
dingo_d

Handling wrapper authentication around a legacy application

I have a legacy application that has lots of issues. My idea is to have Laravel as a login wrapper to authenticate users on Laravel, and then redirect to the legacy app. Both apps are located on subdomains (old-app.example.com and new-app.example.com).

The flow goes like this:

  1. User tries to access old-app.example.com
  2. User gets redirected to new-app.example.com/login (Laravel login screen, with referrer available to see where request came from)
  3. User gets authenticated on Laravel and redirected back to old-app.example.com
  4. This time user session is preserved and user can access the old-app.example.com

Now what kinda bothers me is that the old app has some weird way of authenticating users (plaintext passwords in the DB and htaccess 'login'). And it uses just plain old session_start(). From what I understand, PHP sessions should be preserved between the subdomains, so I could access it. Not only that, but by default, Laravel stores sessions in storage/sessions folder, so I should be able to use that to authenticate users.

Or should I skip trying to use these native sessions, and use JWT?

Is this doable, and am I on the right path?

skauk

@dingo_d What would be the point of authenticating with Laravel, redirecting and replacing session data with Laravel's? What's your goal here? If it is securing your users' data, you are probably better off starting with encrypting passwords and making sure your legacy app can still work with that. That should be quite easy:

<?php
$hash = password_hash('password', PASSWORD_BCRYPT); // store this in the DB instead of the plaintext
var_dump(password_verify('password', $hash));       // bool(true)

This also means you have to write a script that is going to replace your users' clear passwords in the database with hash values. Just be sure you back this up before you do it!
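The migration script and the matching login check that the reply describes, written out as an added example (not skauk's or the thread's code). It assumes a hypothetical `users` table with `id`, `username` and `password` columns, where `password` currently holds plaintext and is wide enough for a bcrypt hash (at least VARCHAR(60); VARCHAR(255) leaves room for other algorithms). Connection details are placeholders.

```php
<?php
// Added example, not from the thread: migrate plaintext passwords to bcrypt in place,
// then verify logins against the hash. Hypothetical schema: users(id, username, password).
// Requires PHP 7.1+ (nullable return types). Back up the table before running the migration.
declare(strict_types=1);

/** True if the stored value already looks like a password_hash() output. */
function is_hashed(string $stored): bool
{
    // password_get_info() reports algo 0 (PHP < 7.4) or null (PHP >= 7.4) for values that
    // are not recognised hashes, which makes re-running the migration safe.
    return !empty(password_get_info($stored)['algo']);
}

/** One-off migration: hash every remaining plaintext password. Returns the number changed. */
function migrate_plaintext_passwords(PDO $pdo): int
{
    $update = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $migrated = 0;
    $pdo->beginTransaction();
    foreach ($pdo->query('SELECT id, password FROM users') as $row) {
        if (is_hashed($row['password'])) {
            continue; // already migrated on an earlier run
        }
        $update->execute([
            ':hash' => password_hash($row['password'], PASSWORD_BCRYPT),
            ':id'   => $row['id'],
        ]);
        $migrated++;
    }
    $pdo->commit();
    return $migrated;
}

/** A real bcrypt hash to verify against when the username is unknown. */
function dummy_hash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_BCRYPT);
    }
    return $hash;
}

/** Legacy login check: returns the user id on success, null on failure. */
function verify_legacy_login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for unknown users, so response timing
    // does not reveal which usernames exist.
    $stored = $row !== false ? $row['password'] : dummy_hash();
    if (!password_verify($password, $stored) || $row === false) {
        return null;
    }

    // Transparently upgrade the stored hash if the cost or algorithm is raised later.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id')
            ->execute([':hash' => password_hash($password, PASSWORD_BCRYPT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage from the command line: run the migration once.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=legacy', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    printf("Migrated %d users\n", migrate_plaintext_passwords($pdo));
}
```

On the legacy login page, replace the plaintext comparison with `verify_legacy_login()`, then call `session_regenerate_id(true)` before storing the returned id in `$_SESSION`, so the session id changes on authentication. The migration wraps all updates in one transaction so a crash part-way through leaves either the old or the new state, never a mix.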

dingo_d

After a day of thinking about my architecture, I'm not sure reading anything will be possible. Especially if each app will be containerized. So my idea won't work.

The point is that I'm trying to migrate parts of the old application to the new, and adding this wrapper will increase security because I'd replace the old htaccess + plaintext passwords with Laravel login (which has hashed passwords in the DB).

So my new idea is this. Since I have already implemented Laravel Passport in my app, I can use personal user tokens (which is similar to the JWT approach).

When going to the old app, I'd need to check for this token in the request. If there is no such token, I can redirect to the new app. Then, when I log in to the new app (Laravel), I can check the referrer and, after a successful login, redirect back to the old application with the generated token. The old application will now have this token, which can be used to ping the Laravel API to get the user details. If the call to Laravel passes and I get the response with the needed data, I can then proceed to set the user session on the old app as the specified user.

Old app has users and permissions set up so I'll have to make some changes there so that the functionality works.

I keep thinking of ways to simplify this process, but the old app is in really bad shape, and I need this to work so that the client sees that I'm not just going "switch to Laravel because it's awesome", but because it offers tons of other improvements that the current app doesn't have...
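The legacy-side half of the token handoff described in the post above, as an added example (not dingo_d's code). It assumes, hypothetically, that the Laravel app exposes `GET https://new-app.example.com/api/user` behind Passport's `auth:api` middleware (the route Laravel's default `routes/api.php` ships with), that the response JSON carries an `email` field, and that the legacy `users` table has `id` and `email` columns. Host names, the `token` and `return_to` parameter names, and the connection details are placeholders.

```php
<?php
// Added example, not from the thread: gate every legacy entry point on a Passport token.
// Include this file at the top of each legacy page (or via auto_prepend_file).
// Hypothetical names: NEW_APP_* URLs, the `token` and `return_to` query parameters,
// and the users(id, email) table.
declare(strict_types=1);

const NEW_APP_LOGIN    = 'https://new-app.example.com/login';
const NEW_APP_USER_API = 'https://new-app.example.com/api/user';
const OLD_APP_ORIGIN   = 'https://old-app.example.com';

session_start();

if (isset($_SESSION['user_id'])) {
    return; // already authenticated on the old app; let the page render
}

$token = $_GET['token'] ?? '';
if ($token === '') {
    // No token: send the user to the Laravel login with an explicit return URL.
    // The Referer header is not reliable for this; browsers and proxies often strip it.
    $here = OLD_APP_ORIGIN . strtok($_SERVER['REQUEST_URI'], '?');
    header('Location: ' . NEW_APP_LOGIN . '?return_to=' . rawurlencode($here), true, 302);
    exit;
}

$remote = fetch_laravel_user($token);
if ($remote === null) {
    http_response_code(403);
    exit('Invalid or expired token');
}

// Map the Laravel identity onto the legacy account so the old permission checks still work.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=legacy', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
$stmt->execute([':email' => $remote['email']]);
$local = $stmt->fetch(PDO::FETCH_ASSOC);
if ($local === false) {
    http_response_code(403);
    exit('No matching legacy account');
}

// New session id on privilege change, then redirect to the same path without the query
// string so the token does not linger in browser history, access logs or Referer headers.
session_regenerate_id(true);
$_SESSION['user_id'] = (int) $local['id'];
header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 302);
exit;

/** Ask the Laravel API which user the token belongs to; null if Laravel rejects it. */
function fetch_laravel_user(string $token): ?array
{
    $ch = curl_init(NEW_APP_USER_API);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token, 'Accept: application/json'],
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    $user = json_decode($body, true);
    return is_array($user) && isset($user['email']) ? $user : null;
}
```

On the Laravel side, after login, `$request->user()->createToken('legacy-handoff')->accessToken` gives the Passport personal access token to append to the redirect, and the `return_to` value must be checked against an allowlist of your own subdomains before redirecting, or the login page becomes an open redirector. Personal access tokens are long-lived by default, and this one travels in a URL, so revoke it once the legacy session is established (or mint one with a short lifetime) rather than leaving a reusable credential behind.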
