Symfony2 - A good way to manage users - authentication

I'm starting a new project with Symfony 2 and I have to create and manage some users with a lot of personal information.
I must decide on a way to manage them, and I would like some advice on whether to choose the basic Symfony 2 implementation or FOSUserBundle, for example.

Use FOSUserBundle. It's easy to install and configure.
At the most basic level, it lets you easily handle user storage and authentication through the database. It requires that your user entity conform to some of its 'standards', but after that you're free to write your user entity how you see fit.
AFAIK, it's also the most popular user management solution for Symfony2 right now, so you should be able to easily find resources/information for it online.

Related

What pitfalls or consequences could there be when structuring a solution in 3 projects (.net core, vue.js and webapi)?

I want to make a quick, safe and nice application.
For many years I have been programming in PHP and regular ASP. But wanted to go on with .NET and vue.js.
So I have an idea, I wanted to create and plan to do it like this:
I was thinking of using hosting from an external service.
Then I would have three projects:
domain.com/index - Vue.js which will be a SPA, where the user can filter through a catalog, press like and send few api requests (mainly get-requests).
secure.domain.com - Here I will have a .net mvc project where I can use identity. This will make it simple to handle/register users. I will also give the correct session here for authenticated users. And it will affect domain.com/index, where they only are allowed to do some of the things if they are logged in
api.domain.com - This will be the webapi api. Only authenticated users will be allowed to send some of the requests.
I have spent several weeks looking into how to structure this, but I do not have much experience with it.
What pitfalls and bad consequences do you see in structuring it like this?
Are there any heads up you want to give me? Or any other recommendations?
I have been trying to melt all of this together in one project, but that has been difficult, because they operate in different ways. So now I have ended up with this, and look forward to
Size of project
It will be a relative small project.
People should be able to register/authenticate themselves (through facebook/google/server login).
Authenticated people should be able to add records (links) to a database. When adding them to the database they may also want to upload files and choose some additional information.
All people should be able to filter through the catalog of records (5000+) (here I am using vue.js/vuex/axios). Here they should also be able to comment on links.
Webapi will have 8 entities/tables and one view which will GET all the information. 3 tables should be able to have POST.
So it is more or less a catalog, where people should be able to add records and find new ones.
I was planning to use the identity from asp.net core 3.1. It is a "template" where I can easily add 3rd party logins. (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio)
Additional questions:
Can you tell me how requests from the SPA will be authenticated by your API (JWT or cookie)? Why would you like to have a separate identity service, and why would you like to use ASP.NET Identity (is it because of ease of setup)?
I have not been thinking about authenticating API requests. I was thinking of only having authenticated users who can send POST requests, and the rest will be GET requests, limited only from the server. Should I have some additional authentication? Does JWT make web APIs safe enough for my use?
I was thinking of using .NET Identity because it is simple, and I don't want to spend time on setting it up.
Since this is your first project of this type, I would recommend to keep it simple.
Just create one web site. Otherwise you might get issues with cookies not working for subdomains, and you will also get issues with CORS. That is, you will get all the problems at the same time (configuration issues, infrastructure issues and the pain of writing the application itself).
You can still have a clean separation by using sub folders (or Areas in MVC) and by using class libraries for the backend (API) business logic.
Once you have mastered the basics (i.e. writing the actual application) you can start looking at other means of separation etc.

ASP.NET MVC 5 simple login

I need simple log in functionality in my project (logged in users can access and modify their profile). I've read the book "PRO ASP.NET MVC 5" by Adam Freeman, where he quickly wrote a simple, short and elegant login mechanism just by using authorization and authentication filters and extending some built-in classes. However, I just checked the internet and found many completely opposite approaches using classes such as Identity and Claim, achieved by writing LOTS of code, i.e. this or this.
Is it really necessary to implement a huge framework and write many lines of code just for a simple log in approach with some security? Is it really that bad to rely on authentication and authorization filters?
Yes, I am planning on publishing my project, but it's really very small.
What would be the best and the most beneficial practice for creating a basic log in functionality?
When you create an ASP.NET MVC 5 web app you will find that ASP.NET Identity already exists; you just have to make simple changes to the user to link it to your other entities.

Managing users with Piranha CMS

What is the best way to manage users with Piranha CMS?
I would like to prevent some users from adding content (posts etc.) in some categories, and prevent some sites from being listed for some users. (For those who don't know it, Piranha CMS is a programmer-oriented micro CMS.)
I would like to use the sites feature because I'm working on a project in which I'll have a "network" of several sites managed by different entities of an organization. I would like each entity to be able to see only its own site, but the organization at the top to be able to manage every site. Moreover, within a site I would like some users to be able to edit only some parts of the site.
Are these features built in? Otherwise, what is the best way to implement them myself around the CMS?
I am using ASP.NET MVC 4 and EF5.
If you take a look at System > Permissions in the manager area you can see that there are permissions you can give to groups for different parts of the manager interface.
There's however currently no built in support for restricting access to different site trees, but you are free to add a feature request for this at GitHub or maybe participate by implementing it and sending a pull request!

What is the recommended way to implement admins in a webapp

I know of 2 ways to implement admins:
add admin role flag to the user entity
add a new admin entity
I don't know if there are more ways of doing it
1. Does it matter in terms of admin usability? security?
2. which is easier to scale or maintain?
For a Rails-specific (but not limited to it) sub-question:
Is using premade admin services such as active_admin or adminium worth it in the long run (for a heavily used application, not a small one), or would it be better to make my own admin panel and incrementally add features as I need them?
The answer to that question depends on your needs for a particular project.
Using the premade admin services makes life easier, as you can customize the services with the conveniences they provide and then use them in your application.
In the ActiveAdmin RailsCasts episode, there is a video about ActiveAdmin that shows how customizable it is. Apart from that, there are comments by various people on RailsCasts from their experience with its usage.
This will clearly give you the idea in the right direction.
There is also a very good article by batsov which explains the differences between RailsAdmin and ActiveAdmin.
Short version: Do it yourself with the admin role flag. For security do not allow mass assignment of this flag. Build your own admin interface, especially for a big project nothing premade will suit your needs.
Long Version:
I haven't actually used any of the premade admin services as in general my experience has shown me that my users are either normal/admin or semi-admin.
Having your own flag means that you have full control over how to add admin users.
Example: in some apps I have allowed anyone with admin access to make anyone else an admin.
Rails allows you to quickly scaffold/build your own custom admin interface and here I can't see anything 'off the shelf' beating the add as you go/need mentality as the end result will be custom built to fully suit your needs vs spending your time with an admin interface that you have to customize yourself.
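The mass-assignment point in the short version above ("do not allow mass assignment of this flag") as an added example, not code from the answer or from any of the admin gems it names. It is written in plain JavaScript so it runs without a framework; the record shape, the field names and the functions `updateProfileUnsafe`, `updateProfile` and `setAdmin` are all constructed for illustration. The whitelist in `updateProfile` is the same rule Rails strong parameters express as `params.require(:user).permit(:name, :email)`.

```javascript
'use strict';

// Constructed sample record: the admin flag is a column on the user, as the
// answer recommends. Values are made up for the example.
function makeUser() {
  return { id: 7, name: 'alice', email: 'alice@example.test', admin: false };
}

// Vulnerable: every submitted field is copied onto the record, so a request
// body carrying "admin": true promotes the caller to admin.
function updateProfileUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hardened: only an explicit whitelist of profile fields is copied, so the
// admin flag cannot be set through the profile form at all.
const PROFILE_FIELDS = ['name', 'email'];

function updateProfile(user, body) {
  const updated = Object.assign({}, user);
  for (const field of PROFILE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      updated[field] = body[field];
    }
  }
  return updated;
}

// The flag changes only through a dedicated action that checks the actor,
// here the answer's policy that any existing admin may grant admin.
// Only a literal boolean true sets the flag; anything else clears it.
function setAdmin(actor, target, value) {
  if (actor.admin !== true) {
    throw new Error('forbidden: only an admin may change the admin flag');
  }
  return Object.assign({}, target, { admin: value === true });
}

// Constructed request body: a normal profile edit with a smuggled admin flag.
const tamperedBody = { name: 'alice2', admin: true };
```

With `tamperedBody`, `updateProfileUnsafe` returns a record with `admin: true` while `updateProfile` keeps `admin: false` and applies only the name change; neither function mutates its input.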

Using couchdb authentication by xmpp users

I'd like to use CouchDB for a web application with external user authentication by an XMPP server (Openfire). How can I achieve that? Let's say we have three users:
basicuser#mydomain.tld
advanceduser#mydomain.tld
moreadvanceduser#mydomain.tld
Now basicuser#mydomain.tld should be able to read all documents that are suited for basic users.
advanceduser#mydomain.tld should be able to read AND write all documents that are suited for basic users.
moreadvanceduser#mydomain.tld should be able to read all documents that are suited for basic and advanced users.
Is that possible?
Following Openfire's database installation guide, only relational databases work directly with Openfire:
MySQL
Oracle
Microsoft SQLServer
PostgreSQL
IBM DB2
HSQLDB
My first thought was to try and move the complete database to couchdb.
Anyway, you will need different groups for mapping the different types of users. As far as I know, read/write access in CouchDB cannot be granted or revoked for single documents, but for databases. So you will end up with 3 databases, one for each access level.
I am not sure if it is good advice to handle document-based authentication in CouchDB by "tagging" documents with auth levels.
So, I can think of different scenarios:
If your XMPP server or the database was able to verify credentials via web services, you could make use of that in the login procedure in your couchapp.
If there are web services to your Openfire backing database, you could use these to synchronize users with CouchDB and map them to auth level groups. I think this is not a very good approach, as you will have to handle updated or deleted users as well and have another point to think about security as well. This could of course also be done by scripting in Python or whatever language you prefer.
Use LDAP to provide auth. This does not work with CouchDB for now.
Maybe a good idea would be to make use of Z-XMPP, strophe or basically any JS framework that handles XMPP in some way? There you could learn about XMPP authentication and maybe use this to verify auth credentials with XMPP. I also just learned that there is a book about "Professional XMPP Programming with JavaScript and jQuery".
Now, these are not complete solutions, but something to think about and discuss.
Oh, and there's another Thread here at StackOverflow.
Regards, Chris
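The "one database per access level" layout from the answer above, as an added example that is not part of the original thread. It models CouchDB's database-level security for the three users in the question: each database's `_security` document lists the roles that may read it, and a `validate_doc_update` function (written in the form CouchDB stores in a design document) restricts writes to `basic_docs` to the `advanced` role. The user names, role names and database names are constructed; `isMember` reproduces CouchDB's membership rule (an empty members section means public, otherwise a listed name or a shared role, with `_admin` always allowed) so the decisions can be checked offline without a CouchDB instance.

```javascript
'use strict';

// Constructed users for the three accounts in the question; the role names
// are assumptions (CouchDB only requires roles to be strings).
const sampleUsers = {
  basicuser:        { name: 'basicuser',        roles: ['basic'] },
  advanceduser:     { name: 'advanceduser',     roles: ['advanced'] },
  moreadvanceduser: { name: 'moreadvanceduser', roles: ['moreadvanced'] },
};

// One database per access level, as the answer suggests. The _security
// document of each database names who is a member; members may read it.
const securityDocs = {
  basic_docs: {
    admins:  { names: [], roles: [] },
    members: { names: [], roles: ['basic', 'advanced', 'moreadvanced'] },
  },
  advanced_docs: {
    admins:  { names: [], roles: [] },
    members: { names: [], roles: ['advanced', 'moreadvanced'] },
  },
};

// True when the user is listed by name or shares a role with a section.
function listedIn(section, userCtx) {
  const names = (section && section.names) || [];
  const roles = (section && section.roles) || [];
  return names.includes(userCtx.name) || roles.some((r) => userCtx.roles.includes(r));
}

// CouchDB's membership rule: server admins ("_admin") and database admins
// always pass; a members section with no names and no roles makes the
// database public; otherwise the user must be listed or share a role.
function isMember(secObj, userCtx) {
  if (userCtx.roles.includes('_admin')) return true;
  if (listedIn(secObj.admins, userCtx)) return true;
  const members = secObj.members || {};
  const names = members.names || [];
  const roles = members.roles || [];
  if (names.length === 0 && roles.length === 0) return true;
  return listedIn(members, userCtx);
}

// validate_doc_update for basic_docs: members may read, but only the
// "advanced" role (or a server admin) may write. CouchDB calls this with
// (newDoc, oldDoc, userCtx, secObj) on every write and rejects the write
// when the function throws.
function validateBasicWrite(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.includes('_admin')) return;
  if (!userCtx.roles.includes('advanced')) {
    throw { forbidden: 'only advanced users may write to basic_docs' };
  }
}

// Helpers that answer the question's cases as booleans.
function canRead(dbName, userCtx) {
  return isMember(securityDocs[dbName], userCtx);
}

function canWriteBasic(userCtx) {
  if (!isMember(securityDocs.basic_docs, userCtx)) return false;
  try {
    // Constructed document; the validator does not inspect its contents.
    validateBasicWrite({ _id: 'doc1', level: 'basic' }, null, userCtx, securityDocs.basic_docs);
    return true;
  } catch (e) {
    if (e && e.forbidden) return false;
    throw e;
  }
}
```

With these documents, `basicuser` can read `basic_docs` but not `advanced_docs` and cannot write to `basic_docs`; `advanceduser` can read both and write to `basic_docs`; `moreadvanceduser` can read both but not write to `basic_docs`. Per-document rules, as the answer notes, are not expressible this way; the validator is the only per-write hook.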