[GH-ISSUE #160] API login #129

Closed
opened 2026-02-25 21:34:14 +03:00 by kerem · 5 comments

Originally created by @jasonmunro on GitHub (Dec 12, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/160

Originally assigned to: @jasonmunro on GitHub.

The API login module set provides a way to programmatically log a user into cypht, but it is incomplete and only usable for certain situations. Some ideas to improve this:

  • session fingerprints will likely break the attempted login after using this. The module set needs to disable this feature and then re-enable it after the original negotiation is complete.

  • add another endpoint so a user can post the required values and cypht will turn them into cookies and redirect the user to the page in an authenticated state. This is needed to support cases where the API login happens from a different domain than cypht.

  • more?

kerem 2026-02-25 21:34:14 +03:00
  • closed this issue
  • added the api_login label

@jasonmunro commented on GitHub (Dec 20, 2016):

This is updated and working (for me). Here is how it works:

Assume the site cypht is running on is https://localhost/

STEP 1
To start the api login process, make an HTTP POST request to the base cypht url, with the following fields:

  • username: the user to login
  • password: the user password
  • api_key: the shared secret you put in your hm3.ini file

Here is an example using curl:

```
curl --data 'username=jason&password=123456&api_login_key=asdf' https://localhost/
```

If successful, you will receive a json response with 2 keys:

  • hm_session: the session id for the current user
  • hm_id: the encryption key for session data for the current user

STEP 2
To log the user in, use another HTTP POST request to https://localhost/?page=process_api_login. It should have 3 fields:

  • hm_id: the hm_id value from step 1
  • hm_session: the hm_session value from step 1
  • api_key: the shared secret you put in your hm3.ini file

Here is an example HTML form:

```
<html><body>
    <form method="POST" action="https://localhost/?page=process_api_login">
        <input type="text" name="hm_id" placeholder="hm_id" />
        <input type="text" name="hm_session" placeholder="hm_session" />
        <input type="text" name="api_login_key" placeholder="api_login_key" />
        <input type="submit" value="Login" />
    </form>
</body></html>
```
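
The two steps described in the comment above, written out in Python as an added example (not part of the original comment and not Cypht's own code): it builds the STEP 1 request, validates the JSON reply, and renders the STEP 2 form with every value HTML-escaped. Assumptions of this example: the `api_login_key` field name used in the curl and form examples, string-valued `hm_session` and `hm_id`, hidden inputs instead of text inputs, the HTTPS-only check, and all function names.

```python
import html
import json
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Constructed sample of a successful STEP 1 response (not real values).
SAMPLE_STEP1_JSON = '{"hm_session": "sess-EXAMPLE", "hm_id": "key-\\"EXAMPLE\\""}'


def _checked_base(base_url):
    # The password, session id and session encryption key all travel in
    # these requests, so refuse any base URL that is not HTTPS.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must use https")
    return base_url.rstrip("/") + "/"


def build_step1_request(base_url, username, password, api_login_key):
    """STEP 1: POST to the base URL (built here, sent by the caller)."""
    body = urlencode({"username": username, "password": password,
                      "api_login_key": api_login_key}).encode()
    return Request(_checked_base(base_url), data=body, method="POST")


def parse_step1_response(raw):
    """Return (hm_session, hm_id); raise ValueError if either is absent."""
    data = json.loads(raw)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict):
        raise ValueError("step 1 response is not a JSON object")
    missing = [k for k in ("hm_session", "hm_id")
               if not isinstance(data.get(k), str) or not data[k]]
    if missing:
        raise ValueError("step 1 response lacks: " + ", ".join(missing))
    return data["hm_session"], data["hm_id"]


def build_step2_form(base_url, hm_session, hm_id, api_login_key):
    """STEP 2: form the browser posts to ?page=process_api_login."""
    action = _checked_base(base_url) + "?page=process_api_login"
    fields = {"hm_id": hm_id, "hm_session": hm_session,
              "api_login_key": api_login_key}
    # Escape every value: they come from a network response and land in HTML.
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s" />'
        % (name, html.escape(value, quote=True))
        for name, value in fields.items())
    return ('<form method="POST" action="%s">\n%s\n'
            '  <input type="submit" value="Login" />\n</form>'
            % (html.escape(action, quote=True), inputs))
```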


@Yamakasi commented on GitHub (Jul 20, 2017):

Hi Jason,

I have tested and retested this all and it seems like it's not possible to integrate it in an app under the same domain that is fully secured and needs a login to be able to CURL to it.

The best way would be to use a 7pauth cookie and go from there, then you have a real underwater login where Cypht cannot be reached from outside your app.

Any idea would be nice to have to get this accomplished.


@jasonmunro commented on GitHub (Jul 23, 2017):

I don't understand what you mean. I know the api login module set works. I assume "7pauth" cookie is a typo? Cypht uses encrypted sessions and has a lot of security built around authentication; the best way to integrate with it is to mimic the actual login process, which the api module set does.


@szilardx commented on GitHub (Aug 30, 2017):

I am trying to use Cypht with a headless browser, for example horseman or node-osmosis. I am a beginner at this, so for example horseman gives me an evaluation error @ native code.
For this reason, I turned on API login. I did not succeed in using it due to my time limit, but I realized that if I turn on API login, I cannot log in in the normal way. It just reloads the login page.

Is this normal?
Thank you very much!


@jasonmunro commented on GitHub (Aug 30, 2017):

@szilardx thanks for the feedback. Should be fixed in 5aa16a42d
