How to redirect in JavaScript to another website after establishing an authenticated session using PHP (Codeigniter)

Question

SOLVED

The title wasn't enough for the question, I'll elaborate here.

The Problem

I have two systems lets call them system A and system B . System A is a Petite-vue/Codeigniter stack. System B could be a Codeigniter or Laravel back-end (front-end could vary). Here is a graph showing the setup ( R1 and R2 will be explained below).

NOTE: In the graph below R2 is sent from the back-end to system B .

In system A , I am making an asynchronous Fetch request, lets call this request R1 , from the JavaScript (petite-vue) code to the PHP (Codeigniter), which is in the same system (it being system A ). (Code below)

      function Connect_To_System(url){
        fetch("<?= base_url("connect") ?>",
                {
                  method: "POST",
                  body: JSON.stringify( {URL: url} )
                })
                .then(res => res.json())
                .then(data => {
                  // do something with response data like showing a message
                }) 
      }

R1 is handled in the PHP (Codeigniter) code, which establishes an authenticated session with system B by sending a cURL request, lets call this request R2 , to system B . After R2 response returns an HTTP 200 status, I want to redirect the user from system A to system B in a new tab. (Code below, note that I'm using REST_Controller)

    public function connect_post(){
        $data = json_decode($this->post()[0]);
        $url = $data->URL;
        $url_login = $url.'/auth/login';
        $token = $this->session->tempdata('token');
        $username = $this->current_user['emp_no'];
        $digest = md5($username.$token);

        $params= array(
            "username" => $username,
            "token" => $token
        );
        $result = $this->postCURL($url_login, $params);
        // Redirect in a new tab when status is 200 somehow
        // Return a response to the JavaScript
    }

The problem is that I can't redirect the user to another page from the PHP (Codeigniter), because it was called by R1 . Thus, I must redirect the user from the View that made R1 using JavaScript.

However, the solution to first problem doesn't work because the session that was established by R2 is tied to PHP (Codeigniter), or cURL I can't really tell, in other words it's the server that established the session not the user. And redirecting the user using JavaScript will tie the redirection to the user, or whatever the redirect method is.

Possible Solution (Not Preferred EDIT: It is preferred )

The only functional solution is to establish the session with system B from the JavaScript and then redirect the user, which is what I'm currently doing. But the problem is that I'm exposing the authentication data to whom ever simply decides to open the browser inspect. That's why I'm trying to keep all the important data in the back-end PHP code.

The Main Goal

All I want is a way to keep the authentication data hidden, whatever the method may be, if that's possible really.

Thank you in advance.

Answer 1

As it turns out, the proposed solution in the question actually is preferred. Since the token of the user is so personalized and it is even stored in the server session and stored in the database, it would so difficult to authenticate you're self using someone else's authentication data. Thus, there is no major security vulnerability. The idea of exposed data scared me that it blinded me from seeing that exposing the token isn't a huge security vulnerability.