Show DevBest PHP/OAuth 2.0 Discord Login Script

Maatt

Active Member
Aug 29, 2012
162
158
Hi everyone,

Was looking for this for ages and have been trying to work it out from Discord's documentation. In the end, I just adapted another OAuth 2 script to use with Discord because the principles are basically the same for all websites using OAuth 2.0.

The script is very barebones, it just pulls some basic information but you can use it and build it into your applications or existing PHP cms. There are much better approaches available if you're starting everything from scratch. I'd encourage you to look at PassportJS for NodeJS applications or the existing OAuth libraries .

The reason I made this is because I want to add it to my users class for RevCMS so I'll probably release that too once I have it ready.

I try but I'm a bit of a noob coder so if I'm doing something silly pls let me know :p

Enjoy..!

PHP:
<?php
// Client ID and Secret from Discord.com
define('OAUTH2_CLIENT_ID', '#MAKE AN APP ON DISCORD AND COPY THIS IN#');
define('OAUTH2_CLIENT_SECRET', '#MAKE AN APP ON DISCORD AND COPY THIS IN#');

// API settings
define('AUTH_URL', 'https://discord.com/api/oauth2/authorize');
define('CALLBACK_URL', '########THIS IS URL OF THE FILE THAT YOU SAVE THIS TO####');
define('SCOPE', 'identify email');
define('TOKEN_URL', 'https://discord.com/api/oauth2/token');
define('URL_BASE', 'https://discord.com/api/users/@me');

session_start();

if (get('action') == 'login') {
    // Random Hash stored in session for security.
    $_SESSION['state'] = hash('sha256', microtime(TRUE).rand().$_SERVER['REMOTE_ADDR']);
    unset($_SESSION['access_token']);
    
    $params = array(
        'client_id' => OAUTH2_CLIENT_ID,
        'redirect_uri' => CALLBACK_URL,
        'response_type' => 'code',
        'scope' => SCOPE,
        'state' => $_SESSION['state']
    );
    
    //Redirect to Discord Auth Page
    header('Location: ' . AUTH_URL . '?' . http_build_query($params));
    die();
}

if (get('action') == 'logout') {
    session_destroy();
    header('Location: ' . $_SERVER['PHP_SELF']);
    die();
}

if (get('code')) {
    if(!get('state') || $_SESSION['state'] != get('state')) {
        header('Location: ' . $_SERVER['PHP_SELF']);
        die();
    }
    
    //Exchange auth_code for token
    $token = apiRequest(TOKEN_URL, true, array (
        'client_id' => OAUTH2_CLIENT_ID,
        'client_secret' => OAUTH2_CLIENT_SECRET,
        'grant_type' => 'authorization_code',
        'code' => get('code'),
        'redirect_uri' => CALLBACK_URL,
        'scope' => SCOPE
    ));
    $_SESSION['access_token'] = $token->access_token;
    
    header('Location: ' . $_SERVER['PHP_SELF']);
}

if(session('access_token')) {
  $user = apiRequest(URL_BASE, false, '');

  echo '<h3>Logged In</h3>';
  echo '<h4>' . $user->username . '</h4>';
  echo '<pre>';
  print_r($user);
  echo '</pre>';
  echo '<p><a href="?action=logout">Log Out</a></p>';

} else {
  echo '<h3>Not logged in</h3>';
  echo '<p><a href="?action=login">Log In</a></p>';
}

// Functions
function apiRequest($url, $post, $params) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    
    if ($post) {
        curl_setopt($ch, CURLOPT_POST, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    }
    
    if (session('access_token')) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'authorization: Bearer ' . session('access_token'),
            'cache-control: no-cache',
            'Accept: application/json'
        ));
    }
    
    $data = curl_exec($ch);
    return json_decode($data);
}

function get($key, $default=NULL) {
  return array_key_exists($key, $_GET) ? $_GET[$key] : $default;
}

function session($key, $default=NULL) {
  return array_key_exists($key, $_SESSION) ? $_SESSION[$key] : $default;
}
?>
 

kailani

Member
Sep 26, 2020
30
12
It looks pretty good! I don't understand the abstraction with your helper methods though, or your inconsistency with constants. I would also look towards making this compliant with PSR, and implement a bit more type safety if you did want to improve it even more. Also if you are validating exact value+type, you should use the triple operator.
 

Users who are viewing this thread

Top