Provides a unified interface to local and remote authentication systems.

Overview

Aura.Auth

Provides authentication functionality and session tracking using various adapters; currently supported adapters are:

  • Apache htpasswd files
  • SQL tables via the PDO extension
  • IMAP/POP/NNTP via the imap extension
  • LDAP and Active Directory via the ldap extension
  • OAuth via customized adapters

Note that the purpose of this package is only to authenticate user credentials. It does not currently, and probably will not in the future, handle user account creation and management. That is more properly the domain of application-level functionality, or at least a separate Aura bundle.

Foreword

Installation

This library requires PHP 7.2 or later, and has no userland dependencies.

It is installable and autoloadable via Composer as aura/auth.

Alternatively, download a release or clone this repository, then require or include its autoload.php file.

Quality

Scrutinizer Code Quality Code Coverage Build Status

To run the unit tests at the command line, issue composer install and then vendor/bin/phpunit at the package root. This requires Composer to be available as composer.

This library attempts to comply with PSR-1, PSR-2, and PSR-4. If you notice compliance oversights, please send a patch via pull request.

Community

To ask questions, provide feedback, or otherwise communicate with the Aura community, please join our Google Group, follow @auraphp on Twitter, or chat with us on #auraphp on Freenode.

Getting Started

Instantiation

To track authentication state and related information, create an Auth object using the AuthFactory.

<?php
$auth_factory = new \Aura\Auth\AuthFactory($_COOKIE);
$auth = $auth_factory->newInstance();
?>

You can retrieve authentication information using the following methods on the Auth instance:

  • getUserName(): returns the authenticated username string

  • getUserData(): returns the array of optional arbitrary user data

  • getFirstActive(): returns the Unix time of first activity (login)

  • getLastActive(): return the Unix time of most-recent activity (generally that of the current request)

  • getStatus(): returns the current authentication status constant. These constants are:

    • Status::ANON -- anonymous/unauthenticated

    • Status::IDLE -- the authenticated session has been idle for too long

    • Status::EXPIRED -- the authenticated session has lasted for too long in total

    • Status::VALID -- authenticated and valid

  • isAnon(), isIdle(), isExpired(), isValid(): these return true or false, based on the current authentication status.

You can also use the set*() variations of the get*() methods above to force the Auth object to whatever values you like. However, because the values are stored in a $_SESSION segment, the values will not be retained if a session is not running.

To retain values in a session, you can start a session by force with session_start() on your own. Alternatively, it would be better to use one of the Aura.Auth package services to handle authentication and session-state management for you.

Services

This package comes with three services for dealing with authentication phases:

  • LoginService to log in and start (or resume) a session,

  • LogoutService to log out and remove the username and user data in the session (note that this does not destroy the session), and

  • ResumeService to resume a previously-started session.

You can create each by using the AuthFactory. For now, we will look at how to force login and logout; later, we will show how to have the service use a credential adapter.

Forcing Login

You can force the Auth object to a logged-in state by calling the LoginService forceLogin() method with a user name and optional arbitrary user data.

<?php
// the authentication status is currently anonymous
echo $auth->getStatus(); // ANON

// create the login service
$login_service = $auth_factory->newLoginService();

// use the service to force $auth to a logged-in state
$username = 'boshag';
$userdata = array(
    'first_name' => 'Bolivar',
    'last_name' => 'Shagnasty',
    'email' => '[email protected]',
);
$login_service->forceLogin($auth, $username, $userdata);

// now the authentication status is valid
echo $auth->getStatus(); // VALID
?>

Using forceLogin() has these side effects:

  • it starts a new session if one has not already been started, or resumes a previous session if one exists

  • it regenerates the session ID

The specified user name and user data will be stored in a $_SESSION segment, along with an authentication status of Status::VALID.

Note that forceLogin() does not check any credential sources. You as the application owner are forcing the Auth object to a logged-in state.

Forcing Logout

You can force the Auth object to a logged-out state by calling the LogoutService forceLogout() method.

<?php
// the authentication status is currently valid
echo $auth->getStatus(); // VALID

// create the logout service
$logout_service = $auth_factory->newLogoutService();

// use the service to force $auth to a logged-out state
$logout_service->forceLogout($auth);

// now the authentication status is anonymous/invalid
echo $auth->getStatus(); // ANON
?>

Using forceLogout() has these side effects:

  • it clears any existing username and user data from the $_SESSION segment

  • it regenerates the session ID

Note that forceLogout() does not check any credential sources. You as the application owner are forcing the Auth object to a logged-out state.

Note also that this does not destroy the session. This is because you may have other things you need in the session memory, such as flash messages.

Resuming A Session

When a PHP request ends, PHP saves the $_SESSION data for you. However, on the next request, PHP does not automatically start a new session for you, so $_SESSION is not automatically available.

You could start a new session yourself to repopulate $_SESSION, but that will incur a performance overhead if you don't actually need the session data. Similarly, there may be no need to start a session when there was no session previously (and thus no data to repopulate into $_SESSION). What we need is a way to start a session if one was started previously, but avoid starting a session if none was started previously.

