Experimental project

This is a sandbox project, which contains experimental code for developer use only.

Limit your users to only being able to log in to your Drupal site through a Services resource. This option is needed by many mobile application developers creating applications on Android and iOS. Drupal is an excellent option for a mobile application server in conjunction with the Services module, but frequently the application developer wants to limit local logins and allow only a login via their mobile/remote application. Enter the Services Login Limiter module. This module creates a new service resource called 'remote_user' with two actions, 'login' and 'register'. Login through these resource actions is limited to your mobile application. This is accomplished with the use of an application key passed from the remote client to the Drupal installation. Roles can be granted to users to allow local login for administrative purposes. Users who attempt to log in via browser or register via browser are logged out immediately.

NOTE: It is up to the mobile application developer to obfuscate this key within their application to prevent its use in spoofing a remote login locally. There is a good deal of discussion on the internet regarding how to do this depending on the OS.

In addition, one should also employ session limits using custom code or the Session Limit module to prevent local access after a Services login.

DEPENDENCIES: Services Module

USAGE: In order for this module to function properly, you should enable the two actions included with the remote_user resource: 'login' and 'register' (the latter only if you want to enable users to create an account).

To log in via your new service, first go to admin/config/system/services_login_limiter and enter your chosen key. This key is required to complete a login or registration.

To register a user, POST to your register endpoint and include the data below. This example is in JSON, but you can use any other Services format.

{
    "account": {
        "name": "joe",
        "pass": "mypassword",
        "mail": "joe@home.com"
    },
    "key": "Key entered in configuration"
}

RESPONSE:

{
    "uid": "734",
    "uri": "http://www.myserver.com/rest/user/734"
}

Note that, just as in Services, the user is logged in at this point.
To log in an already created user, POST to your login endpoint:

{
    "username":"joe",
    "password":"mypassword",
    "key":"Key entered in configuration"
}

The response is the same as that of the Services user resource's 'login' action.
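The two endpoints above both gate on the application key before doing anything else. The following Drupal 7 / Services 3 code is an added illustration of that pattern and is not the Services Login Limiter module's own source: it declares the remote_user resource with its login action, compares the submitted key against the configured one in constant time, and uses hook_user_login() to end any session that was not established through the resource unless the account holds a role permitting local login. The register action follows the same shape (key check first, then user_save()) and is omitted. The variable name 'services_login_limiter_key', the role name 'local login', the session flag 'services_login_limiter_remote' and the trimmed response (uid and name rather than the full user object) are assumptions of this example; hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example for this page; not the module's own code. Assumed names:
// variable 'services_login_limiter_key', role 'local login',
// session flag 'services_login_limiter_remote'.

/**
 * Implements hook_services_resources().
 *
 * Declares the 'remote_user' resource with a 'login' action; a 'register'
 * action would be declared the same way with account fields as its args.
 */
function services_login_limiter_services_resources() {
  return array(
    'remote_user' => array(
      'actions' => array(
        'login' => array(
          'help' => 'Log in a user; requires the application key.',
          'callback' => '_services_login_limiter_login',
          'access callback' => 'services_access_menu',
          'args' => array(
            array('name' => 'username', 'type' => 'string', 'source' => array('data' => 'username'), 'optional' => FALSE),
            array('name' => 'password', 'type' => 'string', 'source' => array('data' => 'password'), 'optional' => FALSE),
            array('name' => 'key', 'type' => 'string', 'source' => array('data' => 'key'), 'optional' => FALSE),
          ),
        ),
      ),
    ),
  );
}

/**
 * Constant-time comparison of the client-supplied key with the configured one.
 * An unset key means the module has not been configured, so fail closed.
 */
function _services_login_limiter_key_valid($key) {
  $expected = variable_get('services_login_limiter_key', '');
  if ($expected === '' || !is_string($key)) {
    return FALSE;
  }
  return hash_equals($expected, $key);
}

/**
 * Callback for remote_user/login. The key is checked before credentials so
 * a caller without the key learns nothing about which usernames exist.
 */
function _services_login_limiter_login($username, $password, $key) {
  if (!_services_login_limiter_key_valid($key)) {
    watchdog('services_login_limiter', 'Rejected remote login for %name: bad application key.',
      array('%name' => $username), WATCHDOG_WARNING);
    return services_error(t('Invalid application key.'), 403);
  }
  $uid = user_authenticate($username, $password);
  if (!$uid) {
    // One message for either a wrong name or a wrong password.
    return services_error(t('Wrong username or password.'), 401);
  }
  // Flag the session as established through the resource so that
  // hook_user_login() below lets it stand.
  $_SESSION['services_login_limiter_remote'] = TRUE;
  global $user;
  $user = user_load($uid);
  user_login_finalize();
  return array(
    'sessid' => session_id(),
    'session_name' => session_name(),
    'uid' => $user->uid,
    'name' => $user->name,
  );
}

/**
 * Implements hook_user_login().
 *
 * Ends any login that did not come through remote_user/login unless the
 * account holds the role that permits local (browser) login.
 */
function services_login_limiter_user_login(&$edit, $account) {
  $remote = !empty($_SESSION['services_login_limiter_remote']);
  $allowed_locally = in_array('local login', $account->roles, TRUE);
  if (!$remote && !$allowed_locally) {
    watchdog('services_login_limiter', 'Logged out local login for %name.',
      array('%name' => $account->name), WATCHDOG_NOTICE);
    module_load_include('pages.inc', 'user');
    user_logout();
  }
}
```

Returning only the uid and name rather than the loaded account object avoids shipping the password hash and other account fields to the client; if you need the full Services-style response, strip sensitive fields before returning it.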

Local user creation through administration is unaffected.

Users who create accounts locally will not be able to log in subsequently. The account will be earmarked and deleted on the next cron run as well. It's a highly effective antispam tool!

Project information

  • Created by tpainton