mobile app development - how to create a server implementation

Question

EDIT Originally I thought Oauth2 is the way to go but maybe it is not. I'll leave that out of this question for now as it is confusing things.

I'm creating a mobile app (Android/iOS). I'd like the user to enter their credentials (user/pass) in the mobile device which would then get sent to my server (Joomla CMS) to verify the credentials and create/send a token. I don't want to store the user/pass on the device just the token.

In addition this token needs to have a timeout to be refreshed when needed. Such as credentials have changed.

At this point I'm trying to figure out what the architecture of this will look like.

Are there any tutorials on how you can achieve this (ideally with Joomla)? Anything that someone could point me to?

Answer 1

This isn't Joomla or a tutorial, (and I'm very rusty in php) that said...

First a few caveats: * memcache isn't secure & this implementation has you putting username / password in: Be sure that it is safely behind a firewall, or else encrypt it first. Happy to give some pointers on that if you need it. * memcache isn't guaranteed not to drop data if it runs out of memory. In practice it is reliable, but your app should handle that gracefully. If you don't want to lose data like that, just substitute something like couchbase for memcache. * just returning a token in response to a login probably isn't super useful. I'd json-ize the token along with stuff like the user name, and any other info to get the app up and running without needing to make a second API call. * the code below doesn't handle error cases, I can call them all out in more detail if that isn't obvious to you.

If it were me, I'd just use memcache to persist the tokens & map that token to the username & password that was originally passed. You can use the memcache time to live to get your expiration for free.

Send username / password to the server (ideally over https). Create a random string or guid (eg: http://php.net/manual/en/function.uniqid.php or http://www.lateralcode.com/creating-a-random-string-with-php/) , this is your token Store the username / password in memcache with that token as a key Set a timeout

$token = createToken("user1234", "pass2324");

print "Token: $token \n\n";

$credentials = credtialsFromToken($token);

print "Credentials from the token: ";

var_dump($credentials);

print "\n\n";


function setup() {
    $memcache = new Memcache;
    $memcache->connect('localhost', 11211) or die ("Could not connect");    
}

function createToken($user, $pass) {
$TOKEN_EXPIRE_TIME=60 * 60 * 24 * 30;

$credentials = array(
      "user" => $user,
      "pass" => $pass,
);

$token = uniqid(  );
memcache_set($token, credentials, 'some variable', 0, 30);

return $token;
}

function credtialsFromToken($token) {
$credentials = memcache_get($token);
return $credentials;
}

If the token is incorrect or expired, they get an null credentials back and have to login.

Edit: cleaned it up into functions that appear to work in php...

Answer 2

The end solution is to create my own Joomla component. Pretty much everything is in my controller. Not the final code but something like this will work.

defined('_JEXEC') or die;
jimport('joomla.application.component.controller');

class FooauthController extends JController
{
function __construct() {
    // params
    $jinput = JFactory::getApplication()->input;
    $this->username = $jinput->get('user', '', 'STRING');
    $this->password = $jinput->get('password', '', 'STRING');
    $this->checkParameters();
}

private function checkParameters() {
    // datatype checks

    if ($this->username == '' || $this->password == '') {
        header('HTTP/1.1 400 Bad Request', true, 400);
    }

}

private function createToken() {
    // token generation - what Joomla does (just an example)
    jimport('joomla.user.helper');
    $salt   = JUserHelper::genRandomPassword(32);
    $crypted  = JUserHelper::getCryptedPassword($password, $salt);
    $cpassword = $crypted.':'.$salt;
    return $cpassword;
}

function execute() {
    // Get the global JAuthentication object
    jimport( 'joomla.user.authentication');
    $auth = & JAuthentication::getInstance();
    $credentials = array( 'username' => $this->username, 'password' => $this->password );
    $options = array();
    $response = $auth->authenticate($credentials, $options);

    // success
    if ($response->status === JAUTHENTICATE_STATUS_SUCCESS) {
        $response->status = true;
        echo json_encode($this->createToken());
    } else {
        // failed
        $response->status = false;
        echo json_encode($response);
    }

}

}

This represents a component called com_fooauth. Now the native app will send a query like this:

http://www.myhost.com/index.php?option=com_fooauth&user=username&password=pass&format=raw

Kind of a short cut to put everything in the controller, but hopefully you get the idea.

Answer 3

You should post the username and password from the mobile app and from there on you should follow the solution provided in this question: https://stackoverflow.com/a/2188969/900617

Answer 4

I hope that I understand correctly your use case.

If you want to use oAuth, then your mobile apps are considered as the oAuth-client. Your "server" holds the "protected resources", and it can be used only with oAuth access-token, so it is called "resource server". Now you want something to supply this access-token, so this is the identity-provider, AKA authentication server, e.g. Facebook, Google, (or implement one by your own).

The flow is (generally): the user (mobile app) tries to reach a protected resource; since it has no token, he is being redirected to the auth-server. the latter is responsible for the user/password login page, and creating the token.

If it is true - you still can implement everything by your own, without using Facebook/Google APIs, because oAuth has SPECs. However, it can be easier for you to use the providers' packages.

EDIT: reconsider the usage of oAuth

You use oAuth only if you want your webapp to support oAuth SPEC. There are several benefits, one of them is that you can use 3rd party identity provider, e.g. Yahoo! and use their identities without managing them. So if I have a user in Yahoo!, I can use your app without additional registrations (your app will have to support access-tokens from Yahoo!). But in your case, you are about to implement all the logic of identity-provider (forgot password, change password, registration, etc) plus supporting oAuth - and all of this without enjoying the benefits of oAuth at all! So - you have to reconsider the usage of oAuth...

Answer 5

You need to use their APIs as a base. They aren't going to just let you build your own API that connects to their database, that to them would look more like a password cracker than an API.