The ResumeService exists to address this problem. When you call the resume() method on the ResumeService, it examines $_COOKIE to see if a session cookie is present:

  • If the cookie is not present, it will not start a session, and return to the calling code. This avoids starting a session when there is no $_SESSION data to be populated.

  • If the cookie is present, the ResumeService will start a session, thereby repopulating $_SESSION. Then it will update the authentication status depending on how long the session has been in place:

    • If the session has been idle for too long (i.e., too much time has passed since the last request), the ResumeService will log the user out automatically and return to the calling code.

    • If the session has expired (i.e., the total logged-in time has been too long), the ResumeService will likewise log the user out automatically and return to the calling code.

    • Otherwise, the ResumeService will update the last-active time on the Auth object and return to the calling code.

Generally, you will want to invoke the ResumeService at the beginning of your application cycle, so that the session data becomes available at the earliest opportunity.

<?php
// create the resume service
$resume_service = $auth_factory->newResumeService();

// use the service to resume any previously-existing session
$resume_service->resume($auth);

// $_SESSION has now been repopulated, if a session was started previously,
// meaning the $auth object is now populated with its previous values, if any
?>

Adapters

Forcing the Auth object to a particular state is fine for when you want to exercise manual control over the authentication status, user name, user data, and other information. However, it is more often the case that you will want to check user credential input (username and password) against a credential store. This is where the Adapter classes come in.

To use an Adapter with a Service, you first need to create the Adapter, then pass it to the AuthFactory new*Service() method.

Htpasswd Adapter

Instantiation

To create an adapter for Apache htpasswd files, call the AuthFactory newHtpasswdAdapter() method and pass the file path of the Apache htpasswd file.

<?php
$htpasswd_adapter = $auth_factory->newHtpasswdAdapter(
    '/path/to/accounts.htpasswd'
);
?>

This will automatically use the HtpasswdVerifier to check DES, MD5, and SHA passwords from the htpasswd file on a per-user basis.

Service Integration

You can then pass the Adapter to each Service factory method like so:

<?php
$login_service = $auth_factory->newLoginService($htpasswd_adapter);
$logout_service = $auth_factory->newLogoutService($htpasswd_adapter);
$resume_service = $auth_factory->newResumeService($htpasswd_adapter);
?>

To attempt a user login, pass an array with username and password elements to the LoginService login() method along with the Auth object:

<?php
$login_service->login($auth, array(
    'username' => 'boshag',
    'password' => '12345'
));
?>

For more on LoginService idioms, please see the Service Idioms section. (The LogoutService and ResumeService do not need credential information.)

IMAP/POP/NNTP Adapter

Instantiation

To create an adapter for IMAP/POP/NNTP servers, call the AuthFactory newImapAdapter() method and pass the mailbox specification string, along with any appropriate option constants:

<?php
$imap_adapter = $auth_factory->newImapAdapter(
    '{mail.example.com:143/imap/secure}',
    OP_HALFOPEN
);
?>

N.b.: See the imap_open() documentation for more variations on mailbox specification strings.

Service Integration

You can then pass the Adapter to each Service factory method like so:

<?php
$login_service = $auth_factory->newLoginService($imap_adapter);
$logout_service = $auth_factory->newLogoutService($imap_adapter);
$resume_service = $auth_factory->newResumeService($imap_adapter);
?>

To attempt a user login, pass an array with username and password elements to the LoginService login() method along with the Auth object:

<?php
$login_service->login($auth, array(
    'username' => 'boshag',
    'password' => '12345'
));
?>

For more on LoginService idioms, please see the Service Idioms section. (The LogoutService and ResumeService do not need credential information.)

LDAP Adapter

Instantiation

To create an adapter for LDAP and Active Directory servers, call the AuthFactory newLdapAdapter() method and pass the server name with a distinguished name (DN) format string:

<?php
$ldap_adapter = $auth_factory->newLdapAdapter(
    'ldaps://ldap.example.com:636',
    'ou=Company Name,dc=Department Name,cn=users,uid=%s'
);
?>

N.b.: The username will be escaped and then passed to the DN format string via sprintf(). The completed DN will be used for binding to the server after connection.

Service Integration

You can then pass the Adapter to each Service factory method like so:

<?php
$login_service = $auth_factory->newLoginService($ldap_adapter);
$logout_service = $auth_factory->newLogoutService($ldap_adapter);
$resume_service = $auth_factory->newResumeService($ldap_adapter);
?>

To attempt a user login, pass an array with username and password elements to the LoginService login() method along with the Auth object:

<?php
$login_service->login($auth, array(
    'username' => 'boshag',
    'password' => '12345'
));
?>

For more on LoginService idioms, please see the Service Idioms section. (The LogoutService and ResumeService do not need credential information.)

