    • 33614
    • 5 Posts
    Greetings Folks!
    I've been scouring the forums/Bob's book/etc looking for something I'm missing but I'm still not getting there. Here's the gist of what I'm trying to do.

    I have a site that will get some of its visitors funneled to it from another company's site where they will do a pass-through sign-on to my site such that all their users will come into mine using the same hidden username/password, as opposed to my normal users who come in the front door with unique credentials each. To keep these folks honest, we have developed a system whereby their site will call a page on mine to retrieve a randomly generated nonce/token pair that they will use to encrypt the password on their side for every login attempt. When they submit the form to log on to my site, they pass me the token used so I can then have my pre-hook snippet look up the generated pair (which I stored in a custom db after generation earlier), retrieve the accompanying token's nonce, generate the key and decrypt the password to verify they are kosher. I then need to substitute the decrypted password into the password field passed in with the login form so the hook can then return true and let the login continue as normal. If they possessed a proper token, the password will decrypt properly, I swap their decrypted pw in for the old encrypted one and let the login proceed. It matches up, they're in! Otherwise, if they tried to forge a token, the pw will not match and the login process will dump them out no different than any incorrect pw submission. Further, I can have the pre-hook snippet email bark at me if the token they tried wasn't found in the db, and then fail the pre-hook so it doesn't go any further.

    I've tried both the
    $scriptProperties['fields']['password'] = $decryptedPW;
    and
    $hook->setValue('password',$decryptedPW);
    routes but neither seems to be getting me close as the final password submitted to the login process is still the encrypted one originally passed in - aka, I'm not altering the real deal apparently.

    I'm running on MODxCloud server on the latest 2.2.8 rev and current Login. I'm open to other suggestions for better ways to accomplish this as well if easier. Thanks in advance!

    This question has been answered by Zoot. See the first response.

      -What is this Wonka? Some kind of funhouse?
      -Why... having fun?
    • That's a bit tricky... see http://rtfm.modx.com/display/ADDON/FormIt.Examples.Custom+Hook

      Inside your hooks, I don't think you get the $scriptProperties array handed to you. I think you need to read the values using $hook->getValue().

      Hope that helps.
        • 33614
        • 5 Posts
        Thanks for the idea Everett!

        Alas, as I mentioned, unfortunately using $hook, $scriptProperties (it is available to Login), $_POST, etc doesn't get me there. While I can indeed modify the password in these various fields, ultimately it doesn't matter because the login processor doesn't use them at that point in time when the pre-hooks finish up.

        It took a LOT of digging and some major help from Bob Ray's book (thanks Bob!) to get me pointed in the right direction. After printing out the code for the various classes in the Login package and scouring splittingred's excellent work for the problem location, I discovered that when it gets down to finally logging in after the pre-hooks complete (see runLoginProcessor() function in Login.php), the username and password are grabbed from the dictionary object that was created back at the outset of the Login object when it used the gather() function (see logindictionary.class.php) to initially populate a dictionary object tied to the login object.

        Any password fields I tweaked outside of this dictionary were meaningless, as the runLoginProcessor() only cared what was currently in the dictionary object at the time the function finally invokes.

        Thankfully, I noticed that while the $scriptProperties wouldn't get me the dictionary directly, I could get a reference to the Login object itself. Once I had that, I figured out I could walk it down through the controller to the dictionary, and bang, I'm in! W00t!
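          // Walk from the Login object down to the dictionary that runLoginProcessor() reads
          $login =& $scriptProperties['login'];
          $loginController =& $login->controller;
          $loginDictionary =& $loginController->dictionary;
          // Overwrite the submitted (encrypted) password with the decrypted one
          $loginDictionary->set('password',$decryptedPassword);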

        The pre-hook(s) can then finish, the runLoginProcessor() kicks in and pulls the credentials from the dictionary object, and ta-da! Finito!

        Seems to be working fine now. If anyone spots a gotcha in this method I missed (or a better way to get there), please let me know. Thanks again all for the help! MODx rocks!
          -What is this Wonka? Some kind of funhouse?
          -Why... having fun?
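
Added example, not part of the original posts and not code from the Login package: a stand-alone sketch of the token/nonce check the pre-hook performs before the dictionary swap shown above, with the token consumed on first use and a forged ciphertext rejected by authenticated decryption. The function names, the in-memory `$store` (standing in for the custom db), the pre-shared secret, the HKDF key derivation, the 120-second lifetime and the choice of libsodium secretbox are all assumptions, as is PHP 7.2+ with the sodium extension.

```php
<?php
// Added example; $store stands in for the custom DB table of issued pairs.
const TOKEN_TTL = 120; // assumed lifetime of a token/nonce pair, in seconds

// The page the partner site calls: issue and remember a random token/nonce pair.
function issuePair(array &$store, int $now): array {
    $token = bin2hex(random_bytes(16));
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $store[$token] = ['nonce' => $nonce, 'issued' => $now];
    return [$token, $nonce];
}

// Assumed key generation: HKDF over a secret pre-shared with the partner, salted with the token.
function deriveKey(string $sharedSecret, string $token): string {
    return hash_hkdf('sha256', $sharedSecret, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, 'passthrough-login', $token);
}

// Pre-hook core: returns the decrypted password, or null when the hook must fail.
function redeemToken(array &$store, string $token, string $cipher, string $sharedSecret, int $now): ?string {
    if (!isset($store[$token])) {
        return null; // unknown token: the place to send the alert e-mail
    }
    $pair = $store[$token];
    unset($store[$token]); // single use; against a real DB, delete atomically and check the row count
    if ($now - $pair['issued'] > TOKEN_TTL) {
        return null; // stale pair
    }
    // Authenticated decryption returns false for a forged or altered ciphertext.
    $plain = sodium_crypto_secretbox_open($cipher, $pair['nonce'], deriveKey($sharedSecret, $token));
    return $plain === false ? null : $plain;
}

// Constructed demo values: partner side encrypts, pre-hook side redeems.
$store  = [];
$secret = random_bytes(32);
$now    = time();
[$token, $nonce] = issuePair($store, $now);
$cipher = sodium_crypto_secretbox('shared-hidden-password', $nonce, deriveKey($secret, $token));

$first  = redeemToken($store, $token, $cipher, $secret, $now); // valid token
$replay = redeemToken($store, $token, $cipher, $secret, $now); // same token submitted again
var_dump($first, $replay);
// In the hook, a non-null result is what goes into $loginDictionary->set('password', ...).
```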