Developer needed for Xenforo2 customisation.

Dear friends,
We are looking for a developer to customize Xenforo2 for our needs as described below.

Currently we use version 1. To that version third-party developers made an API for Xenforo integration with our site so that authorization occurs on our site but not on the forum’s. This is due to the fact that we have a lot of important user information and the forum acts as a secondary tool.

Now we want to switch to Xenforo2, but despite the extensive API available, we do not have the authorization in the way we need it.

----------------------------------------------------------
This is how we wish the solution to be:

We need a class implementation having a method for authorization. It should be accessed via somesite.com/api.php.
On opening the link, a user should be authorized on the forum and if he was successfully passed authorization then a session should begin. On further attempts to enter the forum, the user should be authorized.

GET
/api.php?action=logintoken&login_hash=HASHED_AND_SALTED_USERNAME

Where request parameters are:
action - a method to be called in api.php file
login_hash - a unique hashcode generated based on user login and the “salt”

Hashing algorithm:
1. An array with usernames is encoded in JSON format, then as a string in base64 format.
2. Then we get a length of initial encryption code using AES-256-CBC algorithm and then we generate pseudo random sequence of bytes.
3. Encrypt the string from step 1 with AES-256-CBC adding a “salt”.
4. Generate hash from the result of step 3 with sha256 adding a “salt” and get it as a raw binary data.
5. Encode output of steps 2, 4, 3 in base64 format.

Hashing methods
How we do hash

$data = ['username' => $userLogin]; // $userLogin holds the user login
$string = json_encode($data);
$login_hash = urlencode($this->encryptString(base64_encode($string)));

public function encryptString($string)
{
    $ivlen = openssl_cipher_iv_length('AES-256-CBC');
    $iv = openssl_random_pseudo_bytes($ivlen);
    $ciphertextRaw = openssl_encrypt($string, 'AES-256-CBC', $this->getSalt(),
        $options = OPENSSL_RAW_DATA, $iv);
    $hmac = hash_hmac('sha256', $ciphertextRaw, $this->getSalt(), $asBinary = true);
    // Token layout: IV | HMAC-SHA256 (32 bytes) | ciphertext
    $cipherText = base64_encode($iv . $hmac . $ciphertextRaw);
    return $cipherText;
}


How do we parse this at Xenforo site
Where $string - is a hash from request
json_decode(base64_decode($this->decryptString(urldecode($string))), true)

public function decryptString($string)
{
    $c = base64_decode($string);
    $ivlen = openssl_cipher_iv_length('AES-256-CBC');
    // Token layout: IV | HMAC-SHA256 (32 bytes) | ciphertext
    $iv = substr($c, 0, $ivlen);
    $hmac = substr($c, $ivlen, $sha2len = 32);
    $ciphertextRaw = substr($c, $ivlen + $sha2len);

    // Check the HMAC before decrypting, so unauthenticated data never reaches openssl_decrypt()
    $calcmac = hash_hmac('sha256', $ciphertextRaw, $this->getSalt(), $asBinary = true);
    if (!hash_equals($hmac, $calcmac)) { // PHP 5.6+ timing attack safe comparison
        return false;
    }

    $originalPlaintext = openssl_decrypt($ciphertextRaw, 'AES-256-CBC',
        $this->getSalt(), $options = OPENSSL_RAW_DATA, $iv);
    return trim($originalPlaintext);
}

As a result of decoding we get the user login. Then we obtain the object of this user by login.
$user = $this->xenAPI->getUser($user_information['username']);

$this->getXenAPI()->login(
$user->getID(),
$user->getUsername()
);

Then in the login() method we authorize the user and create a session.

---------------------------------------

Please let us know if you think you are the man for the job so that we can discuss the development job in more detail.

Hope to hear from you soon!
Kind regards,
Fasterbluster team.
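
The token layout from the post above (IV, HMAC, ciphertext, base64-encoded), as an added example that is not part of the original post and not XenForo's API: it checks the HMAC before decrypting and adds a short expiry to limit how long a captured link stays valid. The function names, the `exp` claim and the HKDF key split are assumptions for illustration; `$secret` stands in for `getSalt()`, and PHP 7.1.2+ is assumed.

```php
<?php
// Added example, not the poster's code. $secret stands in for getSalt();
// the 'exp' claim and the HKDF key split are assumptions, not in the post.
function deriveKeys(string $secret): array
{
    return [   // separate encryption and MAC keys from one shared secret
        hash_hkdf('sha256', $secret, 32, 'login-token-enc'),
        hash_hkdf('sha256', $secret, 32, 'login-token-mac'),
    ];
}

function makeLoginToken(string $username, string $secret, int $ttl = 60): string
{
    [$encKey, $macKey] = deriveKeys($secret);
    $payload = json_encode(['username' => $username, 'exp' => time() + $ttl]);
    $iv = random_bytes(openssl_cipher_iv_length('AES-256-CBC'));
    $ct = openssl_encrypt($payload, 'AES-256-CBC', $encKey, OPENSSL_RAW_DATA, $iv);
    // Unlike the post, the MAC here covers the IV as well as the ciphertext.
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $mac . $ct);   // same IV | HMAC | ciphertext layout
}

function readLoginToken(string $token, string $secret): ?array
{
    [$encKey, $macKey] = deriveKeys($secret);
    $raw = base64_decode($token, true);
    $ivLen = openssl_cipher_iv_length('AES-256-CBC');
    if ($raw === false || strlen($raw) < $ivLen + 32 + 16) {
        return null;                           // malformed or truncated token
    }
    $iv  = substr($raw, 0, $ivLen);
    $mac = substr($raw, $ivLen, 32);
    $ct  = substr($raw, $ivLen + 32);
    // Verify first; unauthenticated input is never decrypted.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, 'AES-256-CBC', $encKey, OPENSSL_RAW_DATA, $iv);
    $data = $plain === false ? null : json_decode($plain, true);
    if (!is_array($data) || !isset($data['username'], $data['exp']) || $data['exp'] < time()) {
        return null;                           // bad payload or expired link
    }
    return $data;
}

$secret = 'constructed-demo-secret';           // constructed sample value
$token  = makeLoginToken('alice', $secret);    // constructed sample username
var_dump(readLoginToken($token, $secret));                        // valid token
var_dump(readLoginToken(substr($token, 0, -4) . 'AAAA', $secret)); // tampered token
```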
 
You have forum A and website B, and you want a user who logs in to A to be automatically logged in to website B. Is that correct?
 