About the implementation of Remember Me using AuthenticationPlugin's Cookie Authenticator - authentication

I use CakePHP's AuthenticationPlugin. I was trying to implement RememberMe functionality into this.
I found the following article when I was reading the Cakephp documentation.
Cookie Authenticator aka “Remember Me”
However, the documentation here is difficult for me to understand. I have no idea what to do with it.
I've successfully implemented EncryptedCookieMiddleware. I have no idea what to do after that.
I don't know how to use rememberMeField, how to use fields and how to use cookies.
$this->Authentication->rememberMeField
$this->Authentication->fields
I tried to see if I could use it like these, but it was still no good.
Please let me know how to use these.
Also, do you know of any RememberMe tutorials?
How do I implement it?
Sorry. Please help me...
// in config/app.php
'Security' => [
.....
'cookieKey' => env('SECURITY_COOKIE_KEY', 'AnyString'), // <- add
],
// in src/Application.php
use Cake\Http\Middleware\EncryptedCookieMiddleware; // <- add
// in middleware()
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
$cookies = new EncryptedCookieMiddleware( // <- add
['mail', 'password'],
Configure::read('Security.cookieKey')
);
$middlewareQueue
// . . .
->add($cookies) // <-add
->add(new AuthenticationMiddleware($this));
So far I've been able to implement it myself. I'm confident.
The problem is after this. We have no idea what to do with it...
A Remember me checkbox was implemented in the template Form.
$this->request->getData('rememberMe'); to get it.
If this is 1, the checkbox was pressed.
// in src/Controller/UsersController
public function login()
{
$this->request->allowMethod(['get', 'post']);
if ($this->request->is('post')) {
$result = $this->Authentication->getResult();
// If the user is logged in, whether POST or GET, we will redirect
$requestGetData = $this->request->getData('rememberMe');
if ($requestGetData['rememberMe'] == 1){
$this->Authentication->cookie['name'] = $requestGetData['mail'];
$this->Authentication->cookie['name'] = $requestGetData['password']
}
if ($result->isValid()) {
$redirect = $this->request->getQuery('redirect', [
'controller' => 'Stores',
'action' => 'index',
]);
return $this->redirect($redirect);
}
// If the user fails to authenticate after submitting, an error is displayed.
if (!$result->isValid()) {
$this->Flash->error(__('Your email address or password is incorrect.'));
}
}
$title = $this->config('Users.title.login');
$message = $this->config('Users.message.login');
$this->set(compact('login_now', 'title', 'message'));
}
I know that's not true. But I tried to implement something like this just in case.
Please help me!
Changed around the login.
public function login()
{
$this->request->allowMethod(['get', 'post']);
if ($this->request->is('post')) {
$result = $this->Authentication->getResult();
$requestData = $this->request->getData();
if ($result->isValid()) {
$redirect = $this->request->getQuery('redirect', [
'controller' => 'Stores',
'action' => 'index',
]);
$this->Authentication->getAuthenticationService()->loadAuthenticator( 'Authentication.Cookie', [
'fields' => ['mail', 'password']
]
);
return $this->redirect($redirect);
}
if ($this->request->is('post') && !$result->isValid()) {
$this->Flash->error(__('Your email address or password is incorrect.'));
}
}
$title = $this->config('Users.title.login');
$message = $this->config('Users.message.login');
$this->set(compact('title', 'message'));
}

