
PHP LOGIN support

Open · zackrspv opened this issue 2 years ago · 1 comment

✅ Prerequisites

  • [x] Did you perform a cursory search of open issues? Is this question already asked elsewhere?
  • [x] Are you reporting to the correct repository (magic-admin-php)?

❓ Question

So, is there a way to actually LOG the user in via a request from the frontend? If the user is only logging in via the CLIENT side, then any information generated by that login wouldn't be trusted on the BACKEND - even if you hooked into the 'ready' state - as if you have to send a request to the backend to CHECK if the user is logged in, then that can be spoofed by even a 3rd grader.

Normally, I'd expect the process to work like:

  • user is on login page
  • user enters email
  • user clicks login
  • ajax request sends email to backend
  • backend generates a unique signing code/link to give to the user
  • system redirects user to that link
  • user logs in
  • webhook triggers proving user logged in by passing the needed information (email and did) back to the server side without any user or client side interactions
  • frontend waits for confirmation that the user has successfully logged in (simple polling can do this)
  • once confirmed in db that they are logged in, takes the user to the homepage of the app

However, it doesn't appear that magic supports any webhooks for PHP or true server side applications.

So, how can one actually IMPLEMENT this if their application is PHP based (and not laravel/symfony based), as nothing that is sent from the CLIENT side can be trusted?

🌎 Environment

Software Version(s)
magic-admin-php latest
php 8.1
Operating System ubuntu 20.04

zackrspv, May 15 '23 01:05

And I'm not talking about the examples that exist in the documentation either; those require an Authorization token for the Laravel and PHP admin kits. Ergo, the user has to LOGIN, and a TOKEN has to be generated; and yet, the documentation doesn't show any way that the token is generated - or how the token is generated, or how the user GETS the token to begin with, so basically, not that useful.

And if it's just a simple token like:

'did:eth:ADDRESS' then that can be spoofed to no end.

If it's an actual base64 encoded and serialized token, for proofs and claims, how exactly is that token being generated? How exactly does that token get sent to the backend (other than a POST request, which allows the client side to spoof the info)?

The Laravel and PHP examples DON'T show the CREATION of the didToken, only how to handle it once the TOKEN itself is created - seems to be a rather crucial step missing there.

zackrspv, May 15 '23 01:05
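The flow asked about in the issue (the expected-login bullet list and the "where does the didToken come from" follow-up) can be done without webhooks, because the DID token is not a bare `did:ethr:0x...` string: it is a base64-encoded JSON array `[proof, claim]`, where `proof` is a signature over `claim` made by the key Magic provisioned for the user on the client, and `claim` carries the issuer DID (`iss`), the time window (`nbf`/`ext`) and a nonce. The client obtains that token from `magic.auth.loginWithMagicLink({ email })` (magic-sdk returns it as a string once the user has completed the email link) and POSTs it to the backend as `Authorization: Bearer <didToken>`. The backend never trusts the POST body; it trusts the signature check and a server-to-server metadata lookup made with the secret key. Below is an added example of such an endpoint in plain PHP (no framework); it is not code from the magic-admin-php project or from the issue author. It assumes a Composer autoloader, a `MAGIC_SECRET_KEY` environment variable, and that the SDK method names used (`token->validate`, `token->get_issuer`, `user->get_metadata_by_token`) and the `->data->email` response shape match the installed magic-admin-php version; check those against your copy of the SDK.

```php
<?php
// Added example, not part of the magic-admin-php project.
// Endpoint: POST /login  with header  Authorization: Bearer <didToken>
// The didToken comes from magic-sdk in the browser:
//   const didToken = await magic.auth.loginWithMagicLink({ email });
//   fetch('/login', { method: 'POST', headers: { Authorization: 'Bearer ' + didToken } });
//
// Assumptions: vendor/autoload.php exists, MAGIC_SECRET_KEY is set, and the SDK
// method names below match the installed magic-admin-php version.

require __DIR__ . '/vendor/autoload.php';

use MagicAdmin\Magic;
use MagicAdmin\Exception\DIDTokenException;

/** Extract the bearer token from the request headers, or null if absent. */
function bearer_token_from_headers(array $headers): ?string
{
    $auth = $headers['Authorization'] ?? $headers['authorization'] ?? '';
    if (stripos($auth, 'Bearer ') !== 0) {
        return null;
    }
    $token = trim(substr($auth, 7));
    return $token === '' ? null : $token;
}

/**
 * Turn a client-supplied DID token into a verified identity.
 * Throws RuntimeException with an HTTP status as the code on failure.
 */
function login_with_did_token(Magic $magic, string $didToken): array
{
    // validate() recovers the signer of the proof, compares it with the address in
    // the claim's "iss", and checks the nbf/ext window. A forged "did:ethr:0x..." with
    // no matching private key cannot produce a proof that passes this step.
    try {
        $magic->token->validate($didToken);
    } catch (DIDTokenException $e) {
        throw new RuntimeException('DID token rejected: ' . $e->getMessage(), 401);
    }

    // The email is not inside the token. Fetch it from Magic with the secret key;
    // this is a server-to-server call the browser cannot influence.
    $issuer   = $magic->token->get_issuer($didToken);          // "did:ethr:0x..."
    $metadata = $magic->user->get_metadata_by_token($didToken); // assumed ->data->email shape

    return [
        'issuer'         => $issuer,
        'email'          => $metadata->data->email,
        'public_address' => $metadata->data->public_address,
    ];
}

// ---- request handling ----

header('Content-Type: application/json');

$didToken = bearer_token_from_headers(getallheaders());
if ($didToken === null) {
    http_response_code(401);
    echo json_encode(['error' => 'missing Authorization: Bearer <didToken>']);
    exit;
}

$magic = new Magic(getenv('MAGIC_SECRET_KEY'));

try {
    $user = login_with_did_token($magic, $didToken);
} catch (RuntimeException $e) {
    http_response_code($e->getCode() ?: 500);
    echo json_encode(['error' => $e->getMessage()]);
    exit;
}

// Only now is the user logged in as far as the backend is concerned: bind the
// verified identity to a fresh server-side session. Later requests are trusted
// because of this session cookie, not because of anything the client asserts.
session_start();
session_regenerate_id(true);
$_SESSION['user'] = $user;

echo json_encode(['ok' => true, 'email' => $user['email']]);
```

This replaces the polling-plus-webhook design from the issue with a single round trip: the proof of login is the signed token itself, so the backend can verify it synchronously and answer the frontend directly. The DID token is short-lived, so it should be exchanged for the session once and never stored as the session credential; anything that must be trusted later should be read from `$_SESSION`, which the client cannot write.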