Comments (9)
@naiden Thank you for marking this as "New Feature Request". Is it me, or is the Phalcon development team easier to talk to and request features from than before? I think before, this type of request would have been shrugged off under the carpet and I'd be told to code it myself based on Volt or something ^_^ This is one of the most important features that should be done properly by Phalcon and not reimplemented insecurely by everyone else. Especially beginners can make huge mistakes doing this alone. Laravel has a very nice example of how these security issues can be avoided.
from phalcon.
One thing that can be done: Phalcon can provide OAuth2 backend validation of the token/session in beforeExecuteRoute() [default dispatcher event bind].
Otherwise, I think it is not impossible regarding UI/controllers, because the actual/needed implementation depends on the requirements and chosen layout of the application, and of course on the auth provider.
A Phalcon app can be multi-module, single-module, only-REST-API, only-UI, single-with-shared-partials, custom-router, custom-rules, custom-dispatcher, abstract/base ControllerBase per-module/per-app, only-ODM-app, etc.
Next thing: microservicing and an intercommunication mesh, horizontal scaling in the cloud, template engine, CDN and other such stuff.
from phalcon.
Here is an example of HTTP Basic authentication [1] [2] usage. Something basic like this would eliminate the need to reimplement HTTP Basic logins, especially if you don't have access to a web server like Nginx.
[1] https://en.wikipedia.org/wiki/Basic_access_authentication
[2] http://php.net/manual/en/features.http-auth.php
```php
<?php // HTTP Basic Example in Base Controller
use Phalcon\Mvc\Controller;
use Phalcon\Auth\Basic; // proposed helper, does not exist in Phalcon yet

class Base extends Controller
{
    public function initialize()
    {
        $users = [
            'admin' => '15C9Q6J8czx02', // htpasswd => admin
            'user'  => '15sIPp1W4GX42', // htpasswd => user
        ];
        Basic::login($users); // Handle Basic Login and Create Session if Successful
    }
}
```
from phalcon.
Closing in favor of phalcon/cphalcon#13855. Will revisit if the community votes for it, or in later versions.
from phalcon.
Nice to see this NFR in progress. Thank you, everyone involved.
EDITED: It might be a good idea to also allow loading login details from a file (not just an array) like .htpasswd
from the Nginx web server [1] (see auth_basic_user_file), especially if there are hundreds of users. It will be easier to manage and script. Also maybe ``
[1] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
To generate the password hash, you can use any of the following;
```shell
# OPENSSL
openssl passwd -crypt -salt "salt" "password"
# PHP (single quotes outside so the inner double quotes survive the shell)
php -r 'print crypt("password", "salt");'
# PERL
# You can use the current time for the salt;
perl -e 'print crypt("password", "salt")'
# PYTHON
python -c 'import crypt; print(crypt.crypt("password", "salt"))'
# RUBY (String#crypt takes the salt as its argument)
ruby -e 'print "password".crypt("salt")'
```
The Basic HTTP Auth file would look something like this; (this is just an example; in a production environment, for stronger passwords, you need to use passwords with alphanumerics and symbols.)
```text
#
# Nginx Users File
#
# Username: test1
# Password: login1
test1:15G4zLLzuI9VE
# Username: test2
# Password: login2
test2:15IBU8DnYv002
#EOF: /etc/nginx/passwd
```
Then we can simply write code similar to the above;
```php
<?php // HTTP Basic Example in Base Controller
use Phalcon\Mvc\Controller;
use Phalcon\Auth\Basic; // proposed helper, does not exist in Phalcon yet

class Base extends Controller
{
    public function initialize()
    {
        $path  = '/etc/nginx/htpasswd';
        $users = Basic::file($path); // parse user:hash lines into an array
        Basic::login($users);        // Handle Basic Login and Create Session if Successful
    }
}
```
After the HTTP Basic login is successful we can utilize Phalcon ACL to do the rest :-)
from phalcon.
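The two snippets above rely on a `Phalcon\Auth\Basic` helper that does not exist; the following is an added example (not Phalcon's code, and not the proposed helper) showing what such a helper has to get right: parsing an nginx `auth_basic_user_file`, verifying the `crypt()`-style hashes those generator commands produce in constant time, and sending the 401 challenge. The function names, the realm string and the sample users are assumptions; the users file is constructed at run time so its hashes are real.

```php
<?php
// Added example (not Phalcon's code): HTTP Basic auth checked against an
// htpasswd-style users file. Hashes are verified with crypt(), so the
// traditional DES hashes from `openssl passwd -crypt` and bcrypt ($2y$)
// both work. Caveat: apache's $apr1$ format is NOT supported by PHP's crypt().
declare(strict_types=1);

/** Parse htpasswd/auth_basic_user_file content into [user => hash]. */
function parseHtpasswd(string $content): array
{
    $users = [];
    foreach (preg_split('/\R/', $content) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // comments and blank lines
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[1] === '') {
            continue;                       // malformed line: never trust it
        }
        $users[$parts[0]] = $parts[1];
    }
    return $users;
}

/**
 * Constant-time check of $password against the stored hash. Unknown users
 * still go through crypt() so response time does not reveal whether the
 * account exists.
 */
function verifyUser(array $users, string $user, string $password): bool
{
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : crypt('dummy', 'xx'); // constructed dummy hash
    $ok    = hash_equals($hash, crypt($password, $hash));
    return $known && $ok;
}

/**
 * Enforce HTTP Basic auth for the current request. Returns true on valid
 * credentials; otherwise sends the 401 challenge and returns false so the
 * caller (e.g. a base controller's initialize()) can stop dispatching.
 */
function requireBasicAuth(array $users, string $realm = 'Restricted'): bool
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    // Some FastCGI setups expose only the raw header; decode it ourselves.
    $header = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
    if ($user === null && stripos($header, 'Basic ') === 0) {
        $decoded = base64_decode(substr($header, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            [$user, $pass] = explode(':', $decoded, 2);
        }
    }
    if ($user !== null && $pass !== null && verifyUser($users, $user, $pass)) {
        return true;
    }
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . str_replace('"', '', $realm) . '"');
    return false;
}

// Stand-alone demo: a constructed users file whose hashes are generated at
// run time in the same formats the generator commands in the thread produce.
if (PHP_SAPI === 'cli') {
    $file = "#\n# Nginx Users File (constructed sample)\n#\n"
          . 'test1:' . crypt('login1', '15') . "\n"                     // DES, like openssl -crypt
          . 'test2:' . password_hash('login2', PASSWORD_BCRYPT) . "\n"; // bcrypt
    $users = parseHtpasswd($file);
    $attempts = [['test1', 'login1'], ['test2', 'login2'], ['test1', 'wrong'], ['nobody', 'login1']];
    foreach ($attempts as [$u, $p]) {
        printf("%-7s %-7s -> %s\n", $u, $p, verifyUser($users, $u, $p) ? 'accepted' : 'rejected');
    }
}
```

In a Phalcon app the call `requireBasicAuth(parseHtpasswd(file_get_contents($path)))` belongs in the base controller's `initialize()` or in a dispatcher plugin bound to `beforeExecuteRoute`, as an earlier comment suggests; with hundreds of users the parsed array should be cached rather than re-read on every request.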
If we're going to start this, I would like to investigate a full OAuth2 implementation as well. For example: https://github.com/thephpleague/oauth2-server
from phalcon.
I'm not asking for JWT or OAuth2, please stop hijacking my request, everyone! I'm talking about HTTP Basic Auth like I showed in the examples above. Please open your own [NFR] O_o for other feature requests. Thank you!
from phalcon.
Any pros of implementing an nginx/apache feature inside the framework code?
The web server Basic Auth feature's pros are:
- just a few users having access to the domain itself
- no need for plugins for database storage integration
And its cons are:
- just can't be used properly when the number of users exceeds 5-10
- has no rules for subpaths and request params (query, post..)
- mostly passwords are stored raw and can be exploited
As I see it, the thread started with "just add BA" and continues with "there can be tons of users". Next will be a request for rules, a request params parser. Doesn't it look like reinventing ACL, but without forms and database?
So far this feature looks like crutches, because most apps ship with a database and forms, so just using the default ACL and database is a better solution. If you don't want to implement your personal solution, just use Invo.
from phalcon.
I would like to show my solution; it works with both sessions and tokens.
https://github.com/sinbadxiii/phalcon-auth
Out of the box there is already support for the same HTTP Basic Auth.
It can also be extended to work with JWT tokens: https://github.com/sinbadxiii/phalcon-auth-jwt
A variant for the Zephir language has recently been rewritten. Once compiled, it works as a phalcon_auth.so extension.
https://github.com/sinbadxiii/cphalcon-auth
from phalcon.