2
votes

I'm currently looking at creating a mobile application which integrates with a Magento store, and have managed to get many aspects of it working using the SOAP API, such as retrieving products and categories.

I am now looking to solve an issue where I need the user of the mobile app to log in with their Magento customer login details; however, looking through the SOAP API, there is no method for an actual customer to log in?

Does anyone have any idea of how I can perform this task?

Thanks

2
The SOAP API is not good for this. Imagine the security hole if a customer who logged in through your mobile app was able to administer products, orders and payments using the credentials. Much safer to build a mobile-friendly responsive Magento store rather than an app using the slow API. – Ashley Swatton
Hi Ashley, I would have to disagree with that, especially if the iPhone native application only had certain API calls programmed into it; I can't see how that would be an issue. For this app, though, we are building a relay-type server so there will be an added layer of security, and so far the app performs really fast with the caching we have enabled. – MonkeyBlue
Run your SOAP requests through a proxy server such as Charles; oops, there are your API credentials for anyone to make SOAP requests to your server and administer your inventory and orders. Your example below is not SOAP either; it's returning a JSON object. Magento does not support this for a reason: the API is designed for backend administration, not frontend. Your app has an API user, not a customer, as the user. Are you going to create a new API user for every customer? I think not. Send me your phone app, I'll update some product prices! – Ashley Swatton
I think we are getting crossed wires: the mobile API will not contain the actual SOAP Magento keys but will have a key so it can talk to my proxy server. Now the proxy server itself will contain the SOAP web service keys and only work with particular requests like get products, categories etc.; none of the update features will be exposed, so it should not be possible to update stock, prices etc. from the mobile app or proxy service. The SOAP user will also be restricted from Magento Admin. – MonkeyBlue
I appreciate your feedback. I'm quite new to Magento so it's good to hear your input, but I have been developing native apps for some time which connect with web services; perhaps I could reach out to you on email to explain what I am doing, and it would be good to get your feedback? – MonkeyBlue

2 Answers

9
votes

Actually it's quite easy to authenticate a customer in your case. The customer info SOAP response gives us the password_hash of the user registered in Magento. This hash is an MD5 hash which can be authenticated using the password which the user will enter along with his email in your system. I have some sample code below; hope this helps anyone looking for this answer.

// SOAP v2 client; the endpoint host and the API user/key are placeholders
// for your own store's values.
$proxy = new SoapClient('http://YOUR_MAGENTO_HOST/api/v2_soap/?wsdl');
$sessionId = $proxy->login('API_USER', 'API_KEY');

// Fetch only the customer whose email the user typed in.
$complexFilter = array(
    'complex_filter' => array(
        array(
            'key' => 'email',
            'value' => array('key' => 'eq', 'value' => '[email protected]')
        )
    )
);
$result = $proxy->customerCustomerList($sessionId, $complexFilter);

var_dump($result);

/**
 * Validate hash against hashing method (with or without salt).
 * Mirrors Mage_Core_Model_Encryption::validateHash(): the stored value is
 * either a bare md5(password) or "md5(salt . password):salt".
 *
 * @param string $password
 * @param string $hash
 * @return bool
 */
function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);

    switch (count($hashArr)) {
        case 1:
            return md5($password) === $hash;
        case 2:
            return md5($hashArr[1] . $password) === $hashArr[0];
        default:
            return false; // malformed hash: never treat it as a match
    }
}

if (empty($result)) {
    die('No customer found for that email');
}
var_dump(validateHash('asdfgh', $result[0]->password_hash));
0
votes

After some trial and error and more research I managed to come up with this solution, which now allows me to authenticate a username and password against Magento.

It involves creating a PHP script which I have uploaded to the Magento website. Currently it's a proof of concept, but I will add some more security, such as a unique hash key which the mobile phone sends with the request (over SSL of course), and this along with the username and password will validate and get a Magento session.

<?php
header('Content-Type: application/json');

// Get POST vars. Credentials are read from the POST body only, so they never
// land in the URL or access logs. addslashes() is deliberately not applied:
// it would alter any password containing a quote or backslash before Magento
// compares it, making those logins fail.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

if ($username === '' || $password === '') {
    // Same response shape as the failure branch below, so clients parse one format.
    echo json_encode(array('status' => 0, 'message' => 'Access Denied'));
    die();
}

// Mage Path
require_once(dirname(__FILE__) . '/app/Mage.php');

// Initialize Magento ...
Mage::app('default');

$session = Mage::getSingleton('customer/session');

$status = false;
try {
    // login() authenticates against the customer entity and marks the
    // customer as logged in itself; it returns false or throws when the
    // credentials are rejected.
    $status = $session->login($username, $password);
} catch (Exception $e) {
    $status = false;
}

if ($status === true) {
    $userID = $session->getId();
    echo json_encode(array('status' => 1, 'userID' => $userID));
} else {
    echo json_encode(array('status' => 0, 'message' => 'Access Denied'));
}

?>