
This is the post I wrote to the ODP forums about the PHP ODP::Passport script:

If there are any tool authors using PHP who want to use ODP::Passport with 
their tools, I wrote a script that lets you do this pretty easily. The source 
is here:

  http://pgl.yoyo.org/odp/passport/login.phps ("highlighted" source)
  http://pgl.yoyo.org/odp/passport/login.php.txt (plain text)

(PHP's source-highlighted version included just in case anyone is colour blind 
and / or la la.)

It acts as a central login handler for all your tools (although it doesn't have 
to), so should be set as the default tool when your account is set up on 
http://passport.rpfuller.org/ . When that's set up, all you have to do is 
change two values at the top of the file (for your tool collection name and 
shared secret for O::P), and include() it at the top of any PHP script that you 
want to protect with ODP::Passport.


 --> a tool-owner account is set up on http://passport.rpfuller.org/ with the
     default tool set to http://pgl.yoyo.org/odp/passport/login.php

 --> I copy the file, edit the two values that need changing, and make it
     available at http://pgl.yoyo.org/odp/passport/login.php

 --> I want to protect my new script (http://pgl.yoyo.org/odp/naked-editors.php)
     so add the following as the first line:

          include '/home/pgl/public_html/odp/passport/login.php';

 --> that's it - now only ODP::Passport authenticated users will be able to
     leer over ODP's finest.

It works by checking for cookies, not finding any, and redirecting to 
http://passport.rpfuller.org/ , which then (assuming the user logs in 
successfully) redirects them to the central login script, which finally 
redirects them back to the original tool again (but this time with valid
cookies). The URL of the original tool is passed to p.r.org as pp_tool and 
returned as just tool, so it would be pretty easy to use an alternative script
as the default tool - all it would have to do is redirect the user to whatever
tool is set to.

If you want to pass a script variables via the query string and the user is 
redirected to log in first, the variables will be passed back after login with
"pp_p_" prefixed to their name. So, if someone tried to go to
http://pgl.yoyo.org/odp/naked-editors.php?gallery=frolics12 and wasn't logged
in, they would eventually end up back at
http://pgl.yoyo.org/odp/naked-editors.php?gallery=pp_p_frolics12 after
being authenticated. I will add some code to check through for pp_p_ vars
and rename them, but I'm hoping a feature request will be implemented so that
variables will be stripped before being passed back to the login script.

Lastly, to log out just add "?odp_pp_logout=1" to the tool's URL (or 
"&odp_pp_logout=1" if a query string is set). This unsets O::P cookies on
your server, then redirects to http://passport.rpfuller.org/logout.cgi for
(I assume) further purging.

One other feature request that would be useful would be: the ability to tell 
the login script on http://passport.rpfuller.org/ what URL the user is coming
from, and have it redirect straight back there instead of bouncing off the
default tool. It would make things really simple - to protect a PHP script
with O::P, the only thing needed would be to include this script at the top
of the tool's source. It would also mean one less redirect for the user, and 
remove the need for a default tool.


Moments later, I realised a mistake and replied to myself...


Oops, one mistake (that I noticed): the user won't actually end up at
http://pgl.yoyo.org/odp/naked-editors.php?gallery=pp_p_frolics12 after
logging in - the O::P server uses POST to send the information back. But,
pretty much the same thing with PHP usually. 


And only a short time after that I finally got it...

Wait! No! I'm getting confused! Gah. The POST request is sent to login.php,
which should then redirect to the tool. But it didn't, because I'd left that
bit for now, which meant that *no* variables got passed back to the script at
all, which sucked. So I added a bit where all pp_p_ variables (as returned by
passport.rpfuller.org) are renamed and added to the query string, then passed
to the tool via GET. So data (well, GET data anyway) *is* returned correctly
after logging in. Bonus. :)

I'm going to bed.
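
The renaming step described in the last post, as an added example (this is not the code from login.php). It assumes the POST from passport.rpfuller.org carries the tool URL as "tool" next to the pp_p_ variables; the function name and the host allowlist are hypothetical, and the redirect target is checked against that allowlist so the handler only ever sends users back to your own tools.

```php
<?php
// Added example, not the original login.php. All names here are hypothetical.
const ALLOWED_TOOL_HOSTS = ['pgl.yoyo.org'];  // assumption: hosts serving your tools
const PP_PREFIX = 'pp_p_';

/**
 * Build the URL to redirect to after O::P posts back to the login handler.
 * Returns null when "tool" does not point at one of our own tools.
 */
function build_tool_redirect(array $post): ?string
{
    $tool = $post['tool'] ?? '';
    if (!is_string($tool)) {
        return null;
    }
    $parts = parse_url($tool);
    if ($parts === false
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_TOOL_HOSTS, true)
        || isset($parts['user']) || isset($parts['pass'])) {
        return null;  // refuse to redirect anywhere we do not control
    }

    // Keep only the pp_p_ variables, with the prefix stripped from the name.
    $params = [];
    foreach ($post as $name => $value) {
        if (is_string($name) && strncmp($name, PP_PREFIX, strlen(PP_PREFIX)) === 0) {
            $key = substr($name, strlen(PP_PREFIX));
            if ($key !== '') {
                $params[$key] = $value;
            }
        }
    }

    // Rebuild from the parsed parts; any query or fragment in "tool" is dropped.
    $url = $parts['scheme'] . '://' . $parts['host']
         . (isset($parts['port']) ? ':' . $parts['port'] : '')
         . ($parts['path'] ?? '/');
    return $params ? $url . '?' . http_build_query($params) : $url;
}

// Constructed sample of what the handler might receive after a login.
$sample = [
    'tool'         => 'http://pgl.yoyo.org/odp/naked-editors.php',
    'pp_p_gallery' => 'frolics12',
];
var_dump(build_tool_redirect($sample));
// A "tool" value on a host outside the allowlist is rejected.
var_dump(build_tool_redirect(['tool' => 'http://example.net/elsewhere.php']));
```

In a real handler the returned string would go into header('Location: ...') followed by exit, with a null result handled as an error page instead of a redirect.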