Social Auth Settings

Flow ID: AD-44 | Module(s): settings | Complexity: Low | Last Updated: 2026-04-04

Business Context

Social auth settings allow Advisable-level administrators to configure OAuth login providers (Google and Facebook) for the storefront. When enabled, customers can sign in or register using their Google or Facebook accounts instead of creating a traditional email/password account.

The configuration stores OAuth client credentials (client IDs, secrets, project IDs) in the registry and provides enable/disable toggles for each provider independently.


API Reference

REST Endpoints

No REST API. Social auth settings are managed through the legacy admin settings panel.

Legacy Admin Routes

Route                | Controller            | Method | HTTP | Description
settings/social_auth | AdvSocialAuthSettings | index  | GET  | Display settings form
settings/social_auth | AdvSocialAuthSettings | index  | POST | Save settings and redirect

Code Flow

Viewing Settings

  1. Admin navigates to settings/social_auth.
  2. AdvSocialAuthSettings::index() calls view().
  3. view() loads current values from the registry:
    • Google: login enabled flag, project ID, client ID, client secret (encrypted).
    • Facebook: login enabled flag, app ID, app secret (encrypted).
  4. Renders settings/social_auth view with current values pre-filled.

Saving Settings

  1. Admin submits the form with updated values.
  2. index() detects POST submit and calls post().
  3. post() runs validation() which applies trim rules to all fields (no required fields).
  4. If validation passes, calls registry->setValue() for each field:
    • SOCIAL_AUTH / GOOGLE_LOGIN_ENABLED -- cast to int (0/1)
    • SOCIAL_AUTH / GOOGLE_PROJECT_ID
    • SOCIAL_AUTH / GOOGLE_CLIENT_ID
    • SOCIAL_AUTH / GOOGLE_CLIENT_SECRET -- stored encrypted (true flag on setValue)
    • SOCIAL_AUTH / FACEBOOK_LOGIN_ENABLED -- cast to int (0/1)
    • SOCIAL_AUTH / FACEBOOK_CLIENT_ID
    • SOCIAL_AUTH / FACEBOOK_CLIENT_SECRET -- stored encrypted (true flag on setValue)
  5. Redirects to settings/social_auth.

Domain Layer

No modern domain layer. Settings are stored through the Registry pattern (a DB-backed key-value store).


Architecture

Component             | Path                                                      | Purpose
AdvSocialAuthSettings | ecommercen/settings/controllers/AdvSocialAuthSettings.php | Admin controller (93 lines)
Registry              | application/libraries/Registry.php                        | DB-backed key-value store
Auth library          | ecommercen/auth/libraries/                                | Consumes these settings for OAuth flows

Data Model

No dedicated tables. All data stored in the registry table via the Registry pattern.

Registry Keys

Group       | Key                    | Type               | Description
SOCIAL_AUTH | GOOGLE_LOGIN_ENABLED   | int                | 0=disabled, 1=enabled
SOCIAL_AUTH | GOOGLE_PROJECT_ID      | string             | Google Cloud project ID
SOCIAL_AUTH | GOOGLE_CLIENT_ID       | string             | Google OAuth client ID
SOCIAL_AUTH | GOOGLE_CLIENT_SECRET   | string (encrypted) | Google OAuth client secret
SOCIAL_AUTH | FACEBOOK_LOGIN_ENABLED | int                | 0=disabled, 1=enabled
SOCIAL_AUTH | FACEBOOK_CLIENT_ID     | string             | Facebook App ID
SOCIAL_AUTH | FACEBOOK_CLIENT_SECRET | string (encrypted) | Facebook App secret

Configuration

Source   | Key               | Description
Registry | SOCIAL_AUTH group | All OAuth credentials and enable flags

Required roles: AUTH_ROLE_ADVISABLE only (highest privilege level -- not available to regular admins).

Encrypted storage: Client secrets are stored with encryption via the registry's $encrypted = true parameter on setValue() and value().


Client Extension Points

  • Override controller: Create Social_auth_settings in application/modules/settings/controllers/ to add additional providers or validation rules.
  • Custom providers: Add new OAuth providers by extending the controller and adding corresponding registry keys and auth library integration.

Business Rules

  1. Advisable-only access: Only users with AUTH_ROLE_ADVISABLE can access this settings page. Regular admins cannot modify OAuth credentials.
  2. Independent toggles: Google and Facebook can be enabled/disabled independently.
  3. Encrypted secrets: Client secrets are stored encrypted in the registry to prevent exposure in DB dumps.
  4. No required fields: All fields use only trim validation -- the form can be submitted with empty values (effectively disabling the provider).
  5. Immediate effect: Changes take effect immediately after save -- no cache invalidation needed since registry values are read on each request.
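The "Saving Settings" flow and business rules 3 and 4 above, as an added PHP illustration that is not the project's own code: a stand-in Registry whose setValue()/value() take the encrypted flag, the post() field handling (trim only, flags cast to int, secrets encrypted), and the three-value check a consumer needs because an enabled flag with empty credentials leaves a provider effectively disabled. The method signatures, the libsodium secretbox encryption, the key source and the form field names are assumptions.

```php
<?php
// Added illustration (not the project's code): a stand-in for the DB-backed Registry
// plus the post() save flow. Signatures, the sodium-based encryption and the key source are assumptions.
final class Registry
{
    private array $rows = [];                           // stands in for the registry table
    public function __construct(private string $key) {} // assumed: 32-byte key kept outside the DB
    public function setValue(string $group, string $name, $value, bool $encrypted = false): void
    {
        if ($encrypted && $value !== '') {              // only the client secrets get the true flag
            $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
            $value = base64_encode($nonce . sodium_crypto_secretbox((string)$value, $nonce, $this->key));
        }
        $this->rows["$group/$name"] = $value;
    }
    public function value(string $group, string $name, bool $encrypted = false)
    {
        $raw = $this->rows["$group/$name"] ?? '';
        if (!$encrypted || $raw === '') { return $raw; }
        $bin   = base64_decode($raw, true);
        $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $this->key);
        return $plain === false ? throw new RuntimeException("registry: cannot decrypt $group/$name") : $plain;
    }
    public function rawRow(string $group, string $name) { return $this->rows["$group/$name"] ?? null; }
}
// Steps 3-4 of "Saving Settings": trim-only validation, flags cast to 0/1, secrets stored encrypted.
function saveSocialAuth(Registry $r, array $post): void
{
    $f = fn(string $k): string => trim((string)($post[$k] ?? ''));   // form field names are assumed
    $r->setValue('SOCIAL_AUTH', 'GOOGLE_LOGIN_ENABLED',   (int)$f('google_login_enabled'));
    $r->setValue('SOCIAL_AUTH', 'GOOGLE_PROJECT_ID',      $f('google_project_id'));
    $r->setValue('SOCIAL_AUTH', 'GOOGLE_CLIENT_ID',       $f('google_client_id'));
    $r->setValue('SOCIAL_AUTH', 'GOOGLE_CLIENT_SECRET',   $f('google_client_secret'), true);
    $r->setValue('SOCIAL_AUTH', 'FACEBOOK_LOGIN_ENABLED', (int)$f('facebook_login_enabled'));
    $r->setValue('SOCIAL_AUTH', 'FACEBOOK_CLIENT_ID',     $f('facebook_client_id'));
    $r->setValue('SOCIAL_AUTH', 'FACEBOOK_CLIENT_SECRET', $f('facebook_client_secret'), true);
}
// Business rule 4: the flag alone is not enough; a consumer should require non-empty credentials too.
function providerUsable(Registry $r, string $p): bool
{
    return (int)$r->value('SOCIAL_AUTH', "{$p}_LOGIN_ENABLED") === 1
        && $r->value('SOCIAL_AUTH', "{$p}_CLIENT_ID") !== ''
        && $r->value('SOCIAL_AUTH', "{$p}_CLIENT_SECRET", true) !== '';
}
$r = new Registry(sodium_crypto_secretbox_keygen());
saveSocialAuth($r, ['google_login_enabled' => '1', 'google_client_id' => ' 123.apps ',   // constructed input
                    'google_client_secret' => 'constructed-secret', 'facebook_login_enabled' => '1']);
var_dump(providerUsable($r, 'GOOGLE'), providerUsable($r, 'FACEBOOK'));   // Facebook: flag set, no credentials
var_dump(str_contains((string)$r->rawRow('SOCIAL_AUTH', 'GOOGLE_CLIENT_SECRET'), 'constructed-secret'));
```

The last line shows what business rule 3 protects: the stored row holds ciphertext, so a dump of the registry table does not contain the secret, while value() with the encrypted flag still returns it to the auth library.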

Wiki Guide: Social Auth Guide -- developer reference for social authentication setup