How to login and get the API token with username and password?

Hey there :wave:

I’m currently working on a frontend project which will feature user logins which will be required to use the application. So far so easy.

I want to use Cockpit’s (v2) user authentication and role management in order to avoid having to code my own login API.
So I’ve just opened my Dev Tools, logged into my Cockpit Backend, and saw that there’s a request going to /auth/check which has a request body like this:

    {
        "auth": {
            "user": "USERNAME",
            "password": "PASSWORD"
        },
        "csrf": "TOKEN"
    }

Now I’m wondering where I’m supposed to get the value for the CSRF token from.
As far as I can see, there’s no endpoint which I could use to get a token from Cockpit.

CSRF tokens are meant to identify client sessions and are therefore unique for every session, aren’t they?

My question might be stupid - I know. I’m sorry if that’s the case. But I’m not really deep into CSRF and PHP, so this is new to me.

Thanks to everyone who’s helping me here :pray:

Have a great day :slightly_smiling_face:

Just wanted to bring this back up hoping that anyone has an idea :slight_smile:

I can see that the Token gets generated within the Csrf Helper at /modules/App/Helper/Csrf.php and used in the Vue login() method in /modules/App/views/auth/login.php

Did you find a solution to your problem?

I wrote a small plugin which allows registering and logging in via API. If you are interested, contact me.

2 Likes

Hey, I would like to hear more

Two simple methods, for Register and Login via API. These are only the basics, how to authenticate. I used the Cockpit internal Methods, only added the Endpoints.
Note: returning the whole user-object is not the best solution, you need to think about a cleanup of this data.

Register

    $restApi->addEndPoint('/auth/register', [
        /**
         * @OA\POST(
         *     path="/auth/register",
         *     tags={"auth"},
         *     @OA\Response(response="200", description="Register via API")
         * )
         */
        'POST' => function($params, $app) {
            $userController = new \System\Controller\Users($app, ['action' => 'user', 'params' => $params]);

            error_reporting(0); // create triggers an unavoidable warning; disable error reporting to get clean output
            $user = $userController->save();
            return $user;
        },
    ]);

Login


    $restApi->addEndPoint('/auth/check', [
        /**
         * @OA\POST(
         *     path="/auth/check",
         *     tags={"auth"},
         *     @OA\Response(response="200", description="Login via API")
         * )
         */
        'POST' => function($params, $app) {
            $user = $app->helper('auth')->authenticate($app->request->param('auth'));

            return $user;
        }
    ]);

1 Like
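
The cleanup that the note in the post above asks for, as an added example (not part of the original posts and not Cockpit's own code): an allow-list filter applied to the authentication result before it leaves the endpoint. The function names, the field names, the sample record and the assumption that a failed login yields a non-array value such as `false` are all assumptions, not confirmed by the thread.

```php
<?php
declare(strict_types=1);

// Fields a frontend may see. Assumed names; adjust to your own user schema.
const PUBLIC_USER_FIELDS = ['_id', 'user', 'name', 'email', 'role'];

/**
 * Reduce a user record to its allow-listed fields.
 * Returns null for anything that is not a user array (assumed: failed login).
 */
function publicUserView(mixed $user, array $allowed = PUBLIC_USER_FIELDS): ?array
{
    if (!is_array($user) || $user === []) {
        return null;
    }
    // Allow-list, not deny-list: fields added to the schema later stay private by default.
    return array_intersect_key($user, array_flip($allowed));
}

/**
 * Build the endpoint's response from the authentication result (hypothetical helper).
 */
function loginResponse(mixed $authResult): array
{
    $view = publicUserView($authResult);
    if ($view === null) {
        // Same generic message for an unknown user and a wrong password.
        return ['status' => 401, 'body' => ['error' => 'Authentication failed']];
    }
    return ['status' => 200, 'body' => $view];
}

// Constructed sample record (not real data); password and apiKey must never be returned.
$sampleUser = [
    '_id'      => 'constructed-id-0001',
    'user'     => 'alice',
    'name'     => 'Alice Example',
    'email'    => 'alice@example.com',
    'role'     => 'editor',
    'password' => '$2y$10$constructedHashPlaceholder',
    'apiKey'   => 'USR-constructed-placeholder',
];

echo json_encode(loginResponse($sampleUser), JSON_PRETTY_PRINT), PHP_EOL;
echo json_encode(loginResponse(false), JSON_PRETTY_PRINT), PHP_EOL;
```

Inside the `'POST'` handlers shown above, the value of `$user` would be passed through `publicUserView()` instead of being returned directly.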

I made a small update, hoping that it will be useful for those who are on v2: the same endpoint returning a JWT

    // AUTH
    $restApi->addEndPoint('/auth/check', [
        'POST' => function($params, $app) {
            $data = [
                'user'     => $app->param('username'),
                'email'    => $app->param('email'),
                'password' => $app->param('password')
            ];

            $user = $this->helper('auth')->authenticate($data);
            $newJWT = $this->helper('jwt')->create($user);
            return array( "jwt" => $newJWT  );
        }
    ]);

I have put this in the path: /modules/Content/api.php

1 Like

Ahoi, this is not yet published in the Cockpit-HQ, right? Is it planned to be? @artur

I put this for local testing in the api.php but the /auth/check is not known (404). Any tips how to make this work?

Thanks a lot.