How to: CakePHP logging in without password?

Question

I'm trying to find a way to log in user without password.

The reason is that I have phpBB3 forums in my site and the users already log in there. So I'm now building an expansion to the site to have more than just the forum (Using CakePHP). I thought that I could attach automatic account creation to CakePHP when user creates an account to forums (And ofcourse other link for the existing users). So the users would get CakePHP account that has the same username that they have registered in forums. That means that the only way to register to CakePHP part of the site would be to register to the forums first.

Now I'd like to handle the whole logging thing by phpBB3 login so users would still login to forums, and then I'd attach a piece of code that would also login them to CakePHP part of the site with the username they used to login to forums.

This way I could do also put users to their own ACL groups by their status in forums.

Thats what I'm after and I need to know the way to login users this way. I'm not looking for complete code I'm just looking for an answer that explains how I log in users in CakePHP without them having passwords at all.

I have also looked http://bakery.cakephp.org/articles/wilsonsheldon/2009/01/13/phpbb3-api-bridge but it just doesn't quite look what I'm looking for...

Answer 1

As far as I recall, Auth requires two pieces of info for a login. You can change which fields in the users table are checked by auth with.

$Auth->fields = array(
    'username' => 'username',
    'password' => 'password'
);

So if you you want to be able to log in users according to their nickname and shoesize:

$Auth->fields = array(
    'username' => 'nickname',
    'password' => 'shoesize'
);

IMPORTANT:
The AuthComponent expects the password value stored in the database to be hashed instead of being stored in plaintext. (I think it is a sha1 of the password and Security.salt)

In the above example, if any entries already existed in the database you'd have to overwrite the shoesize field for each of them with hashed versions of the shoesizes.

To generate a hashed password yourself you can use $Auth->password('A Password');

---

Quick and Dirty

If you fill the password fields in your users table with the return value of: $Auth->password(null);

Then you can use the following:

$Auth->login(
    array(
        'User'=>array(
            'username'=> USERNAME_FROM_PHPBB3,
            'password'=>null
        )
    )
);

---

Less Quick and Dirty

---

When creating a new user. Set the password field to the md5 hash of some random input.

$this->authUser[$this->User->alias][$Auth->fields['password']] = $Auth->password(md5(rand().rand()));

---

Use the Username from phpBB3 to retrieve the relevant record from the users table in the database.

$this->authUser = $this->User->findByUsername( USERNAME_FROM_PHPBB3 );

If the query was successful Log in the user

if($this->authUser){
    if($Auth->login($this->authUser)){
        // Login Successful
    }
}

---

Answer 2

This function will solve your problem:

public function forceLogin($userName = NULL) {
    $this->_setDefaults();

    $this->User = ClassRegistry::init('User');
    $this->User->recursive = 0;
    $user = $this->User->findByUsername($userName);

    if (!empty($user['User'])) {
        $this->Session->renew();
        $user['User']['id'] = null;
        $user['User']['password'] = null;
        $this->Session->write(self::$sessionKey, $user['User']);
    }

    return $this->loggedIn();
}

Answer 3

From your cakephp app you can check if a user exist in the phpbb forums table and you can use the phpbb session to check if a user is logged in.