Auth0 Blog:
Creating your first Symfony app and adding authentication
Aug 03, 2016 @ 12:36:21

In this new post to the Auth0 blog Prosper Otemuyiwa shows you how to create a first Symfony framework based application and add in authentication with the included Guard functionality.

Symfony is a PHP framework, made up of a lot of decoupled and reusable components. It's a framework that promotes standardization and professionalism, supports best practices and interoperability of applications. In this tutorial, I'll show you how easy it is to build a web application with Symfony and add authentication to it without banging your head on a wall! Check out the repo to get the code.

He starts with a brief overview of the most commonly used components the framework is made up of and its concept of "bundles". He then helps you create your first Symfony application, explains its basic structure and starts setting up controllers. Then come the authentication and user validation pieces: registration handling, user functionality and the related database storage. Next he sets up the application's routes, applies the authentication handling to them and finishes out the views for output. He ends the post with a look at the profiler debug bar, how Symfony compares to other frameworks and how to optionally integrate Auth0 if you choose.

tagged: auth0 symfony introduction basics tutorial authentication integration

Link: https://auth0.com/blog/creating-your-first-symfony-app-and-adding-authentication/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend (using JSON Web Tokens)
Jun 06, 2016 @ 11:50:29

In a follow up to his previous post about sharing authentication information between socket.io and PHP, Gonzalo Ayuso has posted an updated method using JSON Web Tokens instead.

I’ve written a previous post about Sharing authentication between socket.io and a PHP frontend but after publishing the post a colleague (hi @mariotux) told me that I can use JSON Web Tokens (jwt) to do this. I had never used jwt before so I decided to study a little bit.

JWTs are pretty straightforward. You only need to create the token and send it to the client. You don’t need to store this token within a database. The client can decode and validate it on its own.

He updates the code from the previous post, showing how to replace the HTTP basic authentication with JWT handling. He uses a simple JWT library to encode the claims into the token on the PHP side and to decode and validate them in the socket.io server when the token arrives as part of the request.

tagged: socketio share authentication frontend jwt jsonwebtokens

Link: https://gonzalo123.com/2016/06/06/sharing-authentication-between-socket-io-and-a-php-frontend-using-json-web-tokens/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend
May 16, 2016 @ 10:56:30

In a post to his site Gonzalo Ayuso shows you how to share authentication between a Socket.io server and a PHP frontend running a simple Silex-based application.

Normally, when I work with websockets, my stack is a socket.io server and a Silex frontend. Protecting a PHP frontend with one kind of authentication or another is pretty straightforward. But if we want to use websockets, we need to set up another server and if we protect our frontend we need to protect our websocket server too.

If our frontend is node too (express for example), sharing authentication is easier but at this time we want to use two different servers (a node server and a PHP server). I’ve written about it too but today we'll see another solution.

He sets up a simple Silex application with three routes - the root (/), a login route and a "private" one requiring a user to be logged in. This last route's template opens the connection to the websocket server. The connection sends the current session ID to the backend, where a simple Socket.io middleware verifies it against the PHP session store. Because the session ID cookie is often set as HttpOnly, and therefore unreadable from client-side JavaScript, he also provides an alternative: a new endpoint whose only job is to return the current session ID for use in the websocket request.

tagged: socketio websocket server frontend sharing authentication session silex tutorial

Link: https://gonzalo123.com/2016/05/16/sharing-authentication-between-socket-io-and-a-php-frontend/

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 11:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the library to accomplish it. There are also a few other problems the library solves, including generating encrypted password hashes and whole-file encryption and authentication.

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

Mohamed Said:
Building an API for 3rd party applications
Mar 30, 2016 @ 09:30:31

In this post to his site Mohamed Said shows you how to build an API that allows for easier integration with your content/functionality by 3rd party applications. This example uses the Laravel framework but the ideas could be applied in any framework.

APIs are cool, & laravel can handle all the coolness you may desire. Here we talk about building an API for third party applications and allowing them to communicate with your application on behalf of users.

He starts where any good project should: planning for what features need to be included and the flow of the request/response process. He then walks you through the whole process for setting up the API:

  • Updating the routes for the API request endpoints
  • Creating the new Auth and Home controllers
  • Setting up the migration for the "applications" table
  • Using the firebase/php-jwt library for authentication/authorization handling
  • Registering a token and validating it on the incoming request

He wraps up the post talking about user authentication via a simplified OAuth-ish process flow, making requests using the resulting token and logging the user out (expiring the token).

tagged: api tutorial laravel application integration jwt token authentication authorization

Link: http://themsaid.github.io/laravel-api-3rd-party-20160327/

Matt Stauffer:
Multiple authentication guard drivers (including API) in Laravel 5.2
Jan 25, 2016 @ 09:24:31

Matt Stauffer has a new post in his series looking at the features in the latest version of the Laravel framework (v5.2) with this look at guard drivers and how 5.2 allows you to use more than one at once.

Let's get back to Laravel 5.2 features, shall we? 5.2 introduced a significant boost to the power of the entire authentication system, including making it much simpler to have multiple "guards" running at once. The default authentication guard in Laravel prior to 5.2 (now named the web guard) is your traditional web-based application authentication layer: username and password post to a controller. [...] But what if you want to have an API running in the same app, and it uses JSON web tokens (or some other stateless, non-session authentication mechanism)? In the past you'd have to jump through a lot of hoops to have multiple authentication drivers running at the same time.

