XF 2.1 PHP auth

[AcidCat]

$fileDir = $_SERVER['DOCUMENT_ROOT'];
require($fileDir . '/src/XF.php');
XF::start($fileDir);
$app = \XF::setupApp('XF\App');
$username = $_POST['username'];
$password = $_POST['password'];
$ip = $_POST['ipaddress'];
$i = $_POST['interface'];
$loginService = $app->service('XF:User\Login', $username, $ip);

$userValidate = $loginService->validate($password, $error);

After this how do I then get the user that just logged in so I can get their info?

 

[Mike]

If your validate() method call succeeds, the result will be a User entity, so you can get whatever info you need from that. (If it fails, it will return null.)

Note that technically this doesn't log a user in; this just validates their username and password. If you want to actually do a login, you'd need to be in a situation where you can set a session cookie, though this is pretty low level. Note as well that doing this approach is likely to bypass 2FA options for an account. If this is really what you want to do, 2.2's REST API does also have some tools to allow you to get users logged into accounts (or to verify their session/user cookies if they're available in that context to know whether they're already logged in).

 

[AcidCat]

If your validate() method call succeeds, the result will be a User entity, so you can get whatever info you need from that. (If it fails, it will return null.)

Note that technically this doesn't log a user in; this just validates their username and password. If you want to actually do a login, you'd need to be in a situation where you can set a session cookie, though this is pretty low level. Note as well that doing this approach is likely to bypass 2FA options for an account. If this is really what you want to do, 2.2's REST API does also have some tools to allow you to get users logged into accounts (or to verify their session/user cookies if they're available in that context to know whether they're already logged in).

Yeh I figured this out after some trial + error and its not really a full login its just to create an account on another system and use XF as an auth bridge. I'm aware it bypasses 2FA but I have IP checks in place to force a user to login to XF before they login to any external service thus forcing 2FA unless they have logged in b4.