You're not supposed to load authenticators in your controllers, authentication happens at middleware level, before any of your controllers are being invoked.
The cookie authenticator is ment to be loaded and configured just like any other authenticator, that is where you create the authentication service, usually in Application::getAuthenticationService() in src/Application.php.
By default the field in the form must be remember_me, not rememberMe, that is unless you would configure the cookie authenticator's rememberMeField option otherwise.
Furthermore the default cookie name of the cookie authenticator is CookieAuth, so if you wanted to encrypt it, you'd have to use that name in the EncryptedCookieMiddleware config accordingly.
tl;dr
Remove all cookie related code from your controller, and load the authenticator in your Application::getAuthenticationService() method:
use Authentication\Identifier\IdentifierInterface;
// ...
public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
{
$service = new AuthenticationService();
// ...
// The cookie authenticator should be loaded _after_ the session authenticator,
// and _before_ other authenticators like the form authenticator
$service->loadAuthenticator('Authentication.Cookie', [
// 'rememberMeField' => 'custom_form_field_name', // if you want to change the default
'fields' => [
IdentifierInterface::CREDENTIAL_USERNAME => 'mail',
IdentifierInterface::CREDENTIAL_PASSWORD => 'password',
],
]);
// ...
return $service;
}
set the authentication cookie name in the EncryptedCookieMiddleware config:
$cookies = new EncryptedCookieMiddleware(
['CookieAuth'],
Configure::read('Security.cookieKey')
);
and change the field name in your form to remember_me if you're using the cookie authenticator's defaults:
echo $this->Form->control('remember_me', [
'type' => 'checkbox'
]);
That's all that should be required, if you tick the checkbox in your login form, then the authentication middleware will set a cookie after successful authentication accordingly, and it will pick up the cookie if it's present on a request and no other authenticator successfully authenticates the request first (like the session authenticator for example).

Related

cakephp3 entities relationship error when login (the error is going after refresh)

I am struggling with this issue for a few days. I've tried to debug step by step with Xdebug, but I cannot find where it is the problem.
Basically when login into the cakephp3.9 I get this error:
App\Model\Table\UsersTable association "Roles" of type "manyToMany" to "Slince\CakePermission\Model\Table\RolesTable" doesn't match the expected class "App\Model\Table\RolesTable".
You can't have an association of the same name with a different target "className" option anywhere in your app.
As I mentioned above, I am using cakephp 3.9 and the slince package ("slince/cakephp-permission": "^1.0") to manage roles/permissions. After get this error if I refresh the browser evertyhing works as normal. The error only appears once, always after login.
Relations in UsersTable.php
$this->belongsToMany('Roles', [
'foreignKey' => 'user_id',
'targetForeignKey' => 'role_id',
'joinTable' => 'users_roles'
]);
UsersController.php
public function login()
{
if ($this->request->is('post')) {
$user = $this->Auth->identify();
if ($user) {
if (Configure::read('Options.status') == 2) {
$this->Flash->error('Please confirm your account - click on the validation link emailed to you');
return $this->redirect(['action' => 'login', 'controller' => 'Users']);
}
$UsersRoles = TableRegistry::getTableLocator()->get('UsersRoles');
// Get User role_id
$AuthRole = $UsersRoles
->find()
->select(['role_id'])
->where(['user_id' => $user['id']])
->first();
// if the status of the user is false an error appears and it will be redirected back || check if is an admin role?
if ($user['status'] != 1 || $AuthRole->role_id > 3) {
$this->Flash->error('Your account is not authorized to access this area. Contact the support team or check your inbox');
return $this->redirect(['action' => 'login', 'controller' => 'Users']);
}
$Roles = TableRegistry::getTableLocator()->get('Roles');
// Get Role name
$AuthRoleName = $Roles
->find()
->select('name')
->where(['id' => $AuthRole['role_id']])
->first();
$user['role_id'] = $AuthRole['role_id'];
$user['role_name'] = $AuthRoleName['name'];
// Set the use into the session
$this->Auth->setUser($user);
// Save the previous login date to the session and enable tour vars
$session = $this->getRequest()->getSession();
if (empty($user['last_login'])) {
$session->write('Options.run', true);
$session->write('Options.player', true);
}
// Now update the actual login time
$this->Users->updateLastLogin($this->Auth->user('id'));
// Handle case where referrer is cleared/reset
$nextUrl = $this->Auth->redirectUrl();
if ($nextUrl === "/") {
return $this->redirect(['action' => 'index', 'controller' => 'Adminarea']);
} else {
return $this->redirect($nextUrl);
}
}
$this->Flash->error(__('Invalid username or password, please try again'));
}
$this->viewBuilder()->setLayout('admin_in');
}
The issue it is in the relationship "Roles", it already exists in the file "PermissionsTableTrait.php" from the slice package, and it seems that cannot be two relationships with the same name.

