There are tutorials on Habr and other resources, but each of them skips some minor detail, and questions about those details keep showing up on various forums. Since I recently had to hook one site up to VKontakte and Mail.ru, I decided, while the memory is fresh, to write my own small manual, with blackjack, so to speak, using the native widgets of these social networks.
So let's start with VKontakte. Go to the site connection page; later the settings of the connected site will be available on the application management page, where you will find the application ID and the secret key, which naturally must not be disclosed to anyone.
On the page that will show the “Login with VKontakte” button, add the following to the head of the page:
<script type="text/javascript" src="http://userapi.com/js/api/openapi.js?34"></script>
And initialize the application:
VK.init({apiId: __APP_ID__});
Now show the user the button by calling the widget. As parameters, Auth takes the id of the element in which the widget is displayed, the width, and the address of the page the user is redirected to after the login attempt.
<div id="vk_auth"></div>
<script type="text/javascript">
VK.Widgets.Auth("vk_auth", {width: "300px", authUrl: '/vklogin.php?'});
</script>
What the user will see:

After clicking “Sign in via VKontakte”, the user is sent to a page like
vkontakte.ru/widget_auth.php?act=a_auth_user&app=__APP_ID__&hash=d2d47b3c85d1a091a8 and then to the URL you specified in the authUrl parameter when calling the widget. The redirect carries the following GET parameters:
first_name (first name), hash (used to check that the request really came from VKontakte and is not hacker Vasya trying to log in with someone else's data), last_name (last name), photo (large avatar, 119 pixels wide), photo_rec (small avatar, 50x50), uid (user id).
After filtering, I saved the parameters we need under the same names in the global scope.
Now we need to write the vklogin.php script, which checks that the incoming data is valid and either logs the user in if he already exists in our database, or creates a new account for a user who has come to us for the first time.
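// $uid and $name are the filtered values saved above. Both are interpolated into
// the queries below, so $uid must contain only digits and $name must be SQL-escaped.
// The hash is md5 of the application ID, the uid and the secret key.
// Strict comparison (===) avoids PHP's loose comparison of "0e..." strings.
if ($_REQUEST['hash'] === md5('2445355' . $uid . '__SECRET_KEY__')) {
    // The request is genuine; accounts created through VKontakte
    // use logins of the form vk-<uid>
    $result = mysql_query("SELECT id, random, password FROM tracker_users WHERE username = 'vk-$uid'");
    // Clear any previous login cookies
    setcookie('uid', '');
    setcookie('pass', '');
    if (mysql_num_rows($result)) {
        // The user already exists: refresh the name and log him in
        $user = mysql_fetch_assoc($result);
        mysql_query("UPDATE tracker_users SET name = '$name' WHERE username = 'vk-$uid' LIMIT 1");
        setcookie('pass', md5($user['random'] . $user['password'] . $user['random']));
        setcookie('uid', $user['id']);
    } else {
        // First visit: create the account
        $random = mt_rand(100000, 999999);
        $pwd = $uid . 'verysecretlonglongword-';
        $pid = md5(uniqid(rand(), true));
        mysql_query("INSERT INTO tracker_users
            (username, name, password, random, id_level, email, style, language, flag, joined, lastconnect, pid, time_offset) VALUES
            ('vk-$uid', '$name', '" . md5($pwd) . "', $random, 3, '', 5, 7, 0, NOW(), NOW(), '$pid', '0')");
        // Log the new user in with the same cookie scheme
        setcookie('pass', md5($random . md5($pwd) . $random));
        setcookie('uid', mysql_insert_id());
    }
    header("Location: /index.php");
}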
On the site where I needed to add this login, the cookies store the user id and a hash of the salt and the password hash. The solution is, of course, not perfect, but completely changing the whole engine was not in my plans. If the user already exists, we log him in by setting the cookies; if this is his first visit, we add him to the database. We also update the name on every login, because the user could have changed it, and we want it to stay current.
In addition, before using this kind of login, make sure the database has no users with logins of the form vk- (or whatever prefix you want to use). You also need to forbid registering logins of the form vk- through the engine's normal registration, and forbid users who came from the social network from changing their password and, optionally, their avatar and display name. For sites where having the registered users' email is critical, you will also need to teach your engine that these users have no email.
Optionally, next to each place the username is shown on the site, you can mark that the user logged in through a social network:
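A hardened form of the vklogin.php check above, as an added example that is not the article's code: it validates uid, compares the hash with hash_equals, and binds values through PDO instead of interpolating them into SQL. The function names, the placeholder constants and the two-column SQLite table are assumptions made for the demo.

```php
<?php
// Added example, not the article's code. The constants are placeholders and
// the table is cut down to two of the article's tracker_users columns.
const VK_APP_ID = '__APP_ID__';
const VK_SECRET_KEY = '__SECRET_KEY__';

// Returns the uid (digits only) if the callback is authentic, otherwise null.
function vk_verified_uid(array $get, string $appId, string $secret): ?string
{
    $uid  = $get['uid'] ?? null;
    $hash = $get['hash'] ?? null;
    // Reject arrays (?uid[]=1) and anything that is not a plain decimal id.
    if (!is_string($uid) || !is_string($hash) || !ctype_digit($uid)) {
        return null;
    }
    // Same formula as the article's check: md5(app id . uid . secret key).
    $expected = md5($appId . $uid . $secret);
    // Constant-time, type-strict comparison instead of ==.
    return hash_equals($expected, $hash) ? $uid : null;
}

// Finds or creates the local vk-<uid> account with bound parameters.
function vk_find_or_create_user(PDO $db, string $uid, string $name): int
{
    $username = 'vk-' . $uid;
    $stmt = $db->prepare('SELECT id FROM tracker_users WHERE username = ?');
    $stmt->execute([$username]);
    $id = $stmt->fetchColumn();
    if ($id !== false) {
        // Known user: refresh the display name.
        $db->prepare('UPDATE tracker_users SET name = ? WHERE id = ?')
           ->execute([$name, $id]);
        return (int) $id;
    }
    $db->prepare('INSERT INTO tracker_users (username, name) VALUES (?, ?)')
       ->execute([$username, $name]);
    return (int) $db->lastInsertId();
}

// Constructed demo: in-memory SQLite (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracker_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, name TEXT)');
$forged = ['uid' => '12345', 'hash' => '0'];
$signed = ['uid' => '12345', 'hash' => md5(VK_APP_ID . '12345' . VK_SECRET_KEY)];
var_dump(vk_verified_uid($forged, VK_APP_ID, VK_SECRET_KEY));
$uid = vk_verified_uid($signed, VK_APP_ID, VK_SECRET_KEY);
var_dump(vk_find_or_create_user($db, $uid, "O'Brien; --"));
var_dump(vk_find_or_create_user($db, $uid, 'Renamed'));
```

The second and third calls go through the same account row: the first creates it with a name containing a quote, the next only updates the name.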

If the level and subject of the article are interesting to users, I will continue with mail.ru, facebook and twitter.
Part two: Mail.ru