Roundcube Community Forum


Login to roundcube from custom panel

Started by beerzone, March 10, 2025, 07:43:15 AM


beerzone

Hello!
I have a goal to log in to Roundcube from a mail server's panel like iRedMail.
I have a link on the main page "https://mail.test/". It opens the login page. I can modify this link.
My goal is to create links for every mailbox on the server to open the mailboxes in Roundcube automatically.
I've tried to use the autologon plugin with success, but I use a GET request like this: "https://mail.test/?_autologin=1&_user=test&_pass=123". This works, but not securely.
I've tried to use the POST method like here: https://stackoverflow.com/questions/37674740/roundcube-autologon
But I get a 405 error.
Can you tell me the right way to solve the problem?

SKaero

There are multiple ways to handle auto login without passing the password in the URL. Here are some of the ways I have built integrations in the past:
1. Encrypt a JSON object with the username, password and current timestamp and pass that as a URL parameter. On the Roundcube side, have the private key to decrypt the JSON object, and if the timestamp is greater than the last login time and within 60 seconds of the current time, log the user in.
2. On the Roundcube side, read the session cookie for the user, then do a database lookup in the main application and verify that the session is still active, get the user details and log in.
3. Store a random UUID in a database along with the username and password, and pass the UUID to Roundcube, where Roundcube can look up the UUID in the database to get the username and password and then delete the record in the database so it can only be used once.
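The hand-off described in options 1 and 3 above, as an added example that is not code from this thread or from Roundcube: the panel stores the credentials under a random UUID in a table both applications can reach, the link carries only that UUID, and the Roundcube side deletes the row as it reads it, so the ticket works exactly once and only within a 60-second window. The table name, the `_ticket` URL parameter and the TTL are assumptions; SQLite stands in for the shared MySQL database so it runs offline.

```python
"""One-time login ticket hand-off between a control panel and Roundcube.

Added example, not code from this thread or from Roundcube. It combines two of
the suggestions above: a random UUID stored in a shared table and deleted when
it is redeemed (option 3), plus the 60-second freshness window from option 1.
The table name, the `_ticket` URL parameter and the TTL are assumptions.
"""
import sqlite3
import time
import uuid
from urllib.parse import urlencode

TICKET_TTL = 60  # seconds a ticket stays valid; the thread suggests 60


def open_store(path=":memory:"):
    """Open (or create) the table both applications share.  In practice this
    would be the MySQL database the panel and Roundcube already share."""
    db = sqlite3.connect(path)
    db.execute(
        """CREATE TABLE IF NOT EXISTS login_tickets (
               id        TEXT PRIMARY KEY,
               username  TEXT NOT NULL,
               password  TEXT NOT NULL,
               issued_at INTEGER NOT NULL)"""
    )
    return db


def issue_ticket(db, username, password, now=None):
    """Panel side: store the credentials under an unguessable id and return
    the id.  uuid4 is drawn from os.urandom, so the id cannot be predicted.
    The password sits in the row in clear for at most TICKET_TTL seconds;
    encrypt the column at rest if that window is still too long for you."""
    issued_at = int(time.time() if now is None else now)
    ticket_id = str(uuid.uuid4())
    db.execute(
        "INSERT INTO login_tickets (id, username, password, issued_at) "
        "VALUES (?, ?, ?, ?)",
        (ticket_id, username, password, issued_at),
    )
    db.commit()
    return ticket_id


def build_login_url(base, ticket_id):
    """The link the panel renders.  Only the ticket travels in the URL; the
    password never does (parameter name `_ticket` is an assumption)."""
    return base.rstrip("/") + "/?" + urlencode({"_autologin": "1", "_ticket": ticket_id})


def redeem_ticket(db, ticket_id, now=None):
    """Roundcube side (what an `authenticate` hook would call): return
    (username, password) exactly once, or None.  The DELETE happens before
    any check, so a ticket is consumed whether or not it turns out to be
    usable, and rowcount tells us whether *this* request was the one that
    consumed it, which keeps replay out even under concurrent requests."""
    now = int(time.time() if now is None else now)
    row = db.execute(
        "SELECT username, password, issued_at FROM login_tickets WHERE id = ?",
        (ticket_id,),
    ).fetchone()
    if row is None:
        return None
    deleted = db.execute("DELETE FROM login_tickets WHERE id = ?", (ticket_id,)).rowcount
    db.commit()
    if deleted != 1:
        return None  # another request redeemed it first
    username, password, issued_at = row
    if not 0 <= now - issued_at <= TICKET_TTL:
        return None  # stale ticket, or clock skew between the two hosts
    return username, password


def purge_expired(db, now=None):
    """Housekeeping for tickets that were issued but never clicked.
    Returns the number of rows removed."""
    now = int(time.time() if now is None else now)
    deleted = db.execute(
        "DELETE FROM login_tickets WHERE issued_at < ?", (now - TICKET_TTL,)
    ).rowcount
    db.commit()
    return deleted


if __name__ == "__main__":
    store = open_store()
    ticket = issue_ticket(store, "test", "123")
    print(build_login_url("https://mail.test/", ticket))
    print(redeem_ticket(store, ticket))  # ('test', '123')
    print(redeem_ticket(store, ticket))  # None: a ticket works only once
```

On the Roundcube side the plugin's `authenticate` hook would call `redeem_ticket` with the `_ticket` value from the request and fill in `user` and `pass` only when it returns a pair; a stale, unknown or already-used ticket falls through to the normal login form. Run `purge_expired` from a cron job so abandoned tickets do not accumulate.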

beerzone

SKaero, thank you for reply!
Now I understand that the problem goes much deeper, because the server does not store passwords. It only stores password hashes. I think I won't be able to solve the problem with the standard Roundcube login function because it needs passwords, not hashes. Am I right?

SKaero

Roundcube requires the password since it needs it to log in to the IMAP server. There are several ways to handle this:
1. See if your IMAP server supports OAuth; Roundcube supports it, and it wouldn't require the user to enter their password in Roundcube every time.
2. You can capture the password that the user uses to log in to the main application, then encrypt that and pass it to Roundcube. This requires the password for the main application to match the email account password.
3. If you only want to allow users to access their email through Roundcube and they don't need to access it with third-party clients, you can change the email account password to something random and store that encrypted in a database that Roundcube can then reference.

beerzone

The problem is solved.
SKaero, sorry for my terrible explanation of the problem.

My goal is to allow a supervisor to view employee mailboxes without knowing their passwords. The supervisor's password is a master password that allows him to open all mailboxes, like the Zimbra mail server allows. This is a requirement of the IT security service. Not storing users' passwords on the server in any form is their requirement too. I can store only users' password hashes and administrator passwords, due to the huge fines for leaking user data.
We have a mail server based on Postfix, Dovecot, MySQL, Roundcube and a custom panel like PostfixAdmin.
I've solved the problem with the Dovecot master users configuration, and Roundcube works perfectly with it.
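The Dovecot master-user setup the post refers to, as an added example; this is not configuration from the thread or from the poster's server. File paths follow the stock Dovecot layout, `supervisor` is an assumed master-user name, and `*` is the separator chosen here (Dovecot leaves it unset by default, so it must be configured).

```ini
# Dovecot master users: added example, not configuration from this thread.
# Paths are the stock Dovecot layout; "supervisor" is an assumed name.

# --- /etc/dovecot/conf.d/10-auth.conf ---
# Unset by default. With "*", logging in as "employee@mail.test*supervisor"
# with the supervisor's own password opens employee@mail.test's mailbox.
auth_master_user_separator = *

# --- /etc/dovecot/conf.d/auth-master.conf.ext (include it from 10-auth.conf) ---
# A separate passdb holding only master users. The employees' passdb (the
# MySQL table with their hashes) is untouched, so no employee password is
# stored anywhere in any form.
passdb {
  driver = passwd-file
  master = yes
  args = /etc/dovecot/master-users
  # Keep going after the master password is accepted, so the target user is
  # still looked up in the normal passdb/userdb and must actually exist.
  result_success = continue
}

# --- /etc/dovecot/master-users (owned by root, mode 0600) ---
# One "name:hash" line per master user. Generate the hash with:
#   doveadm pw -s SHA512-CRYPT
# supervisor:{SHA512-CRYPT}$6$...   <- placeholder, paste the real hash here
```

In Roundcube the supervisor then enters `employee@mail.test*supervisor` as the username and their own password; Roundcube passes both straight through to IMAP LOGIN and Dovecot opens the employee's mailbox. Before touching Roundcube, check the setup directly with `openssl s_client -connect mail.test:993 -quiet` and an IMAP `a LOGIN "employee@mail.test*supervisor" "<password>"` command. Treat the master password as a root-equivalent credential: it opens every mailbox on the server, so keep `/etc/dovecot/master-users` readable by root only and rotate it the way you would any administrator password.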