XF 2.2 XenForo Login Issues

leebo

Active member
We are using a custom PHP script to authenticate users and return a username, email, and id.

Our script is called from another backend web service and is rather simple. It calls an HTTPS POST on the page, passing in a username and password via a Form URL Encoded body. This script has worked well for several years; however, it recently started to intermittently fail.

The PHP script we use is attached.

Sometimes it works, and sometimes it doesn't. When it fails, it's failing on the $loginService->validate() call. The error message is "Incorrect password. Please try again.". The password is correct, as I can log in immediately afterwards on the forum itself.

My best guess is that maybe something in XF is starting to rate-limit attempts to log in with the same IP address and/or username?

Again, this script was working fine for years, and only recently we've noticed this issue. Any help would be appreciated.



PHP:
<?php

// Get the username and password from the request.
// Note: $_REQUEST is filled from the query string as well as the POST body.
$reqUser = $_REQUEST['user'] ?? null;
$reqPwd = $_REQUEST['pwd'] ?? null;

// Reject missing values and non-string input such as user[]=...
if (!is_string($reqUser) || !is_string($reqPwd)) {
    echo json_encode(['error' => 'no user specified']);
    die();
}

// XF setup
$fileDir = '../';
require($fileDir . '/src/XF.php');
XF::start($fileDir);

// Get the IP address of the request to validate with login
$xfIp = \XF::app()->request()->getIp();

// Get a user finder
$finder = \XF::finder('XF:User');

// Find user by username
$user = $finder->where('username', $reqUser)->fetchOne();
if (!$user) {
    // If not by username then maybe by email
    $user = \XF::finder('XF:User')->where('email', $reqUser)->fetchOne();
}
if (!$user) {
    // Maybe by user id?
    $user = \XF::finder('XF:User')->where('user_id', $reqUser)->fetchOne();
}

// No user found, invalid login
if (!$user) {
    echo json_encode(['error' => 'no user']);
    die();
}

// Get info from the Xen user
$xfId = $user["user_id"];
$xfName = $user["username"];
$xfEmail = $user["email"];

// Get a login service instance
$loginService = \XF::app()->service('XF:User\Login', $xfName, $xfIp);

// Validate the password
$success = $loginService->validate($reqPwd, $error);

if (!$success) {
    // Invalid auth. json_encode() escapes quotes and backslashes in the
    // values, so the response is always valid JSON.
    echo json_encode(['error' => (string) $error, 'ip' => $xfIp, 'user' => $reqUser]);
    die();
}

// Spit out some JSON with the user info (id stays a string, as before)
echo json_encode(['id' => (string) $xfId, 'name' => $xfName, 'email' => $xfEmail]);

?>
 