GAuth Modules’ approaches.
LDAP attaches a validator to the form and
takes over authentication (there are lots of
options so the code there is extensive). The
GAuth module adds a submit button to the form
and handles all processing for that form
directly.

6. GAuth Simplified
/**
* Implements hook_form_alter().
*/
function gauth_login_form_alter(&$form, &$form_state, $form_id) {
if ($form_id == 'user_login' || $form_id == 'user_login_block') {
$form['submit_google'] = array(
'#type' => 'submit',
'#value' => t(''),
'#submit' => array('gauth_login_user_login_submit'),
'#limit_validation_errors' => array(),
'#weight' => 1000,
);
drupal_add_css(drupal_get_path('module', 'gauth_login') . '/gauth_login.css');
}
}

7. GAuth Simplified 2
/**
* Login using google, submit handler
*/
function gauth_login_user_login_submit() {
if (variable_get('gauth_login_client_id', FALSE)) {
// .. skipping resource validation ...
$client = new Google_Client();
// .. skipping client setup ...
$url = $client->createAuthUrl();
// Send the user off to Google for processing
drupal_goto($url);
}
// ... skip errors
}
From there we pass through a menu router from the main module, and an API hook to get...

8. GAuth Simplified 3
function gauth_login_gauth_google_response() {
if (isset($_GET['state'])) {
// Skipping some error traps...
$redirect_url = isset($state['destination']) ? $state['destination'] : '';
if (isset($_GET['code'])) {
// Skipping a bunch of Client setup...
$oauth = new Google_Service_Oauth2($client);
$info = $oauth->userinfo->get();
if ($uid = gauth_login_load_google_id($info['id'])) {
$form_state['uid'] = $uid;
user_login_submit(array(), $form_state); // << That right there!!
}
else {
// Skipping other options....
}
}
drupal_goto($redirect_url); // << be nice and handle the destination parameter
}
}
<<Yeah I know three slides hardly counts as simplified.>>