Skip to main content

Arc Publishing Configuration - La Tercera

Overview

La Tercera uses Arc Publishing as an external authentication provider, replacing Farfalla's standard authentication system. This integration allows users to authenticate using Arc Publishing credentials instead of local credentials.

Tenant ID: 1558
Production Domain: https://kiosco.latercera.com
API Subdomain: api-copesa-la-tercera-prod

Provider Configuration

arc_publishing_password

The password provider enables email/password authentication through Arc Publishing API.

Status: Enabled
Type: Email/password authentication

Configuration:

{
  "enabled": true,
  "api_subdomain_fragment": "api-copesa-la-tercera-prod",
  "client_id": "api-copesa-la-tercera-prod",
  "client_secret": "[REDACTED]",
  "external_session_name": "ltsess",
  "redirect": null
}

Details:

  • API Base URL: https://api-copesa-la-tercera-prod.cdn.arcpublishing.com
  • External Session Cookie: ltsess (used for automatic SSO)
  • Login Endpoint: /identity/public/v1/auth/login
  • Registration Endpoint: /identity/public/v1/signup
  • Profile Endpoint: /identity/public/v1/profile
  • Email Verification Endpoint: /identity/public/v1/email/verify

Authentication Flow:

  1. User enters email and password in the form
  2. Credentials are sent to Arc Publishing API
  3. Arc validates and returns tokens (access_token, refresh_token, uuid)
  4. Profile is retrieved using the access_token
  5. User is created/updated in Farfalla

Password Requirements:

  • Minimum 8 characters, maximum 30
  • At least one lowercase letter
  • At least one uppercase letter
  • At least one digit
  • At least one special character: @$!%*#?&-_.

arc_publishing_google

The Google provider enables OAuth authentication with Google accounts.

Status: Enabled
Type: OAuth authentication with Google

Configuration:

{
  "enabled": true,
  "api_subdomain_fragment": "api-copesa-la-tercera-prod",
  "client_id": "5397844116-r1vl5s95uupim2qu21q7tdhpp30v5uhr.apps.googleusercontent.com",
  "client_secret": null,
  "external_session_name": null,
  "redirect": "https://kiosco.latercera.com/auth/social/arc_publishing_google/callback"
}

Details:

  • API Base URL: https://api-copesa-la-tercera-prod.cdn.arcpublishing.com
  • OAuth Client ID: 5397844116-r1vl5s95uupim2qu21q7tdhpp30v5uhr.apps.googleusercontent.com
  • Callback URL: https://kiosco.latercera.com/auth/social/arc_publishing_google/callback

arc_publishing_facebook

The Facebook provider enables OAuth authentication with Facebook accounts.

Status: Disabled
Type: OAuth authentication with Facebook

Configuration:

{
  "enabled": false,
  "api_subdomain_fragment": "api-copesa-la-tercera-prod",
  "client_id": "1267582820019526",
  "client_secret": null,
  "external_session_name": null,
  "redirect": "https://kiosco.latercera.com/auth/social/arc_publishing_facebook/callback"
}

Details:

  • API Base URL: https://api-copesa-la-tercera-prod.cdn.arcpublishing.com
  • Facebook App ID: 1267582820019526
  • Callback URL: https://kiosco.latercera.com/auth/social/arc_publishing_facebook/callback
  • Note: Although configured, the provider is disabled (enabled: false)

Additional Configuration

Email Domain Whitelist

{
  "email_domains_whitelist": {
    "allowed": ["grupocopesa.cl"],
    "enabled": false
  }
}

The whitelist is configured but disabled. If enabled, it would only allow registrations with emails from the @grupocopesa.cl domain.

Session Limit

{
  "sessions_limit": {
    "default": 5,
    "enabled": false
  }
}

The session limit is configured to 5 but disabled.

Social Authentication

{
  "social_auth": {
    "enabled": true
  }
}

Admin Password Login

{
  "disable_admin_password_login": false
}

Administrators can use password login through Arc Publishing.

