friendsofcake / authenticate Goto Github PK

Hi, i'm trying to authenticate with a token, but doesn't work, when i use the Authentication.MultiColumn, works. How can i use this mode(token).
In the read me there is not an example using this mode.
Thanks a lot

Thank you dev for this plugin. It's really nice and easy to use.

But, since, this plugin has been abandoned and according to your doc, this can be achieved by custom finders in CakePHP, I'm having an issue with custom finders.

I used this plugin to allow login using either email or mobile number field along with password and there is no username field in the table.
But this is getting it hard to work. Can you please write a doc to use custom finders in CakePHP to allow login using multiple fields (even without username field)

stackoverflow reference : http://stackoverflow.com/questions/41928534/custom-finder-not-working-in-cakephp-3

my mistake tried to install master instead of cake3 branch into cake3 project

Hello, I was frustrated because this plugin does not work properly
My mistake because look at the Read Me Authenticate.MultiColumn configuration documentation in state

'fields' => array(
     'username' => 'login',
     'password' => 'password'
),

Is different in MultiColumnAuthenticate class comment configuration.
turns out after I change the login to the username,

'fields' => array(
     'username' => 'username',
     'password' => 'password'
),

all goes well, thanks for great plugin =D

How hard would it be to actually support having multiple users with same mail but different passwords?

We're using it to actually decide what part of the system they log in to, based on what password they enter to their email.

variable $contain undefined. http://prntscr.com/4sawb9
/plugins/FOC/Authenticate/src/Auth/MultiColumnAuthenticate.php
row 81.
Fix like image: http://prntscr.com/4sawe1
if ($this->_config['contain']) {
$table = $table->contain($this->_config['contain']);
}

Got: Authentication adapter "FOC/Authenticate.Cookie" was not found when loading my app.

In my config/bootstrap.php:

Plugin::load('FOC/Authenticate');

Hi,

I'm trying and failing to get TokenAuthenticate to behave as I expect. I am assuming that $this->Auth->user() should return the logged in user when logged in via TokenAuthenticate. Is this incorrect?

If this is correct behaviour, should I manually log the user in based on $this->request->header('Authorization-Token') in AppController::beforeFind() or similar?

Setup:

• CakePHP 2.4.7
• Latest Crud plugin
• Latest Authenticate plugin

Relevant AppController.php's $component setup:

'Authenticate.Token' => [
    'parameter' => '_token', 
    'header' => 'Authorization-Token', 
    'fields' => [
        'username' => 'email',
        'password' => 'password',
        'token' => 'token',
    ],
    'continue' => true,
]

Sample query:

curl -X GET "http://localhost/myapp/whatever.json" \
     -H "Authorization-Token: MyTokenHere" \
     -m 30 \
     -v \

queryLog excerpt, shows that TokenAuthenticate::_findUser does indeed find the user as it should:

SELECT `User`.`etc` FROM `mydb`.`users` AS `User` WHERE `User`.`token` = 'MyTokenHere'    LIMIT 1",

Since cake 3.1 it is suggested to use a custom find method to modify the query to find a user (as opposed to Scope)

http://book.cakephp.org/3.0/en/controllers/components/authentication.html#customizing-find-query

It would be great if this plugin could utilise this functionality.

Thanks

Please can a release be pushed for the Cake 3 version and updated to Packagist

Thanks!

I followed the configuration steps and when using both Cookie then Multicolumn, the Cookie itself never works. It always falls back to the Multicolumn. Is there any other steps?

The cookie itself is being created and hashed. However, it is not used to log the user in.

Incorrect:

    public function logout(array $user)

Correct:

    public function logout(Event $Event, array $user)

I have this fixed in a branch, but was waiting on the phpcs PR to go through. Just wanted to make a paper trail of the issue here.

For some reason I keep revisiting my Authentication stuff and I have a some questions.

First, @ADmad thanks for taking care of breaking apart _findUser() in cakephp's BaseAuthenticate 👍

In a private cakephp project I'm working on, even though the cookie itself is encrypted, I'm not comfortable storing a username and password in it. So I use a uuid field and a remember_me_token field for username and password, respectively. This is only superficially more secure in that it's essentially the same things with different values. But it does help that I can null out/invalidate the remember_me_token field because I also have a remember_me_token_created field. (which also guards against cookie tampering of the cookie expiration time) Also in the off-chance that a cookie is either not encrypted, and/or is compromised/hijacked, all the hacker has is two random strings, instead of having a username/password combo, which is slightly better. (they have to resort to brute-force)

So I was thinking about modifying CookieAuthenticate to allow an optional token_created field that represents the "remember me token creation time", making the "remember me token" ephemeral. (better)

When working through this in my head, I keep thinking it would be better if the fields were changed:

username becomes identifier
password becomes token

And an additional, optional fields key:

token_created (datetime)

It could probably be done in a way that does not break backwards compatibility. Does anyone have any thoughts on this? I don't want to introduce "config bloat" or "BC spaghetti" for a security issue, if there's a better approach to this basically.

Also, I am starting to wonder why some of these classes aren't core cakephp. "Remember Me / Cookie" auth seems to be popular enough to warrant inclusion. Probably the same goes for Token Auth? It would avoid the additional dependency on FOC for projects. Then FOC/Authenticate could focus on non-standard/special authentication classes.

Anyway, I was inspired when reading up on the issue of "cookie/remember-me" authentication techniques, specifically the highest voted answer here:

http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website

And this referenced link:

https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2

I'm not worried about the edge-case timing attacks and such. That can and should be a developer's job to defend against if they are worried about that.

Anyway , sorry for the wall of text.

The following suggested code has no effect on overriding the cookie expiry length.

$this->Cookie->write('RememberMe', $data, true, '+1 year');

If I access the construct config and change it there it works however this is not practically in production. I have tried setting it on the $this->loadComponent('Cookie', ['expires' => '+1 year']) however this doesn't work either.

Given the plugin naming and usage changes do we want to keep using FOC\Authenticate namespace and use FOC\Authenticate.Foo or change the namespace to FOCAuthenticate and use FOCAuthenticate.Foo. Since Authenticate would be too generic we would need a prefix. So the question is whether we want to save typing one character :)

I notice the code in the cake3 branch does not conform to the cakephp 3 phpcs standards. (docblocks and tab/spacing mostly) Shouldn't it?

Is there any reason it doesn't? If I want to make a PR for something, should I conform to the current style? Or use the cakephp 3 standards?

If this is just something on the to-do list, let me know. I don't mind helping to make the 'cake3' branch conform to the cakephp 3 phpcs template.

Hi,

I added Authenticate to my Cake 2.4.7 project where I was already using Auth's contain option.

I've attemped to pass it to Authenticate.MultiColumn, without luck. According to https://twitter.com/FriendsOfCake/status/481491421602398209, this is likely a bug.

Any help would be greatly appreciated.

Thanks for another awesome plugin, btw :)