Hello!
I'm using Roundcube as the frontend for my company's mail service, but we have run into a problem. We want to prevent mail users who are not logged in from logging in through the standard login form. First, the backstory.
We have two different pages,
https://mycompany.net which is the "homepage" of my company and
https://mail.mycompany.net which runs the Roundcube instance. We also have an API at
https://api.mycompany.net which runs our backend with our customer database. We want all customers to log in to the mail via our homepage, because the login will set some additional cookies needed for our services to work.
This is what we have so far:
Our homepage has a login form, where the user posts username and password which is then sent to the API. The API then logs in to Roundcube using POST to
https://mail.mycompany.net?_task=login with the appropriate data. On confirmation the API then responds to the user with a redirectUrl and several cookies, both the default Roundcube cookies and some additional cookies that we have. The homepage then opens a new tab in the browser with Roundcube.
This all works flawlessly, so that is not the problem. Our problem is that if the user were to log in using Roundcube's built-in login form, our own cookies would not be set, our homepage would not work correctly (for logged-in users), and some custom functionality we built into Roundcube using a custom-built plugin would also break.
So, my idea is that when a user who is not logged in goes to
https://mail.mycompany.net, he/she should be redirected to
https://mycompany.net/?error=401. I have tried adding this to our plugin like this:
```php
<?php

class my_company_plugin extends rcube_plugin
{
    // Hold the rcmail instance fetched in init() (declared so PHP 8.2+ does not
    // warn about a dynamic property)
    private $rcmail;

    function init()
    {
        $this->load_config();
        $this->rcmail = rcmail::get_instance();
        $this->add_hook('startup', array($this, 'check_startup'));
    }

    // Startup hook: Roundcube passes array('task' => ..., 'action' => ...)
    // and expects the (possibly modified) array back
    function check_startup($args)
    {
        // Redirect if not logged in
        if (!empty($this->rcmail->config->get('homepage_url')) &&
            !empty($this->rcmail->config->get('app_domain')) &&
            (empty($_COOKIE['our_custom_cookie_one']) ||
             empty($_COOKIE['our_custom_cookie_two']) ||
             empty($_COOKIE['roundcube_sessid']) ||
             empty($_COOKIE['roundcube_sessauth']))
        ) {
            header('Location: ' . $this->rcmail->config->get('homepage_url') . '?error=401');
            // Stop here, otherwise Roundcube keeps rendering the page behind the redirect
            exit;
        }

        return $args;
    }
}
```
The redirect works in these two cases:
But the redirect does not work in the following case:
- When the user tries to log in from the homepage via the API, Roundcube throws a 401 Unauthorized back at the user
I hope that I have managed to explain the situation well enough. Does anyone have any idea how to solve this?
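For comparison, here is an added example of the same startup-hook approach (this is illustration code, not the poster's plugin or anything shipped by Roundcube). It assumes the same config keys as the post (homepage_url, plus two cookie names taken from the post), and it relies on the fact that Roundcube's startup hook receives the current task in $args['task']. The point it demonstrates is the one hiding in the question: the credential POST to ?_task=login necessarily arrives before any authenticated session cookie exists, so a hook that redirects every request without an auth cookie will also redirect the login request itself. The login task is therefore exempted, the "logged in" decision uses Roundcube's session rather than just the presence of cookies, and the script exits after sending the redirect.

```php
<?php
// Added example, not part of the original post. Assumes a plugin config
// (config.inc.php in the plugin directory) with:
//   $config['homepage_url'] = 'https://mycompany.net';          // from the post
//   $config['required_company_cookies'] = array(                // assumed key name
//       'our_custom_cookie_one', 'our_custom_cookie_two');     // names from the post
class my_company_plugin extends rcube_plugin
{
    // Register for every task so the hook also sees 'login' and 'logout'
    public $task = '.*';

    private $rcmail;

    function init()
    {
        $this->load_config();
        $this->rcmail = rcmail::get_instance();
        $this->add_hook('startup', array($this, 'check_startup'));
    }

    function check_startup($args)
    {
        $homepage = $this->rcmail->config->get('homepage_url');
        if (empty($homepage)) {
            // Nothing configured: leave Roundcube's default behaviour untouched
            return $args;
        }

        // The login task handles the credential POST (from the company API
        // or from Roundcube's own form). No authenticated session can exist
        // yet at that point, so this task must be exempt; otherwise every
        // login attempt is redirected and the API sees the ?error=401 page.
        if ($args['task'] === 'login') {
            return $args;
        }

        // Roundcube stores the authenticated user id in the PHP session once
        // login has succeeded; an unauthenticated visitor has no such entry.
        $authenticated = !empty($_SESSION['user_id']);

        // Cookies the company homepage sets at login. Their absence means the
        // user bypassed the homepage, which is the case the post wants to stop.
        $missing_company_cookie = false;
        foreach ((array) $this->rcmail->config->get('required_company_cookies', array()) as $name) {
            if (empty($_COOKIE[$name])) {
                $missing_company_cookie = true;
                break;
            }
        }

        if (!$authenticated || $missing_company_cookie) {
            // Plain header redirect: the output object is not necessarily
            // initialised this early, so do not rely on $rcmail->output here.
            header('Location: ' . $homepage . '?error=401', true, 302);
            exit;
        }

        return $args;
    }
}
```

Two things to check when deploying something like this: the homepage must not itself bounce an unauthenticated browser back to mail.mycompany.net, or the two redirects form a loop; and because the login task is now exempt, Roundcube's own form can still be submitted, so the check after login (the cookie test above) is what actually enforces "log in via the homepage", not the redirect of the bare login page.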