Rob's technical notes

An embedded application on a Synology NAS is not automatically protected from accessing it without being logged in to DSM. Luckily Synology has an authentication mechanism, Web Authentication, described in their Developers guide. This enables you application to detect whether a user is logged in to DSM. Getting this to work for PHP is not that difficult, but you will encounter a few bumps on the road.

SynoToken

To get the current username from Synology’s authenticate.cgi script you need a SynoToken. This token can be acquired by executing /usr/syno/synoman/webman/login.cgi, which returns an HTTP response containing a body of JSON. The function shell_exec() can be used to call this script. This script may generate some warnings, so it’s a good idea to prevent anything written to stderr in the output by using 2>/dev/null:

$response = shell_exec('/usr/syno/synoman/webman/login.cgi 2>/dev/null');
echo $response;

Content-type: text/html; charset="UTF-8"
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

{
   "SynoToken" : "yFMVWrVDZXwz5",
   "result" : "success",
   "success" : true
}

To get the token the most elegant way is to parse the HTTP response and then parse the JSON in the body.

Update Dec 20, 2014: Fetching the SynoToken seems only necessary in early versions of DSM 5.0.

Authenticate

The script /usr/syno/synoman/webman/modules/authenticate.cgi returns the username of the user logged in to DSM and expects the SynoToken in the GET parameters of the current request. An alternative for doing one request for the token and another one for the username is to alter the environment variable QUERY_STRING before calling authenticate.cgi:

// Update Update Dec 20, 2014: the next two lines are only necessary in early versions of DSM 5.0.
$token = 'yFMVWrVDZXwz5';
putenv('QUERY_STRING=SynoToken=' . $token);

$username = shell_exec('/usr/syno/synoman/webman/modules/authenticate.cgi');
echo $username;

Rob

Administrator?

To enable or disable certain functionality in your application, you might want to know whether a user is an administrator. A list of group ids a user is member of can be retrieved with the command id -G *username*. If 101 is in it, the user is administrator. Make sure to escape the username.

$username = "admin";
$groups = shell_exec('id -G ' . escapeshellarg($username) . ' 2>/dev/null');
print_r(explode(' ', $groups));

Array
(
    [0] => 100
    [1] => 25
    [2] => 101

)

Logging in

Update Dec 20, 2014: I’ve written this paragraph after a question about logging in.
To log in, the user simply uses the homepage of DSM. But it’s also possible to build your own log in form by executing /usr/syno/synoman/webman/login.cgi. The username and password must be set in the environment variable QUERY_STRING for this to work:

putenv('QUERY_STRING=username=admin&passwd=secret');
$result = shell_exec('/usr/syno/synoman/webman/login.cgi');

Content-Type: text/html; charset="UTF-8"
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: id=8b9EKhZnb3w1YC4KNN00020;path=/

{
   "result" : "success",
   "success" : true
}

If the Set-Cookie header is forwarded to the client, then the user is authenticated starting the next request. It’s possible for the user to be authenticated immediately, by adding cookie value id in the Set-Cookie header to the cookie values in the environment variable HTTP_COOKIE:

$httpCookie = getenv('HTTP_COOKIE') . '; id=8b9EKhZnb3w1YC4KNN00020');
putenv('HTTP_COOKIE=' . $httpCookie);

Composer package

I’ve created a Composer package on GitHub you can use to authenticate. This is tested on DSM 4 and 5.1.

$core = new \ultimo\sdk\synology\ds\Core();

// get details of the user currently logged in to DSM
$username = $core->authenticate();
$userId = $core->getUserId($username);
$groups = $core->getUserGroupIds($username);

// log in as admin
if ($core->login("AdMiN", "secret")) {
  echo "Now logged in as " . $core->authenticate();
}