Podio API - Session Management class error in accessing tokens in Redis

I'm trying to use Session Management for API calls, so I don't trigger Auth class function everytime my script run. I mostly used App ID authentication so I used the sample provided for Redis.
However, I'm getting an error "Fatal error: Uncaught Error: Cannot access self:: when no class scope is active in /var/www/html/authcheck.php:22 Stack trace: #0 {main} thrown in /var/www/html/authcheck.php on line 22"
The code in line 22 is this - Podio::$oauth = self::$session_manager->get(Podio::$auth_type);
Here's the PHP Script for Session manager class:
Filename: SessionManager.php
<?php
require ('podio/podio_lib/PodioAPI.php');
require ('predis/autoload.php');
class PodioRedisSession {
/**
* Create a pointer to Redis when constructing a new object
*/
public function __construct() {
$this->redis = new Predis\Client();
}
/**
* Get oauth object from session, if present. We use $auth_type as
* basis for the cache key.
*/
public function get($auth_type = null) {
// If no $auth_type is set, just return empty
// since we won't be able to find anything.
if (!$auth_type) {
return new PodioOauth();
}
$cache_key = "podio_cache_".$auth_type['type']."_".$auth_type['identifier'];
// Check if we have a stored session
if ($this->redis->exists($cache_key)) {
// We have a session, create new PodioOauth object and return it
$cached_value = $this->redis->hgetall($cache_key);
return new PodioOAuth(
$cached_value['access_token'],
$cached_value['refresh_token'],
$cached_value['expires_in'],
array("type"=>$cached_value['ref_type'], "id"=>$cached_value['ref_id'])
);
}
// Else return an empty object
return new PodioOAuth();
}
/**
* Store the oauth object in the session. We ignore $auth_type since
* it doesn't work with server-side authentication.
*/
public function set($oauth, $auth_type = null) {
$cache_key = "podio_cache_".$auth_type['type']."_".$auth_type['identifier'];
// Save all properties of the oauth object in redis
$this->redis->hmset = array(
'access_token' => $oauth->access_token,
'refresh_token' => $oauth->refresh_token,
'expires_in' => $oauth->expires_in,
'ref_type' => $oauth->ref["type"],
'ref_id' => $oauth->ref["id"],
);
}
}
?>
Filename: authcheck.php
<?php
require ('podio/podio_lib/PodioAPI.php');
include ('SessionManager.php');
$client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
$app_id = "xxxxxxxxxxx";
$app_token = "xxxxxxxxxxxxxxxxxxx";
Podio::setup($client_id, $client_secret, array(
"session_manager" => "PodioRedisSession"
));
// podio-php will attempt to find a session automatically, but will fail
because
// it doesn't know which $auth_type to use.
// So we must attempt to locate a session manually.
Podio::$auth_type = array(
"type" => "app",
"identifier" => $app_id
);
Podio::$oauth = self::$session_manager->get(Podio::$auth_type);
// Now we can check if anything could be found in the cache and
// authenticate if it couldn't
if (!Podio::is_authenticated()) {
// No authentication found in session manager.
// You must re-authenticate here.
Podio::authenticate_with_app($app_id, $app_token);
} else {
//echo "<pre>".print_r($_SESSION, true)."</pre>";
echo "You already authenticated!";
}
// // We can safely switch to another app now
// // First attempt to get authentication from cache
// // If that fails re-authenticate
// Podio::$auth_type = array(
// "type" => "app",
// "identifier" => $another_app_id
// );
// Podio::$oauth = self::$session_manager->get(Podio::$auth_type);
// if (!Podio::is_authenticated()) {
// // No authentication found in session manager.
// // You must re-authenticate here.
// Podio::authenticate_with_app($another_app_id, $another_app_token);
// }
?>
Hi opted not to use redis instead I used session and PDO Mysql on storing podio auth.

