Pipit Members v1.0

28 June 2020

Pipit Members is a Perch app that makes handling logged in and logged out Perch Members easier. It is not a replacement for the Perch Members app. You can use the app’s runtime functions on your Perch PHP pages and you can use the PipitMembers class in your custom app’s control panel pages.

Adding/Removing Tags

The Perch Members app runtime functions only target logged in members. However, there are contexts in which you may want to add/remove a tag while the member is not logged in. The Pipit Members app’s pipit_members_add_tag() and pipit_members_remove_tag() functions allow you to do that.

// by email address
pipit_members_add_tag('subscriber', '[email protected]');

// by ID
pipit_members_add_tag('subscriber', 34);

Example contexts:

Perch events (fired by a Perch app)
Webhooks

If you are using Stripe webhooks, you may use something like this:

switch($event->type) {
    case 'invoice.payment_succeeded':
        $customer_email = $event->data->customer_email;
        pipit_members_add_tag('subscriber', $customer_email, '+1 year');
    break;

    // other event types
}

Live tag check

The Perch Members app’s perch_member_has_tag() checks the session data which may not always be up to date (e.g. admin added/removed a tag via control panel while the member is already logged in). So in some cases it makes sense to query the database, and this what the pipit_members_has_tag() does.

pipit_members_has_tag('email-verified');

You can also check for non logged in members:

pipit_members_has_tag('email-verified', $memberID);

CSRF token check

If you are building a custom app with a form handler that handles forms submitted by logged in members, you need to check the submitted token against the session’s. While this is not complex to implement yourself, for your convenience you can use pipit_members_is_authorized_submission():

function my_app_form_handler($SubmittedForm) {
    if( !pipit_members_is_authorized_submission($SubmittedForm) || !perch_member_logged_in() ) {
        $SubmittedForm->throw_error('unauthorized', 'token');
        return false;
    }
}

Protect logouts against CSRF

While logging out is perhaps a harmless action, if you want to protect this action against CSRF attacks, you can use the logout form:

<perch:form id="logout" app="pipit_members" method="post" r="/account">
    <perch:input type="submit" value="Log Out">
    <perch:input type="hidden" id="token" />
</perch:form>

Email verification

The Pipit Members app comes with a simple email verification feature. It is not foolproof and I am looking to improve this, but it is better than nothing.

And more..

Go to the documentation to find out more.