Setting your own cookie for authentication using JS

We’re trying to figure out a way to deal with Facebook’s Mobile Prison Browser (in-app browser). Email link authentication is incompatible; it doesn’t even have an address bar and doesn’t open links from email. I need an easy solution and am asking here simply to see if the basics are possible. 80% of my existing following uses FB on mobile, where they follow links from the mobile app.

I’m wondering simply if it is possible to allow people to, say, enter a code into a form and then set the cookie.

I know there are many steps to doing so and this isn’t that specific of a request. Just looking to see if it is possible using just, say, APIs and JS, with maybe some code running on an off-site server to assist. I’m worried about security possibly being a roadblock, and we are Ghost Pro hosted, so we can’t hack the source there and really would prefer to keep our changes within theme uploads.

Our plan is to create a custom login function for FB’s mobile browser that requests their email address, verifies that address as a member, then emails them a 4-digit code, has them go back and type that into a form, and then sets a persistent cookie for authentication just like the email links do. We can reliably detect that browser and already are.

Generally speaking, it should be possible. But you’d need to modify the Ghost core – and given that you’re on Ghost(Pro) that will be the problem, in my opinion.

I found this blog post a few weeks ago that explains how the Ghost authentication works:

In order to make this work with a code, you’d need to adjust the email that is sent out, create a new form where this is entered, then completely change the createSessionFromMagicLink middleware – and that’s just the tip of the iceberg.

What if a member is changing email addresses? Or signs up? For these, do you want to keep the magic link authentication, or change it to code-based as well?

We recently discussed something similar here – so, this might also give you a few ideas: https://forum.ghost.org/t/verify-ghost-membership-status-and-tier-via-api-for-3rd-party-app/

Thanks. We’re reviewing the XTA Blog carefully. We have a separate server that acts as our back end and can do API calls from there and link the login form for the FB Mobile Browser to that possibly. We don’t want to send magic links because people will just click on those, we want to send a FB-only email with just the code that they will type in.

It seems at first glance that this is possible without hacking the core so long as we can call these functions by API or script somehow:

[library/magic-link/JWTTokenProvider] → create
[server/services/members/config] → getSigninUrl

We can verify the code we create on our back end server and then redirect to:

{main-url}/members/{token}

So in narrowing this down, do you or anyone know if it is possible to call, through the API, the functions that would create the token and then retrieve the token? Then, after people type in the correct code, we can do a simple redirect to the URL using the token, which sets the cookie without modification to that process.

As far as I can see, these methods are not exposed in an API, so yes, you would need to access the Ghost core.

Here you can see the members routes that are available: https://github.com/TryGhost/Ghost/blob/a1d7aa6dba4a5d7e7f85aec63a7702d115798742/ghost/core/core/server/web/members/app.js

Cathy_Sarisky has SSO working without the need to modify the Ghost core and uses her server to do the SSO verification before handing back to Ghost a redirection URL that is the magic link. We may ask her for professional assistance if we can’t find how to do this more readily.

If you look in her FAQ for "How’d you build it?", her process seems to indicate that there is a way.

Note, we don’t want to introduce SSO right now because it is super busy now for signups and I don’t want to deal with the confusion of SSO emails not matching as we already have about 2,500 subscribers. I would prefer to integrate that in the off-season (summer, we are seasonal).


That’s a good point! Just had a look at the explanation she put there and it’s basically a layer in front of the magic links, rather than trying to replace it.

Quite awesome, indeed!


I did just send her an email. I’m positive this can be done based on what she is doing and I’ll pay her to show us how. My developer can definitely handle coding it all up if he knows what to do.


Did you ever sort this?
I’ve only been able to figure it out by changing core.

We’re still working on this, but that work has been limited thus far unfortunately. I have no doubt that this is possible.

Oh, I should have updated this.
I figured it out. @Cathy_Sarisky gave me a tip related to a different topic (I wanted to put magic links in support emails), but that springboarded into Login with Discord OAuth2 into one of my Ghost instances.

You can see it in action here:

It’s still a little bit of a work in progress while I find the “sweet spot” flow to get users funneled into Discord (or Discord users funneled into the site).