phpbb3 Sign in with twitter
July 21, 2009 at 10:09 am | In Blog, Website Development | 4 Comments
Tags: architecture, authentication, authorize, code, login, mechanism, oauth, php, phpbb3, plugin, requirements, sign in with twitter, twitter
I’ve previously blogged about how I extended the architecture of phpbb3 to my entire website. This got me great advantages in terms of security, session management etc. etc. and a consistent look and feel. However, something I always wanted to do was lower the barriers to people posting. I have enabled anonymous posting (with a visual captcha, obviously), but some features like the use of the image gallery and certain forum sections are only available to registered members. The problem is: registering is a pain!
So here comes “Sign in with twitter”. Twitter has been moving to OAuth to provide an open platform for authentication, meaning that sites like www.dirtmind.com can use twitter as a way of logging in users, even brand new ones, in just two clicks! Sounds awesome doesn’t it?
This is just the button, it doesn't do a login here!
There were a few problems with getting this all to work… phpbb has an open architecture and a mechanism for you to create your own authentication plugins, so rather than use the default database authentication mechanism you can use LDAP or Apache or write your own. Unfortunately, despite my detailed searching it seems no one has written an auth_twitter plugin for phpbb3. On the other hand there are some good php twitter oauth examples out there so I thought it shouldn’t be too hard to write my own.
Some requirements:
1. New users must be able to use twitter oauth to create and login to new dirtmind accounts seamlessly.
2. Existing dirtmind members must be able to login using their normal username/password combination and twitter oauth interchangeably.
3. No twitter user should be able to hijack an existing dirtmind account.
4. A twitter user needs to be able to claim a dirtmind account as theirs as part of the twitter oauth flow.
5. A dirtmind user needs to be able to specify a twitter account to log in with, that isn’t necessarily the same name.
6. An account created by twitter oauth needs to be a standard normal phpbb user account; the user should be able to change their profile and even set a password that will then work as part of normal phpbb db login.
7. All logins should honour phpbb security, inactive accounts and banned accounts settings.
Easy right?
The big challenge
The main problem in achieving this was that there is some architectural impedance between twitter oauth and phpbb login. This is probably why I couldn’t find anything out there that I could just pick up and use.
Twitter oauth is a two stage process: you request an authorisation url, you go to it and enter account details on the twitter site (or use your current logged in status), and then it calls back to the original application.
Phpbb login is a single process, you call login with a username/password and the user is either logged in or not.
The solution
Yes, I got it to work, you can see the results on www.dirtmind.com (any part of the site, forum, games, image gallery, whatever – it’s site wide awesomeness). I’m not going to post all of the code for how login works on my website, for obvious security reasons, but here’s the solution and some snippets to help you put it all together.
So I did write an auth_twitter plugin for phpbb3; however, there is practically no twitter oauth flow in it at all. It’s basically the same as the standard auth_db plugin with some notable exceptions:
- If the source of the login attempt is twitter then allow null passwords
- If the source of the login is twitter then auto-create a phpbb account if one doesn’t exist
- During auto-creation of accounts, if the target already exists then redirect to a mapping page that allows the user to claim the target dirtmind account or alternatively specify an arbitrary name for their new dirtmind account
How to create a new phpbb user (from auth_twitter)

    $row = array(
        'username'        => $username,
        // Custom column linking the phpbb account to its twitter name
        'user_twitter'    => $db->sql_escape(utf8_clean_string($username)),
        // Hash of an empty password: the db login path must reject blank passwords
        'user_password'   => phpbb_hash(''),
        'user_email'      => 'none@dirtmind.com',
        // $grow is the group row looked up earlier (lookup not shown)
        'group_id'        => (int) $grow['group_id'],
        'user_type'       => USER_NORMAL,
        'user_ip'         => getenv('REMOTE_ADDR'),
        'user_timezone'   => '1.00',
        'user_dst'        => 0,
        'user_lang'       => 'en',
        'user_actkey'     => '',
        'user_dateformat' => 'd M Y H:i',
        'user_style'      => 1,
        'user_regdate'    => time(),
    );
Normally you’d then call:
$phpbb_user_id = user_add($row);
To add the user to the database, but since you’re inside the login mechanism you just pass the row back as part of the return data of the login_twitter function.
I then simply call the login_twitter method with username and no password from the twitter oauth flow, which is built into my basic page template.
For simple php oauth I strongly recommend Abraham’s twitter oauth. Obviously there are some issues to deal with, like not allowing arbitrary account linkage, preventing simple db account hacking based on the blank passwords, and other anti-hacking things to consider, but those are all fairly standard solutions to fairly standard problems. The results are a really sweet login experience for people.
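The decision logic implied by requirements 3, 4 and 7 and by the blank-password issue above, as an added standalone sketch (not the author's plugin and not phpBB code). The function names, status strings and sample rows are hypothetical, and PHP's built-in password_hash()/password_verify() stand in for phpBB's hashing.

```php
<?php
// Added sketch, not phpBB code; every name below is a hypothetical stand-in.
// password_hash()/password_verify() stand in for phpBB's own hashing helpers.
$h = fn(string $p) => password_hash($p, PASSWORD_DEFAULT);
// Constructed sample rows standing in for the phpBB users table.
$users = [
    ['username' => 'alice', 'user_twitter' => '', 'active' => true, 'user_password' => $h('correct horse')],
    ['username' => 'tw_only', 'user_twitter' => 'tw_only', 'active' => true, 'user_password' => $h('')],
    ['username' => 'bob', 'user_twitter' => 'bobtweets', 'active' => false, 'user_password' => $h('hunter2')],
];

// Case-insensitive lookup; an empty column value never matches anything.
function find_user(array $users, string $field, string $value): ?array
{
    foreach ($users as $u) {
        if ($u[$field] !== '' && strtolower($u[$field]) === strtolower($value)) {
            return $u;
        }
    }
    return null;
}

// $verified_twitter is set only by the OAuth callback handler after Twitter
// has confirmed the account; it must never come from request parameters.
function resolve_login(array $users, string $username, string $password,
                       ?string $verified_twitter = null): string
{
    if ($verified_twitter === null) {
        // Password path: refuse empty passwords outright, because accounts
        // created through Twitter store the hash of ''.
        $u = find_user($users, 'username', $username);
        if ($password === '' || $u === null
            || !password_verify($password, $u['user_password'])) {
            return 'ERROR';
        }
        return $u['active'] ? 'SUCCESS' : 'ERROR_INACTIVE';
    }
    // Twitter path: only an explicit user_twitter link logs a user in.
    if ($u = find_user($users, 'user_twitter', $verified_twitter)) {
        return $u['active'] ? 'SUCCESS' : 'ERROR_INACTIVE';
    }
    // Same name as an unlinked local account: never log in, go to mapping page.
    if (find_user($users, 'username', $verified_twitter) !== null) {
        return 'CLAIM_OR_RENAME';
    }
    return 'CREATE_PROFILE'; // no collision: auto-create a normal account
}

foreach ([['tw_only', '', null], ['alice', '', 'alice'], ['x', '', 'bobtweets'],
          ['x', '', 'newbie'], ['alice', 'correct horse', null]] as $case) {
    echo json_encode($case), ' => ', resolve_login($users, ...$case), "\n";
}
```

The CLAIM_OR_RENAME result is where the mapping page takes over; how that page verifies a claim is outside this sketch.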
4 Comments »
This looks interesting, so far.
If it’s not just all bots here, let me know. I’m looking to network
Oh, and yes I’m a real person LOL.
Peace,
Comment by Orawsmeriamip — August 13, 2009 #
No bots here
Well, except for the millions of spammy comments I get but those never get published
Comment by dirtmind — August 14, 2009 #
Is the source code available to public for free?
Comment by Mike — November 12, 2009 #
I don’t have any plans to do so at the moment, but who knows!
Comment by dirtmind — November 23, 2009 #