Arc Publishing API Endpoints

All endpoints use the subdomain: api-copesa-la-tercera-prod

Base URL

https://api-copesa-la-tercera-prod.cdn.arcpublishing.com

Login

Endpoint: POST /identity/public/v1/auth/login

Request:

curl -X POST 'https://api-copesa-la-tercera-prod.cdn.arcpublishing.com/identity/public/v1/auth/login' \
  -H 'Content-Type: application/json' \
  -d '{
    "userName": "usuario@ejemplo.com",
    "credentials": "[PASSWORD]",
    "grantType": "password"
  }'

Success Response (200):

{
  "uuid": "98647565-a9d0-4977-9ab9-93f9bf767ab1",
  "accessToken": "[TOKEN]",
  "refreshToken": "[TOKEN]"
}

Error Response (401):

{
  "httpStatus": 401,
  "code": "300040",
  "message": "Invalid username or password"
}

Registration

Endpoint: POST /identity/public/v1/signup

Request:

curl -X POST 'https://api-copesa-la-tercera-prod.cdn.arcpublishing.com/identity/public/v1/signup' \
  -H 'Content-Type: application/json' \
  -d '{
    "identity": {
      "userName": "usuario@ejemplo.com",
      "credentials": "[PASSWORD]",
      "grantType": "password"
    },
    "profile": {
      "email": "usuario@ejemplo.com",
      "picture": "https://www.gravatar.com/avatar/00000000000000000000000000000000?d=mp"
    }
  }'

Note: The picture field is required and must be between 1 and 255 characters.

User Profile

Endpoint: GET /identity/public/v1/profile

Request:

curl -X GET 'https://api-copesa-la-tercera-prod.cdn.arcpublishing.com/identity/public/v1/profile' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer [ACCESS_TOKEN]'

Email Verification

Endpoint: POST /identity/public/v1/email/verify

Request:

curl -X POST 'https://api-copesa-la-tercera-prod.cdn.arcpublishing.com/identity/public/v1/email/verify' \
  -H 'Content-Type: application/json' \
  -d '{"email":"usuario@ejemplo.com"}'

Single Sign-On (SSO)

The integration supports automatic SSO through external session cookies.

Configuration

  • Session Cookie: ltsess
  • Middleware: CheckExternalSessionFromArcPublishing

SSO Flow

  1. User is authenticated on La Tercera's main site
  2. Main site sets the ltsess cookie with session token
  3. User visits kiosco.latercera.com
  4. The CheckExternalSessionFromArcPublishing middleware detects the cookie
  5. If the cookie exists and is valid, the user is automatically authenticated
  6. The automatic_login_by_arc_publishing session is established in Farfalla

The middleware verifies:

  • If arc_publishing_password is enabled
  • If the ltsess cookie exists (configured in external_session_name)
  • If the user is not authenticated or has the automatic login flag

Code Reference

Key Files

  1. Password Provider:

    • app/Providers/LaravelSocialite/ArcPublishingPasswordProvider.php

  2. Google Provider:

    • app/Providers/LaravelSocialite/ArcPublishingGoogleProvider.php

  3. Facebook Provider:

    • app/Providers/LaravelSocialite/ArcPublishingFacebookProvider.php

  4. Common Trait:

    • app/Providers/LaravelSocialite/InteractsWithArcPublishingIdentity.php

  5. Arc Service:

    • app/Domains/Identity/Services/ArcService.php

  6. SSO Middleware:

    • app/Http/Middleware/CheckExternalSessionFromArcPublishing.php

  7. Service Provider:

    • app/Providers/LaravelSocialiteExtensionsProvider.php

Controllers

  • app/Http/Controllers/Auth/LoginController.php
  • app/Http/Controllers/Auth/RegisterController.php
  • app/Http/Controllers/Auth/SocialAuth.php

Technical Notes

Standard Login Replacement

When arc_publishing_password is enabled, it completely replaces Laravel's standard authentication flow. Login and registration forms point to Arc Publishing callbacks.

User Validation

Before registering a user, the system verifies if the user exists in Arc Publishing using /identity/public/v1/email/verify. If the user does not exist, it is automatically created in Arc Publishing.

Synchronization

Users are synchronized between Arc Publishing and Farfalla. The Arc Publishing UUID is used as the unique identifier.