PDO Adapter

Instantiation

To create an adapter for PDO connections to SQL tables, call the AuthFactory newPdoAdapter() method and pass these parameters in order:

  • a PDO connection instance

  • a indication of how passwords are hashed in the database:

    • if a PASSWORD_* constant from PHP 5.5 and up, it is treated as password_hash() algorithm for a PasswordVerifier instance (this is the preferred method)

    • if a string, it is treated as a hash() algorithm for a HashVerifier instance

    • otherwise, it is expected to be an implementation of VerifierInterface

  • an array of column names: the first element is the username column, the second element is the hashed-password column, and additional columns are used as extra user information to be selected and returned from the database

  • a FROM specification string to indicate one or more table names, with any other JOIN clauses you wish to add

  • an optional WHERE condition string; use this to add extra conditions to the SELECT statement built by the adapter

Here is a legacy example where passwords are MD5 hashed in an accounts table:

<?php
$pdo = new \PDO(...);
$hash = new PasswordVerifier('md5');
$cols = array('username', 'md5password');
$from = 'accounts';
$pdo_adapter = $auth_factory->newPdoAdapter($pdo, $hash, $cols, $from);
?>

Here is a modern, more complex example that uses bcrypt instead of md5, retrieves extra user information columns from joined tables, and filters for active accounts:

<?php
$pdo = new \PDO(...);
$hash = new PasswordVerifier(PASSWORD_BCRYPT);
$cols = array(
    'accounts.username', // "AS username" is added by the adapter
    'accounts.bcryptpass', // "AS password" is added by the adapter
    'accounts.uid AS uid',
    'userinfo.email AS email',
    'userinfo.uri AS website',
    'userinfo.fullname AS display_name',
);
$from = 'accounts JOIN profiles ON accounts.uid = profiles.uid';
$where = 'accounts.active = 1';
$pdo_adapter = $auth_factory->newPdoAdapter($pdo, $hash, $cols, $from, $where);
?>

(The additional information columns will be retained in the session data after successful authentication.)

Service Integration

You can then pass the Adapter to each Service factory method like so:

<?php
$login_service = $auth_factory->newLoginService($pdo_adapter);
$logout_service = $auth_factory->newLogoutService($pdo_adapter);
$resume_service = $auth_factory->newResumeService($pdo_adapter);
?>

To attempt a user login, pass an array with username and password elements to the LoginService login() method along with the Auth object:

<?php
$login_service->login($auth, array(
    'username' => 'boshag',
    'password' => '12345'
));
?>

For more on LoginService idioms, please see the Service Idioms section. (The LogoutService and ResumeService do not need credential information.)

Custom Adapters

Although this package comes with multiple Adapter classes, it may be that none of them fit your needs.

You may wish to extend one of the existing adapters to add login/logout/resume behaviors. Alternatively, you can create an Adapter of your own by implementing the AdapterInterface on a class of your choosing:

<?php
use Aura\Auth\Adapter\AdapterInterface;
use Aura\Auth\Auth;
use Aura\Auth\Status;

class CustomAdapter implements AdapterInterface
{
    // AdapterInterface::login()
    public function login(array $input)
    {
        if ($this->isLegit($input)) {
            $username = ...;
            $userdata = array(...);
            $this->updateLoginTime(time());
            return array($username, $userdata);
        } else {
            throw CustomException('Something went wrong.');
        }
    }

    // AdapterInterface::logout()
    public function logout(Auth $auth, $status = Status::ANON)
    {
        $this->updateLogoutTime($auth->getUsername(), time());
    }

    // AdapterInterface::resume()
    public function resume(Auth $auth)
    {
        $this->updateActiveTime($auth->getUsername(), time());
    }

    // custom support methods not in the interface
    protected function isLegit($input) { ... }

    protected function updateLoginTime($time) { ... }

    protected function updateActiveTime($time) { ... }

    protected function updateLogoutTime($time) { ... }
}
?>

You can then pass an instance of the custom adapter when creating services through the AuthFactory methods:

<?php
$custom_adapter = new CustomAdapter;
$login_service = $auth_factory->newLoginService($custom_adapter);
$logout_service = $auth_factory->newLogoutService($custom_adapter);
$resume_service = $auth_factory->newResumeService($custom_adapter);
?>
OAuth Adapters

Should you desire to handle your authentication through a 3rd party service that uses OAuth 2.0, you'll need to write an adapter that implements Aura\Auth\Adapter\AdapterInterface and provide your own implementation for fetching the access token and user information. Your implementation can be something you've written yourself or it can be an existing OAuth2 client.

The following example will demonstrate how you'd go about creating this adapter using the PHP League's OAuth2 Client. We'll also be using Github as the service provider for this example.

