using sfDoctrineGuardPlugin for regular member login? - authentication

I want to create users for my web application.
I'm using symfony. I wonder if I should do that with sfDoctrineGuardPlugin or with symfony's own provided methods for this?
// Add one or more credentials
$user->addCredential('foo');
$user->addCredentials('foo', 'bar');

// Check if the user has a credential
echo $user->hasCredential('foo'); // => true

// Check if the user has both credentials
echo $user->hasCredential(array('foo', 'bar')); // => true

// Check if the user has one of the credentials
echo $user->hasCredential(array('foo', 'bar'), false); // => true

// Remove a credential
$user->removeCredential('foo');
echo $user->hasCredential('foo'); // => false

// Remove all credentials (useful in the logout process)
$user->clearCredentials();
echo $user->hasCredential('bar'); // => false
Or is the purpose of sfDoctrineGuardPlugin just securing the admin page and not the frontend login system?
Thanks.

I would recommend using sfDoctrineGuardPlugin. It provides forms for managing your users in the backend. It is easily extendable to add extra database fields for more info about your users (profiles, etc.), and it handles all the SHA/MD5 password encryption for you when storing user passwords. If you are creating your login system from scratch, you need to consider password storage.
It is basically a great starting point when building your secure pages. It can be used both for backend and frontend. For the frontend you just need to enable the right modules in the config file and you can use it without problem.
One thing I forgot to add is that sfDoctrineGuardPlugin also provides the "remember me" function, which is great. Use the plugin. :)
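The answer above makes the point that a hand-rolled login system has to get password storage right. As an added example (not code from the answer or from sfDoctrineGuardPlugin), here is what that looks like in plain PHP using the built-in password_hash()/password_verify() functions, which salt the password and use a deliberately slow algorithm (bcrypt by default) instead of a bare SHA/MD5 digest. The user record and its password_hash column are constructed for the demo.

```php
<?php
// Added example: native PHP password storage. Not part of the answer or of sfDoctrineGuardPlugin.

// Work factor for bcrypt; raise it over time as hardware gets faster.
const PASSWORD_COST = 12;

function storePassword(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt in current PHP. A random salt is generated and
    // embedded in the returned string, so no separate salt column is needed.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

function checkPassword(string $plain, string $storedHash): bool
{
    // password_verify() re-derives the hash with the embedded salt and compares
    // in constant time; it never needs the plaintext stored anywhere.
    return password_verify($plain, $storedHash);
}

function needsUpgrade(string $storedHash): bool
{
    // True when the stored hash was produced with older parameters (e.g. a lower
    // cost), so the application can re-hash transparently on the next good login.
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

// Login: verify the submitted password and, if the hash is stale, replace it.
// Returns the (possibly updated) user record on success, null on failure.
function login(array $user, string $submitted): ?array
{
    if (!checkPassword($submitted, $user['password_hash'])) {
        return null;
    }
    if (needsUpgrade($user['password_hash'])) {
        $user['password_hash'] = storePassword($submitted);
    }
    return $user;
}

// Constructed demo record (assumption: a 'password_hash' column instead of an md5/sha1 one).
$user = [
    'username'      => 'alice',
    'password_hash' => storePassword('correct horse battery staple'),
];

var_dump(login($user, 'correct horse battery staple') !== null);
var_dump(login($user, 'wrong password') !== null);
```

The first var_dump() is true and the second false. The stored string already encodes the algorithm, cost and salt (it begins with `$2y$12$`), which is what makes the transparent upgrade in login() possible.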

Related

Should I invalidate tokens when password changes?

I am using API Platform and JWT token to authenticate during my requests
I am wondering if I should disconnect the user's sessions if their password changes/resets?
I heard it's not supposed to happen with JWT and it's not a part of the bundle (https://github.com/lexik/LexikJWTAuthenticationBundle), but is it fine not to disconnect the user's sessions if their password gets changed? I'm asking from a security point of view.
I would appreciate any help
It depends ... :)
PWD and a token actually are "different credentials"
If the user can only change the PWD via the web UI with "traditional web requests" (something like: Homepage → Login → MyAccount → Settings/Security) and the token is only used with an API, then I would say NO, no need to invalidate.
If the frontend is built with some JS lib like React/Vue/Svelte and uses the JWT to access secured areas, you probably should invalidate, since someone with a valid and non-expired JWT could still have access after the PWD was set to a new one.
It would be a nightmare if some hacker who somehow acquired your valid JWT would still have access to User → MyAccount → Settings and potentially be able to do bad stuff after you explicitly changed the PWD.

Understanding oauth external login authentication flow in ASP.NET Core Identity

I'm implementing Identity in ASP.NET Core 3 and having a bit of a problem understanding the flow of external login authentication, as are my users.
Things start clearly enough:
As expected I'm prompted to pick a Google identity:
Now at this point I'd expect to see a dialog such as the following, asking for permission to grant my app access to various pieces of the Google identity:
But that dialog never happens.
What does happen next is:
The above process step seems completely non-standard compared to any oauth flow I've ever seen. I've already told it which Google identity I'm using; the email address is unambiguous. So this dialog seems extraneous and just confuses my users. Is there a reason for this step that I am not understanding?
...And back to the permission dialog above that I would have expected to get there, this never occurs. Why is the app able to accept a Google login without granting access via that dialog?
Why is the app able to accept a Google login without granting access via that dialog?
It seems Google will automatically grant the OpenID Connect scopes (openid profile email) after creating the application. You can verify the scopes in the console --> OAuth consent screen:
But if you also want to require additional sensitive scopes, you still need to request permission dynamically during authentication:
services.AddAuthentication()
    .AddGoogle(options =>
    {
        options.Scope.Add("https://www.googleapis.com/auth/gmail.modify");
        options.Scope.Add("https://www.googleapis.com/auth/gmail.settings.basic");
        options.ClientId = "xxxx";
        options.ClientSecret = "xxxx";
    });
Is there a reason for this step that I am not understanding?
That is because you enabled ASP.NET Core Identity. In asp.net core identity, for external login, after authentication Identity will help create a local user associated with the external login user. After scaffolding Identity in ASP.NET Core projects, you can check the ExternalLogin.cshtml.cs file inside the Areas/Identity/Pages/Account folder. In the function OnGetCallbackAsync you will find that Identity checks the external login user information and confirms that a local user is associated with the external user: if yes, it signs the user in; if no, it redirects the user to another page to ask them to create an account in the local database.
If you don't need that feature, just remove asp.net core identity or customize the OnGetCallbackAsync function to skip the process.

How to track a user is logged in or not using api?

I am creating an api using cakePHP. I have created an api for user login. This login functionality is working fine.
Here is the login function -
public function login()
{
    if ($this->request->is('post')) {
        $user = $this->Auth->identify();
    }
}
Now, the problem I am facing is: how can I test from another api whether the user is logged in or not? In a web application it can be done by the default auth system ($this->Auth->user()). But I am not getting how I can check whether this user is logged in or not from another api. Do I need to send an api parameter with each api request? Or any other suggestion?
Note: I can't send any token in the header, because in the header I am already sending a jwt token. In my application there are two kinds of authentication. One is "logged in or not?" and the other one depends on some other input from the user; that is handled by jwt. So I am already sending the jwt token in the header, so the header is already used.
A couple of things to clarify.
In a regular app, the user logs in with a post request and on successful authentication a session is created. This session is a bit of information that the user supplies in each of the following requests, and the server then recognises the user. This is accomplished by the Auth component in its default settings.
In an API you could do the same: the user logs in, receives the session and attaches the session cookie-like object to each following request. (Example of such a Python client.) However, this is not considered good practice, as APIs should be stateless (so without requiring something like cookies). The solution is working with tokens, for instance hashes of some secret token together with a timestamp. The Auth component also supports this pretty well. After setting it up, you can simply call $this->Auth->user(), like you would normally, and it returns either false or an array of user information. See the link below.
Note that by default this authentication type will block unauthenticated users, so you will never see ->user() return false unless you make pages as public.
See also:
(Cookbook > Authentication > Creating stateless authentication systems)
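The JWT thread above and this CakePHP one come down to the same mechanism. In a stateless API there is no session to ask, so "is this user logged in?" is answered on every request by verifying the bearer token, and "log the user out when the password changes" is done by refusing tokens minted before the change. Below is an added example in plain PHP (not code from either answer, API Platform, LexikJWTAuthenticationBundle or CakePHP's Auth component) that mints and verifies an HS256 JWT and applies a per-user password_changed_at cut-off. The secret, the users array and its password_changed_at field are constructed assumptions.

```php
<?php
// Added example: stateless per-request login check with password-change invalidation.
// Not code from the answers above nor from any of the libraries they mention.

const JWT_SECRET = 'constructed-demo-secret';   // assumption: loaded from config in a real app

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

// Mint an HS256 JWT with the standard iat/exp claims.
function issueToken(string $sub, int $now, int $ttl = 3600): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode(['sub' => $sub, 'iat' => $now, 'exp' => $now + $ttl]));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    return "$header.$payload.$sig";
}

// Verify signature, algorithm and expiry; return the claims or null.
function verifyToken(string $jwt, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    // Always recompute with our own algorithm; never let the token choose it.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", JWT_SECRET, true));
    if (!hash_equals($expected, $sig)) {           // constant-time comparison
        return null;
    }
    $hdr = json_decode(b64urlDecode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['iat'], $claims['exp'])) {
        return null;
    }
    if ((int) $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// "Is this user logged in?" for a stateless API: the answer is whatever the
// token proves, plus the password-change cut-off. Returns the username or null.
function currentUser(array $headers, array $users, int $now): ?string
{
    if (!preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'] ?? '', $m)) {
        return null;
    }
    $claims = verifyToken($m[1], $now);
    if ($claims === null || !isset($users[$claims['sub']])) {
        return null;
    }
    // Invalidate every token minted before the user's last password change
    // (assumption: a password_changed_at unix timestamp stored per user).
    if ((int) $claims['iat'] < $users[$claims['sub']]['password_changed_at']) {
        return null;
    }
    return $claims['sub'];
}

// Constructed scenario: alice logs in at t=1000, changes her password at t=2000.
$users = ['alice' => ['password_changed_at' => 0]];
$jwt = issueToken('alice', 1000);

var_dump(currentUser(['Authorization' => "Bearer $jwt"], $users, 1010));   // before the change
$users['alice']['password_changed_at'] = 2000;
var_dump(currentUser(['Authorization' => "Bearer $jwt"], $users, 2500));   // same token, after the change
$jwt2 = issueToken('alice', 2500);
var_dump(currentUser(['Authorization' => "Bearer $jwt2"], $users, 2600));  // token from a fresh login
```

Run as written, the first lookup yields "alice", the second yields null because the token's iat (1000) predates password_changed_at (2000), and the freshly issued token is accepted again. One timestamp per user is the cheapest way to get password-change invalidation without a token denylist; bumping the same field also implements "log out everywhere".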

Ember Simple Auth with Multiple Devise Scopes

I have the following scenario:
Rails app with User and Admin devise models, so I have two scopes.
Created on the ember app router:
Router.map(function() {
  this.route('panel', function() {
    this.route('login');
    this.route('logout');
  });
  this.route('admin', function() {
    this.route('login');
    this.route('logout');
  });
});
I'm using the jj-abrams branch since my app is on Ember 2.0.
Both authenticating on /users/sign_in and /admins/sign_in
I followed steps on https://github.com/simplabs/ember-simple-auth/tree/master/packages/ember-simple-auth-devise#server-side-setup and authentication is working.
Ember is hitting the right urls after creating authenticators and adapters, but the problem is that ESA has just one session service. Once a user or admin is logged in, session.isAuthenticated is true and I don't know which scope is logged in.
Which is the best way to proceed:
Add a role on user reply and set on session
Create a new session for admin user
I solved this problem by creating 3 authenticators, one for each scope, and I handle each one.
It is a particular solution since I don't use other authenticators (OAuth2), but now I can check whether authenticator:user, authenticator:admin or authenticator:manager was used to log in.
I have created checks on routes, so user can only access his panel, admin can access user and admin panel, and manager can access the whole system.
I've posted the ember and the API on github:
https://github.com/fernandes/ember-auth-web for the ember
https://github.com/fernandes/ember-auth-api for the devise api
ps: I think it would be better to create sessions for each scope, but I don't know how to do it (or if it's better or not). In this solution you can log in to one scope at a time (unlike devise on rails, where you can log in with many scopes at once).

Problems working with Google Calendar Api V3 and PHP

I'm just trying to make a little, simple application (that I already made two years ago in Objective-C with api V1) that presents a screen with the time of an event and a description and a button: "insert event in your calendar".
Every user obviously has to configure the application with his google username and password.
The app simplifies the process by using the first calendar available.
I had infinite problems trying to do it with javascript (this app will be made in html5), so, looking at the docs, I ended up trying to make a back-end on my server in php5 (thought it could be easier...ohohoho).
So, I read the docs from here: https://developers.google.com/google-apps/calendar/
What I did:
1)
Get to the Google Developers Console.
Created a project.
I now have this (not real keys):
OAuth 2.0
Client ID 352xxxyy9.apps.googleusercontent.com
Email address 3527xxxy#developer.gserviceaccount.com
Service Account
Client ID 3523xxxyy419-vpfgdfg9u77s0.apps.googleusercontent.com
Email address 35ssss9-zzzzsnhavna78ea0b9gvn6a9u77s0#developer.gserviceaccount.com
Public key fingerprints :ac15ddfxdffrtg5565fgfg545r
2)
I installed Google APIs Client Library for PHP (beta) in my server.
doc says:
Using the Google APIs Client Library for PHP requires that you download the PHP source. In the future, packages will be provided. Refer to the project page for more details.
Run the following commands to download and install the source: svn blaj blah blah.
I copied the entire source in my server. Easy :)
Then..
3) You can now import the classes you will need using the following statements:
require_once "../src/apiClient.php";
require_once "../src/contrib/apiCalendarService.php";
Ok, I'll insert them in my php script!
4) "Configure your app"
You must instantiate a client to make requests to the API. All requests to the Google Calendar API require authorization.
The following code demonstrates how to configure an authorized service object using OAuth 2.0 for native applications. For more information, see Authorize Requests.
To find your project's client ID and client secret, do the following:
Go to the Google Developers Console.
Select a project.
In the sidebar on the left, select APIs & auth. In the displayed list of APIs, make sure the Google Calendar API status is set to ON.
In the sidebar on the left, select Credentials.
Find the lines labeled Client ID and Client secret. Note that there may be a client ID without a client secret, for use with Compute Engine and App Engine; in that case, create a new client ID and client secret by selecting Create New Client ID.
Edit the src/config.php file to put in your developer API information.
global $apiConfig;
$apiConfig = array(
    // Site name to show in Google's OAuth authentication screen
    'site_name' => 'www.example.org',
    // OAuth2 Setting, you can get these keys in Google Developers Console
    'oauth2_client_id' => 'YOUR_CLIENT_ID',
    'oauth2_client_secret' => 'YOUR_CLIENT_SECRET',
    'oauth2_redirect_uri' => 'YOUR_REDIRECT_URL',
    // The developer key; you get this from Google Developers Console
    'developer_key' => 'YOUR_DEVELOPER_KEY',
    ...
    // Which Authentication, Storage and HTTP IO classes to use.
    'authClass' => 'apiOAuth2',
    ....
    // Definition of service specific values like scopes, OAuth token URLs, etc
    'services' => array(
        'calendar' => array('scope' => 'https://www.googleapis.com/auth/calendar'),
    )
);
But they are DIFFERENT from the keys I have. What's wrong????
What are client secrets? redirect_url??
Please help.
I think you need to setup a service account access as described here:
https://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
I had difficulties getting it to work, as I went through many trials and errors and my cache got filled with non-working tokens.
If you ever find yourself unable to access the calendar even after following all the steps, try changing this line of code:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key));
to this:
$client->setAssertionCredentials(new Google_AssertionCredentials(SERVICE_ACCOUNT_NAME, array('https://www.googleapis.com/auth/prediction'),$key, 'notasecret','http://oauth.net/grant_type/jwt/1.0/bearer',false,false));
The last false tells the AssertionCredentials class not to use any cache. I did it once and then it worked with it set to true afterwards.
First go here: https://console.developers.google.com/project. That is where you configure your app...
Click on your project, then on the left side you will see APIs & Auth; click on Credentials. You will need to create your OAuth and Public API Access keys.
Once you have done that, you will then enter those into the appropriate client_id, secret, redirect, etc.
The redirect uri is the same page your app is on; it's the page the user gets sent back to after authorizing.
I had the same problem.
On this page, when you click on Create new Client Id, choose Web application and it should give you the client secret key as well.
https://console.developers.google.com/project
Add a project etc.
Hope it helps
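The question asks what the client secret and redirect URI in src/config.php actually are, and the answers describe where to obtain them. As an added example (not code from the question, the answers, or the google-api-php-client library), here is the OAuth 2.0 authorization-code flow those three settings serve, written against Google's standard endpoints directly so each value's role is visible: the redirect URI is where Google sends the browser back with a code, the client secret is used only server-side to exchange that code, and a random state value ties the callback to the browser that started the flow. The client id, secret and redirect URI below are placeholders, and the simulated callback query string is constructed.

```php
<?php
// Added example: Google OAuth 2.0 authorization-code flow in plain PHP.
// Not the library's code; endpoint URLs are Google's documented ones, credentials are placeholders.

const GOOGLE_AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/v2/auth';
const GOOGLE_TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
const CALENDAR_SCOPE        = 'https://www.googleapis.com/auth/calendar';

// Step 1: build the URL the browser is sent to. redirect_uri must match one registered
// in the console for this client id; Google only sends the code back there. 'state' is a
// random value kept in the session so the callback can be tied to this browser.
function buildAuthorizationUrl(string $clientId, string $redirectUri, string $state): string
{
    return GOOGLE_AUTH_ENDPOINT . '?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => CALENDAR_SCOPE,
        'state'         => $state,
        'access_type'   => 'offline',   // request a refresh token so the user need not re-consent each time
    ]);
}

function newState(): string
{
    return bin2hex(random_bytes(16));
}

// Step 2: Google redirects to redirect_uri?code=...&state=... . Accept the callback only if
// the state equals the one issued in step 1; otherwise a code could be planted by a third party.
function validateCallback(array $query, ?string $expectedState): ?string
{
    if ($expectedState === null || !isset($query['state'], $query['code'])) {
        return null;
    }
    if (!hash_equals($expectedState, (string) $query['state'])) {
        return null;
    }
    return (string) $query['code'];
}

// Step 3: the server (never the browser) exchanges the code for tokens. This is the only
// place the client secret is used, which is why it must stay on the server.
function buildTokenRequest(string $code, string $clientId, string $clientSecret, string $redirectUri): array
{
    return [
        'url'  => GOOGLE_TOKEN_ENDPOINT,
        'body' => [
            'code'          => $code,
            'client_id'     => $clientId,
            'client_secret' => $clientSecret,
            'redirect_uri'  => $redirectUri,   // must equal the one used in step 1
            'grant_type'    => 'authorization_code',
        ],
    ];
}

// Performs the POST from step 3; returns the decoded JSON (access_token, refresh_token, ...).
function exchangeCode(array $request): ?array
{
    $ch = curl_init($request['url']);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($request['body']),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    return is_string($raw) ? json_decode($raw, true) : null;
}

// Walk-through with placeholder credentials; no network call is made here.
$clientId     = 'YOUR_CLIENT_ID.apps.googleusercontent.com';
$clientSecret = 'YOUR_CLIENT_SECRET';
$redirectUri  = 'https://www.example.org/oauth2callback.php';

$state = newState();                       // in a real app: $_SESSION['oauth_state'] = $state;
echo buildAuthorizationUrl($clientId, $redirectUri, $state), PHP_EOL;

// Constructed callback query, as Google would send it back to $redirectUri.
$callbackQuery = ['code' => '4/constructed-demo-code', 'state' => $state];
$code = validateCallback($callbackQuery, $state);
print_r(buildTokenRequest($code, $clientId, $clientSecret, $redirectUri));
```

In a real handler the state is stored in the session before the redirect and compared in validateCallback() on return, and exchangeCode() is called with the result of buildTokenRequest(). Because the client secret only ever appears in that server-side POST, a "Web application" client type (which is what gives you a secret, as the last answer notes) is the right choice for a PHP back-end.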