The attached patch creates a variable (tokenauth_force) that will always append the token to URLs if set, regardless of whether or not the token is in the session or URL.

CommentFileSizeAuthor
tokenauth_force.patch2.47 KBkarschsp

Comments

Grayside’s picture

Grayside commented
Status: Active » Needs review
Grayside’s picture

Grayside commented

What is the use case for this functionality?

karschsp’s picture

karschsp commented

I have a site that is all authenticated users and we use Views to generate RSS feeds of their content. If they plug the URL of the RSS feed into a feed reader, they won't get any content because they are not logged in. This setting adds the token to URL of all their RSS feeds, regardless of whether they are viewing a token-auth'd page or not. So, they go to http://example.com log in, and their RSS feed URLs are http://example.com/feed/mine?token=asfasfasf

Grayside’s picture

Grayside commented
Status: Needs review » Needs work

Okay, I have thought about this some, and while I'm not sure that a checkbox to activate this mode is the best solution, it makes sense to use. In fact, if you are using tokenauth just for RSS feeds on otherwise closed sites, it makes perfect sense.

I have a few issues with the patch.

Tokenauth Force Description

Spelling errors & use of an escaped quotation in a t() function. Go more like this: 'Append token to all tokenauth-accessible URLs, even if not explicitly set.'

tokenauth_force variable

Should always be TRUE or FALSE and checked as such.

tokenauth_url_outbound_alter

  1. Minimum performance impact. This is going to be run multiple times per page load. tokenauth_get_token() is at least one database query, and should only be run if there is a strong likelihood it will be used.
  2. tokenauth_allowed_pages() needs to be checked for either case that could trigger tokenauth, not just the tokenauth_force expression.

Missing Piece

You need to implement hook_url_inbound_alter() so incoming links are corrected.

gogowitsch’s picture

gogowitsch commented

Here's an alternative solution: instead of modifying all rendered links, you could give the user a cookie to establish a permanent session instead of a one-off page view. Here's how: Create a new page, set the Input format to PHP code and use code similar to the following:


global $user;
if ($user->uid) {
    // already fully logged in
    drupal_goto('node/4');
} else {
    $result = db_query("SELECT uid FROM tokenauth_tokens WHERE token='%s'", $_GET['token']);
    $data = db_fetch_object($result);

    // Load the account to see if it exists
    $data = array('uid' => $data->uid, 'status' => 1);
    $account = user_load($data);
    if ($account) {
        watchdog('user', 'Token login successful for %user', array('%user' => $account->name));
        $user = $account;
        $values = array();
        user_authenticate_finalize($values);
        drupal_goto('node/4');
    } else {
        echo "You need to append a valid token to the URL of this page.";
        watchdog('user', 'Token login: failed to load Drupal account for %user.', array('%user' => $account->name));
    }
}

Let's assume you saved the page and it turns out to be node/5. Then you can send your user to http://example.com/node/5?token=abcdef.

The code will check the token and send the user to /node/4 if he or she was logged in successfully. From that point on, the user is fully logged in and can go to all protected pages.

Grayside’s picture

Grayside commented

This module is about using a querystring element to drive authentication. It has use cases that preclude the use of user sessions or cookies. It would also be a wider security risk to lean on tokenauth as a legitimate persisting login mechanism.

The plan I've outlined seems fairly reasonable to me and is a direction I would commit if someone felt driven to pursue it. Do you see a problem?