
Matt Stauffer:
Multiple authentication guard drivers (including API) in Laravel 5.2
Jan 25, 2016 @ 09:24:31

Matt Stauffer has a new post in his series on the features of the latest version of the Laravel framework (v5.2), this time looking at authentication guard drivers and how 5.2 lets you run more than one at once.

Let's get back to Laravel 5.2 features, shall we? 5.2 introduced a significant boost to the power of the entire authentication system, including making it much simpler to have multiple "guards" running at once. The default authentication guard in Laravel prior to 5.2 (now named the web guard) is your traditional web-based application authentication layer: username and password post to a controller. [...] But what if you want to have an API running in the same app, and it uses JSON web tokens (or some other stateless, non-session authentication mechanism)? In the past you'd have to jump through a lot of hoops to have multiple authentication drivers running at the same time.

He shows how to edit the auth.php configuration file to add more "guard" instances alongside the default request handling. He also covers the new driver that backs the "api" guard, the token driver, briefly introducing it and explaining how it fits into the current authentication setup. Finally, he looks at the changes you can make to use non-default drivers in your auth requests and how to set up your own custom drivers.

tagged: multiple authentication api token guard driver tutorial laravel

Link: https://mattstauffer.co/blog/multiple-authentication-guard-drivers-including-api-in-laravel-5-2

NetTuts.com:
WP REST API: Setting Up and Using OAuth 1.0a Authentication
Jan 15, 2016 @ 10:54:12

The NetTuts.com site has a new tutorial posted showing you how to work with the authentication of the WordPress REST API and using its OAuth 1.0a handling. This is part three in their series of tutorials introducing the WordPress REST API.

In the previous part of the series, we set up basic HTTP authentication on the server by installing the plugin available on GitHub by the WP REST API team. [...] For using authentication on production servers, there needs to be a more secure way of sending authenticated requests without risking exposing the login credentials. Thanks to the OAuth authentication method, those requests can be sent without exposing the username and the password in an unsafe manner.

In the current part of the series, we will learn to set up and use the OAuth authentication method to be used with the WP REST API plugin.

They start the tutorial with a brief look at what OAuth is and how it's used to authenticate the end user/client/software/etc. They then walk through the flow of a simple OAuth-based authentication system and the pieces that make it up. Then the article gets into how to install the plugin for your WordPress instance and activate it from the command line. They show how to test that it's enabled and how to use a command line client to create tokens you can then use to access the API in your own clients.

tagged: wordpress tutorial wpapi api rest oauth authentication series part3

Link: http://code.tutsplus.com/tutorials/wp-rest-api-setting-up-and-using-oauth-10a-authentication--cms-24797

NetTuts.com:
WP REST API: Setting Up and Using Basic Authentication
Jan 08, 2016 @ 11:37:58

On the NetTuts.com site there's a tutorial posted showing you how to set up and use basic authentication in the WordPress REST API. This is part two in their series introducing the WordPress REST API.

In the introductory part of this series, we had a quick refresher on REST architecture and how it can help us create better applications. [...] In the current part of the series, we will set up a basic authentication protocol on the server to send authenticated requests to perform various tasks through the REST API.

They talk about the authentication methods that are available and how to configure your server and WordPress instance to use basic authentication. From there they show how to make authenticated requests to the API using various tools:

  • Postman
  • a JavaScript framework (jQuery)
  • the command line via curl
  • using the WP HTTP API

Example code and screenshots are provided for each (where appropriate) helping to ensure you're up and working quickly.

tagged: wordpress rest api tutorial authentication basic postman javascript commandline

Link: http://code.tutsplus.com/tutorials/wp-rest-api-setting-up-and-using-basic-authentication--cms-24762

SitePoint PHP Blog:
Easier Authentication with Guard in Symfony 3
Dec 22, 2015 @ 09:49:03

The SitePoint PHP blog has posted a new tutorial from author Daniel Sipos showing Symfony users how to do easier authentication with Guard, a newer component introduced to the framework to take some of the complexity out of the process.

The Symfony2 security system is a complex part of the framework, one that is difficult to understand and work with for many people. It is very powerful and flexible, however not the most straightforward.