<?php
namespace OAuth2\Adapter;

use Aura\Auth\Adapter\AdapterInterface;
use Aura\Auth\Exception;
use Aura\Auth\Auth;
use Aura\Auth\Status;
use League\OAuth2\Client\Provider\AbstractProvider;

class LeagueOAuth2Adapter implements AdapterInterface
{

    /**
     * @var \League\OAuth2\Client\Provider\IdentityProvider
     * The identity provider that the adapter will use
     */
    protected $provider;

    public function __construct(AbstractProvider $provider)
    {
        $this->provider = $provider;
    }

    /**
     * @param $input an input containing the OAuth 2 code
     * @return array the username and details for the user
     * @throws \Aura\Auth\Exception
     * This method must be implemented to fulfill the contract
     * with AdapterInterface
     */
    public function login(array $input)
    {
        if (!isset($input['code'])) {
            throw new Exception('Authorization code missing.');
        }

        $token = $this->provider->getAccessToken(
            'authorization_code',
            array('code' => $input['code'])
        );

        $details = $this->provider->getResourceOwner($token);
        $data = [
            'name' => $details->getName(),
            'email' => $details->getEmail(),
        ];
        $data['token'] = $token;
        $username = $data['email'];
        return [$username, $data];
    }

    /**
     * @param Auth $auth
     * Logout method is required to fulfill the contract with AdapterInterface
     */
    public function logout(Auth $auth, $status = Status::ANON)
    {
        //nothing to do here
    }

    /**
     * @param Auth $auth
     * Resume method required to fulfill the contract with AdapterInterface
     */
    public function resume(Auth $auth)
    {
        // nothing to do here
    }
}
?>

As you can see in the code, your adapter will be accepting a client as a parameter and using that client to fulfill the \Aura\Auth\Adapter\AdapterInterface contract. This adapter would be commonly used in an OAuth2 Callback process. Essentially, once you provide your credentials and authenticate with the 3rd Party service (in this case Github), you will be redirected back to a script on your server where you'll have to verify that you sent the request by sending an verification code back to the service. This is why it's a good idea to use a good OAuth2 client in lieu of writing your own. Below is an example of what this OAuth2 callback code might look like.

<?php
namespace OAuth2;

use Aura\Auth\AuthFactory;
use League\OAuth2\Client\Provider\Github;
use OAuth2\Adapter\LeagueOAuth2Adapter;
use Aura\Auth\Exception;

require_once 'vendor/autoload.php';

$auth_factory = new AuthFactory($_COOKIE);
$auth = $auth_factory->newInstance();

$github_provider = new Github(array(
    'clientId' => 'xxxxxxxxxxxxxxxx',
    'clientSecret' => 'xxxxxxxxxxxxxxxxxxxx',
    'redirectUri' => 'http://aura.auth.dev/'
));

if (!isset($_GET['code'])) {
    header('Location: ' . $github_provider->getAuthorizationUrl());
    exit;
} else {
    $oauth_adapter = new LeagueOAuth2Adapter($github_provider);
    $login_service = $auth_factory->newLoginService($oauth_adapter);
    try {
        // array is the username and an array of info and indicates successful
        // login
        $data = $login_service->login($auth, $_GET);
    } catch (Exception $e) {
        // handle the exception
    }
}
?>

The fact that not every 3rd Party Service returns data the same way means it's not reasonable for Aura to try to handle every different data set out of the box. By writing this little bit of code, you can easily implement Aura Auth for your 3rd Party OAuth2 services.

Service Idioms

Resuming A Session

This is an example of the code needed to resume a pre-existing session. Note that the echo statements are intended to explain the different resulting states of the resume() call, and may be replaced by whatever logic you feel is appropriate. For example, you may wish to redirect to a login page when a session has idled or expired.

<?php
$auth = $auth_factory->newInstance();

$resume_service = $auth_factory->newResumeService(...);
$resume_service->resume($auth);

switch (true) {
    case $auth->isAnon():
        echo "You are not logged in.";
        break;
    case $auth->isIdle():
        echo "Your session was idle for too long. Please log in again.";
        break;
    case $auth->isExpired():
        echo "Your session has expired. Please log in again.";
        break;
    case $auth->isValid():
        echo "You are still logged in.";
        break;
    default:
        echo "You have an unknown status.";
        break;
}
?>

N.b.: Instead of creating the Auth and ResumeService objects by hand, you may wish to use a dependency injection container such as Aura.Di to retain them for shared use throughout your application.

Logging In

This is an example of the code needed to effect a login. Note that the echo and $log statements are intended to explain the different resulting states of the login() call, and may be replaced by whatever logic you feel is appropriate; in particular, you should probably not expose the exact nature of the failure, to help mitigate brute-force attempts.

