auth's Introduction

Solution10\Auth

Powerful and extremely flexible authentication

Key Features

Framework agnostic:
Can work with any framework and any ORM / database layer. Implement two classes to integrate with your tools of choice and Auth will do the rest.
Learn more about Integration
Multiple Instances:
No statics or manky global scope. Every auth instance is totally self contained and can talk to entirely different backends and session handlers.
Learn more about Multiple Instances
Powerful Permissions:
Package based permissions allow you to define broad access control groups, and Overrides allow you to allow/disallow permissions on a per-user basis
Learn more about Permissions

Installation

Installation is as you'd expect, simply via a Composer requirement:

{
    "require": {
        "solution10/auth": "^1.2"
    }
}

Note: Auth provides absolutely no storage capability (no database layer / access). You will need to provide this by implementing a StorageDelegate. This approach might seem awkward at first, but it allows you to take completely control over the logic of data-retrieval, whilst Auth handles the actual mechanics for you. Learn more about Integration

Basic Usage

Your first step should be to complete everything in the Integration guide, but that doesn't make for a sexy demo, so we'll assume you've done that!

Let's pretend that I have fully implemented a StorageDelegate called "PDOStorageDelegate".

// The storage delegate handles reading/writing User data from
// your data store. That could be a database, REST service, whatever.
$storageDelegate = new PDOStorageDelegate();

// The session delegate handles maintaining state between
// page loads. Essentially, it's a front to the $_SESSION array,
// but if you do it different, you can re-implement!
$sessionDelegate = new Solution10\Auth\Driver\Session();

// Fire up a new instance called "MyAuth"
$auth = new Solution10\Auth\Auth('MyAuth', $sessionDelegate, $storageDelegate);

// Play with some API methods:
if ($auth->loggedIn()) {
    echo 'Hi, '.$auth->user()->username.', welcome to the site!';
}

As you may have noticed, we give auth instances names. This gives us a way of referencing them later. More on that in the Instances chapter.

Logging In

if ($auth->login($username, $password)) {
    echo 'User was logged in!';
} else {
    echo 'Please check your username and password.';
}

Logging Out

$auth->logout();

Checking Login State

if ($auth->loggedIn())) {
    echo "You're logged in!";
} else {
    echo "You are not logged in :(";
}

Getting the Current User

$user = $auth->user();

Forcing a Login

This should be used with extreme caution, it will allow you to log a user in without their password. Probably only useful after registration.

// The $user object needs to be a class that implements the
// Solution10\Auth\UserRepresentation interface.
// It's a tiny interface, but it just gives us enough info to
// do our work.

$user = new UserRepresentationInstance();

$user->forceLogin($user);

You can read more about UserRepresentation in the Integration guide

PHP Requirements

PHP >= 5.4

Documentation

For a user guide: Check out the Wiki here on GitHub.

Author

Alex Gisby: GitHub, Twitter

License

MIT

Contributing

Contributors Notes

auth's People

Stargazers

Watchers

auth's Issues

Missing method: hasPackage()

The method hasPackage() as used in the last example of the Managing the packages on a user section does not exist in the Auth class. I'd love to open a pull request with a fix, but I'd need to know if this is a mistake in the docs or simply a missing method.

Hardcoded use of PASSWORD_BCRYPT

The Auth::hashPassword method is using a hard coded PASSWORD_BCRYPT when calling password_hash. While the current versions of password_hash (5.5 thru 7.1) only support two valid values PASSWORD_DEFAULT and PASSWORD_BCRYPT, and they both have the same value, this is not an issue. Hopefully this will change in PHP 7.2 with the stronger cryptography being added. The php.net site indicates that PASSWORD_DEFAULT 'may' change with stronger cryptography, thus it should be the stronger/secure algorithm. I would suggest adding the 'algo' argument to $options as the 'cost' is. I can work on a pull request if you would like.

buildPermissionsForUser() will always return an empty array for packages

The method requests a list of all packages for a user and get an array of the package names. Those are then passed to the Collection for sorting. The problem here is that the Collection is supposed to sort by the package precedence, which it has no access to! Also, there is no way to get the precedence or permissions just from a package's name. I suggest to remove the package names completely and instead use their class names. This way we can initialize the needed package objects when needed and the system stays decentralized.

solution10 / auth Goto Github PK