
BungieNetPlatform

"Updates, discussions, and documentation of the BungieNetPlatform API."

Originally posted in: BungieNetPlatform
9/8/2015 3:42:01 PM
5

Provider Authentication in WebViews and InAppBrowser

I'm working on a companion app using Ionic (AngularJS on top of Cordova, seemingly). I'm pretty new to the framework so there are probably things I don't fully grasp just yet. However, I am having a good deal of trouble authenticating. I've seen a ton of server-side authentication examples, but I want to steer clear of them, as I don't want to request and handle ANY credentials on my end. As I look for a solution here, I may explore setting up a quick PSN auth to test with my own account because I'm pretty blocked by authentication at this point.

My current workflow consists of using Cordova InAppBrowser to open up an authentication dialog and try to grab the cookies stored in the browser after a successful authentication attempt. At this point, here's what I've got:

1) Open a visible window for the auth provider (PSN: https://www.bungie.net/en/User/SignIn/Psnid?bru=%252f)
2) Allow user to authenticate, let the redirects happen.
3) Open up the Bungie account page (I've tried with the signin link again as well), and run JS on loadstop (Cordova event) on that page to fetch cookies using "document.cookie".

For what should be pretty immediately apparent reasons, I'm not getting some of the more important cookies, since they're not returned as part of the response. I get the bungled, bungleloc, and some others but am missing bungleatk. I can't seem to catch the cookies set in one of the redirects (it looks like the missing bungle* cookies are set in a call to Bungie from a PSN redirect with code=XXXX).

Has anyone used a similar approach to authenticate, and how have you gotten around the limited ability to fetch cookies using a cross-platform app builder? Are there any thoughts on how to handle the authentication using just WebViews or Cordova's InAppBrowser?


  • On a related note, was anyone able to find a cookie named "bungles"? It appears neither in my webview's cookie session right after login nor on my desktop browser's bungie.net cookies.


  • To be specific, I am using PhoneGap for my implementation, so I'm not totally sure the callback I am using is unique to the framework. http://docs.phonegap.com/en/2.7.0/guide_plugin-development_index.md.html

    Basically you call a native function from JavaScript and return a response using cordova.exec(function, errorFunction, 'service', 'action', [args]). Here's the JavaScript side http://pastebin.com/ZZAmCax8 and here's the iOS side (http://pastebin.com/wrnzGBGS).

    A few things to note:
    - postRequest is not yet implemented because I have been mostly working on my interface through MAMP and PHP, however it should just be a matter of changing the request to POST and adding the post data.
    - Database queries are sent as SQL strings because I don't like Objective-C that much (but really they should be implemented natively as well because being an interface, this means my PHP implementation is sending raw SQL queries over POST, which is fine for local testing, but not if I was ever going to make what I'm doing into a web browser app).
    - You would need to implement the interface if you want to support Android; since I don't own any devices, it's not high on my list.
    - You will probably want to implement a queuing system that will halt requests and try to re-authenticate before proceeding.
    - Totally and utterly a work in progress so if something doesn't work, ehh :p


  • Edited by lowlines: 9/15/2015 6:58:27 AM
    I'm actually using Cordova to build my own app (which may or may not ever see the light of day...), and what I've chosen to do is create a JavaScript interface that implements a bunch of common functions (i.e. API requests, authentication, manifest caching, etc.), which is then implemented by native code. I also override this interface with a PHP version that simulates the same functionality on a localhost web server for my development environment. I pretty much don't have to worry too much about cookies as the iOS implementation handles them automatically for me. It does however mean that from the user's point of view, they are logging into one screen and the third party authentication is handled through code, so if I ever did release what I'm working on I would emphasise this is happening. The idea at least, is that this would eventually be replaced once a more third party friendly option becomes available, but so the user interaction doesn't change.


    1 Reply
    • The reason you can't get particular cookies is both a good and bad thing. When they're set, cookies can have a flag enabled (https://www.owasp.org/index.php/HttpOnly) which prevents them from being accessible from client-side script, even though they continue to be managed properly by the browser. If I remember correctly, you also can't try anything tricky to bypass it either, like grabbing the raw cookie header values because they're filtered before your script can touch them. So the good news is that the policies are working correctly. The bad news is that unless you can get privileged access to cookies, there's not really anything you can do.
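
The HttpOnly behaviour described in the reply above, as an added example that is not part of the original thread: a simplified model of the browser cookie jar showing which cookies "document.cookie" returns to page script. The header values are constructed, and treating bungleatk as HttpOnly is an assumption taken from the reply; domain, path and expiry matching are left out.

```javascript
// Added example: models which cookies document.cookie exposes to page script.
// Header values are constructed; marking bungleatk HttpOnly is an assumption
// based on the reply above, not a captured Bungie.net response.
const SAMPLE_SET_COOKIE = [
  "bungled=1111111111; Path=/; Secure",
  "bungleloc=constructed-locale; Path=/",
  "bungleatk=EXAMPLE-TOKEN; Path=/; Secure; HttpOnly",
];

// Parse one Set-Cookie header into its name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // skip entries with no cookie name
  // Attribute names are case-insensitive, so normalise before comparing.
  const flags = new Set(attrs.map((a) => a.split("=")[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has("httponly"),
    secure: flags.has("secure"),
  };
}

// Build the jar the browser keeps; a later header replaces an earlier one.
function buildJar(headers) {
  const jar = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c) jar.set(c.name, c);
  }
  return jar;
}

// What a script reading document.cookie sees: HttpOnly entries are withheld.
function scriptVisibleCookies(headers) {
  return [...buildJar(headers).values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Cookies the browser still attaches to requests but never shows to script.
function httpOnlyNames(headers) {
  return [...buildJar(headers).values()].filter((c) => c.httpOnly).map((c) => c.name);
}

console.log("document.cookie ->", scriptVisibleCookies(SAMPLE_SET_COOKIE));
console.log("HttpOnly, hidden ->", httpOnlyNames(SAMPLE_SET_COOKIE));
```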


    • Bump. Probably a bad idea to post this in the midst of 2.0 coming out, but I'm hoping someone has some thoughts on how to work through this.

