This plugin aims at passing credentials directly through a POST to Pydio.
User ID and PWD are expected to be passed in an encrypted token using the standard Open SSL functions (openssl extension must be enabled).
A simple incremental "nonce" is used to make sure the token can never be replayed.
Here is the sample PHP code to use to cypher the password:
/** * crypt AES 256 * * @param string $password * @param string $data * @return string Base64 encoded encrypted data. */ function PYDIO_crypt($password, $data) { // Set a random salt $salt = openssl_random_pseudo_bytes(8); $salted = ''; $dx = ''; // Salt the key(32) and iv(16) = 48 while (strlen($salted) < 48) { $dx = md5($dx.$password.$salt, true); $salted .= $dx; } $key = substr($salted, 0, 32); $iv = substr($salted, 32,16); $encrypted_data = openssl_encrypt($data, 'aes-256-cbc', $key, true, $iv); return base64_encode('Salted__' . $salt . $encrypted_data); } $testUser = "USER_ID"; $testPwd = "USER_PASSWORD"; $privateKey = "YOUR_PRIVATE_KEY_AS_CONFIGURED_IN_PLUGIN"; // IF REPLAY CHECK OPTION IS ENABLED $tokenInc = 1; // IMPORTANT: INCREMENT THIS AT EACH CALL $serial = serialize(array("user_id" => $testUser, "user_pwd" => $testPwd)); $token = urlencode(PYDIO_crypt(isSet($tokenInc)?$privateKey.":".$tokenInc:$privateKey, $serial)); // BUILD AN URL WITH HIDDEN POSTS, OR GET: // SKIP cyphered_token_inc if REPLAY_CHECK is not enabled. $URL = "https://yourserver/path/?cyphered_token=$token&cyphered_token_inc=$tokenInc";