I want to have a subpage on my website that is password protected. There should be a list of 6-digit passwords that allow access to the site. However, I don't want the user to type in a username. He should only type in one of the 6-digit passwords.
Any ideas, how I can accomplish this?
The default login for TYPO3 uses username and password. If you only needed 1 password you could create 1 user and use a custom template with the username in a hidden field. However, since you want multiple passwords, there is no default way to do it without creating your own authentication service.
It's a bit much to explain how to create an authentication service here, but you can read the documentation here https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Authentication/Index.html.
You can also look at an example like https://github.com/tschikarski/shibboleth, which is a but complicated, but you'll mainly need to look at \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService in ext_localconf.php and the getUser and authUser functions in Classes/ShibbolethAuthentificationService.php.
With Typo3 mechanism, a password is always associated with a user name, I think you should do it by yourself :
if the content is from one of your extension, you can easily do it
if it's not the case, I think you could use a hook before page is displayed and manage password access in that hook
or you can make a specific template with which you can conditionally manage rendering
Why don't reverse the usage?
Create FE-users with the selected passwords as username, then assign all users the same password.
For the login you change the login form:
The password field gets a default value (the password you had set to
all accounts) and is hidden
The input field for the username is changed into a browser passowrdfield so the input is hidden by asteriks.
Then you might change the errormessages as they would confuse the user about his username so he only enters a "password".
There now exists an extension for that, too:
https://extensions.typo3.org/extension/sessionpassword
With that, you just have to create a specific usergroup for your purpose,
set a password an d include the plugin on the desired page.
Works for me in that case.
Related
I need to check that a proper username is entered in the custom signin form on my web site to pass it to Auth.signUp method of aws-amplify.
Things like minimum/maximum number of characters and allowed characters.
Documentation at this link does not help, please point me to a correct page, thank you!
See AWS SDK for validation rules.
The username for the user. Must be unique within the user pool. Must
be a UTF-8 string between 1 and 128 characters. After the user is
created, the username can't be changed.
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/clients/client-cognito-identity-provider/interfaces/admincreateusercommandinput.html
Not perhaps a perfect description but has at least the minimum and maximum character count.
Edit: Cognito API reference reveals that regex pattern for username validation is: [\p{L}\p{M}\p{S}\p{N}\p{P}]+
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
BTW, username cannot be changed after creation so perhaps you want to use preferred_username attribute to store the username which a user submits in sign in form (and make back-end to generate a value for username automatically (uuid for example)).
The document behind the link states:
Activate the preferred_username attribute so that your user can change the user name that they use to sign in while their username attribute value doesn't change.
I would like to know where the password field is shown in dashboard. I cant see in password field in user profile object. How can I get it.
You can't see the password for a user (only a secure password hash is stored, so Auth has no way of getting the actual value). As a dashboard administrator, you can however change the password using the red Actions drop down list, and then selecting Change Password.
I want to require that authenticated users provide a password to access a certain page/action.
I know that RoR has authenticate_or_request_with_http_basic() that can be used to protect an action but that requires that a name and password be entered and I'm only interested in requiring a password.
Well, you can always leave user blank.
If it isn't an option I have some bad news - browser will always ask for user and password when using http basic authentication.
However there are some different options:
providing some key in url that works as password (quite unsecure)
login box with password field only, that (when password is correct) set session[:auth] = true. And appropriate before_filter in your ApplicationController.
Normak authentication but with one field (password only) - I'm not sure if it would be good.
I think second option would be best here (if of course, leaving http basic auth login/password box isn't an option).
I have SugarCRM running and able to log in and out using the super admin account. I created a new user with type Regular User and defined it password because I unchecked the auto generation of password.
Even if I change the password through the database I cannot log in. But, if I changed the the type to Administrator that user can now login. Why is that? I want it to be a Regular User only.
Regards,
Ronel
In version 6.5.x I have found that there is a problem with password rules. Perhaps this is the case. Go to config.php and look at passwordsetting array. There is a minpwdlenght and a oneupper. Change 'oneuppper' to 'false' and match minpwdlenght to the lenght you want.
This solved my issue.
I have been looking for the past few hours on how to user the phpBB login script on a custom site. I think I'm just not searching for the right things.
A while ago, I created a phpBB site and have over 900 members registered through phpBB. I am currently face-lifting this site and redoing the user registration along with all of the other custom code I have.
My problem is, I want the users to be able to log in as usual, though I want to input them into my new database so everything can run smoothly. I mainly need their username, password and old ID#, but I don't know how to use phpBB's password authentication or where to find it
The statement needs to look something like this:
On Login, grab username and password variables:
if the username is not in MY database, check phpBB database.
If the username is in phpBB database, check to see if the password is correct **(This is the part I don't know how to do)**
If the password is correct, input the username, user ID and the password (encrypted my way) into MY database
Login
If the password is incorrect - error
if the username is NOT in phpBB database - continue
if the username is not in MY database - input username and encrypted pass into my DB
login
Where can I find a script to authenticate the phpBB user's passwords? I don't care how the script is done, I know that's a secret, I just need to be able to authenticate passwords so that I can make sure it's the same user
I do have access to the phpBB database, I just need a way to authenticate their password
I would rather delete the quesion, but here's the answer:
Check here: http://sunnyis.me/blog/secure-passwords/
and when you download the PasswordHash.php, change all of the $P$ to $H$. It will work. Strange how it creates a password, every time it creates, it's different. But the CHECK part of it makes sure it checks it correctly, no matter what hashed pass it creates.