New forum!
Posted: Sun Aug 06, 2023 12:59 am
Some of you may have noticed changes here in the last month… You may even have noticed that logging in wasn't possible for a while. So here's what happened.
The forum software we were using was something called FluxBB that didn't get many updates in the last decade and was finally abandoned about two years ago. With the latest update to the server operating system, we lost support for this outdated code and decided to go for something better maintained. Enter phpBB, an app you may know from the Freeciv forum. PhpBB is a very mature and quite widespread forum app, even though it did lose traction in the last decade with the advent of social networks. I found some old migration code that could convert from PunBB to phpBB and adapted it to our FluxBB setup. (PunBB is the ancestor of FluxBB − I hope you're following.) After a few evenings understanding phpBB and tweaking permissions, we had a working forum again.
Except… one couldn't log in. In the old forum, the passwords were copied from the website database to the forum database when you clicked the "update" button on your profile page. The website, the old forum and the new forum all used slightly different and incompatible ways of storing the passwords. A complete mess that we could have dealt with by coding a phpBB plugin to read things from the website database or similar. Except it's not good practice in 2023 (and hasn't been for a while). Surely we could do better.
The solution we ended up deploying relies on two new components, Django OAuth Toolkit and mod_auth_openidc. They implement a standard protocol called OpenID Connect to log users into applications. This is what you use when logging into Gmail, Outlook, or GitHub. Serious industry stuff designed for our very problem. This works by letting you authenticate into the main website and then redirecting you to the forum. The forum checks that your credentials were issued by the website and lets you in. This means that it's always the website checking your password and the forum never even sees it.
So, long story short, after one month of research and trial and error, the forum is working again! Hopefully good for another decade.