friendsofcake / authenticate
Deprecated CakePHP3: plugin with authentication classes for AuthComponent
License: MIT License
Hi, I'm trying to authenticate with a token, but it doesn't work; when I use the Authentication.MultiColumn, it works. How can I use this mode (token)?
In the README there is no example using this mode.
Thanks a lot
Thank you dev for this plugin. It's really nice and easy to use.
But since this plugin has been abandoned and, according to your doc, this can be achieved by custom finders in CakePHP, I'm having an issue with custom finders.
I used this plugin to allow login using either the email or mobile number field along with password, and there is no username field in the table.
But this is proving hard to get working. Can you please write a doc on using custom finders in CakePHP to allow login using multiple fields (even without a username field)?
Stack Overflow reference: http://stackoverflow.com/questions/41928534/custom-finder-not-working-in-cakephp-3
My mistake: I tried to install master instead of the cake3 branch into a cake3 project.
Hello, I was frustrated because this plugin does not work properly.
My mistake: looking at the README, the Authenticate.MultiColumn configuration documentation states
    'fields' => array( 'username' => 'login', 'password' => 'password' ),
This is different from the configuration in the MultiColumnAuthenticate class comment.
It turns out that after I change the login to the username,
    'fields' => array( 'username' => 'username', 'password' => 'password' ),
all goes well. Thanks for the great plugin =D
How hard would it be to actually support having multiple users with same mail but different passwords?
We're using it to actually decide what part of the system they log in to, based on what password they enter to their email.
Variable $contain undefined: http://prntscr.com/4sawb9
File /plugins/FOC/Authenticate/src/Auth/MultiColumnAuthenticate.php, row 81.
Fix like image: http://prntscr.com/4sawe1
    if ($this->_config['contain']) {
        $table = $table->contain($this->_config['contain']);
    }
Got: Authentication adapter "FOC/Authenticate.Cookie" was not found when loading my app.
In my config/bootstrap.php:
Plugin::load('FOC/Authenticate');
Hi,
I'm trying and failing to get TokenAuthenticate to behave as I expect. I am assuming that $this->Auth->user() should return the logged in user when logged in via TokenAuthenticate. Is this incorrect?
If this is correct behaviour, should I manually log the user in based on $this->request->header('Authorization-Token') in AppController::beforeFind() or similar?
Relevant AppController.php's $component setup:
    'Authenticate.Token' => [
        'parameter' => '_token',
        'header' => 'Authorization-Token',
        'fields' => [
            'username' => 'email',
            'password' => 'password',
            'token' => 'token',
        ],
        'continue' => true,
    ]
Sample query:
    curl -X GET "http://localhost/myapp/whatever.json" \
      -H "Authorization-Token: MyTokenHere" \
      -m 30 \
      -v
queryLog excerpt, shows that TokenAuthenticate::_findUser does indeed find the user as it should:
SELECT `User`.`etc` FROM `mydb`.`users` AS `User` WHERE `User`.`token` = 'MyTokenHere' LIMIT 1",
Since cake 3.1 it is suggested to use a custom find method to modify the query to find a user (as opposed to Scope)
http://book.cakephp.org/3.0/en/controllers/components/authentication.html#customizing-find-query
It would be great if this plugin could utilise this functionality.
Thanks
Please can a release be pushed for the Cake 3 version and updated to Packagist
Thanks!
I followed the configuration steps and when using both Cookie then Multicolumn, the Cookie itself never works. It always falls back to the Multicolumn. Are there any other steps?
The cookie itself is being created and hashed. However, it is not used to log the user in.
Incorrect:
public function logout(array $user)
Correct:
public function logout(Event $Event, array $user)
I have this fixed in a branch, but was waiting on the phpcs PR to go through. Just wanted to make a paper trail of the issue here.
For some reason I keep revisiting my Authentication stuff and I have some questions.
First, @ADmad thanks for taking care of breaking apart _findUser() in cakephp's BaseAuthenticate.
In a private cakephp project I'm working on, even though the cookie itself is encrypted, I'm not comfortable storing a username and password in it. So I use a uuid field and a remember_me_token field for username and password, respectively. This is only superficially more secure in that it's essentially the same things with different values. But it does help that I can null out/invalidate the remember_me_token field because I also have a remember_me_token_created field (which also guards against cookie tampering of the cookie expiration time). Also, in the off-chance that a cookie is either not encrypted, and/or is compromised/hijacked, all the hacker has is two random strings, instead of having a username/password combo, which is slightly better (they have to resort to brute-force).
So I was thinking about modifying CookieAuthenticate to allow an optional token_created field that represents the "remember me token creation time", making the "remember me token" ephemeral. (better)
When working through this in my head, I keep thinking it would be better if the fields were changed:
- username becomes identifier
- password becomes token
And an additional, optional fields key:
- token_created (datetime)
It could probably be done in a way that does not break backwards compatibility. Does anyone have any thoughts on this? I don't want to introduce "config bloat" or "BC spaghetti" for a security issue, if there's a better approach to this basically.
Also, I am starting to wonder why some of these classes aren't core cakephp. "Remember Me / Cookie" auth seems to be popular enough to warrant inclusion. Probably the same goes for Token Auth? It would avoid the additional dependency on FOC for projects. Then FOC/Authenticate could focus on non-standard/special authentication classes.
Anyway, I was inspired when reading up on the issue of "cookie/remember-me" authentication techniques, specifically the highest voted answer here:
And this referenced link:
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2
I'm not worried about the edge-case timing attacks and such. That can and should be a developer's job to defend against if they are worried about that.
Anyway, sorry for the wall of text.
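The scheme described in the post above (an identifier, a random token, and a server-side token creation time), shown in plain PHP as an added example; it is not code from the post's author or from FOC/Authenticate. The function names, the 14-day lifetime, the array standing in for a users row, and storing only a SHA-256 hash of the token are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; the $row array stands in for a users-table row.
const REMEMBER_ME_LIFETIME = 'P14D'; // assumed lifetime of 14 days

/** Issue a token: returns [cookie payload, columns to store server-side]. */
function issueRememberMe(string $uuid, DateTimeImmutable $now): array
{
    $token = bin2hex(random_bytes(32)); // 256-bit value from the CSPRNG
    return [
        ['identifier' => $uuid, 'token' => $token],
        [
            'uuid' => $uuid,
            // Assumption of this example: only a hash of the token is stored.
            'remember_me_token' => hash('sha256', $token),
            'remember_me_token_created' => $now,
        ],
    ];
}

/** Check a cookie payload against the row found by its identifier; expiry is decided server-side. */
function checkRememberMe(array $cookie, ?array $row, DateTimeImmutable $now): bool
{
    if ($row === null || empty($row['remember_me_token'])) {
        return false; // unknown identifier, or the token was nulled out
    }
    if (!is_string($cookie['token'] ?? null)) {
        return false; // malformed cookie payload
    }
    $expires = $row['remember_me_token_created']->add(new DateInterval(REMEMBER_ME_LIFETIME));
    if ($now >= $expires) {
        return false; // too old, whatever expiry the browser-side cookie carries
    }
    return hash_equals($row['remember_me_token'], hash('sha256', $cookie['token']));
}

// Constructed sample run.
$now = new DateTimeImmutable('2015-06-01 12:00:00', new DateTimeZone('UTC'));
[$cookie, $row] = issueRememberMe('constructed-uuid-0001', $now);
var_dump(checkRememberMe($cookie, $row, $now->modify('+1 day')));   // inside the lifetime
var_dump(checkRememberMe($cookie, $row, $now->modify('+30 days'))); // past the lifetime
$row['remember_me_token'] = null;                                    // server-side revocation
var_dump(checkRememberMe($cookie, $row, $now->modify('+1 day')));   // after revocation
```

Because the age check reads remember_me_token_created from the stored row, editing the cookie's own expiry does not extend the token's validity.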
The following suggested code has no effect on overriding the cookie expiry length.
$this->Cookie->write('RememberMe', $data, true, '+1 year');
If I access the construct config and change it there it works; however, this is not practical in production. I have tried setting it on the $this->loadComponent('Cookie', ['expires' => '+1 year']); however, this doesn't work either.
Given the plugin naming and usage changes, do we want to keep using the FOC\Authenticate namespace and use FOC\Authenticate.Foo, or change the namespace to FOCAuthenticate and use FOCAuthenticate.Foo?
Since Authenticate would be too generic we would need a prefix. So the question is whether we want to save typing one character :)
I notice the code in the cake3 branch does not conform to the cakephp 3 phpcs standards. (docblocks and tab/spacing mostly) Shouldn't it?
Is there any reason it doesn't? If I want to make a PR for something, should I conform to the current style? Or use the cakephp 3 standards?
If this is just something on the to-do list, let me know. I don't mind helping to make the 'cake3' branch conform to the cakephp 3 phpcs template.
Hi,
I added Authenticate to my Cake 2.4.7 project where I was already using Auth's contain option.
I've attempted to pass it to Authenticate.MultiColumn, without luck. According to https://twitter.com/FriendsOfCake/status/481491421602398209, this is likely a bug.
Any help would be greatly appreciated.
Thanks for another awesome plugin, btw :)