Yes, you are right. I'll try to be more specific.
Actually the app is not a native app, but an Ionic hybrid app. Ionic is built on AngularJS, so I am using this JavaScript code in the Angular login controller:
$http({
  method: 'POST',
  url: 'http://domain.dev/login.html',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  // serialise the data object as a form-encoded body (key=value&key=value)
  transformRequest: function(obj) {
    var str = [];
    for (var p in obj) {
      str.push(encodeURIComponent(p) + "=" + encodeURIComponent(obj[p]));
    }
    return str.join("&");
  },
  data: $scope.loginData // {username: ..., password: ...}
}).success(function () {
  // response handling not shown
});
The code is doing nothing more than POSTing the username and the password (stored in the $scope.loginData variable) to "http://domain.dev/login.html".
The equivalent in JQuery would be something like this:
$.post( "http://domain.dev/login.html", { username: "John", password: "123" });
In the "login.html" resource (which uses a blank template) I have this snippet:
<?php
// only act on a POST that actually carries form fields
if (isset($_POST) && count($_POST)) {
    $c = array(
        'username' => $_POST['username'],
        'password' => $_POST['password']
    );
    // run the core login processor with the submitted credentials
    $response = $modx->runProcessor('security/login', $c);
    if ($response->response['success'] == 1) {
        $user = array();
        // $modx->user is null here after a successful login (see below)
        $user['id'] = $modx->user->get('id');
        $profile = $modx->user->getOne('Profile');
        $user['fullname'] = $profile->get('fullname');
        $user['email'] = $profile->get('email');
        echo json_encode($user);
    } else {
        // return the processor's error response as-is
        echo json_encode($response->response);
    }
}
Cross-site HTTP requests are allowed through the .htaccess file (the app obviously is not on the same domain as the MODX installation):
RewriteEngine On
RewriteBase /
# route every request for a non-existing file or directory through index.php
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^(.*)$ index.php?_rest=$1 [QSA,NC,L]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ index.php [QSA,NC,L]

# with AJAX withCredentials=false (cookies NOT sent)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
# RewriteEngine On
# answer CORS preflight (OPTIONS) requests with 200
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]

# with AJAX withCredentials=true (cookies sent, SSL allowed...)
# the Header directives below replace the ones set above for the same header names
SetEnvIfNoCase ORIGIN (.*) ORIGIN=$1
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
# echo the request's Origin header back as the allowed origin
Header always set Access-Control-Allow-Origin "%{ORIGIN}e"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
When I post a wrong username or password to the "login.html" page, I receive just what is expected:
{"success":false,"message":"The username or password you entered is incorrect. Please check the username, re-type the password, and try again.","total":0,"errors":[],"object":[]}
When I post the right credentials, the response is an error:
Fatal error: Call to a member function get() on null in...
The error is on this line:
    $user['id'] = $modx->user->get('id');
This means that the user authenticates correctly ($response->response['success'] == 1), but I have no access to the $modx->user object ($modx->user->get('id')).
So maybe the question should be: "How can I access the authenticated user object ($modx->user) when my requests are cross-domain?"
There is a good tutorial about using processors in the frontend here:
http://ridcully.dunnock.modxcloud.com/records/2014/07/08/using-custom-processors-in-modx-revolution-over-ajax-request/, but the authentication there is not cross-site.
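As an added illustration (not code from the post above or from MODX), here is how a browser judges the two header sets that the .htaccess produces, plus an allowlist variant instead of echoing any Origin. The app origin and the function names are assumptions for the example; the check follows the CORS rules browsers apply when reading a response.

```javascript
// Added example: browser-side CORS check for the two header sets in the
// .htaccess above, and an allowlist alternative. Origin value is assumed.
const APP_ORIGIN = "http://localhost:8100"; // assumed Ionic dev-server origin

// Headers as produced by the "withCredentials=false" block (wildcard origin)
function wildcardHeaders() {
  return { "access-control-allow-origin": "*" };
}

// Headers as produced by the "withCredentials=true" block: the request's
// Origin is echoed back and credentials are allowed, whatever the origin is.
function echoOriginHeaders(requestOrigin) {
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
  };
}

// Hardened variant: only origins on an explicit allowlist get a credentialed
// CORS grant; everyone else receives no CORS headers at all.
function allowlistHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // response differs per origin, so caches must key on it
  };
}

// CORS check as the browser performs it before handing the response to JS.
// Returns true when script from requestOrigin may read the response body.
function browserAcceptsResponse(headers, requestOrigin, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === requestOrigin;
  // Credentialed request (cookies sent): a wildcard is rejected; the exact
  // origin must be echoed and Allow-Credentials must be "true".
  return acao === requestOrigin && acac === "true";
}

// Walk through the cases the post's two .htaccess blocks cover.
function demo() {
  const other = "http://other-site.example"; // constructed third-party origin
  return {
    wildcardNoCookies: browserAcceptsResponse(wildcardHeaders(), APP_ORIGIN, false),
    wildcardWithCookies: browserAcceptsResponse(wildcardHeaders(), APP_ORIGIN, true),
    echoAnyOrigin: browserAcceptsResponse(echoOriginHeaders(other), other, true),
    allowlistOther: browserAcceptsResponse(allowlistHeaders(other, [APP_ORIGIN]), other, true),
    allowlistApp: browserAcceptsResponse(allowlistHeaders(APP_ORIGIN, [APP_ORIGIN]), APP_ORIGIN, true),
  };
}
```

With the wildcard block, the login request succeeds but the session cookie is never sent, so later requests arrive unauthenticated; with the echo block, any origin can make credentialed requests, which the allowlist variant prevents.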