<?php

class InvalidLoginException extends Exception {}

$auth = $auth_factory->newInstance();

$login_service = $auth_factory->newLoginService(...);

try {

    $login_service->login($auth, array(
        'username' => $_POST['username'],
        'password' => $_POST['password'],
    );
    echo "You are now logged into a new session.";

} catch (\Aura\Auth\Exception\UsernameMissing $e) {

    $log->notice("The 'username' field is missing or empty.");
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\PasswordMissing $e) {

    $log->notice("The 'password' field is missing or empty.");
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\UsernameNotFound $e) {

    $log->warning("The username you entered was not found.");
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\MultipleMatches $e) {

    $log->warning("There is more than one account with that username.");
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\PasswordIncorrect $e) {

    $log->notice("The password you entered was incorrect.");
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\ConnectionFailed $e) {

    $log->notice("Cound not connect to IMAP or LDAP server.");
    $log->info("This could be because the username or password was wrong,");
    $log->info("or because the the connect operation itself failed in some way. ");
    $log->info($e->getMessage());
    throw new InvalidLoginException();

} catch (\Aura\Auth\Exception\BindFailed $e) {

    $log->notice("Cound not bind to LDAP server.");
    $log->info("This could be because the username or password was wrong,");
    $log->info("or because the the bind operation itself failed in some way. ");
    $log->info($e->getMessage());
    throw new InvalidLoginException();

} catch (InvalidLoginException $e) {

    echo "Invalid login details. Please try again.";

}
?>

N.b.: Instead of creating the Auth and LoginService objects by hand, you may wish to use a dependency injection container such as Aura.Di to retain them for shared use throughout your application.

Alternatively, you may wish to use credentials from the HTTP Authorization: Basic headers instead of using $_POST or other form-related inputs. On Apache mod_php you might use the auto-populated $_SERVER['PHP_AUTH_*'] values:

<?php
$authorization_basic = function () {
    return array(
        isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null,
        isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : null,
    );
}

list($username, $password) = $authorization_basic();
$login_service->login($auth, array(
    'username' => $username,
    'password' => $password,
));
?>

On other servers you may need to extract the credentials from the Authorization: Basic header itself:

<?php
$authorization_basic = function () {

    $header = isset($_SERVER['HTTP_AUTHORIZATION'])
            ? $_SERVER['HTTP_AUTHORIZATION']
            : '';

    if (strtolower(substr($header, 0, 6)) !== 'basic ') {
        return array(null, null);
    }

    $encoded = substr($header, 6);
    $decoded = base64_decode($encoded);
    return explode(':', $decoded);

}

list($username, $password) = $authorization_basic();
$login_service->login($auth, array(
    'username' => $username,
    'password' => $password,
));
?>

Logging Out

This is an example of the code needed to effect a logout. Note that the echo statements are intended to explain the different resulting states of the logout() call, and may be replaced by whatever logic you feel is appropriate.

<?php
$auth = $auth_factory->newInstance();

$logout_service = $auth_factory->newLogoutService(...);

$logout_service->logout($auth);

if ($auth->isAnon()) {
    echo "You are now logged out.";
} else {
    echo "Something went wrong; you are still logged in.";
}
?>

N.b.: Instead of creating the Auth and LogoutService objects by hand, you may wish to use a dependency injection container such as Aura.Di to retain them for shared use throughout your application.

Custom Services

You are not restricted to the login, logout, and resume services provided by this package. However, if you build a service of your own, or if you extend one of the provided services, you will have to instantiate that customized service object manually, instead of using the AuthFactory. This can be tedious but is not difficult, especially when using a dependency injection container system such as Aura.Di.

Session Management

The Service objects use a Session object to start sessions and regenerate session IDs. (Note that they do not destroy sessions.) The Session object uses the native PHP session_*() functions to manage sessions.

Custom Sessions

If you wish to use an alternative means of managing sessions, implement the SessionInterface on an object of your choice. One way to do this is by by wrapping a framework-specific session object and proxying the SessionInterface methods to the wrapped object:

<?php
use Aura\Auth\Session\SessionInterface;

class CustomSession implements SessionInterface
{
    protected $fwsession;

    public function __construct(FrameworkSession $fwsession)
    {
        $this->fwsession = $fwsession;
    }

    public function start()
    {
        return $this->fwsession->startSession();
    }

    public function resume()
    {
        if ($this->fwsession->isAlreadyStarted()) {
            return true;
        }

        if ($this->fwsession->canBeRestarted()) {
            return $this->fwsession->restartSession();
        }

        return false;
    }

    public function regenerateId()
    {
        return $this->fwsession->regenerateSessionId();
    }
}
?>

Then pass that custom session object to the AuthFactory instantiation:

<?php
use Aura\Auth\AuthFactory;

$custom_session = new CustomSession(new FrameworkSession);
$auth_factory = new AuthFactory($_COOKIE, $custom_session);
?>

The factory will pass your custom session object wherever it is needed.

Working Without Sessions

In some situations, such as with APIs where credentials are provided with every request, it may be beneficial to avoid sessions altogether. In this case, pass a NullSession and NullSegment to the AuthFactory:

<?php
use Aura\Auth\AuthFactory;
use Aura\Auth\Session\NullSession;
use Aura\Auth\Session\NullSegment;

$null_session = new NullSession;
$null_segment = new NullSegment;
$auth_factory = new AuthFactory($_COOKIE, $null_session, $null_segment);
?>

With the NullSession, no session will ever be started, and no session ID will be created or regenerated. Likewise, no session will ever be resumed, because it will never have been saved at the end of the previous request. Finally, PHP will never create a session cookie to send in the response.

