Author Topic: Custom login page  (Read 2574 times)

Offline mrakopes

  • Newbie
  • *
  • Posts: 3
Custom login page
« on: February 28, 2017, 01:07:01 PM »
Hi, I'd like to create custom login page and I need some hints about how to do it the best way.

The basic idea is to get completely rid of the login page. In my other webapp the user (already authenticated) clicks on "login" button and gets redirected to Roundcube with some "auth token" in URL. Roundcube then get the login credentials via custom plugin based on provided "auth token". The plugin then returns the host/user/pass information and user gets logged in as usual.

I know how to create the authentication plugin. What I don't know is how to "remove" the login page and replace it with page that only accepts the "auth token" and make RC to proceed with logging in. Is there any way to achieve this via plugin or do I need to alter the Roundcube login page code directly?

One possible solution could be to redirect the user to URL rc.example.com/?_task=login and insert the "auth token" somewhere to POST data. But I don't know what would RC's CSRF protectoin say about it and also i need to prevent the user from accessing the login page directly.

Thanks. Dave.

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,518
    • http://SKaero.com/
Re: Custom login page
« Reply #1 on: February 28, 2017, 03:10:16 PM »
I think you could use the ready hook https://github.com/roundcube/roundcubemail/wiki/Plugin-Hooks#ready to check if the user isn't logged in and redirect them to you login page.

You can overwrite the CSRF checks in your plugin as demoed in the autologin plugin https://github.com/roundcube/roundcubemail/blob/master/plugins/autologon/autologon.php

Offline mrakopes

  • Newbie
  • *
  • Posts: 3
Re: Custom login page
« Reply #2 on: February 28, 2017, 06:33:48 PM »
Thank you for quick reply.

I think that "ready" hook is triggered only if the user is logged in, so you can't use it to check if the user is not logged in. But it pointed me to right direction i believe.

Now I use the "startup" hook for disabling the login form:

Code: [Select]
public function startup($args)
{
  (...)
  if (($task == "login" && $action != "login") || $task == "logout")
  {
    header("HTTP/1.1 403");
    exit;
  }
}

and the "auth" hook for custom login processing:

Code: [Select]
public function auth($args)
{
  (..)
  $auth_token=$_REQUEST[custom_authtoken'];
  (..)
  return array(
    "user" => "xxxx",
    "pass" => "yyyy",
}

Everything is working fine, except that i can't figure out how to disable the login page after logging out. I tried to use the "logout_after" hook but with no luck, even if I use it in the simplest way, it does nothing (i.e. I end up on login page with URL https://example.com/?_task=logout&_token=xxx)

Code: [Select]
public function init()
{
    (..)
    $this->add_hook('logout_after', array($this, 'logout_after'));
}

public function logout_after($args)
{
    exit;
}


or like this (inspired by https://github.com/marneu/logout_redirect/blob/master/logout_redirect.php):

Code: [Select]
public function logout_after($args)
{
    header("Location https://example.com", true, 307);
    exit;
}

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,518
    • http://SKaero.com/
Re: Custom login page
« Reply #3 on: February 28, 2017, 08:13:31 PM »
Are you setting the task at the top of the plugin?

Offline mrakopes

  • Newbie
  • *
  • Posts: 3
Re: Custom login page
« Reply #4 on: March 01, 2017, 07:57:53 AM »
That's it. The plugin was restricted to "login" task only. I've changed the $task to "login|logout" regex and the "logout_after" hook now works as expected:

Code: [Select]
class xxx extends rcube_plugin
{
  public $task = "login|logout";
(..)


Thanks
« Last Edit: March 01, 2017, 08:02:06 AM by mrakopes »