[...] With the release of version 2.8 (and the much awaited version 3), a new component was accepted into the Symfony framework: Guard. The purpose of this component is to integrate with the security system and provide a very easy way for creating custom authentications. It exposes a single interface, whose methods take you from the beginning to the end of the authentication chain: logical and all grouped together.

He starts off with the configuration changes you'll need to add/make to use the Guard component, defining an "in memory" admin user type. He shows how to define the firewall to use a Guard form authenticator and update the security configuration with the path matches and related roles. He then gets into the controller side of things, defining a loginAction and a simple username/password form in the matching view. Finally, he updates the services configuration for the authenticator and creates the full FormAuthenticator class to go along with it. He then explains each piece of this puzzle and how it all works together to make the authentication happen.

tagged: authentication guard symfony3 tutorial easy introduction security

Link: http://www.sitepoint.com/easier-authentication-with-guard-in-symfony-3/

SitePoint PHP Blog:
Basic User Management in Symfony2 with FOSUserBundle
Nov 17, 2015 @ 12:44:05

The SitePoint PHP blog has a tutorial posted looking to help you manage your application's users via the Symfony2 FOSUserBundle. This bundle provides much of the basic user functionality (creation, login, etc) in an easy-to-drop-in package for your Symfony 2 application.

Symfony has a very powerful authentication and authorization system, which can cater to a lot of our needs out of the box. FOSUserBundle is a library built on top of Symfony’s security system, which provides functionality such as registration, login, password resets, etc. It has built in support for MongoDB, as well as ORMs such as Doctrine, Propel, etc.

The tutorial walks you through the setup of a new Symfony 2 application (living on a Homestead instance), grabbing the FOSUserBundle code via Composer and pulling it into the project. They help you configure the application's security via the security.yml file and create the base user class and matching database table. From there they talk about customizing the default templates that come with the bundle (Twig) and how to handle email verification of new accounts as well as user logins and forgot-password features. The tutorial ends with an example template showing the user's profile information, including username, email address and an "edit" link.

tagged: tutorial user management fosuserbundle symfony2 authentication

Link: http://www.sitepoint.com/basic-user-management-in-symfony2-with-fosuserbundle/

Joshua Sampia:
CORS Slim PHP Setup
Nov 05, 2015 @ 10:38:47

In this post to his site Joshua Sampia shows how to set up and configure CORS in your Slim-based application. CORS, or Cross-Origin Resource Sharing, lets you control which origins can access your application from the browser and set some requirements around the ones that can.

Ok, another PHP post but this time it’s about setting up some middleware for a slim PHP application.

Let me set this up. We are building a simple REST API for use with a basic phone native app (both Android and iOS). Me being new to this, I wasn’t sure if the native app domain call is considered cross browser or not, plus there are some outside companies we are working with who MAY access the API as well. [...] I set up some middleware by extending the Slim Middleware class and adding them via the app.

He talks about the steps he had to take to set up an AccessControlOrigin middleware (and two others requiring HTTPS and HTTP Basic Auth). He includes the simple code to send the HTTP headers required to support CORS on the response object, and the update to his JavaScript to include credentials with every request.

tagged: cors slim framework security middleware https httpbasic authentication crossorigin

Link: http://joshuasampia.com/2015/11/05/cors-slim-php-setup/

Cees-Jan Kiewiet:
Github auth token on TravisCI
Sep 24, 2015 @ 11:42:01

In a post to his site Cees-Jan Kiewiet shows you how to get an authentication token from GitHub to use in your testing on the Travis-CI continuous integration service.

The composer cache greatly speeds up your composer part of the build by only going to Github for new downloads. When combined with test lowest, current, and highest possible on Travis you only reach out to Github for new versions. Most likely to happen during the highest possible set of builds, but also when you've updated composer.*. This normally isn't an issue unless you hit Github's rate limit. And since composer is running on a 'public' travis box with a 'public' IP address that has been used by many builds before it there is a very very high chance it already hit the 60 requests per hour limit.

[...] To counter this problem we have to set a Github authentication token as an environment variable in Travis for each project. And update .travis.yml so the token is used by composer.

