Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paragon Initiative:
Implementing Secure User Auth in PHP Applications with Long-Term Persistence
Jul 23, 2015 @ 10:14:23

On the Paragon Initiative blog there's a post showing you how to implement secure authentication with long term persistence (a secure "remember me" essentially) in a PHP application

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

He starts with a look at passwords - how to correctly hash them, how salts play into it and some suggestions about password policies. From there he gets into the "remember me" handling, giving two common problems with most systems: insufficient randomness and timing leaks (timing attack issues). He then proposes a different kind of solution, storing some additional information in the database record, a "selector" that's not timing dependent to find the record then use a timing attack safe method to compare the hashes. He ends the post with a brief look at account recovery and some things to watch out for if you plan to implement it.

tagged: secure authentication application longterm persistence

Link: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Rob Allen:
Custom OAuth2 authentication in Apiiglity
Jul 21, 2015 @ 09:05:49

In an article posted to his site Rob Allen shows you how to hook in the OAuth2 authentication for an Apigility-based application with a pre-existing database table structure that may not match the defaults Apigility is looking for.

I have a client that's writing an Apigility API that needs to talk to a database that's already in place. This also includes the users table that is to be used with Apigility's OAuth2 authentication. Getting Apigility's OAuth2 integration to talk to a specific table name is quite easy. [...] However, if you want to use different column names, that's a bit trickier as they are hardcoded in the OAuth2StoragePdo class. To get Apigility's OAuth2 components to look at the correct columns, you create your own OAuth2 Adapter. I chose to extend ZFOAuth2AdapterPdoAdapter which extends OAuth2StoragePdo and go from there.

He includes the code for this extension of the PdoAdapter (a "OAuth2Adapter" class) in the post showing the definitions of the get user, set user and check password methods the OAuth2 flow needs to match users to OAuth sessions. He also includes the code for the "OAuth2AdapterFactory" class that's used to pull the custom PDO adapter class into Apigility and, along with some configuration changes, make it available for use. Then it's just a simple matter of changing the authentication type in the Apigility UI.

tagged: apigility oauth2 authentication custom factory pdo adapter oauth tutorial

Link: http://akrabat.com/custom-oauth2-authentication-in-apiiglity/

Matt Stauffer:
Using Github authentication for login with Laravel Socialite
Jul 17, 2015 @ 10:17:25

In a tutorial posted to his site Matt Stauffer shows you how to integrate Laravel with GitHub's authentication to link a user's profile to your application, made possible through the Socialite package.

Laravel's Socialite package makes it simple to authenticate your users to Facebook, Twitter, Google, LinkedIn, GitHub and Bitbucket. You can authenticate them for the purpose of connecting their pre-existing user account to a third-party service, but you can also use it as your primary login mechanism, which we'll be talking about here. I'm working on a new little micro-SaaS that is purely dependent on GitHub in order to operate, so there's no reason to set up any user flow other than just GitHub.

He starts with just a bit of insight into the overall flow of an OAuth connection with an application (which this is) and the pieces involved. Next he helps you get Socalite installed and working with your Laravel application. With this in place he shows you how to create a simple GitHub application and configure your Laravel instance with the provided client ID/secret and redirect URL. He adds in some routes to handle the two page requests and the controller methods to process the input. He makes a simple "users" migration to hold user information and a model to match. Finally he shows the result, stepping through the authorization flow, complete with screenshots.

tagged: laravel github social authentication login socalite package tutorial

Link: https://mattstauffer.co/blog/using-github-authentication-for-login-with-laravel-socialite

KnP University:
Introducing Guard: Symfony Security with a Smile
Jul 14, 2015 @ 09:15:05

The KNP University site has a post that talks about a new library they've created (and matching tutorial series) about an easier method to handle authentication in your Symfony applications: Guard.

Symfony’s authorization system - the stuff related to voters and roles - is awesome. It’s simple, it kicks butt, and it’s one of my favorite things, just behind fresh-baked cookies.

