PHPixie Authentication library
This is the base package of the PHPixie authentication subsystem, which is split into several components. This manual covers all of them for.
Authentication is the most critical part of any application, implementing it the right way is hard, and any errors can compromise a lot of user, especially in opensource projects. Using old hash functions, cryptographically unsecure random generators and the misues of cookies are sadly things we still encounter frequently. This is why I spent a lot of time to carefully implement authentication in PHPixie.
The last point is the most interesting and currently no other framework supports it out of the box. The idea behind it lies in the use of a special table for storing auth tokens.
This approach has huge benefits when compared to the usual approach of storing a single token in the users table:
And basically if your framework is storing the paristent token as-is in the database without hashing it, it is comparable to storing an unhashed password there. And there are still a lot of popular frameworks doing this, just take a look.
The initialization might seem a bit overwhelming, but that is because the architecture is highly modular and tries to minimize any unneeded dependencies. If you don’t need a particular extension, feel free to not build it. Of course if you are using the PHPixie framework all of this is handled automatically.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
$slice = new \PHPixie\Slice();
// The database component is only required if you need
// the token storage functionality
$database = new \PHPixie\Database($slice->arrayData(array(
'default' => array(
'driver' => 'pdo',
'connection' => 'sqlite::memory:'
)
)));
// the security component handles hashing, random numbers and tokens
$security = new \PHPixie\Security($database);
// This plugin allows using the login/password auth
$authLogin = new \PHPixie\AuthLogin($security);
// To use HTTP authorization we must first
// build an HTTP context
$http = new \PHPixie\HTTP();
$request = $http->request();
$context = $http->context($request);
$contextContainer = $http->contextContainer($context);
$authHttp = new \PHPixie\AuthHTTP($security, $contextContainer);
$authConfig = $slice->arrayData(array(
// config options
));
// This is your class that must impplement the
// \PHPixie\Auth\Repositories\Registry interface
$authRepositories = new AuthRepositories();
// Initialize the Auth system with both extensions
$auth = new \PHPixie\Auth($authConfig, $authRepositories, array(
$authLogin->providers(),
$authHttp->providers()
));
The first thing you need is a user repository. The most basic one is PHPixie\Auth\Repositories\Repository which only provides fetching users by their id. But for any practical use you will probably need the \PHPixie\AuthLogin\Repository interface, which allows for the password based login. You will need a repostory builder to pass to the Auth component:
1
2
3
4
5
6
7
8
9
10
class AuthRepositories extends \PHPixie\Auth\Repositories\Registry\Builder
{
protected function buildUserRepository()
{
return new YourRepository();
}
}
// that is the second parameter we passed to Auth
$authRepositories = new AuthRepositories();
If you are using the PHPixie ORM all you need is to extend the premade wrappers:
1
2
3
4
5
6
7
8
9
10
11
12
namespace Project\App\ORMWrappers\User;
// Repository wrapper
class Repository extends \PHPixie\AuthORM\Repositories\Type\Login
{
// You can supply multiple login fields,
// in this case its both usernam and email
protected function loginFields()
{
return array('username', 'email');
}
}
1
2
3
4
5
6
7
8
9
10
11
12
namespace Project\App\ORMWrappers\User;
// Entity wrapper
class Entity extends \PHPixie\AuthORM\Repositories\Type\Login\User
{
// get hashed password value
// from the field in the database
public function passwordHash()
{
return $this->passwordHash;
}
}
Don’t forget to register these wrappers with the ORM:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
namespace Project\App;
class ORMWrappers extends \PHPixie\ORM\Wrappers\Implementation
{
protected $databaseEntities = array('user');
protected $databaseRepositories = array('user');
public function userEntity($entity)
{
return new ORMWrappers\User\Entity($entity);
}
public function userRepository($repository)
{
return new ORMWrappers\User\Repository($repository);
}
}
And register an AuthRepositories class in your bundle
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
namespace Project\App;
class AuthRepositories extends \PHPixie\Auth\Repositories\Registry\Builder
{
protected $builder;
public function __construct($builder)
{
$this->builder = $builder;
}
protected function buildUserRepository()
{