He walks you through the steps you'll need to get a token of your very own:

  • Go to the Settings section on your GitHub account
  • Generate a new Personal Access Token
  • Add the token to the Travis-CI account you're using for your builds
  • Update your .travis.yml configuration with the token information

Each step includes either a screenshot of where to go or the configuration example you'll need to use (like in the yml file).

tagged: github authentication token travisci ratelimit

Link: http://blog.wyrihaximus.net/2015/09/github-auth-token-on-travis/

SitePoint PHP Blog:
Removing the Pain of User Authorization with Sentinel
Sep 21, 2015 @ 14:23:10

The SitePoint PHP blog has posted a tutorial showing you how to "take the pain out of user authorization" with the help of Sentinel, a package from Cartalyst that already includes functionality for both user authorization and authentication.

Most non-basic multi-user applications need some roles and permission levels. If you ever used WordPress, you must have noticed that they have a super admin, admin, editor, author, etc. Simplifying the development and integration of a permission system is what Cartalyst’s Sentinel package is trying to accomplish. The package provides an API for dealing with users, groups, permissions, etc. In this article, we’ll use it to create a small demo app.

They walk through the creation of a simple Slim framework application, installing it, Sentinel and other suggested packages via Composer. They then help you run the migrations to create the necessary tables and set up a basic front controller file. From there they configure Twig templating and the Illuminate database connection, and finally add a Sentinel instance to the application's DI container. They include code to help you create roles for "user" and "admin". The tutorial then shows how to create a login and registration form, send a registration email, create permissions and activate users. Finally they build a simple administration page that hides functionality from normal users.

tagged: tutorial authentication authorization sentinel cartalyst slim illuminate

Link: http://www.sitepoint.com/removing-the-pain-of-user-authorization-with-sentinel/

Paragon Initiative:
Implementing Secure User Auth in PHP Applications with Long-Term Persistence
Jul 23, 2015 @ 10:14:23

On the Paragon Initiative blog there's a post showing you how to implement secure authentication with long-term persistence (essentially a secure "remember me" feature) in a PHP application.

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

He starts with a look at passwords - how to correctly hash them, how salts play into it and some suggestions about password policies. From there he gets into the "remember me" handling, pointing out two common problems with most systems: insufficient randomness and timing leaks (timing attack issues). He then proposes a different kind of solution: store an additional "selector" value in the database record so the record can be looked up without a timing-sensitive comparison, then compare the hashes with a timing-attack-safe comparison. He ends the post with a brief look at account recovery and some things to watch out for if you plan to implement it.

tagged: secure authentication application longterm persistence

Link: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Rob Allen:
Custom OAuth2 authentication in Apigility
Jul 21, 2015 @ 09:05:49

In an article posted to his site Rob Allen shows you how to hook in the OAuth2 authentication for an Apigility-based application with a pre-existing database table structure that may not match the defaults Apigility is looking for.

I have a client that's writing an Apigility API that needs to talk to a database that's already in place. This also includes the users table that is to be used with Apigility's OAuth2 authentication. Getting Apigility's OAuth2 integration to talk to a specific table name is quite easy. [...] However, if you want to use different column names, that's a bit trickier as they are hardcoded in the OAuth2\Storage\Pdo class. To get Apigility's OAuth2 components to look at the correct columns, you create your own OAuth2 Adapter. I chose to extend ZF\OAuth2\Adapter\PdoAdapter which extends OAuth2\Storage\Pdo and go from there.

He includes the code for this extension of the PdoAdapter (an "OAuth2Adapter" class) in the post, showing the definitions of the get user, set user and check password methods the OAuth2 flow needs to match users to OAuth sessions. He also includes the code for the "OAuth2AdapterFactory" class that's used to pull the custom PDO adapter class into Apigility and, along with some configuration changes, make it available for use. Then it's just a simple matter of changing the authentication type in the Apigility UI.

tagged: apigility oauth2 authentication custom factory pdo adapter oauth tutorial

Link: http://akrabat.com/custom-oauth2-authentication-in-apiiglity/