Quick Log in and how to integrate Zampto Accounts into your site

Last Updated on September 14, 2024

Zampto Accounts offers a Quick Login system for easy one-click authentication between services!

How does it work?

Once the Log in button is clicked with the specified email, Zampto generates a dedicated SESSION code (enabled by default in the Privacy and Security settings) and sends it to the URL given in the ?redirect= parameter.

Here are two examples:

https://wallet.zampto.net/login/?session_code=RANDOM_SESSION_CODE&user_id=1&email=myemail%40gmail.com&username=myzamptoaccountusername
https://wallet.zampto.net/login/?session_code=QwvqYaaGc3kvieSMu5ln&user_id=1&email=myemail%40mydomain.win&username=myaccountusername

This is the URL you are redirected to, the one specified in the ?redirect= parameter: the site that receives the session data in order to continue the login. The redirect can also point to your own site; it does not have to be a Zampto service.

The session_code (session code) must never be shared with anyone. The only party that receives it is the site (URL) given in the ?redirect= parameter, to which the system sends it automatically.

The session code is normally valid for at most 48 hours (2 days). After that the Zampto systems automatically invalidate it, and any request to the Zampto API with that code returns no information. You can make a session code non-expiring by marking it valid or invalid manually from the Zampto Accounts dashboard: once you take a manual action on a session, Zampto no longer changes its validity automatically.

If you share your session code, an attacker could use it to log in to your account, bypassing 2FA or any other protection. As enabled by default in your Zampto account settings, the system generates a dedicated session code for each site/subdomain/domain. So if, for example, you logged in with your Zampto Account at https://randomwebsite.com and the redirect parameter carried that URL, an attacker who takes the session code and tries to use it to log in to your Zampto Account at accounts.zampto.net will fail, even while the code is still valid, because the session code is only valid for that other URL/domain/subdomain.

How do I add Zampto Accounts as a method of logging into my site?

To integrate Zampto Accounts we recommend PHP; at least, the basic scripts we provide are in PHP, but you can also write your own.

This is a basic script that checks that all the necessary data (?session_code, &email, &username and &user_id) are present, without saving anything in a database. As soon as the session code becomes invalid it automatically logs the user out, and the page can only be seen again after logging in again; a user who is not logged in is redirected to the login.

index.php:

<?php
session_start();
// Detailed PHP error reporting for debugging; remove these three lines in production.
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
// Where users who are not logged in are sent; Zampto Accounts redirects them back to this site.
$redirect_url = 'https://accounts.zampto.net/auth/?redirect=https://mywebsitedomain.com/&name=Mywebsitename';

// Ask the Zampto API whether the session code is valid for this site and
// matches the user data received in the redirect.
function verifySession($session_code, $user_id, $email, $username) {
    $verify_url = "https://api.zampto.net/account/?code={$session_code}";
    $response = @file_get_contents($verify_url);
    if ($response === false) {
        return false; // API unreachable: treat the session as invalid
    }
    $data = json_decode($response, true);
    return is_array($data) &&
           !isset($data["error"]) &&
           ($data["accounts-zampto-net"] ?? null) === false &&
           ($data["url"] ?? null) === "auth.websitedomain.com" &&
           (string) ($data["user_id"] ?? '') === (string) $user_id &&
           ($data["email"] ?? null) === $email &&
           ($data["username"] ?? null) === $username;
}

if (isset($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
    // Already logged in: re-verify on every request so an expired or revoked code logs the user out.
    if (!verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
} elseif (isset($_GET['session_code'], $_GET['user_id'], $_GET['email'], $_GET['username'])) {
    // Arriving from the Zampto redirect: store the data, then verify it before trusting it.
    $_SESSION["session_code"] = $_GET['session_code'];
    $_SESSION["user_id"] = $_GET['user_id'];
    $_SESSION["email"] = $_GET['email'];
    $_SESSION["username"] = $_GET['username'];
    if (verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_regenerate_id(true); // fresh session id after login, against session fixation
        $_SESSION["loggedin"] = true;
    } else {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
}

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: $redirect_url");
    exit;
}
?>

This line specifies the API used to verify the data and check whether the session is valid; here it is Zampto's:

    $verify_url = "https://api.zampto.net/account/?code={$session_code}";

An example with a session code:

https://api.zampto.net/account/?code=SVCNqxkLJccDm4SwNbSE

Here is an example of a JSON/RAW response received from the API:

{
  "user_id": 1,
  "email": "[email protected]",
  "username": "privateaccountusername",
  "discord_id": "x",
  "accounts-zampto-net": false,
  "url": "auth.websitedomain.com"
}

This response from the API confirms that the session code is valid, since it returned the data of a user, indicating that:

this session code is valid for auth.websitedomain.com, together with the user id, email and other data.

Example of a response from the API if the session code is invalid or not found:

{"error":"Session Code not found or is invalid."}

In the PHP example for logging in and session validation provided earlier, there is a line specifying that only sessions valid for the URL auth.websitedomain.com are allowed to log in:

$data["url"] === "auth.websitedomain.com";
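The per-site scoping described above and the url check in the script, as an added example that is not one of the Zampto-provided scripts: a stricter verifySessionStrict() (assumed name) that rejects the error response, requires the expected fields, checks the url and accounts-zampto-net values, and binds user_id, email and username to what the API reports. The fetcher is passed in as $fetch (an assumption) so the routine can run offline against constructed responses modelled on this page's examples; requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not part of the Zampto scripts. $fetch is an injected callable that
// takes a URL and returns the response body or false, so the check can run offline.
function verifySessionStrict(
    string $sessionCode, string $userId, string $email, string $username,
    string $expectedDomain, callable $fetch
): bool {
    $raw = $fetch('https://api.zampto.net/account/?code=' . rawurlencode($sessionCode));
    if (!is_string($raw)) {
        return false;                       // network failure or non-200: not valid
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || isset($data['error'])) {
        return false;                       // {"error":"Session Code not found or is invalid."}
    }
    foreach (['user_id', 'email', 'username', 'url', 'accounts-zampto-net'] as $key) {
        if (!array_key_exists($key, $data)) {
            return false;                   // incomplete response: do not guess
        }
    }
    // The code must be scoped to this site, never to accounts.zampto.net itself.
    if ($data['accounts-zampto-net'] !== false || $data['url'] !== $expectedDomain) {
        return false;
    }
    // Bind the identity claimed in the redirect query string to what the API reports.
    return (string) $data['user_id'] === $userId
        && (string) $data['email'] === $email
        && (string) $data['username'] === $username;
}

// Constructed sample responses modelled on the examples on this page (not live API output).
$validBody   = '{"user_id":1,"email":"user@example.com","username":"privateaccountusername",'
             . '"discord_id":"x","accounts-zampto-net":false,"url":"auth.websitedomain.com"}';
$invalidBody = '{"error":"Session Code not found or is invalid."}';
$fakeFetch   = fn (string $url) => str_contains($url, 'code=SVCNqxkLJccDm4SwNbSE') ? $validBody : $invalidBody;

$try = fn (string $code, string $uid, string $domain) =>
    verifySessionStrict($code, $uid, 'user@example.com', 'privateaccountusername', $domain, $fakeFetch);
$checks = [
    'valid code, matching data'   => $try('SVCNqxkLJccDm4SwNbSE', '1', 'auth.websitedomain.com'),
    'same code, tampered user_id' => $try('SVCNqxkLJccDm4SwNbSE', '2', 'auth.websitedomain.com'),
    'code scoped to another site' => $try('SVCNqxkLJccDm4SwNbSE', '1', 'accounts.zampto.net'),
    'unknown or expired code'     => $try('QwvqYaaGc3kvieSMu5ln', '1', 'auth.websitedomain.com'),
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 30) . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}
```

Only the first check is accepted; the other three show a tampered user_id, a code issued for a different site, and an unknown code all being rejected.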

At the beginning there are 3 lines dedicated to PHP error reporting, for more detailed debugging in case of errors; they can be removed if necessary:

ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);

Now we move on to a PHP script that checks whether the session code and its data are valid and saves the data in a MySQL/MariaDB database if they are missing. A user who does not yet have an account on your site is therefore registered automatically and logged in, and on future logins is connected to the previously created account without losing any data.

<?php
// Database connection settings
$servername = "localhost";
$username = "database_username";
$password = "database_password";
$dbname = "database_name";

session_start();
// Detailed PHP error reporting for debugging; remove these three lines in production.
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
$redirect_url = 'https://accounts.zampto.net/auth/?redirect=https://service.websitedomain.com/auth/&name=Website SERVICE';
$success_url = 'https://service.websitedomain.com/';

// Ask the Zampto API whether the session code is valid for this site and
// matches the user data received in the redirect.
function verifySession($session_code, $user_id, $email, $account_username) {
    $verify_url = "https://api.zampto.net/account/?code={$session_code}";
    $response = @file_get_contents($verify_url);
    if ($response === false) {
        return false; // API unreachable: treat the session as invalid
    }
    $data = json_decode($response, true);
    return is_array($data) &&
           !isset($data["error"]) &&
           ($data["accounts-zampto-net"] ?? null) === false &&
           ($data["url"] ?? null) === 'service.websitedomain.com' &&
           (string) ($data["user_id"] ?? '') === (string) $user_id &&
           ($data["email"] ?? null) === $email &&
           ($data["username"] ?? null) === $account_username;
}

// Register the user on first login; later logins find the existing row.
function checkAndAddUser($conn, $user_id, $email, $account_username) {
    $stmt = $conn->prepare("SELECT id FROM users WHERE id = ?");
    $stmt->bind_param("i", $user_id);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows == 0) {
        $stmt->close();
        // username is NOT NULL in the users table, so it has to be inserted as well
        $stmt = $conn->prepare("INSERT INTO users (id, email, username) VALUES (?, ?, ?)");
        $stmt->bind_param("iss", $user_id, $email, $account_username);
        $stmt->execute();
    }
    $stmt->close();
}

if (isset($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
    // Already logged in: re-verify so an expired or revoked code logs the user out.
    if (!verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
} elseif (isset($_GET['session_code'], $_GET['user_id'], $_GET['email'], $_GET['username'])) {
    // Arriving from the Zampto redirect: store the data, then verify it before trusting it.
    $_SESSION["session_code"] = $_GET['session_code'];
    $_SESSION["user_id"] = $_GET['user_id'];
    $_SESSION["email"] = $_GET['email'];
    $_SESSION["username"] = $_GET['username'];
    if (verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_regenerate_id(true); // fresh session id after login, against session fixation
        $_SESSION["loggedin"] = true;
        $_SESSION["id"] = $_GET['user_id'];
    } else {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
}

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: $redirect_url");
    exit;
} else {
    $conn = new mysqli($servername, $username, $password, $dbname);
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    checkAndAddUser($conn, $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"]);

    $conn->close();

    header("Location: $success_url");
    exit;
}
?>

SQL query to create a table called users with the columns id, email and username:

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    email VARCHAR(255) NOT NULL UNIQUE,
    username VARCHAR(255) NOT NULL UNIQUE
);

Validation code for the success page and any other protected page (default, PHP):

<?php
session_start();
// Where users who are not logged in are sent; Zampto Accounts redirects them back to this site.
$redirect_url = 'https://accounts.zampto.net/auth/?redirect=https://service.websitedomain.com/&name=Mywebsitename';

// Ask the Zampto API whether the session code is valid for this site and
// matches the user data stored in the session.
function verifySession($session_code, $user_id, $email, $username) {
    $verify_url = "https://api.zampto.net/account/?code={$session_code}";
    $response = @file_get_contents($verify_url);
    if ($response === false) {
        return false; // API unreachable: treat the session as invalid
    }
    $data = json_decode($response, true);
    return is_array($data) &&
           !isset($data["error"]) &&
           ($data["accounts-zampto-net"] ?? null) === false &&
           ($data["url"] ?? null) === "service.websitedomain.com" &&
           (string) ($data["user_id"] ?? '') === (string) $user_id &&
           ($data["email"] ?? null) === $email &&
           ($data["username"] ?? null) === $username;
}

if (isset($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
    // Already logged in: re-verify on every request so an expired or revoked code logs the user out.
    if (!verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
} elseif (isset($_GET['session_code'], $_GET['user_id'], $_GET['email'], $_GET['username'])) {
    // Arriving from the Zampto redirect: store the data, then verify it before trusting it.
    $_SESSION["session_code"] = $_GET['session_code'];
    $_SESSION["user_id"] = $_GET['user_id'];
    $_SESSION["email"] = $_GET['email'];
    $_SESSION["username"] = $_GET['username'];
    if (verifySession($_SESSION["session_code"], $_SESSION["user_id"], $_SESSION["email"], $_SESSION["username"])) {
        session_regenerate_id(true); // fresh session id after login, against session fixation
        $_SESSION["loggedin"] = true;
    } else {
        session_destroy();
        header("Location: $redirect_url");
        exit;
    }
}

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: $redirect_url");
    exit;
}
?>

Or a simpler check, which only looks at the local loggedin flag and does not re-verify the session code with the API, so it is possibly more vulnerable to bypass attacks:

<?php
session_start();
// Only the local session flag is checked here; the session code itself is not re-verified.
if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: https://service.websitedomain.com/your_login_url_that_will_redirect_to_zampto_for_authentication");
    exit;
}

You can create your own combination of scripts, or take inspiration from these and adapt them to your site. Remember that you need the script provided above to register new users in the database and log them in, along with a database and a users table, which you can create with the SQL query provided above.

These scripts, or at least almost all of them, must be integrated into your own code to work correctly. The checks that the user is logged in and that the session is valid should run before any output is sent (header() redirects fail otherwise), ideally within the first 15 lines of each protected page.

If you have found vulnerabilities, problems or anything else, you can contact us by opening a ticket on Discord or by email at [email protected]

We do not take responsibility for the risks and what you can do with the codes etc. provided, use at your own risk.

The short URL of the present DBA post is: https://zampto.net/url/quick-login