[SOLVED] Joomla authentication plugins get triggered twice when logging in through CB

I am building an integration into a system that produces one time passwords for login. I have built an authentication plugin based on this code:

github.com/softforge/JoomlaPluginsBook/blob/master/chapter07/plg_authentication_ch07test01/plugins/authentication/ch07test01/ch07test01.php

When this plugin is zipped up, installed and enabled, it gets called twice when logging in through CB which is shown by the username appearing twice in the messages. Interestingly, it get called twice regardless of the "Login Method" setting in the CB configuration. It only gets called once when logging in through Joomla.

I guess for most sites, getting called twice doesn't really matter but for the service I'm using, it matters a lot as once the password has been used, it cannot to be used again so being called twice prevents the users from logging on using this service as it is the result of the second call that checked.

Any idea how to stop the plugin getting called twice?

Many thanks.

Writing the plugin to act on CBs login triggers instead of being a Joomla authentication plugin will go a long way to get it working properly with CB. It shouldn't be called twice. The below is how authentication plugin support works.

1. Check if the user exists by username
2. If not check if the user exists by email
3. If not check if the user exists by authentication plugin

What step 3 does is call the Joomla login function on the credentials supplied by the user. This returns basically a true/false if login is successful. If it is we generate a CB user object for them and store it then mark $loggedIn as true and don't bother attempting to login again. The only way for login to fire twice is if the authentication plugin login attempt failed and $loggedIn was never set true.

Maybe you're using CB Auto Actions or something to login a user or could be an issue with the authentication plugin it self. I recommend checking Joomlas GMail authentication plugin as it's the only one we've tested.

Thanks for your response. I've tried may things but with no success so far. I tried disabling auto actions but that didn't make any difference. I tried disabling and reordering the authentication plugins but that also makes no difference.

It only gets called twice if the first call returns true so something else is happening after a successful login which is causing login to get called again. I set-up a breakpoint within the doAuthenticate function and here is a screenshot of the stack-trace each time it is called:




As you can see, login() is being called more then once. Does this provide any clues? I currently have CB set to only login using username (not using authentication plugins).

This authentication plugin works great with the Joomla login so it would be really nice if it were compatible with the CB login as well.

Thanks for your help on this!

Ah, I see what's going on. On line 65 it's testing that the user is loaded by Username OR if the password they supplied is valid. When it's testing the password via verifyPassword it does a call to Joomlas authentication API. If that fails it repeats by Email on line 70 then finally handles the authentication plugin on line 78. That call to Joomla authentication is what is triggering your authentication plugin.

I think you'll just need to alter your authentication plugin to handle this scenario. We can't remove that without breaking functionality as it's needed to validate the password. Your alternative is to develop a CB authentication plugin, which is a CB field that acts on onLoginAuthentication.

Thanks Kyle.

Any idea what is different between each call that I can check so I don't make the API call twice?

Many thnaks

Cache the authentication in a static variable should work fine. Example as follows.


This will mean the username and password is only checked once and its response is cached when called multiple times in the same process. As it's a static variable the next page load (e.g. next login attempt) will do a new authentication as you're wanting.