But then there’s that other part: authentication. This is how you login: maybe with a form or via OAuth, like Facebook login. This part is probably the single worst part of Symfony. It’s over-engineered, hard to customize and no fun to work with. [...] This problem was screaming for a solution. If we could make Symfony’s authentication system simple and fun, the whole security system would go from a pain, to a powerful tool.

The library they've created, Guard centralizes the authentication handling into one place (via an interface) and makes the basics of authentication handling simpler. In their tutorial they walk you through the use of Guard as a part of a bundle complete with examples of login form and API token authentication handling. He ends the post with a quick comment about a "secret goal" he has to try to have Guard included in symfony itself.

tagged: guard symfony authentication library bundle tutorial simple

Link: http://knpuniversity.com/blog/guard-authentication

Scotch.io:
Token-Based Authentication for AngularJS and Laravel Apps (continued)
Jul 06, 2015 @ 11:57:54

Scotch.io has posted the second part of their series (here's part one) continuing their look at using tokens for authentication in an AngularJs+Laravel application. They pick up where they left off in the previous part and focus on adding more of the systems around the token.

In the tutorial on Scotch.io we created a new app called jot-bot to look at how to implement token-based authentication in AngularJS and Laravel by using jwt-auth and Satellizer together. On the Laravel side, jwt-auth let’s us generate JSON web tokens when the user inputs their credentials. [...] There were a few things for a complete authentication solution that we didn’t get to in the last tutorial, including: Setting the logged-in user’s data (such as name and email address) and their authentication status, a way to redirect the user to the login page if they become logged out and how to log the user out and the implications of token-based authentication on logout.

He starts by updating the AuthenticateController to handle getting the authenticated user based on the token information. He also adds the matching route and show the kind of data it should return. He then switches to the Angular side and creates the controller to hook into the backend and get the current user information. The tutorial then shows how to relay user information back to the view and what it might look like. He then goes through a similar process for adding the logout handling including redirecting the user when logged out. Finally, he shows how to initialize the user on the frontend when the application loads, pulling the data from localstorage and checking for a valid existing session.

tagged: scotchio token authentication angularjs laravel application series part2

Link: http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/

Laravelista.com:
JSON Web Token Authentication for Lumen
Jun 29, 2015 @ 12:07:36

The Laravelista.com site has a new tutorial posted showing you how to integrate JSON Web Tokens (JWT) into a Lumen application. JWTs provide a simple, portable way to share authentication and session information in a more robust way than just a single randomly generated token.

This is my third post on how to build an API with Fractal, but in this post I will be focusing on authentication using JWT (JSON Web Tokens). [...] In Build an API with Lumen and Fractal I have shown you a way of creating an API using Lumen and Fractal. In this post we will continue with the same project called Treeline and implement authentication and protected routes. Also at the very end of the post is a small chapter on when to use Lumen over Laravel.

They make use of the tymon/jwt-auth library to handle the actual JWT functionality including a service provider making it simple to integrate. They talk about "improving Lumen" by adding a configuration directory for the JWT package to put its configuration file. From there they add in the necessary facades and configuring the library itself. Next comes the actual authentication handling that, post login, generates the token and resending it along with each response. Finally, they show you how to set up the protection on routes and verifying the token contents on each request.

tagged: lumen tutorial jsonwebtoken jwt tutorial integration provider authentication

Link: http://laravelista.com/json-web-token-authentication-for-lumen/

Luciano Mammino:
Symfony security: authentication made simple (well, maybe!)
Jun 04, 2015 @ 10:36:41

Luciano Mammino has a quick post to his site with information that tries to help make Symfony authentication simple (well, maybe).

The Symfony2 security component has the fame of being one of the most complex in the framework. I tend to believe that's partially true, not because the component is really that complex, but because there are (really) a lot of concepts involved and it may be difficult to understand them all at once and have a clear vision as a whole.