Similarly, the NullSegment retains authentication information in an object property instead of in a $_SESSION segment. Unlike the normal Segment, which only retains data when $_SESSION is present, the NullSegment will always retain data that is set into it. When the request is over, all information retained in the NullSegment will disappear.

When using the NullSession and NullSegment, you will have to check credentials via the LoginService login() or forceLogin() method on each request, which in turn will retain the authentication information in the Segment. In an API situation this is often preferable to managing an ongoing session.

N.b. In an API situation, the credentials may be an API token, or passed as HTTP basic or digest authentication headers. Pass these to the adapter of your choice.

DI Configuration

Here are some hints regarding configuration of Aura.Auth via Aura.Di.

Aura\Auth\Adapter\HtpasswdAdapter

<?php
$di->params['Aura\Auth\Adapter\HtpasswdAdapter'] = array(
    'file' => '/path/to/htpasswdfile',
);
?>

Aura\Auth\Adapter\ImapAdapter

<?php
$di->params['Aura\Auth\Adapter\ImapAdapter'] = array(
    'mailbox' => '{mail.example.com:143/imap/secure}',
);
?>

Aura\Auth\Adapter\LdapAdapter

<?php
$di->params['Aura\Auth\Adapter\LdapAdapter'] = array(
    'server' => 'ldaps://ldap.example.com:636',
    'dnformat' => 'ou=Company Name,dc=Department Name,cn=users,uid=%s',
);
?>

Aura\Auth\Adapter\PdoAdapter

<?php
$di->params['Aura\Auth\Adapter\PdoAdapter'] = array(
    'pdo' => $di->lazyGet('your_pdo_connection_service'),
    'cols' => array(
        'username_column',
        'password_column',
    ),
    'from' => 'users_table',
    'where' => '',
);
?>
Comments
  • Correctly skip PDO tests if required pdo_sqlite extension not enabled.

    Correctly skip PDO tests if required pdo_sqlite extension not enabled.

    Previously, if pdo_sqlite was disabled, tests failed.

    Changed behavior to skip these tests if required extension is not available:

    PHPUnit 5.1.4 by Sebastian Bergmann and contributors.
    
    ..............SSSSSSSSS..SS...................................... 65 / 81 ( 80%)
    ................                                                  81 / 81 (100%)
    
    Time: 623 ms, Memory: 10.00Mb
    
    OK, but incomplete, skipped, or risky tests!
    Tests: 81, Assertions: 132, Skipped: 11.
    

    Tests still run correctly when pdo_sqlite is enabled:

    PHPUnit 5.1.4 by Sebastian Bergmann and contributors.
    
    ................................................................. 65 / 81 ( 80%)
    ................                                                  81 / 81 (100%)
    
    Time: 628 ms, Memory: 10.00Mb
    
    OK (81 tests, 147 assertions)
    
    opened by mprelude 16
  • Adding my first draft of the OAuth2 Adapter code  to the readme

    Adding my first draft of the OAuth2 Adapter code to the readme

    First go at this, this is using League OAuth 2.0 client 0.3.0 and dev-master of Aura.Auth - I've written the code and tested it and it works. Just let me know if anything reads weird or any other changes you have, also if I need to make this PR against master (which I just now considered, I can do that too).

    opened by mfrost503 15
  • A facade to hide the complexity of auth, resume

    A facade to hide the complexity of auth, resume

    ~~@pmjones the test fails.~~

    But this is the idea I would like to share.

    $auth_factory = new AuthFactory($_COOKIE);
    $adapter = $auth_factory->newPdoAdapter(
        $pdo,
        new PasswordVerifier('md5'),
        array('username', 'password', 'active'),
        'accounts',
        null
    );
    $auth_facade = new AuthFacade($auth_factory, $adapter);
    

    I don't know whether the naming of facade is also nice approach here. But the reason is to make it simple to call.

    $auth_facade->login($input);
    $auth_facade->logout();
    $auth_facade->getStatus();
    

    Thank you.

    opened by harikt 11
  • Fix meaningful timeout values patch.

    Fix meaningful timeout values patch.

    My PR #84 was an incomplete fix for issue #81. Two other source changes need to get the same better timeout values. And the 2 unit tests which test that code also need to be updated. This commit fixes those problems. My apologies.

    opened by cxj 6
  • PDO: Thrown exception error messages

    PDO: Thrown exception error messages

    Is there a reason no error messages are include with thrown exceptions (ie: "Exception\PasswordIncorrect" or "Exception\UsernameNotFound"? Is it an i18n concern?

    opened by quasipickle 6
  • Increase query flexibility

    Increase query flexibility

    PdoAdapter.php has the username column name hardcoded into the where clause. Since the documentation states that the first element in $cols must be the username column, I've updated buildSelectWhere() to use that name instead.

    opened by quasipickle 6
  • Columns first and second params feels it is username / password

    Columns first and second params feels it is username / password

    The cols

    $cols = array(
        'username',
        'password',
        'id',
        'email',
        'fullname',
        'website',
        'twitter'
    );
    
    $from = 'users';
    $where = 'active = 1';
    
    $pdoadapter = $auth_factory->newPdoAdapter(
        $dbh,
        PASSWORD_BCRYPT,
        $cols,
        $from,
        $where
    );
    

    assumes the array first and second value is username / password. That is a wrong assumption . May be we pass an associative array and don't use $cols[0] and $cols[1] in https://github.com/auraphp/Aura.Auth/blob/421bc6e91ca12881d4d5ccac0905a7805c5b3d5b/src/Adapter/PdoAdapter.php#L96-L105

    bug enhancement 
    opened by harikt 5
  • If password changes, session is still valid.

