I'm setting up a server that's tied to a web forum, and have written both an external auth bridge and a strophe-based web client for it.
So far, I can use it to log in with the forum user/pass information. Ideally though, since the client is hosted in the same cookie namespace as the forum, it should be possible to automatically create a BOSH session from the forum session, and then attach to it (see
The existing interface already allows this in a roundabout way, if need be. I can make a Python script which takes an AJAX request, checks the forum session, stores a token in some database, then connects to ejabberd's http-bind port (localhost:5280) with that token as a password. ejabberd passes the user/token request to my ext_auth script, which checks the token and tells ejabberd the "password" is correct. ejabberd then authenticates the BOSH session ID, which my AJAX script passes back to the client, which then attaches to it.
But this seems like a hack. Does ejabberd have any way of allowing a trusted user (as whom the AJAX script would run, with set-uid) to create an authenticated session directly, without having to hijack user/password authentication this way? Or is this actually how you're supposed to do it?
(I'm putting this in the conf forum, because while it's a bit of a development issue, I'd rather not have to modify any actual Erlang code.)
(Edit: I just realized that the AJAX script could technically pass that token back to the client directly, instead of opening the session itself. The security implications are about the same, as long as the token expires quickly.)
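As an added example, not the poster's code, here is how the token half of the scheme above can be made safe to expose: the AJAX script issues a short-lived, single-use token after verifying the forum session, and an ejabberd ext_auth script accepts that token as the "password" over ejabberd's external-auth wire protocol (2-byte length prefix, `auth:User:Server:Password`, reply `0`/`1`). The in-memory store, the 30-second TTL and the function names are assumptions; a real bridge would share the store (e.g. a database) between the two scripts.

```python
import hmac
import secrets
import struct
import sys
import time

# Constructed in-memory token store: token -> (user, expiry). A real bridge
# would use a database shared with the AJAX script (assumption).
TOKENS = {}
TOKEN_TTL = 30  # seconds; the token must expire quickly, as the post notes


def issue_token(user, now=None):
    """Called by the AJAX script once the forum session has been verified."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    TOKENS[token] = (user, now + TOKEN_TTL)
    return token


def check_token(user, token, now=None):
    """Time-limited, single-use check: the token is consumed on first use,
    so a replayed token (or one leaked after use) finds nothing."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(token, None)
    if entry is None:
        return False
    owner, expiry = entry
    # Bind the token to the user ejabberd is authenticating, constant-time.
    return now <= expiry and hmac.compare_digest(owner.encode(), user.encode())


def handle_command(cmd):
    """Map one ejabberd extauth command to a verdict (True = accept)."""
    parts = cmd.split(":", 3)  # maxsplit keeps colons inside the password
    if parts[0] == "auth" and len(parts) == 4:
        user, _server, password = parts[1], parts[2], parts[3]
        return check_token(user, password)
    return False  # isuser/setpass/tryregister are not served by this bridge


def serve(stdin=sys.stdin.buffer, stdout=sys.stdout.buffer):
    """ejabberd extauth wire protocol: 2-byte big-endian length + command in,
    2-byte length (always 2) + 2-byte result (0 or 1) out."""
    while True:
        header = stdin.read(2)
        if len(header) < 2:
            break
        (length,) = struct.unpack(">H", header)
        cmd = stdin.read(length).decode("utf-8", "replace")
        stdout.write(struct.pack(">HH", 2, 1 if handle_command(cmd) else 0))
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Because the token is consumed on first use and bound to the JID's local part, handing it back to the client (as in the edit above) costs little more than having the AJAX script open the session itself; the window of exposure is the TTL, not the lifetime of the BOSH session.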