He shows how to edit the auth.php configuration file to add more "guard" instances alongside the default request handling. He also covers the new driver that backs the "api" guard: the token driver. He briefly introduces the driver and explains how it works with the current authentication setup. He also looks at the changes needed to use non-default guards in your auth requests and how to set up your own custom drivers.

tagged: multiple authentication api token guard driver tutorial laravel

Link: https://mattstauffer.co/blog/multiple-authentication-guard-drivers-including-api-in-laravel-5-2

NetTuts.com:
WP REST API: Setting Up and Using OAuth 1.0a Authentication
Jan 15, 2016 @ 10:54:12

The NetTuts.com site has a new tutorial posted showing you how to authenticate against the WordPress REST API using its OAuth 1.0a handling. This is part three in their series of tutorials introducing the WordPress REST API.

In the previous part of the series, we set up basic HTTP authentication on the server by installing the plugin available on GitHub by the WP REST API team. [...] For using authentication on production servers, there needs to be a more secure way of sending authenticated requests without risking exposing the login credentials. Thanks to the OAuth authentication method, those requests can be sent without exposing the username and the password in an unsafe manner.

In the current part of the series, we will learn to set up and use the OAuth authentication method to be used with the WP REST API plugin.

They start the tutorial with a brief look at what OAuth is and how it's used to authenticate the end user, client or software on their behalf. They then walk through the flow of a simple OAuth-based authentication system and the pieces that make it up. The article then covers how to install the plugin for your WordPress instance and activate it from the command line. They show how to test that it's enabled and how to use a command line client to create the tokens you can then use to access the API from your own clients.

tagged: wordpress tutorial wpapi api rest oauth authentication series part3

Link: http://code.tutsplus.com/tutorials/wp-rest-api-setting-up-and-using-oauth-10a-authentication--cms-24797

NetTuts.com:
WP REST API: Setting Up and Using Basic Authentication
Jan 08, 2016 @ 11:37:58

On the NetTuts.com site there's a tutorial posted showing you how to set up and use basic authentication in the WordPress REST API. This is part two in their series introducing the WordPress REST API.

In the introductory part of this series, we had a quick refresher on REST architecture and how it can help us create better applications. [...] In the current part of the series, we will set up a basic authentication protocol on the server to send authenticated requests to perform various tasks through the REST API.

They talk about the authentication methods that are available and how to configure your server and WordPress instance to use basic authentication. From there they show how to make authenticated requests to the API using various tools:

  • Postman
  • a JavaScript framework (jQuery)
  • the command line via curl
  • using the WP HTTP API

Example code and screenshots are provided for each (where appropriate) helping to ensure you're up and working quickly.

tagged: wordpress rest api tutorial authentication basic postman javascript commandline

Link: http://code.tutsplus.com/tutorials/wp-rest-api-setting-up-and-using-basic-authentication--cms-24762

SitePoint PHP Blog:
Easier Authentication with Guard in Symfony 3
Dec 22, 2015 @ 09:49:03

The SitePoint PHP blog has posted a new tutorial from author Daniel Sipos showing the Symfony framework users out there how to do easier authentication with Guard, a newer component introduced to the framework to take some of the complexity out of the process.

The Symfony2 security system is a complex part of the framework, one that is difficult to understand and work with for many people. It is very powerful and flexible, however not the most straightforward.

[...] With the release of version 2.8 (and the much awaited version 3), a new component was accepted into the Symfony framework: Guard. The purpose of this component is to integrate with the security system and provide a very easy way for creating custom authentications. It exposes a single interface, whose methods take you from the beginning to the end of the authentication chain: logical and all grouped together.

He starts off with the configuration changes you'll need to add/make to use the Guard component, defining an "in memory" admin user type. He shows how to define the firewall to use a Guard form authenticator and update the security configuration with the path matches and related roles. He then gets into the controller side of things, defining a loginAction and a simple username/password form in the matching view. Finally, he updates the services configuration for the authenticator and creates the full FormAuthenticator class to go along with it. He then explains each piece of this puzzle and how it all works together to make the authentication happen.

tagged: authentication guard symfony3 tutorial easy introduction security

Link: http://www.sitepoint.com/easier-authentication-with-guard-in-symfony-3/

SitePoint PHP Blog:
Basic User Management in Symfony2 with FOSUserBundle
Nov 17, 2015 @ 12:44:05

The SitePoint PHP blog has a tutorial posted looking to help you manage your application's users via the Symfony2 FOSUserBundle. This bundle provides much of the basic user functionality (creation, login, etc.) in an easy-to-drop-in package for your Symfony 2 application.

Symfony has a very powerful authentication and authorization system, which can cater to a lot of our needs out of the box. FOSUserBundle is a library built on top of Symfony’s security system, which provides functionality such as registration, login, password resets, etc. It has built in support for MongoDB, as well as ORMs such as Doctrine, Propel, etc.

The tutorial walks you through the setup of a new Symfony 2 application (living on a Homestead instance), grabbing the FOSUserBundle code via Composer and pulling it into the project. They help you configure the application's security via the security.yml file and create the base user class and matching database table. From there they talk about customizing the default Twig templates that come with the bundle and how to handle email verification of new accounts as well as user login and forgot-password features. The tutorial ends with an example template showing the user's profile information, including username, email address and an "edit" link.

tagged: tutorial user management fosuserbundle symfony2 authentication

Link: http://www.sitepoint.com/basic-user-management-in-symfony2-with-fosuserbundle/