    If password changes, session is still valid.

    Consider the scenario: 1- User logs in into the system successfully: auth->isValid() is true. 2- An entity changes the password in the database 3- Check auth->isValid() is also still true. But since the password is invalid, the session should be invalidated.

    opened by azaiter 4
  • Missing return values, or changed API and docblock out of date?

    Missing return values, or changed API and docblock out of date?

    The code here at ResumeService::resume() says the method returns a boolean indicating whether the session still exists. But the method does not return a value at all.

    Should the docblock be updated to not mention a return value, or should the code be corrected to actually return the documented value?

    opened by cxj 4
  • PdoAdapter ignores custom

    PdoAdapter ignores custom "username" column

    The SQL statement built to fetch user data is hard-coded to use "username" as a column name - even though the PdoAdapter constructor allows the user to specify some other column name where the "username" value is stored.

    enhancement 
    opened by alc 4
  • PHP 7.4 compatibility

    PHP 7.4 compatibility

    There is problem with AuraAuth in PHP 7.4.

    The algorithm is no longer integer. Now it's a string.

    So to fix the warning hash(): Unknown hashing algorithm: 2y in (...)\aura\auth\src\Verifier\PasswordVerifier.php on line 57 I have changed this method:

        public function verify($plaintext, $hashvalue, array $extra = array())
        {
            if (is_string($this->algo)) {
                return hash($this->algo, $plaintext) === $hashvalue;
            } else {
                return password_verify($plaintext, $hashvalue);
            }
        }
    

    this way:

        public function verify($plaintext, $hashvalue, array $extra = array())
        {
            return password_verify($plaintext, $hashvalue);
        }
    

    Is any official update possible?

    bug 4.x 
    opened by Qrzysio 3
  • Aura.Session compatibility

    Aura.Session compatibility

    It would be nice if Aura.Auth was "plug compatible" with Aura.Session, so that the included session management could be easily replaced and enhanced by the more featured Aura.Session.

    enhancement 4.x 
    opened by cxj 12
  • Sessions, remember me functionality and other things.

    Sessions, remember me functionality and other things.

    Recently I had to think of a way to persist the authentication tokens(basically sessions), but I don't see why everyone is about using the $_SESSION. Now I know it's easy to use, but isn't it bad for performance?(While some may say we can use SQL, storing a blob object in there is ugly). So why do we need to use $_SESSION - we also have the problems of read/write sync as well, since sessions are like mutexes and we must explicitly close them to allow multiple concurrent requests.(No streaming data otherwise either).

    So, since we have a database anyway, isn't it better to just put our sessions in there? But if we put them there - there is the limitation, we have certain fields and we don't just serialize objects and mash them up. Bad for performance, unmanageable and ugly. Even worst - if our user has been changed, we must first get our $_SESSION and then ask the database about it. Bad.

    So my idea is - to add an authentication that is a mix of both Session and Remember me - a normal cookie whose value references a session in our database. So when logging in - if a user selects remember me, we can just set a field in there to true. So if he is inactive for a long time, the system may boot him out, but we can still get his data from the session and autofill his username/etc.

    But when using an Rest API, rather than depending on a cookie, we should make it so that a header can be used.(which will save us from XSRF and Cors attacks if Cors is enabled). For normal, non-rest api based applications, forms can contain a hidden XSRF field. But then again - perhaps for a Rest API - one should just use a stateless authentication sending the user and pass plus a nonce every time(kinda like WSSE).

    question 
    opened by mivanov93 1
  • Add ldap bind user

    Add ldap bind user

    It is considered good practice to have ldap authentication libraries first bind using a service account, then run a search for the user and finally try to bind (and thus authenticate) using the provided credentials.

    As an added bonus, that would enable supports for multi-level user trees, which the current implementation does not support.

    enhancement 
    opened by t0xicCode 13
  • Add

    Add "remember me" functionality

    Probably via a RememberInterface injected into Auth, or perhaps by moving the "resume" functionality into an extensible ResumeInterface.

    Will also need a new status to indicate the user is "remembered" and did not pass credentials, along with related methods.

    enhancement 
    opened by pmjones 12
Releases(4.0.2)
Owner
Aura for PHP
High-quality, well-tested, standards-compliant, decoupled libraries that can be used in any codebase.
Aura for PHP
Rinvex Authy is a simple wrapper for @Authy TOTP API, the best rated Two-Factor Authentication service for consumers, simplest 2fa Rest API for developers and a strong authentication platform for the enterprise.

