I have a lot of users that have accounts on a phpBB forum.

I would like them to be able to re-use their username and password on a new website.

So the plan is that if I look up a username/password in my app, and it's missing, I would like to call a page on phpBB that will tell me:

  1. If the username/password is valid
  2. The email address of the user.

I would also like the page on the phpBB side to protect against brute-force attacks.

Ideally I would like my solution to work out-of-the-box without having to deploy additional files on the phpBB forum; that way my solution will be able to re-use any phpBB passwords.

For an added bonus, I allow my users to authenticate with either email or password; ideally this should be allowed as well.

Is there any way to achieve this without changing phpBB?

If not, any sample implementations?

+4  A: 

Do you have direct access to the phpBB database? If so, your standalone authentication script could simply validate passwords against that database in the same manner you'd validate them against your own internal database.

That way, the phpBB code is completely irrelevant, unless they radically change their authentication scheme in a future release (which doesn't seem particularly likely), and to reuse your own code with a different phpBB installation (which it sounds like you want) you need only configure the appropriate database connection information.

VoteyDisciple
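
The direct-database check suggested in this answer, as an added example (not code from the answer or from phpBB): it assumes the stored value is a phpass portable hash with the `$H$` prefix, as phpBB 3.0 writes them, and adds an in-memory per-username lockout for the brute-force concern raised in the question. `Throttle`, `check_login` and `phpass_hash` are hypothetical names, and reading the hash from the users table is left out.

```python
import hashlib
import hmac
import time

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data):
    """phpass base64 variant: little-endian 6-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1))
    return "".join(out)

def phpass_hash(password, setting):
    """Recompute a portable hash from the prefix, cost and salt held in `setting`."""
    if setting[:3] not in ("$H$", "$P$") or len(setting) < 12:
        return None                      # any other scheme is rejected, not guessed at
    cost = ITOA64.find(setting[3])       # log2 of the iteration count
    if not 7 <= cost <= 30:
        return None
    salt, pw = setting[4:12].encode(), password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

class Throttle:
    """Locks a username after max_failures failed logins within `window` seconds."""
    def __init__(self, max_failures=5, window=300):
        self.max_failures, self.window, self.failures = max_failures, window, {}

    def blocked(self, user, now):
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        self.failures[user] = recent
        return len(recent) >= self.max_failures

def check_login(user, password, stored_hash, throttle, now=None):
    """Return 'ok', 'denied' or 'locked' for one login attempt."""
    now = time.time() if now is None else now
    if throttle.blocked(user, now):      # refuse before doing any hash work
        return "locked"
    computed = phpass_hash(password, stored_hash)
    if computed and hmac.compare_digest(computed.encode(), stored_hash.encode()):
        throttle.failures.pop(user, None)
        return "ok"
    throttle.failures.setdefault(user, []).append(now)
    return "denied"
```

A site running several worker processes would need to keep the failure counters in shared storage rather than in this in-process dictionary.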
+1  A: 

If you have access to the DB that the specific phpBB rides on, you could bypass the phpBB files altogether and access the user tables of phpBB (scary from a security standpoint, but if this is a trusted thing and all is cohere, then doable).

Other than that, you can try to make a plugin or extend the authentication somehow to make your own user API to access from your site.

Robert DeBoer