$orm = $this->builder->components()->orm();
return $orm->repository('user');
}
}
1
2
3
4
5
6
7
8
9
namespace Project\App;
class Builder extends \PHPixie\DefaultBundle\Builder
{
protected function buildAuthRepositories()
{
return new AuthRepositories($this);
}
}
The configuration is split into domains. A domain is a context that consists of a repository and authentication providers. Usually your app will have only a single domain, but sometimes you may need more. E.g. imagine you have some sort of the social login for site users, but site administrators are logged in on a separate page using their database accounts.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
// /assets/auth.php
return array(
'domains' => array(
'default' => array(
// using the 'user' repository from the 'app' bundle
'repository' => 'app.user',
'providers' => array(
// include session support
'session' => array(
'type' => 'http.session'
),
// include persistent cookies (remember me)
'cookie' => array(
'type' => 'http.cookie',
// when a cookie is used to login
// persist login using session too
'persistProviders' => array('session'),
// token storage
'tokens' => array(
'storage' => array(
'type' => 'database',
'table' => 'tokens',
'defaultLifetime' => 3600*24*14 // two weeks
)
)
),
// password login suport
'password' => array(
'type' => 'login.password',
// remember the user in session
// note that we did not add 'cookies' to this array
// because we don't want every login to be persistent
'persistProviders' => array('session')
)
)
)
);
As you can see all providers are entirely independent of each other, whcih means we can alter the behavior easily. For example let’s assume that we don’t want to use sessions at all, just the cookie based login, and turn off token regeneration on each request:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
// /assets/auth.php
return array(
'domains' => array(
'default' => array(
'cookie' => array(
'type' => 'http.cookie',
// token storage
'tokens' => array(
'storage' => array(
'type' => 'database',
'table' => 'tokens',
'defaultLifetime' => 3600*24*14,
// don't refresh tokens
'refresh' => false
)
)
),
'password' => array(
'type' => 'login.password',
// persist lgoin with cookie
'persistProviders' => array('cookie')
)
)
)
);
In both examples we referenced a database table used to store tokens. In fact this can also be a MongoDB collection. The SQL for the table creation would be as follows:
1
2
3
4
5
6
7
CREATE TABLE `tokens` (
`series` varchar(50) NOT NULL,
`userId` int(11) DEFAULT NULL,
`challenge` varchar(50) DEFAULT NULL,
`expires` bigint(20) DEFAULT NULL,
PRIMARY KEY (`series`)
);
Now that we have everything configured, lets test how it all works together. Here is a simple processor:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
namespace Project\App\HTTPProcessors;
class Auth extends \PHPixie\DefaultBundle\Processor\HTTP\Actions
{
protected $builder;
public function __construct($builder)
{
$this->builder = $builder;
}
// Check if the user is logged in
public function defaultAction($request)
{
$user = $this->domain()->user();
return $user ? $user->username : 'not logged';
}
// Action for adding user to the database
public function addAction($request)
{
$query = $request->query();
$username = $query->get('username');
$password = $query->get('password');
$orm = $this->builder->components()->orm();
$provider = $this->domain()->provider('password');
$user = $orm->createEntity('user');
$user->username = $username;
// Hash password using the password provider
$user->passwordHash = $provider->hash($password);
$user->save();
return 'added';
}
// Attempt to login user using his password
public function loginAction($request)
{
$query = $request->query();
$username = $query->get('username');
$password = $query->get('password');
$provider = $this->domain()->provider('password');
$user = $provider->login($username, $password);
if($user) {
// Generate persistent login cookie
$provider = $this->domain()->provider('cookie');
$provider->persist();
}
return $user ? 'success' : 'wrong password';
}
// logout action
public function logoutAction($request)
{
$this->domain()->forgetUser();
return 'logged out';
}
protected function domain()
{
$auth = $this->builder->components()->auth();
return $auth->domain();
}
}
To test it try hitting these URLs:
At some point you will probably need to add your own login providers (e.g. for social networks), to do that you need to satisfy a PHPixie\Auth\Providers\Builder interface and pass it along with the other extensions. Try looking at the AuthLogin component for an example. If you are using the PHPixie Framework you can pass your custom extensions to the Auth component by overloading this method.