我最近有一个想法,使用存储在数据库中的登录凭据创建的令牌创建 PhpMyAdmin 的登录系统。 网址看起来像这样:
pma.example.com/index.php?token=WCxuFWj1QtGGapZhfSPS9Eo1Q9q666sR
令牌包含 32 个随机生成的字母数字字符。
所以我有一个用 Python 和 Flask 制作的 API,它与 PhpMyadmin 进行本地通信,并且不同的应用程序有两个路由:
127.0.0.1:4040/api/v1/create_tokendatabase_host_iddatabase_usernamedatabase_hosttokenJSON received by the API :
{
"database_host_id": 1,
"database_username": "pma",
"database_password: "4wAyS8",
}
JSON sent to the client:
{
"token": "WCxuFWj1QtGGapZhfSPS9Eo1Q9q666sR"
}
127.0.0.1:4040/api/v1/get_databasetokendatabase_host_iddatabase_usernamedatabase_passwordJSON received by the API :
{
"token": "WCxuFWj1QtGGapZhfSPS9Eo1Q9q666sR"
}
JSON sent to the client :
{
"database_host_id": 1,
"database_username": "pma",
"database_password: "4wAyS8",
}
有API固然好,但如果你不使用它,它就没用,所以我在PhpMyAdmin的源代码中搜索了身份验证系统是如何工作的。
我能理解:
/libraries/common.inc.phpAuthPlugin$auth_plugin = Plugins::getAuthPlugin();
$auth_plugin->authenticate();
AuthPluginlibraries/classes/Plugins/Auth$cfg['Servers'][$i]['auth_type']librairies/classes/Plugins/Auth/AuthenticationCookie.php所以现在我必须修改
AuthenticationCookie.phptoken这就是我陷入困境的地方,因为尽管我有 PHP 基础知识,但我无法让我正在做的事情发挥作用。尽管我尝试过,但我可以注意到,当我从 URL 检索令牌时,它根本不是定义的内容,就好像它是加密的一样。
这是我的问题:
信息:
如果我能在推理过程中得到任何帮助或对我的问题有任何答案,我将不胜感激
我最终制作了一个与我的服务器关联的登录脚本,该脚本从 URL 获取令牌,向 API 请求令牌信息,然后与其连接。它运行完美。
<?php
/**
* Single signon for phpMyAdmin
*
* This is just example how to use session based single signon with
* phpMyAdmin, it is not intended to be perfect code and look, only
* shows how you can integrate this functionality in your application.
*/
declare(strict_types=1);
/* Use cookies for session */
ini_set('session.use_cookies', 'true');
/* Change this to true if using phpMyAdmin over https */
$secure_cookie = false;
/* Need to have cookie visible from parent directory */
session_set_cookie_params(0, '/', '', $secure_cookie, true);
/* Create signon session */
$session_name = 'SignonSession';
session_name($session_name);
// Uncomment and change the following line to match your $cfg['SessionSavePath']
//session_save_path('/foobar');
@session_start();
/* Was data posted? */
if (isset($_REQUEST['token'])) {
$data = array(
'token'=> $_REQUEST['token']
);
$payload = json_encode($data);
$curl = curl_init('http://127.0.0.1:4040/api/v1/get_database');
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($curl);
curl_close($curl);
$response = json_decode($response, true);
/* Store there credentials */
$_SESSION['PMA_single_signon_user'] = $response->database_username;
$_SESSION['PMA_single_signon_password'] = $response->database_password;
$_SESSION['PMA_single_signon_host'] = $_POST['host'];
$_SESSION['PMA_single_signon_port'] = $_POST['port'];
/* Update another field of server configuration */
$_SESSION['PMA_single_signon_cfgupdate'] = ['verbose' => 'Signon test'];
$_SESSION['PMA_single_signon_HMAC_secret'] = hash('sha1', uniqid(strval(rand()), true));
$id = session_id();
/* Close that session */
@session_write_close();
/* Redirect to phpMyAdmin (should use absolute URL here!) */
header('Location: ../index.php');
} else {
/* Show simple form */
header('Content-Type: text/html; charset=utf-8');
echo '<?xml version="1.0" encoding="utf-8"?>' . "\n";
echo '<!DOCTYPE HTML>
<html lang="en" dir="ltr">
<head>
<link rel="icon" href="../favicon.ico" type="image/x-icon">
<link rel="shortcut icon" href="../favicon.ico" type="image/x-icon">
<meta charset="utf-8">
<title>Loading...</title>
</head>
<body>';
if (isset($_SESSION['PMA_single_signon_error_message'])) {
echo '<p class="error">';
echo $_SESSION['PMA_single_signon_error_message'];
echo '</p>';
}
echo '
<h1>Loading...</h1>
</body>
</html>';
}
我知道它还没有完成,但我计划改进它。这就是我找到的解决方案。