Rinvex Authy Rinvex Authy is a simple wrapper for Authy TOTP API, the best rated Two-Factor Authentication service for consumers, simplest 2fa Rest AP

Rinvex 34 Feb 14, 2022
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server.

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server.

Apereo Foundation 780 Dec 24, 2022
Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs.

Introduction Laravel Sanctum provides a featherweight authentication system for SPAs and simple APIs. Official Documentation Documentation for Sanctum

The Laravel Framework 2.4k Dec 30, 2022
EvaOAuth provides a standard interface for OAuth1.0(a) / OAuth2.0 client authorization, it is easy to integrate with any PHP project by very few lines code.

EvaOAuth EvaOAuth provides a standard interface for OAuth1.0 / OAuth2.0 client authorization, it is easy to integrate with any PHP project by very few

AlloVince 256 Nov 16, 2022
EvaOAuth provides a standard interface for OAuth1.0(a) / OAuth2.0 client authorization, it is easy to integrate with any PHP project by very few lines code.

EvaOAuth EvaOAuth provides a standard interface for OAuth1.0 / OAuth2.0 client authorization, it is easy to integrate with any PHP project by very few

AlloVince 261 Jan 17, 2022
Auth is a module for the Yii PHP framework that provides a web user interface for Yii's built-in authorization manager

Auth is a module for the Yii PHP framework that provides a web user interface for Yii's built-in authorization manager (CAuthManager). You can read more about Yii's authorization manager in the framework documentation under Authentication and Authorization.

Christoffer Niska 134 Oct 22, 2022
A minimal package that helps you login with any password on local environments

Laravel Anypass Built with ❤️ for every "lazy" laravel developer ;) It is always painful to remember and type in the correct password in the login for

Iman 208 Jan 1, 2023
A Blade component to quickly login to your local environment

Quickly login to your local environment When developing an app that has an admin section (or any non-public section), you'll likely seed test users to

Spatie 233 Dec 22, 2022
API stubs for developing a plugin that provides a 2FA authentication factor in JobRouter®.

Authentication Factor API JobRouter® is a scalable digitisation platform which links processes, data and documents. Starting with JobRouter® 5.2, a se

JobRouter 4 Nov 4, 2021
Laravel Auth is a Complete Build of Laravel 8 with Email Registration Verification, Social Authentication, User Roles and Permissions, User Profiles, and Admin restricted user management system.

Laravel Auth is a Complete Build of Laravel 8 with Email Registration Verification, Social Authentication, User Roles and Permissions, User Profiles, and Admin restricted user management system. Built on Bootstrap 4.

Jeremy Kenedy 2.8k Dec 31, 2022
Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use

Introduction Laravel Passport is an OAuth2 server and API authentication package that is simple and enjoyable to use. Official Documentation Documenta

The Laravel Framework 3.1k Dec 31, 2022
Minimal Laravel authentication scaffolding with Blade and Tailwind.

Introduction Breeze provides a minimal and simple starting point for building a Laravel application with authentication. Styled with Tailwind, Breeze

The Laravel Framework 2.1k Jan 3, 2023
This is registration and authentication forms written in PHP, JQuery

Registration-form This is registration and authentication forms written in PHP, JQuery Each file is: header.php - html-file for links "Главная", "Реги

Galina 2 Nov 2, 2021
Authentication and authorization library for Codeigniter 4

Authentication and Authorization Library for CodeIgniter 4. This library provides an easy and simple way to create login, logout, and user registratio

Rizky Kurniawan 12 Oct 10, 2022
Backend controllers and scaffolding for Laravel authentication.

Introduction Laravel Fortify is a frontend agnostic authentication backend for Laravel. Fortify powers the registration, authentication, and two-facto

The Laravel Framework 1.4k Dec 20, 2022
Social OAuth Authentication for Laravel 5. drivers: facebook, github, google, linkedin, weibo, qq, wechat and douban

Social OAuth Authentication for Laravel 5. drivers: facebook, github, google, linkedin, weibo, qq, wechat and douban

安正超 330 Nov 14, 2022
PHP class to generate and verify Google Authenticator 2-factor authentication

Google Authenticator PHP class Copyright (c) 2012-2016, http://www.phpgangsta.de Author: Michael Kliewe, @PHPGangsta and contributors Licensed under t

Michael Kliewe 2.1k Jan 2, 2023
PSR-7 and PSR-15 JWT Authentication Middleware

PSR-7 and PSR-15 JWT Authentication Middleware This middleware implements JSON Web Token Authentication. It was originally developed for Slim but can

Mika Tuupola 782 Dec 18, 2022
Log user authentication details and send new device notifications.

Laravel Authentication Log is a package which tracks your user's authentication information such as login/logout time, IP, Browser, Location, etc. as well as sends out notifications via mail, slack, or sms for new devices and failed logins.

John S Nwanosike 2 Mar 13, 2022