Error Handling

Arc Publishing errors are mapped to user-friendly error messages. Translations are used from lang/*/arc-publishing.php and lang/*/validation.php.

Database Query

To query the configuration in production:

SELECT
  tenant_id,
  JSON_EXTRACT_JSON(users, '$.auth.custom_socialite_providers.arc_publishing_password') as arc_password,
  JSON_EXTRACT_JSON(users, '$.auth.custom_socialite_providers.arc_publishing_facebook') as arc_facebook,
  JSON_EXTRACT_JSON(users, '$.auth.custom_socialite_providers.arc_publishing_google') as arc_google
FROM tenants_meta
WHERE tenant_id = 1558;

Local Development Configuration

To test in your local environment, use this configuration in dashboard/settings#advanced in the Users section:

{
  "custom_socialite_providers": {
    "arc_publishing_google": {
      "enabled": true,
      "redirect": "https://stagingapp.publica.la/auth/social/arc_publishing_google/callback",
      "client_id": "5397844116-r1vl5s95uupim2qu21q7tdhpp30v5uhr.apps.googleusercontent.com",
      "client_secret": null,
      "api_subdomain_fragment": "api-copesa-la-ternera-sandbox"
    },
    "arc_publishing_facebook": {
      "enabled": true,
      "redirect": "https://stagingapp.publica.la/auth/social/arc_publishing_facebook/callback",
      "client_id": "681004598937061",
      "client_secret": null,
      "api_subdomain_fragment": "api-copesa-la-ternera-sandbox"
    },
    "arc_publishing_password": {
      "enabled": true,
      "redirect": null,
      "client_id": "api-copesa-la-ternera-sandbox",
      "client_secret": "SOBTNUVS1L1FRUDLP18NQSP9VE3C3NIIl8/ioEgpfgLNXkMFiKez1l5QVmpyjeATgCEf8PZB",
      "api_subdomain_fragment": "api-copesa-la-ternera-sandbox"
    }
  }
}

Important: Facebook and Google must keep the same client_id because this value is used by Arc to verify the callback origin. If these values are changed, Arc will return:

{
  "httpStatus": 401,
  "code": "300040",
  "message": "Invalid username or password"
}

Local Setup Steps

  1. Edit your hosts file to point stagingapp.publica.la to your local Farfalla IP:

    # Add this line to /etc/hosts
    127.0.0.1 stagingapp.publica.la

  2. Add stagingapp.publica.la as the final_domain of tenant 1 in the tenants table

  3. Run this command in the project root folder:

    valet link stagingapp.publica.la

  4. Configure the custom_socialite_providers JSON as shown above

Social Login Redirect URLs

Production

- https://kiosco.latercera.com/auth/social/arc_publishing_facebook/callback
- https://kiosco.latercera.com/auth/social/arc_publishing_google/callback
- https://testcopesa.publica.la/auth/social/arc_publishing_facebook/callback
- https://testcopesa.publica.la/auth/social/arc_publishing_google/callback

Staging

- https://stagingapp.publica.la/auth/social/arc_publishing_facebook/callback
- https://stagingapp.publica.la/auth/social/arc_publishing_google/callback

Note: The app.publica.la URLs are not used because everything goes directly to the corresponding tenant domain.

Test Accounts

Email/Password Accounts

  • jdoe12345678913456789@donotreply.com | ouyitg23h9oi1l2hbIohilujk.sj
  • testconcopesa20200619@donotreply.com | Me1.78ytagsj

Facebook Test Accounts

Jayden Aleaggehccida Bushakman  101646888237839 ehdbmibsha_1590163203@tfbnw.net
Tyler Aleagfjecdfha Occhinoescu 101969721538379 yyouyofcjj_1590163197@tfbnw.net
James Aleagbcfffccj Smithsky  102671171467005 jjxtlvlxkj_1590163199@tfbnw.net
Susan Aleadcfkigfi Yangsky  112623017128898 tygimwpksk_1590163201@tfbnw.net
Open Graph Test User  107642566895467 open_zhnmgnh_user@tfbnw.net

The password for all Facebook test accounts is: dfg567Ht4df89. (with the dot)

X

Graph View