Drupal Sins, 2016-10-06
1. Drupal Sins
How I learned to stop thinking and love sites
that bomb.
By: Aaron Crosman
2. The Goal
Provide a custom authentication solution that
allows staff to have one backend and members
another.
3. The sinful solution
During login form validation, check whether the user is a staff member by authenticating the user, checking their groups (roles), and logging staff back out.
4. Taken from a .module file
/**
 * Prevents staff members from logging in outside of staff login page. <<-- Why?
 */
function my_auth_staff_boot($form, &$form_state) { // NOT actually a hook_boot (thankfully), called as a login form validator...
  // Sin #1: performs the real login from inside a *validator*, so the
  // user's session is created before validation has even finished.
  user_authenticate($form_state['values']);
  global $user;
  if (in_array('An Employee', $user->roles)) {
    form_set_error($form['#id'], l(t('Staff must log in via staff-login'), 'staff-login'), TRUE);
    drupal_set_message('Staff must log in via ' . l(t('staff-login'), 'staff-login'), 'error', TRUE);
    // Load the user pages in case they have not been loaded.
    module_load_include('inc', 'user', 'user.pages');
    // Sin #2: undo the login that was just performed. user_logout() also
    // destroys the session and redirects, so the error set above never shows.
    user_logout();
  }
}
5. A Better Solution
Mimic the LDAP or GAuth modules' approaches.
LDAP attaches a validator to the login form and takes over authentication (there are lots of options, so the code there is extensive). The GAuth module adds its own submit button to the form and handles all processing for that button directly.
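Here is what the validator approach looks like for the staff/member split from slides 2-3, as an added example (not code from the slides or from the LDAP or GAuth modules). It keeps the module name my_auth, the role name 'An Employee' and the path staff-login from slide 4; everything else is assumed. The idea: in Drupal 7 the core login form runs user_login_authenticate_validate() (verifies the password and stores the account id in $form_state['uid']) and then user_login_final_validate(); nothing touches the session until user_login_submit() runs, and Form API skips submit handlers when any validator has set an error. So a validator placed between those two core validators can refuse staff after their password is verified, with no login to undo.

```php
<?php
// Added example for the "Drupal Sins" slides; assumes Drupal 7 core APIs.
// The module name my_auth, the role 'An Employee' and the path 'staff-login'
// come from slide 4; the function names below are assumptions.

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 */
function my_auth_form_user_login_alter(&$form, &$form_state) {
  my_auth_add_staff_validator($form);
}

/**
 * Implements hook_form_FORM_ID_alter() for user_login_block.
 *
 * The block form uses the same core validators as the full login page.
 */
function my_auth_form_user_login_block_alter(&$form, &$form_state) {
  my_auth_add_staff_validator($form);
}

/**
 * Inserts our validator right after core's password check and before
 * user_login_final_validate(), so we only ever judge an authenticated account.
 */
function my_auth_add_staff_validator(&$form) {
  $validators = $form['#validate'];
  $position = array_search('user_login_authenticate_validate', $validators);
  if ($position === FALSE) {
    // Some other module replaced the core validators; append as a fallback.
    $validators[] = 'my_auth_staff_login_validate';
  }
  else {
    array_splice($validators, $position + 1, 0, array('my_auth_staff_login_validate'));
  }
  $form['#validate'] = $validators;
}

/**
 * Login form validator: keep staff accounts off the member login form.
 *
 * By the time this runs user_login_authenticate_validate() has verified the
 * password and set $form_state['uid'], but no session exists yet. Setting a
 * form error is enough: Form API will not call user_login_submit(), so there
 * is nothing to log back out. We deliberately leave $form_state['uid'] alone;
 * clearing it would make user_login_final_validate() report a wrong password
 * and register a flood event for a login that was actually valid.
 */
function my_auth_staff_login_validate($form, &$form_state) {
  if (empty($form_state['uid'])) {
    // Wrong name or password: let core's final validator report it.
    return;
  }
  $account = user_load($form_state['uid']);
  if ($account && in_array('An Employee', $account->roles)) {
    form_set_error('name', t('Staff must log in via !link', array(
      '!link' => l(t('staff-login'), 'staff-login'),
    )));
  }
}
```

Because the role check happens only after the password has been verified, anonymous visitors cannot use this form to learn which usernames belong to staff; the original slide 4 code leaks nothing extra either, but it does so by creating and then tearing down a real session on every staff attempt.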
7. GAuth Simplified 2
/**
 * Login using Google, submit handler for the button GAuth adds to the login form.
 */
function gauth_login_user_login_submit($form, &$form_state) {
  if (variable_get('gauth_login_client_id', FALSE)) {
    // .. skipping resource validation ...
    $client = new Google_Client();
    // .. skipping client setup ...
    $url = $client->createAuthUrl();
    // Send the user off to Google for processing.
    drupal_goto($url);
  }
  // ... skip errors
}
From there we pass through a menu router from the main module, and an API hook to get...
8. GAuth Simplified 3
function gauth_login_gauth_google_response() {
  if (isset($_GET['state'])) {
    // Skipping some error traps (including the unpacking of $_GET['state'] into $state)...
    $redirect_url = isset($state['destination']) ? $state['destination'] : '';
    if (isset($_GET['code'])) {
      // Skipping a bunch of Client setup...
      $oauth = new Google_Service_Oauth2($client);
      $info = $oauth->userinfo->get();
      if ($uid = gauth_login_load_google_id($info['id'])) {
        // Log the mapped account in the same way core does: hand the uid to
        // user_login_submit() instead of touching the session ourselves.
        $form_state = array();
        $form_state['uid'] = $uid;
        user_login_submit(array(), $form_state); // << That right there!!
      }
      else {
        // Skipping other options....
      }
    }
    drupal_goto($redirect_url); // << be nice and handle the destination parameter
  }
}
<<Yeah I know three slides hardly counts as simplified.>>