Authentication in laravel

I am making api in laravel. I am using the database that is already built and is live. That system uses md5 with salt values.
I want to do authentication for that system . how should do i have to do?
My source code :
public function authenticate(Request $request)
{
$email = $request->input('email');
$password = md5('testpassword' . 'saltvaluehere');
try {
//
// attempt to verify the credentials and create a token for the user
if (!$token = JWTAuth::attempt([
'email' => $email,
'pass' => $password
])
) {
return response()->json(['error' => 'invalid_credentials'], 401);
}
} catch (JWTException $e) {
// something went wrong whilst attempting to encode the token
return response()->json(['error' => 'could_not_create_token'], 500);
}
// all good so return the token
return response()->json(compact('token'));
}
In core php these authentication is done by:
$getpass = $mydb->CleanString($_POST['password']);
$getusername = $mydb->CleanString($_POST['username']);
$dbpass = $mydb->md5_decrypt($mydb->getValue("pass","tbl_admin","username = '".$getusername."'"), SECRETPASSWORD);
if($dbpass == $getpass){
return 'success full login';
}
above code doesnot give same value of hash, so i am not being able to authenticate in system.
Edited:
I have got the password that matched with database but token is not bieng generated.
here is my code:
public function authenticate(Request $request)
{
$email = $request->input('email');
$password = $request->input('password');
$password = md5($password);
try {
//
// attempt to verify the credentials and create a token for the user
if (!$token = JWTAuth::attempt([
'email' => $email,
'password' => $password
])
){
//return response()->json(compact('token'));
return response()->json(['error' => 'invalid_credentials','_data'=>[$password,$email]], 401);
}
} catch (JWTException $e) {
// something went wrong whilst attempting to encode the token
return response()->json(['error' => 'could_not_create_token'], 500);
}
// all good so return the token
return response()->json(compact('token'));
}
can anybody tell me the reason why is token not being generated and why is it saying invalid credintials. as it shows the password and email of database of encrypted form.
This is a situation I've dealt with and I have foss code to give as a proof of concept.
Essentially, I added another password field for old passwords. I imported users with password_legacy set to a JSON object of old password data, in my case:
{ 'hasher' : 'algo', 'hash' : '#####', 'salt' : 'salt here' }
Then, I used a modified user service provider so that authentication checked for password_legacy if password was null. It then used the Illuminate Hasher contract as a base and constructed a new instance of a class (dynamically, using the hasher property, so for instance a app\Services\Hashing\AlgoHasher) and then used that for authentication instead of the default system.
If it did succeed, I bcrypt'd the password, set password and unsetpassword_legacy. This upgraded the password to the much higher standard of security that bcrypt offered.
Migration code for new field:
https://github.com/infinity-next/infinity-next/blob/ccb01c753bd5cedd75e03ffe562f389d690de585/database/migrations_0_3_0/2015_06_12_181054_password_legacy.php
Modified user provider:
https://github.com/infinity-next/infinity-next/blob/ccb01c753bd5cedd75e03ffe562f389d690de585/app/Providers/EloquentUserProvider.php
Hasher contract for Vichan (md5+salt):
https://github.com/infinity-next/infinity-next/blob/ccb01c753bd5cedd75e03ffe562f389d690de585/app/Services/Hashing/VichanHasher.php
Relevant user code:
https://github.com/infinity-next/infinity-next/blob/ccb01c753bd5cedd75e03ffe562f389d690de585/app/User.php#L124-L165
Hope that helps!

