2

I have an existing third-party PHP Web Application (ELGG) that I would like to extend with a Node.js Application. Users are authenticated in the PHP app by checking their provided credentials against a MySQL database.

How can I secure access to the Node.js app without having to rewrite authentication code in Node? Is there some way to allow users to access the Node.js app only if they're logged in to the PHP app?

4 Answers

1

Use PHP and Node with a shared DB for confirming session

You could use a DB or some other shared repository to store the user's session id, which Node can check to ensure the user is logged in.


1 Comment

The client will store the session id in a cookie, right? Then it sends requests to the service with that (stored session id)?
1

I think the best way to approach it would be to have the PHP and the Node applications operate as subdomains of the same root domain, then have the Node application check for the PHP app's auth cookie. This would avoid the extra database call in Irwin's answer.

Once the user logs in to the PHP app, a Cookie with an authentication token is created for phpapp.mydomain.com (*.mydomain.com). The Node application, hosted at nodeapp.mydomain.com, can access the cookie auth token created at phpapp.mydomain.com.


0

In general, you would make the Node.js app a web service, make it available locally and not publicly, then write PHP code which performs auth, then calls the API provided by Node.js, then constructs a response for the user using that data.

1 Comment

I'm using Node.js with socket.io to provide real-time interaction to the users, so I don't want the PHP code to call Node, I want the user's browser to call Node via sockets, so the Node.js app would have to be public...
0

I wrote an Elgg plugin which provides functionality to access a node.js server for websockets. You can check the code here: elgg-nodejs

I just parse the cookie to get the session user:

var getElggSession = function(socket) {
    // Tolerate a missing Cookie header, and capture only up to the next ';' so a later cookie is not swallowed into the id
    var cookie = socket.handshake.headers.cookie || '';
    var m = cookie.match(/(?:^|;\s*)Elgg=([^;\s]*)/);
    return m ? m[1] : null;
};

Maybe it's not the best method for security...

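The three ideas in the answers above (Irwin's shared session store, the shared-domain cookie, and the socket.io handshake parsing in the elgg-nodejs answer) fit together in one Node routine. The following is an added example written for this page, not code from any answer or from the elgg-nodejs plugin. It assumes the PHP app sets a cookie named `Elgg` holding the PHP session id, that the cookie is issued with `Domain=.mydomain.com` so the Node host can see it, and that both apps can read one sessions table; the table is replaced here by a constructed in-memory `Map`, and the session-id character rule is an assumption based on PHP's session id alphabet. The cookie is split on `;` before any value is read, which avoids the greedy-regex pitfall where `Elgg=(\S*)` also captures `;other=x` when the Elgg cookie is not the last one, and an unknown or expired session id is rejected before anything is attached to the socket.

```javascript
// Added example: reuse the PHP (Elgg) login from a Node/socket.io app by
// validating the Elgg session cookie against a shared session store.
// Not from the question, the answers, or the elgg-nodejs plugin.

// Constructed sample store standing in for the shared MySQL sessions table:
// session id -> user record. Values are made up; real Elgg rows differ.
const sharedSessionStore = new Map([
  ['a1b2c3d4e5f6a1b2c3d4', { userId: 42, username: 'alice',
                             expires: Date.parse('2099-01-01T00:00:00Z') }],
  ['deadbeef0000deadbeef', { userId: 7, username: 'bob',
                             expires: Date.parse('2000-01-01T00:00:00Z') }], // expired
]);

// Parse a Cookie header ("a=1; b=2") into a plain object. Splitting on ';'
// first means a value can never run into the following cookie.
function parseCookies(header) {
  const out = {};
  if (typeof header !== 'string') return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Assumed shape of a PHP session id (alphabet [a-zA-Z0-9,-], sane length).
// Anything else is refused before it gets anywhere near a database query.
const SESSION_ID_RE = /^[A-Za-z0-9,-]{16,128}$/;

// Extract the Elgg session id from a raw Cookie header, or null.
function getElggSessionId(cookieHeader) {
  const id = parseCookies(cookieHeader)['Elgg'];
  return id && SESSION_ID_RE.test(id) ? id : null;
}

// Resolve a session id against the shared store. Returns the user, or null
// when the id is missing, unknown, or the session has expired.
function lookupSession(sessionId, store = sharedSessionStore, now = Date.now()) {
  if (!sessionId) return null;
  const row = store.get(sessionId);
  if (!row || row.expires <= now) return null;
  return { userId: row.userId, username: row.username };
}

// socket.io-style middleware, usable as io.use(authenticateSocket): read the
// handshake cookie, validate the session, attach the user or reject.
function authenticateSocket(socket, next) {
  const hs = socket && socket.handshake;
  const header = hs && hs.headers ? hs.headers.cookie : undefined;
  const user = lookupSession(getElggSessionId(header));
  if (!user) return next(new Error('not authenticated'));
  socket.user = user;
  return next();
}

// Stand-alone run with a constructed handshake: the Elgg cookie sits between
// two other cookies, which is exactly the case a greedy regex gets wrong.
const demoSocket = { handshake: { headers: {
  cookie: 'theme=dark; Elgg=a1b2c3d4e5f6a1b2c3d4; lang=en' } } };
authenticateSocket(demoSocket, (err) => {
  console.log(err ? 'rejected: ' + err.message
                  : 'accepted user ' + demoSocket.user.username);
});
```

For the shared-cookie approach to work at all, the PHP side has to set the cookie with the parent domain (`Domain=.mydomain.com`), and the Node host must terminate TLS the same way so a `Secure` cookie is actually sent. The lookup in `lookupSession` is the database call the second answer wants to avoid; the shared-domain cookie only gets the id to Node, and without that check any value in the cookie would be accepted.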