[...] Going back to the Symfony2 security component, the point is that I found out difficult at first glance to get a clear idea of what is going on behind the scenes and what I need to write to create a custom authentication mechanism. So in this post I will try to collect few interesting resources that helped me understanding it better and a graph I drawn to resume what I learned.

He provides a good list to some of the other resources that helped him along the way including several blog posts and links to the Symfony "cookbooks" about creating custom providers. He also shares a graph showing the full flow of the Symfony authentication process including commentary about each step.

tagged: symfony authentication simple resources graph flow provider

Link: http://loige.co/symfony-security-authentication-made-simple/

NetTuts.com:
Using Laravel 5's Authentication Facade
May 19, 2015 @ 11:26:34

The NetTuts.com site has a new tutorial posted today sharing more information about the authentication facade in Laravel 5 and how to use it to implement simple, custom authentication handling.

Authentication is a part of almost all the web applications you work with. It's really boring to keep repeating all the boilerplate code in every project. Well, the good news is Laravel 5 rids you of this boredom by providing a ready-to-use authentication facade. All you need to do is configure and customize the authentication service provider to your project's needs. In this quick tip, I am going to show you exactly how to do that.

It's a seven step process to get things up and running (it sounds like a lot but all the code is provided):

  • Setting Up the Environment
  • Setting Up the Migrations
  • Configuring the Registrar Service
  • Updating the User Model
  • Updating the View
  • Securing Your Routes
  • Modifying the Default Authentication Routes

Each step includes the code needed and a brief summary of what's happening and how it effects the overall authentication setup. He also ends the post with a brief mention of the "password reset" email functionality and where the content for that email is located.

tagged: laravel5 authentication facade custom tutorial database

Link: http://code.tutsplus.com/tutorials/using-laravel-5s-authentication-facade--cms-23461

SitePoint PHP Blog:
Symfony2 Registration and Login
May 11, 2015 @ 09:55:57

The SitePoint PHP blog continues their series looking at authentication and authorization in a Symfony2 application with part two of their series. This time author Taylor Ren focuses on the registration and login systems for your users.

In part 1, we discussed the basics of setting up a security system in our app (database and security.yml settings). We also covered the pre-registration stage where a user verifies their invitation status with the app. In this article, we will talk about registration, logins and post-login actions.

He starts with the registration side of things, showing how to create a simple form asking for a username, password (and confirming it), a homepage URL and email address. He shows how to link it to a User instance and render the form out to a Twig template. Once the request is submitted the user is created, including encoding (bcrypt) of the password. Next up is the login form that's linked to the "AuthenticationSuccessHandler" for post-success handling. The tutorial finishes off with a piece of code showing how to redirect the user back to their requested URL once authenticated.

tagged: symfony2 series part2 authentication register login tutorial

Link: http://www.sitepoint.com/symfony2-registration-login/

SitePoint PHP Blog:
Symfony2 Pre-registration and Invite System
May 07, 2015 @ 08:25:48

The SitePoint PHP blog has kicked off a new series of posts today with part one of a set of tutorials showing you how to create a registration and invitation system with Symfony2. While they've talked about general Symfony2 development before, this series will focus more on the security side, on authentication and authorization.

In this article series of two parts, we are going to talk about a very important area of web application development: Authentication and Authorization. Symfony2 has a very detailed elaboration of these two topics in its official documentation. Anyone who is seriously looking into this is encouraged to read through that official document after absorbing the essentials from this tutorial.

The author starts with a brief list of common user management tasks including registration via a form, sending confirmation emails and verifying the user's login. He helps you create the underlying "user" table (complete with the SQL) and talks a bit about the contents of a few of the columns. He includes the settings you'll need to put into your "security.yml" configuration file and a bit of detail on what each section and its settings mean. He then moves on to the "User" entity and class file, adding some functionality to the standard generated class. He also includes the code needed to create the invite and registration actions.

tagged: registration invite system symfony2 tutorial user management authentication authorization

Link: http://www.sitepoint.com/symfony2-pre-registration-invite-system/