Laravel 5 customizing authentication

In Laravel 5 how can you customize the default authentication which comes out of the box? For example I have multiple types of users to authenticate against. Each type of user is defined by a role i.e Jobseeker, Recruiter etc. Each type of user will have a different type of registration form to capture some of the profile details as well. So I have the following tables:
users
roles
role_user
jobseeker_profile
recruiter_profile
The default authcontroller and passwordcontroller in Laravel 5 uses traits for all the authentication methods. How would you go about customizing it - do you guys edit the existing trait files? So for example the getRegister method returns the register view but I would want it to check the route before deciding which view to show.
// default method
public function getRegister()
{
return view('auth.register');
}
// custom method
public function getRegister()
{
if (Request::is('jobseeker/register'))
{
return view('auth.jobseeker_register');
}
elseif (Request::is('recruiter/register'))
{
return view('auth.recruiter_register');
}
}
Similarly the default postLogin method is as follows:
public function postLogin(Request $request)
{
$this->validate($request, [
'email' => 'required|email', 'password' => 'required',
]);
$credentials = $request->only('email', 'password');
if ($this->auth->attempt($credentials, $request->has('remember')))
{
return redirect()->intended($this->redirectPath());
}
return redirect($this->loginPath())
->withInput($request->only('email', 'remember'))
->withErrors([
'email' => 'These credentials do not match our records.',
]);
}
But I would want the method to also check the user roles as follows:
public function postLogin(Request $request)
{
$this->validate($request, [
'email' => 'required|email', 'password' => 'required',
]);
$credentials = $request->only('email', 'password');
if ($this->auth->attempt($credentials, $request->has('remember')))
{
if(Auth::user()->role->name == 'recruiter')
{
return redirect()->to('/recruiter/dashboard');
}
elseif(Auth::user()->role->name == 'jobseeker')
{
return redirect()->to('jobseeker/dashboard');
}
}
return redirect($this->loginPath())
->withInput($request->only('email', 'remember'))
->withErrors([
'email' => 'These credentials do not match our records.',
]);
}
So my question is how do you go about customizing the existing authentication? Do you guys create a new controller perhaps CustomAuthController, CustomPasswordController and copy all the traits from the default auth controllers into these custom controllers and edit them as appropriate? I'm unable to find any Laravel 5 tutorials on how to acheive this - they all simply talk about the default out of the box authentication. If anyone has done something similar before I would love to hear about how you went about it and which files were edited to wire this custom auth up.
You have a couple of options:
Override the methods in the existing auth controller.
Just don’t implement the AuthenticatesAndRegistersUsers trait at all, and implement authentication logic entirely yourself.
With regards to redirect, I’d listen on the auth.login event, check your user’s type there, and then redirect to the specific dashboard there and then.

Yii 2 RESTful API authenticate with OAuth2 (Yii 2 advanced template)

