SimpleAuth is an automatic authentication method to allow you to log users in from third party code/software. Useful in integrations with other client management software, it will generate a session for the user without them having to do anything or requiring the user's password.
It works by constructing a special link to the login page that includes the user's email address, a timestamp and a hash that is generated from a defined key and the timestamp, and you can also add a redirection URL on successful authentication.
SimpleAuth relies on a defined secret key in the configuration file. This is used to generate the hash and validate any requests.
SimpleAuth can be used by setting a key like below in the config.php file found in the includes folder. A key may currently be set, but you are welcome to change it to any random string of characters and numbers.
$SIMPLEAUTH_KEY = "RhqFi31PpIe0eIyP08fNqA";
To use SimpleAuth, we need to generate a hash for each request. This hash is generated by combining the user's email address, the secret key and the current timestamp like below. The timestamp must be within 10 minutes of the server time or else the request will be invalid.
md5($email . $SIMPLEAUTH_KEY . $time)
You can now use the resulting hash to build the request. To declare a redirect URL, use the 'back' parameter. An example request is below.
If the hash is invalid, the timestamp is outdated or no key has been set, the script will return a json string that contains details of the error.
// Set the login URL and SimpleAuth key
$loginUrl = 'https://www.domain.com/support/login.php';
$simpleAuthKey = 'RhqFi31PpIe0eIyP08fNqA';
// Set variables for hash
$email = 'firstname.lastname@example.org';
$time = time();
$back = 'http://domain.com/clientarea.php';
// Generate hash
$hash = md5($email . $simpleAuthKey . $time);
// Generate request and access it
$request = $loginUrl . '?email=' . $email . '&time=' . $time . '&hash=' . $hash . '&back=' . urlencode($back);