
Comments (4)

thekid commented on June 18, 2024

For sessions and form-based login, this abstraction would not work. It would rather be something like:

class Authentication implements Filter {

  // ...

  public function filter($request, $response, $invocation) {
    if ($session= $this->sessions->locate($request)) {
      $request->pass('user', $session->value('user'));
      try {
        return $invocation->proceed($request, $response);
      } finally {
        $session->transmit($response);
      }
    }
    // Redirect to login screen, it will fill the session
  }
}

Maybe the filter needs to be named StatelessAuthentication or HttpAuthentication instead?

from web.

thekid commented on June 18, 2024

Basic Authentication

Via Header: Authorization: Basic BASE64($username ":" $password) -> lookup user via username, verify password

Token Authentication

Via Header: Authorization: Token XXX or via parameter ?api_token=XXX -> lookup user via token

JWT

Via Cookie, payload can contain user value directly, optionally only user id -> lookup

Form-based

Via session, which is filled with user by lookup after submitting login form

CAS

Via session, which is filled with user by reading from what serviceValidate returns

OpenID + OAuth

Using OAuth 2.0 Authorization Code Grant or OAuth 2.0 Device Flow Grant, get access token, with that, acquire user information via UserInfo request, store that in session.

from web.

thekid commented on June 18, 2024

Because all of these work differently, maybe the only thing we can do here in this base library is to add a User class and accessors in the web.Request class, e.g.:

/** Base user model. Can be extended by applications if necessary. */
class User {
  public function __construct(private string $id, private array<string> $roles) { }

  /** Returns user ID */
  public function id() ==> $this->id;

  /** Returns all of the user's roles */
  public function roles() ==> $this->roles;

  /** Checks whether user is in a given role */
  public function hasRole($role) ==> in_array($role, $this->roles, true);
}

The Request class would have two new methods, authenticate to set the user and user to access it. They could be used as follows:

// HTTP Basic Auth
$authenticate= new class() implements Filter {
  public function filter($request, $response, $invocation) {
    sscanf($request->header('Authorization') ?? '', 'Basic %s', $authorization);
    // Limit of 2: split on the first ':' only, since passwords may themselves contain ':'
    [$username, $password]= explode(':', base64_decode($authorization), 2);
    if ($user= $this->users->authenticate($username, new Secret($password))) {
      return $invocation->proceed($request->authenticate($user), $response);
    }

    $response->header('WWW-Authenticate', 'Basic realm="Administration"');
    $response->answer(401, 'Unauthorized');
  }
};

// Inside a handler
$handler= new class() implements Handler {
  public function handle($request, $response) {
    $user= $request->user();

    // ...
  }
};

from web.
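The following is an added, framework-free PHP 8 example that is not code from xp-forge/web or from the comment author. It puts together the two header-based mechanisms from the list two comments up (Basic: look up by username and verify the password; Token: look up by token) with the User model and the authenticate-or-401 filter flow sketched in the comment above. The `Users` store, its fixture data, `parse_authorization`, `authenticate_request` and `challenge` are assumptions made for the example; the XP `Request`, `Response`, `Filter` and `Secret` classes are deliberately not used so that it runs stand-alone. It handles the edge cases the sketch glosses over: a missing or malformed header, invalid base64, credentials without a colon, and passwords that contain a colon.

```php
<?php
declare(strict_types=1);

/** Minimal user model in plain PHP, mirroring the proposed User class */
final class User {
  public function __construct(private string $id, private array $roles) { }
  public function id(): string { return $this->id; }
  public function roles(): array { return $this->roles; }
  public function hasRole(string $role): bool { return in_array($role, $this->roles, true); }
}

/** In-memory store (constructed for this example): password_hash() digests and SHA-256 token digests, never plaintext */
final class Users {
  private array $byName= [];
  private array $byTokenDigest= [];
  private string $dummyHash;

  public function __construct() {
    // Used when the username is unknown so that a failed lookup costs the same as a failed verify
    $this->dummyHash= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
  }

  public function add(User $user, string $password, ?string $token= null): self {
    $this->byName[$user->id()]= ['hash' => password_hash($password, PASSWORD_DEFAULT), 'user' => $user];
    if (null !== $token) $this->byTokenDigest[hash('sha256', $token)]= $user;
    return $this;
  }

  /** Basic: look up by username, verify password. Null on failure. */
  public function authenticate(string $username, string $password): ?User {
    $entry= $this->byName[$username] ?? null;
    $ok= password_verify($password, $entry['hash'] ?? $this->dummyHash);
    return ($ok && null !== $entry) ? $entry['user'] : null;
  }

  /** Token: compare digests with hash_equals so comparison time does not depend on where they differ */
  public function byToken(string $token): ?User {
    $digest= hash('sha256', $token);
    foreach ($this->byTokenDigest as $stored => $user) {
      if (hash_equals($stored, $digest)) return $user;
    }
    return null;
  }
}

/** Splits an Authorization header into [scheme, credentials]; null when absent, unknown scheme or malformed */
function parse_authorization(?string $header): ?array {
  if (null === $header || !preg_match('/^(Basic|Token)[ ]+([A-Za-z0-9+\/=._~-]+)[ ]*$/i', $header, $m)) return null;
  return [ucfirst(strtolower($m[1])), $m[2]];
}

/** Resolves the Authorization header to a User, or null if the request is not authenticated */
function authenticate_request(Users $users, ?string $header): ?User {
  $parsed= parse_authorization($header);
  if (null === $parsed) return null;
  [$scheme, $credentials]= $parsed;

  if ('Basic' === $scheme) {
    // Strict decoding rejects garbage; require a separator, then split on the first ':' only
    $decoded= base64_decode($credentials, true);
    if (false === $decoded || false === strpos($decoded, ':')) return null;
    [$username, $password]= explode(':', $decoded, 2);
    return $users->authenticate($username, $password);
  }
  return $users->byToken($credentials);
}

/** Headers for the 401 answer when authentication fails (realm name is an assumption) */
function challenge(): array {
  return ['WWW-Authenticate' => 'Basic realm="Administration"', 'Status' => '401 Unauthorized'];
}

// Usage with constructed fixture data; the password deliberately contains colons
$users= (new Users())->add(new User('alice', ['admin']), 'p:ss:word', 'tok_' . str_repeat('a', 32));

foreach ([
  'Basic ' . base64_encode('alice:p:ss:word'),   // valid, password with ':' inside
  'Basic ' . base64_encode('alice:wrong'),       // wrong password
  'Basic ' . base64_encode('alice'),             // no separator
  'Basic %%%not-base64%%%',                      // malformed
  'Token tok_' . str_repeat('a', 32),            // valid token
  'Token tok_' . str_repeat('b', 32),            // unknown token
  null,                                          // header absent
] as $header) {
  $user= authenticate_request($users, $header);
  echo str_pad(var_export($header, true), 60), ' => ', $user ? $user->id() . ' admin=' . var_export($user->hasRole('admin'), true) : '401 ' . challenge()['WWW-Authenticate'], "\n";
}
```

Only the first and fifth headers resolve to `alice`; every other case ends in the 401 branch. The `?api_token=` query parameter variant from the list is intentionally left out: tokens in URLs end up in access logs, browser history and Referer headers, so the header form is the one to prefer.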

thekid commented on June 18, 2024

Now in https://github.com/xp-forge/web-auth

from web.