REST API is working without authentication methods. Now i wanted to authenticate REST API with OAuth2 authentication for API requests via mobile application. I tried with yii2 guide, but it didn't work for me.
basically mobile user need to be login with username & password, if a username and password are correct, user need to be login and further API request need to be validate with token.
Do i need to create custom OAuth 2 client like this ?
Creating your own auth clients
access_token field in user table is empty. do i need to save it manually ?
how to return access_token as a respond?
is there any reason for user all three methods(HttpBasicAuth, HttpBearerAuth, QueryParamAuth) at once, why? how?
my application folder structure looks like below.
api
-config
-modules
--v1
---controllers
---models
-runtime
-tests
-web
backend
common
console
environments
frontend
api\modules\v1\Module.php
namespace api\modules\v1;
class Module extends \yii\base\Module
{
public $controllerNamespace = 'api\modules\v1\controllers';
public function init()
{
parent::init();
\Yii::$app->user->enableSession = false;
}
}
api\modules\v1\controllers\CountryController.php
namespace api\modules\v1\controllers;
use Yii;
use yii\rest\ActiveController;
use common\models\LoginForm;
use common\models\User;
use yii\filters\auth\CompositeAuth;
use yii\filters\auth\HttpBasicAuth;
use yii\filters\auth\HttpBearerAuth;
use yii\filters\auth\QueryParamAuth;
/**
* Country Controller API
*
* #author Budi Irawan <deerawan#gmail.com>
*/
class CountryController extends ActiveController
{
public $modelClass = 'api\modules\v1\models\Country';
public function behaviors()
{
$behaviors = parent::behaviors();
$behaviors['authenticator'] = [
//'class' => HttpBasicAuth::className(),
'class' => CompositeAuth::className(),
'authMethods' => [
HttpBasicAuth::className(),
HttpBearerAuth::className(),
QueryParamAuth::className(),
],
];
return $behaviors;
}
}
common\models\User.php
namespace common\models;
use Yii;
use yii\base\NotSupportedException;
use yii\behaviors\TimestampBehavior;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;
class User extends ActiveRecord implements IdentityInterface
{
const STATUS_DELETED = 0;
const STATUS_ACTIVE = 10;
public static function tableName()
{
return '{{%user}}';
}
public function behaviors()
{
return [
TimestampBehavior::className(),
];
}
public function rules()
{
return [
['status', 'default', 'value' => self::STATUS_ACTIVE],
['status', 'in', 'range' => [self::STATUS_ACTIVE, self::STATUS_DELETED]],
];
}
public static function findIdentity($id)
{
return static::findOne(['id' => $id, 'status' => self::STATUS_ACTIVE]);
}
public static function findIdentityByAccessToken($token, $type = null)
{
return static::findOne(['access_token' => $token]);
}
}
user table
id
username
auth_key
password_hash
password_reset_token
email
status
created_at
access_token
access_token was added after migrate user table
I'm using JWT for validating the request. Basically JWT is a token which also contain information about a user, and about the token itself such as the validity and the expiration time of the token. You can read more about JWT here.
The flow of my application is like this:
First, when a user logged in, create a JWT for the user
$key = base64_decode('some_random_string');
$tokenId = base64_encode(mcrypt_create_iv(32));
$issuedAt = time();
$notBefore = $issuedAt + 5;
$expire = $notBefore + 1800;
$user = User::findByEmail($email);
$data = [
'iss' => 'your-site.com',
'iat' => $issuedAt,
'jti' => $tokenId,
'nbf' => $notBefore,
'exp' => $expire,
'data' => [
'id' => $user->id,
'username' => $user->username,
//put everything you want (that not sensitive) in here
]
];
$jwt = JWT::encode($data, $key,'HS256');
return $jwt;
Then, the client (e.g the mobile app) must provide the token in every request via Authorization header. The header will look like this:
Authorization:Bearer [the JWT token without bracket]
In the User model, add a method like this for validating the token:
public static function findIdentityByAccessToken($token, $type = null) {
$key = base64_decode('the same key that used in login function');
try{
$decoded = JWT::decode($token, $key, array('HS256'));
return static::findByEmail($decoded->data->email);
}catch (\Exception $e){
return null;
}
}
The JWT library will raise an Exception if the token is no longer invalid (have been tampered or have been past the expiry time).
Then, add this to the behaviors function in every controller:
$behaviors['authenticator'] = [
'class' => HttpBearerAuth::className(),
'except' => ['login'] //action that you don't want to authenticate such as login
];
That's it! I hope this work like you wanted. Oh, and there is lot of JWT libraries that you can use (you can see it here), but I personally use this library by people from firebase
You Can create Your Auth System, usually I do it.
You can Save Tokens for every user, and after it authentify user by that token.
In every action You can send that token for authentify user.
You need to do the following:
set the token before saving the user in the User model.
add actionLogin in the UserController to return the auth_key on user login.
in each API request you send the auth_key in the header instead of
sending username and password.
to check if the auth_key is valid, define 'authenticator' in the
UserController behaviors.
you can find code samples in my answer to another question here