We have a social networking site where people have contacts and we want it to be integrated with XMPP. We currently use ejabberd XMPP server.

Here are my questions:

1) How to properly create an account? Right now, what I'm thinking is that on user registration in our web app, we'd call a script that would execute an ejabberd command to create a user.

2) User authentication. Upon user login on our website, the user would be automatically logged in on the chat system. How do you do this on the client side with strophe.js? As I understand, you need to provide JID and password for authentication, so I'm thinking that on login, there would be an ajax call to get user's password, then use the response text on strophe.js' login call. Is this secure? Are there other ways to do this?

3) Presence registration. Our web app has a contacts system, but XMPP has its own way of adding contacts through presence subscription, right? Example: When user1 tries to add user2, an authorization would be requested from user2 before user1 can be a contact of user2. But since we already have a contacts system on our web app, we want to bypass this authorization of XMPP or suppress it and just authorize with a script/command when user2 confirms user1 as a contact on our web site. It's not clear to me yet, but a colleague said this is possible with ejabberd's module mod_admin_extra (a command that will create a subscription without having to do client-side authorization). Is it possible, or do I have to manipulate the ejabberd database manually with a script (provided I transferred from the default Mnesia db to another db, say MySQL)?

Thanks in advance.

+4  A: 

We (superfeedr) have a similar web app where XMPP is part of the application.

The choice we made is to not replicate the user data across both the web app storage and the XMPP server. You can build your own authentication mechanism using the web app's data store with ejabberd, it's pretty easy. This way, you only have 1 single place where user data is stored and don't have to create ejabberd users.

By doing this, you can also log in your users on the web app without knowing their password or even storing it in clear :) . The easy way is to do the session authentication (via BOSH) on the server and pass on the session id to the HTML response, as described here, by @metajack.

The 3rd part might be the trickiest, but I'm actually quite sure you can bypass this and not use the built-in "rosters"... however it may involve creating your very own component (internal or external).

Julien Genestoux
Hi Julien, I've already read using external authentication, but I guess I haven't read deeper. I was confused at first with your answer since on this sample PHP script (http://www.ejabberd.im/files/efiles/check_mysql.php.txt) there is nothing that will catch the user creation mentioned here (https://git.process-one.net/ejabberd/mainline/blobs/raw/2.1.x/doc/dev.html#htoc8). On item 3 I'm still searching on the admin_extra module, I'll update once I find something.
mives
Oops. Before going to sleep last night I finally understood why I don't need to create jabber users with external authentication. D'oh. Now the only remaining blocker is the rosters feature..
mives
Good! You may have to create your own component. It's not that difficult, so I would give it a chance. You can create an "internal" one, or an external one (recommended), in any language!
Julien Genestoux
Actually, the team decided to go internal auth, since we don't have a lot of time, and not a lot of resources to get info from doing our own roster implementation with external auth. What we have decided is to go internal and use mod_admin_extra module to create rosters.
mives
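
The external-authentication approach from the answer above, as an added example (not code from this thread or from ejabberd): a script that speaks ejabberd's extauth framing (2-byte big-endian length, then `op:user:server:password`) and checks credentials against salted hashes instead of clear-text passwords. The `USERS` store, the PBKDF2 parameters and the account name are constructed assumptions standing in for the web app's user table.

```python
import hashlib, hmac, struct, sys

ITERATIONS = 100_000  # assumed PBKDF2 work factor

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample store: username -> (salt, hash). A real deployment would
# query the web app's user table here, so no separate ejabberd accounts exist.
USERS = {"alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt"))}

def handle(payload: bytes) -> bool:
    """Answer one extauth request such as b'auth:alice:example.org:secret'."""
    try:
        # maxsplit=3 keeps colons that occur inside the password intact.
        op, user, _server, *rest = payload.decode("utf-8").split(":", 3)
    except (UnicodeDecodeError, ValueError):
        return False
    record = USERS.get(user)
    if op == "isuser":
        return record is not None
    if op == "auth" and rest:
        # Hash even for unknown users so timing does not reveal which names exist.
        salt, expected = record or (b"dummy-salt", b"\x00" * 32)
        candidate = hash_password(rest[0], salt)
        return hmac.compare_digest(candidate, expected) and record is not None
    # setpass, tryregister, removeuser: refused, the web app owns account data.
    return False

def read_frame(stream):
    """Read one length-prefixed request; None on EOF or a truncated frame."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    body = stream.read(length)
    return body if len(body) == length else None

def encode_reply(ok: bool) -> bytes:
    # Reply frame: length 2, then 1 for success or 0 for failure.
    return struct.pack(">HH", 2, 1 if ok else 0)

def main():
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while (payload := read_frame(stdin)) is not None:
        stdout.write(encode_reply(handle(payload)))
        stdout.flush()

if __name__ == "__main__":
    main()
```

Every write operation is refused, so the XMPP server can never change account data behind the web app's back.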