Posting LDAP credentials from another app #265

Closed
opened 2026-02-04 18:09:23 +03:00 by OVERLORD · 3 comments

Originally created by @s0n- on GitHub (Feb 10, 2017).

We currently have a home grown application that would post credentials and would like to send them to bookstack. We currently do this with Moodle using the format

login?username=${username}&password=${password}

Is there a way to pass login and password directly to Bookstack app at the /login page?


@lommes commented on GitHub (Feb 10, 2017):

One way would be, to disable CSRF verification for the login route in [VerifyCsrfToken](https://github.com/BookStackApp/BookStack/blob/master/app/Http/Middleware/VerifyCsrfToken.php#L15) which, of course, is **not recommended**. With that change the above would work if username is the email of the user.


@s0n- commented on GitHub (Feb 10, 2017):

Would it be possible to use this JUST for the site sending credentials?

```php
protected $except = [
    'https://FQDN',
    //
];
```


@lommes commented on GitHub (Feb 10, 2017):

Absolutely not sure, but something like

```php
<?php

namespace BookStack\Http\Middleware;

use Illuminate\Contracts\Encryption\Encrypter;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as BaseVerifier;

class VerifyCsrfToken extends BaseVerifier
{
    /**
     * The URIs that should be excluded from CSRF verification.
     *
     * @var array
     */
    protected $except = [
        //
    ];

    public function __construct(Application $app, Encrypter $encrypter)
    {
        // The base middleware needs these; keep calling the parent constructor.
        parent::__construct($app, $encrypter);

        // Referer is a client-supplied header and may be absent.
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        if ($referer === 'WhateverYourSystemSendsAsReferrer') {
            $this->except = [
                '/login',
            ];
        }
    }
}
```

might work. Since referer is a value sent by the client, this can easily be faked.

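To make the trade-off in the comment above concrete, here is an added illustration (not BookStack's or Laravel's own code) that models the two gates as pure functions so they can be compared outside the framework: a Laravel-style CSRF token check (session token versus request token, constant-time comparison) next to the Referer-based exemption sketched above. The trusted referer value, the session token and the request arrays are constructed placeholders.

```php
<?php
// Added example: contrasts Laravel-style CSRF token verification with a
// Referer-gated exemption. Not BookStack's code; all values are constructed.

const TRUSTED_REFERER = 'https://credential-sender.example.internal/';

/**
 * Laravel-style check: the request must carry the token stored in the user's
 * session, as a _token form field or an X-CSRF-TOKEN header (hash_equals
 * avoids timing leaks on the comparison).
 *
 * @return bool
 */
function tokenCheckPasses(array $session, array $input, array $server)
{
    $sent = isset($input['_token']) ? $input['_token']
          : (isset($server['HTTP_X_CSRF_TOKEN']) ? $server['HTTP_X_CSRF_TOKEN'] : null);
    if (!is_string($sent) || !isset($session['_token']) || !is_string($session['_token'])) {
        return false;
    }
    return hash_equals($session['_token'], $sent);
}

/**
 * Referer-gated exemption as sketched in the thread: /login skips the token
 * check whenever the request's Referer equals the expected value. Note that
 * the decision depends only on a header the client chooses.
 *
 * @return bool
 */
function refererExemptionApplies(array $server)
{
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    return $referer === TRUSTED_REFERER;
}

/**
 * Decide whether a POST to /login is accepted under a given policy:
 * 'token' (normal verification) or 'referer-exempt' (the sketch above).
 *
 * @return bool
 */
function loginPostAccepted($policy, array $session, array $input, array $server)
{
    if ($policy === 'referer-exempt' && refererExemptionApplies($server)) {
        return true; // verification skipped entirely for this request
    }
    return tokenCheckPasses($session, $input, $server);
}

// Constructed requests. The session token is a secret held only by the browser
// that loaded the login form; the Referer is a header any HTTP client can set.
$session     = ['_token' => 'constructed-session-token-value'];
$legitForm   = ['_token' => $session['_token'], 'username' => 'user@example.com', 'password' => 'constructed'];
$noToken     = ['username' => 'user@example.com', 'password' => 'constructed'];
$withReferer = ['HTTP_REFERER' => TRUSTED_REFERER];
$plain       = [];

// Under token verification only the request carrying the session token passes.
var_dump(loginPostAccepted('token', $session, $legitForm, $plain));
var_dump(loginPostAccepted('token', $session, $noToken, $withReferer));

// Under the Referer exemption the header alone is sufficient, with no token at all,
// which is what makes the exemption equivalent to disabling CSRF protection on /login.
var_dump(loginPostAccepted('referer-exempt', $session, $noToken, $withReferer));
```

The point the functions make explicit is that the token check binds the request to a per-session secret, while the Referer gate binds it to a public string; exempting `/login` on that basis therefore provides no assurance about where the credentials came from.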
Reference: starred/BookStack#265