
[NFR]: Phalcon Authentication (about phalcon, OPEN, 9 comments)

phalcon commented on June 9, 2024
[NFR]: Phalcon Authentication

from phalcon.

Comments (9)

commented on June 9, 2024

@naiden Thank you for marking this as "New Feature Request". Is it me, or is the Phalcon development team easier to talk to and request features from than before? I think before, this type of request would have been shrugged off under the carpet and I would have been told to code it myself based on Volt or something ^_^ This is one of the most important features that should be done properly by Phalcon and not reimplemented insecurely by everyone else. Especially beginners can make huge mistakes doing this alone. Laravel has a very nice example of how these security issues can be avoided.


ViltusVilks commented on June 9, 2024

One thing can be done - Phalcon can provide OAuth2 backend validation on token/session in beforeExecuteRoute() [default dispatcher event bind]

Otherwise, I think it is not impossible regarding UI/controllers, because the actual/needed implementation depends on requirements and the chosen layout of the application, and of course the auth provider.

Phalcon app can be - multi-module, single-module, only-rest-api, only-ui, single-with-shared-partials, custom-router, custom-rules, custom-dispatcher, abstract/base ControllerBase per-module/per-app, only-ODM-app & etc...

Next thing - microservicing and an intercommunication mesh, horizontal scaling in the cloud, template engine, CDN & etc. stuff


commented on June 9, 2024

Here is an example of HTTP Basic authentication [1] [2] usage. Something as basic as this would eliminate the need to reimplement HTTP Basic logins, especially if you don't have access to a web server like Nginx.

[1] https://en.wikipedia.org/wiki/Basic_access_authentication
[2] http://php.net/manual/en/features.http-auth.php

<?php // HTTP Basic example in a base controller (Phalcon\Auth\Basic is the API proposed in this NFR, not an existing Phalcon class)

use Phalcon\Mvc\Controller;
use Phalcon\Auth\Basic;

class Base extends Controller
{
    public function initialize()
    {
        // crypt(3) DES hashes as written by htpasswd; key is the user name
        $users = [
            'admin' => '15C9Q6J8czx02', // htpasswd => admin
            'user'  => '15sIPp1W4GX42', // htpasswd => user
        ];

        Basic::login($users); // handle the Basic login and create a session if successful
    }
}


niden commented on June 9, 2024

Closing in favor of phalcon/cphalcon#13855. Will revisit if the community votes for it, or in later versions.


commented on June 9, 2024

Nice to see this NFR in progress. Thank you, everyone involved.

EDITED: It might be a good idea to also allow loading login details from a file (not just an array), like .htpasswd from the Nginx web server [1] (see auth_basic_user_file), especially if there are hundreds of users. It will be easier to manage and script. Also maybe ``

[1] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

To generate the password hash, you can use any of the following;

# OPENSSL (the -crypt option was removed in OpenSSL 3.0; only older releases accept it)
openssl passwd -crypt -salt "salt" "password"

# PHP (single quotes outside so the inner double quotes survive the shell)
php -r 'print crypt("password", "salt");'

# PERL
# You can use the current time for the salt;
perl -e 'print crypt("password", "salt")'

# PYTHON (the crypt module is deprecated since 3.11 and removed in 3.13)
python -c 'import crypt; print(crypt.crypt("password", "salt"))'

# RUBY (String#crypt takes the salt as its argument)
ruby -e 'puts "password".crypt("salt")'

The Basic HTTP Auth file would look something like this (this is just an example; in a production environment, for stronger passwords, you need to use passwords with alphanumeric characters and symbols).

# 
# Nginx Users File
# 

# Username: test1
# Password: login1
test1:15G4zLLzuI9VE

# Username: test2
# Password: login2
test2:15IBU8DnYv002

#EOF: /etc/nginx/passwd

Then we can simply use code similar to the above;

<?php // HTTP Basic example in a base controller, loading users from the Nginx file (Phalcon\Auth\Basic is the proposed API, not an existing Phalcon class)

use Phalcon\Mvc\Controller;
use Phalcon\Auth\Basic;

class Base extends Controller
{
    public function initialize()
    {
        // same path as the "#EOF" marker in the users file above
        $path = '/etc/nginx/passwd';

        $users = Basic::file($path); // parse "user:hash" lines into an array

        Basic::login($users); // handle the Basic login and create a session if successful
    }
}

After the HTTP Basic login succeeds, we can utilize Phalcon ACL to do the rest :-)

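To make concrete what a Basic::login()-style helper would have to do with such a file, here is an added example in plain PHP (not Phalcon's code and not the commenter's): it parses an htpasswd-style table and checks an Authorization header with crypt() and a constant-time comparison. The names parseHtpasswd and basicAuthUser and the inline sample table are assumptions of this example.

```php
<?php
// Added example, not Phalcon code: the core of what a Basic::login()-style
// helper must do. Pure functions, no session or header side effects.
declare(strict_types=1);

// Parse htpasswd-style "user:hash" lines into [user => hash].
// Blank lines and '#' comments (as in the Nginx file above) are skipped.
function parseHtpasswd(string $contents): array
{
    $users = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2) + [1 => ''];
        if ($user !== '' && $hash !== '') {
            $users[$user] = $hash;
        }
    }
    return $users;
}

// Verify an "Authorization: Basic ..." header value against the table.
// Returns the authenticated user name, or null on any failure.
function basicAuthUser(?string $authorization, array $users): ?string
{
    if ($authorization === null || stripos($authorization, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(trim(substr($authorization, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $password] = explode(':', $decoded, 2); // password may contain ':'
    // Unknown users get a dummy salt so they take the same crypt() path.
    $stored = $users[$user] ?? '*';
    // crypt() verifies DES, $1$ (MD5) and $2y$ (bcrypt, htpasswd -B) hashes;
    // Apache's $apr1$ and {SHA} formats are not crypt()-compatible.
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored)) ? $user : null;
}

// Usage with a constructed table; password_hash() yields a $2y$ bcrypt hash
// equivalent to what `htpasswd -B` writes, so no DES salt is needed.
$table = parseHtpasswd("# constructed\ntest1:" . password_hash('login1', PASSWORD_BCRYPT) . "\n");
var_dump(basicAuthUser('Basic ' . base64_encode('test1:login1'), $table));
var_dump(basicAuthUser('Basic ' . base64_encode('test1:wrong'), $table));
var_dump(basicAuthUser('Basic ' . base64_encode('nobody:login1'), $table));
```

A real controller would read the table once (not per request) and, on null, send a 401 with a WWW-Authenticate: Basic realm="..." header rather than continuing to dispatch.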

ruudboon commented on June 9, 2024

If we're gonna start this, I would like to investigate a full OAuth2 implementation as well, like for example https://github.com/thephpleague/oauth2-server


commented on June 9, 2024

I'm not asking for JWT or OAuth2, please stop hijacking my request, everyone! I'm talking about HTTP Basic Auth like I showed in the examples above. Please open your own [NFR] O_o for other feature requests. Thank you!


BeMySlaveDarlin commented on June 9, 2024

Any pros of implementing an nginx/apache feature inside the framework code?

The web server Basic Auth feature's pros are:

  • just a few users having access to the domain itself
  • no need for plugins for database storage integration

And its cons are:

  • it just can't be used properly when the amount of users exceeds 5-10
  • it has no rules for subpaths and request params (query, post..)
  • mostly passwords are stored raw and can be exploited

As I see it, the thread started with "just add BA" and continues with "there can be tons of users". Next will be requests for rules and a request params parser. Ain't it looking like reinventing ACL, but without forms and a database?

So far this feature looks like crutches, because most apps ship with a database and forms, so just using the default ACL and database is the better solution. If you don't want to implement your personal solution, just use Invo.


sinbadxiii commented on June 9, 2024

I would like to show my solution, it works with both sessions and tokens.

https://github.com/sinbadxiii/phalcon-auth

Out of the box there is already support for the same HTTP Basic Auth.
It can also be extended to work with JWT tokens: https://github.com/sinbadxiii/phalcon-auth-jwt

A variant for the Zephir language has recently been rewritten. Once compiled, it works as a phalcon_auth.so extension.
https://github.com/sinbadxiii/cphalcon-auth
