
Alison Gianotto:
Demystifying Custom Auth in Laravel 5
Nov 21, 2016 @ 11:49:17

Alison Gianotto (a.k.a. Snipe) has a new post on her site talking about custom authentication in Laravel-based applications including built-in functionality and how you can override it to your needs.

I’m a big fan of Laravel. I use it in most of my personal and professional projects, and for the most part it really does make coding fun for me again. One of the things Laravel tries to do (similar to Rails) is to build in the most repetitive things a developer would have to do, for example a user registration/login/forgotten password system.

[...] In each of my current Laravel apps, auth works just a tiny bit differently. Add to that the fact that a few of them were pulled forward from Laravel version 4.2, and things can get confusing and messy. [...] Laravel makes this really, really easy – they just don’t document how to do it very well.

She starts by mentioning the "fresh" install version of building out the auth pieces (php artisan make:auth) but points out that, if a more "hybrid" system is needed, a bit more work is required. She shows you the routes that are created in the "make:auth" process and how/where you need to modify things to customize it to your system. She illustrates with some of her own changes including code examples.

tagged: laravel tutorial custom authentication framework

Link: http://snipe.net/2016/11/demystifying-custom-auth-in-laravel-5/

Scotch.io:
Laravel Social Authentication with Socialite
Nov 17, 2016 @ 12:17:41

The Scotch.io site has posted a tutorial for the Laravel users out there showing you how to use the Socialite package in your application to make authentication handling with external services simpler.

Laravel introduced a built in Authentication module in version 5.2. To set this up, you just have to run php artisan make:auth and everything is generated for you, from the views to the controllers and the routes.

[...] And that is a great thing. However, this command will only make you a traditional login. In most sites nowadays when signing up, users have the option of signing up with a social provider such as Facebook. In this tutorial, I will teach you how to add multiple social providers to a Laravel app using Socialite package. For this tutorial we will add Facebook, Github and Twitter signups.

They start off with a new Laravel application (though you can use your current one), set up a new database and create a custom "users" table that includes "provider" information. The User model is then updated to allow this data to be populated and the "make:auth" command is run. The Socialite package is then included and the application is configured to register its service provider. The tutorial then steps you through creating GitHub, Twitter and Facebook applications and getting the keys needed to drop into your app's configuration. Finally they update the login/registration pages with the social login buttons and show how they now "magically" work.

tagged: tutorial socalite authentication laravel github twitter facebook

Link: https://scotch.io/tutorials/laravel-social-authentication-with-socialite

SitePoint PHP Blog:
2FA in Laravel with Google Authenticator – Get Secure!
Nov 01, 2016 @ 10:47:02

On the SitePoint PHP blog there's a tutorial posted by Christopher Thomas showing you how to integrate two-factor authentication into your Laravel application with a Google Authenticator-compatible library, adding a second layer of protection beyond a single username/password check.

In this tutorial, we will use Laravel and Google Authenticator to demonstrate how to implement 2FA in a webapp. Google Authenticator is just one implementation of the Time-Based One-Time Password (TOTP) algorithm, RFC 6238. This industry standard is used in a lot of various 2FA solutions.

[...] How the TOTP works is that the server generates a secret key. This secret key is then passed to the user. The secret key is used in combination with the current Unix timestamp to generate a six digit number, using a keyed-hash message authentication code (HMAC) based algorithm. This six digit number is the OTP. It changes every 30 seconds.

They start with a clean slate, building a new Laravel project and including the libraries needed for the 2FA support: pragmarx/google2fa and paragonie/constant_time_encoding. You then add the provider to Laravel's config, build out the models/tables to hold the two-factor information and add a few routes to handle the validation steps. They also include the details of building out the controllers, updating the AuthController for the new step in the authentication flow and handling the code validation. The code for all of this (as well as the views) is included, along with screenshots showing the setup and usage of the two-factor handling in the standard authentication flow.
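To make the "HMAC over a 30-second counter" step concrete, here is an added example (not code from the SitePoint tutorial, and not the pragmarx/google2fa API it uses) that computes RFC 6238 TOTP by hand in plain PHP, checks itself against the SHA-1 test vectors from the RFC's Appendix B, and verifies a user-supplied code with one step of clock drift allowed. The Base32 encoder is included only so the secret can be shown in the otpauth:// form an authenticator app expects; the user name and issuer in the URI are placeholders.

```php
<?php
declare(strict_types=1);

// Added example: RFC 4226 HOTP / RFC 6238 TOTP written out by hand so the
// "HMAC of a time counter" step is visible. A real app should use a maintained
// library (the tutorial uses pragmarx/google2fa); this is for illustration only.

/** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);                       // 64-bit big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $secret, true);    // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;                     // low nibble of the last byte
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)       // mask the sign bit
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); the code changes every $step seconds. */
function totp(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($timestamp, $step), $digits);
}

/**
 * Verify a code the user typed, accepting the previous and next step to tolerate
 * clock drift. Every candidate is compared in constant time and the loop never
 * exits early, so timing does not reveal which step matched.
 */
function verifyTotp(string $secret, string $userCode, int $timestamp, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $timestamp + $i * 30), $userCode)) {
            $ok = true;
        }
    }
    return $ok;
}

/** RFC 4648 Base32 (unpadded) so the raw secret can be put in an otpauth:// URI. */
function base32Encode(string $bytes): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

// Self-check against RFC 6238 Appendix B (secret "12345678901234567890", SHA-1, 6 digits).
$rfcSecret = '12345678901234567890';
$vectors   = [59 => '287082', 1111111109 => '081804', 1234567890 => '005924'];
foreach ($vectors as $t => $expected) {
    $got = totp($rfcSecret, $t);
    printf("t=%d totp=%s %s\n", $t, $got, $got === $expected ? 'OK' : 'MISMATCH');
}

// Enrolling a user: 20 random bytes, stored server-side and shown once to the user.
// "Example" and "alice" are placeholder issuer/account names.
$userSecret = random_bytes(20);
echo 'otpauth://totp/Example:alice?secret=' . base32Encode($userSecret) . "&issuer=Example\n";

// Login: a code generated one step ago is still accepted because of the drift window.
$now = time();
var_dump(verifyTotp($userSecret, totp($userSecret, $now - 30), $now)); // bool(true)
```

Two things the window does not give you and that a production flow still needs: remember the last counter each user successfully used and refuse it again, so a captured code cannot be replayed inside the 30-second step, and rate-limit the verification endpoint, since a six-digit code is only a million possibilities.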

tagged: tutorial google authenticator security laravel twofactor authentication

Link: https://www.sitepoint.com/2fa-in-laravel-with-google-authenticator-get-secure/

Auth0 Blog:
Creating your first Symfony app and adding authentication
Aug 03, 2016 @ 12:36:21

In this new post to the Auth0 blog Prosper Otemuyiwa shows you how to create a first Symfony framework based application and add in authentication with the included Guard functionality.

Symfony is a PHP framework, made up of a lot of decoupled and reusable components. It's a framework that promotes standardization and professionalism, supports best practices and interoperability of applications. In this tutorial, I'll show you how easy it is to build a web application with Symfony and add authentication to it without banging your head on a wall! Check out the repo to get the code.

He starts with a brief overview of some of the components the framework is made up of (the most commonly used ones) and its concept of "bundles". He then helps you create your first Symfony application, explains its basic structure and starts setting up controllers. Then come the authentication and user validation pieces: registration handling, user functionality and creating the related database storage. Next up is setting up the routes for the application, applying the authentication handling and finishing out the views for output. He ends the post with a look at the profiler debug bar, how Symfony compares to other frameworks and how to optionally integrate the Auth0 functionality if you choose.

tagged: auth0 symfony introduction basics tutorial authentication integration

Link: https://auth0.com/blog/creating-your-first-symfony-app-and-adding-authentication/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend (using JSON Web Tokens)
Jun 06, 2016 @ 11:50:29

In a follow up to his previous post about sharing authentication information between socket.io and PHP, Gonzalo Ayuso has posted an updated method using JSON Web Tokens instead.

I’ve written a previous post about Sharing authentication between socket.io and a PHP frontend, but after publishing the post a colleague (hi @mariotux) told me that I can use JSON Web Tokens (jwt) to do this. I had never used jwt before, so I decided to study a little bit.

JWTs are pretty straightforward. You only need to create the token and send it to the client. You don’t need to store this token within a database. The client can decode and validate it on its own.

He updates the code from the previous post, showing how to replace the HTTP basic authentication with the JWT functionality. He makes use of some simple JWT library handling to encode/decode the claims when the token is made a part of the request.
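The whole point of the follow-up is that the PHP side and the socket.io side only need to share a secret, not a session store. As an added example (not Gonzalo's code, and not the JWT library he uses), this is an HS256 token issued and verified by hand, with the checks a verifier must make: a pinned algorithm, a constant-time signature comparison and expiry. The key, the subject name and the five-minute lifetime are constructed values.

```php
<?php
declare(strict_types=1);

// Added example: minimal HS256 JWT issue/verify to show what the PHP frontend
// signs and what the socket.io middleware has to check. Use a maintained library
// in production; this exists to make the verification steps explicit.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $padded  = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true); // strict: reject stray chars
    return $decoded === false ? '' : $decoded;
}

/** Issue a token: header.payload.signature, each part base64url, signature = HMAC-SHA256. */
function jwtEncode(array $claims, string $key): string
{
    $header  = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64UrlEncode(json_encode($claims));
    $sig     = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

/**
 * Verify a token and return its claims, or null if anything is wrong.
 * The verifier decides the algorithm; the "alg" header is only checked, never obeyed.
 */
function jwtDecode(string $jwt, string $key, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    $header = json_decode(base64UrlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;                                   // wrong or missing algorithm
    }

    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, base64UrlDecode($s))) {
        return null;                                   // signature mismatch (constant time)
    }

    $claims = json_decode(base64UrlDecode($p), true);
    if (!is_array($claims)) {
        return null;
    }
    if (isset($claims['exp']) && $now >= $claims['exp']) {
        return null;                                   // expired
    }
    if (isset($claims['nbf']) && $now < $claims['nbf']) {
        return null;                                   // not yet valid
    }
    return $claims;
}

// The shared secret both servers hold (constructed here; in practice read from config).
$key = random_bytes(32);
$now = time();

// PHP frontend, after the user has logged in: a short-lived token naming the user.
$token = jwtEncode(['sub' => 'alice', 'iat' => $now, 'exp' => $now + 300], $key);
echo $token, "\n";

// socket.io side: same key, same checks.
var_dump(jwtDecode($token, $key, $now));           // array with sub/iat/exp
var_dump(jwtDecode($token, $key, $now + 600));     // NULL: expired

// A payload edited in transit no longer matches the signature.
[$h, $p, $s] = explode('.', $token);
$edited = base64UrlEncode(json_encode(['sub' => 'mallory', 'iat' => $now, 'exp' => $now + 300]));
var_dump(jwtDecode("$h.$edited.$s", $key, $now));  // NULL: signature mismatch
```

On the Node side the same secret verifies the token with a library such as jsonwebtoken, and the important setting is the same as in `jwtDecode` above: pass an explicit list of allowed algorithms (`{ algorithms: ['HS256'] }`) rather than letting the token's own header choose. Keeping the lifetime short matters because, as the excerpt says, nothing is stored server-side, so there is no list to revoke a token from before it expires.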

tagged: socketio share authentication frontend jwt jsonwebtokens

Link: https://gonzalo123.com/2016/06/06/sharing-authentication-between-socket-io-and-a-php-frontend-using-json-web-tokens/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend
May 16, 2016 @ 10:56:30

In a post to his site Gonzalo Ayuso shows you how to combine authentication between Socket.io and a PHP frontend running a simple Silex-based application.

Normally, when I work with websockets, my stack is a socket.io server and a Silex frontend. Protecting a PHP frontend with one kind of authentication or another is pretty straightforward. But if we want to use websockets, we need to set up another server, and if we protect our frontend we need to protect our websocket server too.

If our frontend is node too (express for example), sharing authentication is easier, but this time we want to use two different servers (a node server and a PHP server). I’ve written about it too, but today we’ll see another solution.

He sets up a simple Silex application with three routes - the root (/), a login route and a "private" one requiring a user to be logged in. This last route makes the connection to the websocket server in the template. This connection sends the current session ID to the backend where it's verified with a simple Socket.io middleware. Sometimes the session ID cookie will be set as HttpOnly so he provides an alternative for that: a new endpoint just for getting the current session ID for the websocket request.

tagged: socketio websocket server frontend sharing authentication session silex tutorial

Link: https://gonzalo123.com/2016/05/16/sharing-authentication-between-socket-io-and-a-php-frontend/

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 11:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the tool to accomplish it. There's also a few other problems that are solved by using the library including generating encrypted password hashes and whole file cryptography.

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite

Mohamed Said:
Building an API for 3rd party applications
Mar 30, 2016 @ 09:30:31

In this post to his site Mohamed Said shows you how to build an API that allows for easier integration with your content/functionality by 3rd party applications. This example uses the Laravel framework but the ideas could be applied in any framework.

APIs are cool, and Laravel can handle all the coolness you may desire. Here we talk about building an API for third party applications and allowing them to communicate with your application on behalf of users.

He starts where any good project should: planning for what features need to be included and the flow of the request/response process. He then walks you through the whole process for setting up the API:

  • Updating the routes for the API request endpoints
  • Creating the new Auth and Home controllers
  • Setting up the migration for the "applications" table
  • Using the firebase/php-jwt library for authentication/authorization handling
  • Registering a token and validating it on the incoming request

He wraps up the post talking about user authentication via a simplified OAuth-ish process flow, making requests using the resulting token and logging the user out (expiring the token).

tagged: api tutorial laravel application integration jwt token authentication authorization

Link: http://themsaid.github.io/laravel-api-3rd-party-20160327/

Matt Stauffer:
Multiple authentication guard drivers (including API) in Laravel 5.2
Jan 25, 2016 @ 09:24:31

Matt Stauffer has a new post in his series looking at the features in the latest version of the Laravel framework (v5.2) with this look at guard drivers and how 5.2 allows you to use more than one at once.

Let's get back to Laravel 5.2 features, shall we? 5.2 introduced a significant boost to the power of the entire authentication system, including making it much simpler to have multiple "guards" running at once. The default authentication guard in Laravel prior to 5.2 (now named the web guard) is your traditional web-based application authentication layer: username and password post to a controller. [...] But what if you want to have an API running in the same app, and it uses JSON web tokens (or some other stateless, non-session authentication mechanism)? In the past you'd have to jump through a lot of hoops to have multiple authentication drivers running at the same time.

He shows how to edit the auth.php configuration file to add more "guard" instances to the default request handling. He also talks about the new driver that backs the "api" guard: the token driver. He briefly introduces the driver and talks about how it works with the current authentication setup. He also looks at changes you can make to use non-default drivers in your auth requests and how to set up your own custom drivers.
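As an added illustration (not taken from Matt Stauffer's post), this is a trimmed config/auth.php for Laravel 5.2 with the stock session-backed "web" guard and a second, stateless "api" guard on the token driver. It assumes the default App\User Eloquent model and a users table that has been given an api_token column; the route snippet in the trailing comment is likewise an assumption about how the guard would be wired up.

```php
<?php
// Added example: config/auth.php for Laravel 5.2 with two guards side by side.
// Everything except the second guard is what a fresh 5.2 install ships with.

return [
    'defaults' => [
        'guard'     => 'web',       // used when no guard is named, e.g. Auth::user()
        'passwords' => 'users',
    ],

    'guards' => [
        // Browser logins: username/password posted to a controller, state kept in the session.
        'web' => [
            'driver'   => 'session',
            'provider' => 'users',
        ],
        // API clients: no session; the token driver matches the presented token
        // against the users.api_token column (assumed to exist, see note below).
        'api' => [
            'driver'   => 'token',
            'provider' => 'users',
        ],
    ],

    'providers' => [
        'users' => [
            'driver' => 'eloquent',
            'model'  => App\User::class,
        ],
    ],

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'email'    => 'auth.emails.password',
            'table'    => 'password_resets',
            'expire'   => 60,
        ],
    ],
];

// Wiring (assumed placement in app/Http/routes.php): name the guard in the middleware
// so these routes never fall back to the session guard, and resolve the user explicitly.
//
//   Route::group(['middleware' => 'auth:api', 'prefix' => 'api'], function () {
//       Route::get('/me', function () {
//           return Auth::guard('api')->user();
//       });
//   });
```

Two practical notes on the token driver. The value in api_token is compared as stored, so it must be generated with a cryptographic source (`str_random(60)` in 5.2 is fine) and treated like a password, and the column should be unique. The driver will accept the token from a query parameter as well as from an `Authorization: Bearer` header; prefer the header in clients, because query strings end up in access logs and browser history.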

tagged: multiple authentication api token guard driver tutorial laravel

Link: https://mattstauffer.co/blog/multiple-authentication-guard-drivers-including-api-in-laravel-5-2

NetTuts.com:
WP REST API: Setting Up and Using OAuth 1.0a Authentication
Jan 15, 2016 @ 10:54:12

The NetTuts.com site has a new tutorial posted showing you how to work with the authentication of the WordPress REST API and using its OAuth 1.0a handling. This is part three in their series of tutorials introducing the WordPress REST API.

In the previous part of the series, we set up basic HTTP authentication on the server by installing the plugin available on GitHub by the WP REST API team. [...] For using authentication on production servers, there needs to be a more secure way of sending authenticated requests without risking exposing the login credentials. Thanks to the OAuth authentication method, those requests can be sent without exposing the username and the password in an unsafe manner.

In the current part of the series, we will learn to set up and use the OAuth authentication method to be used with the WP REST API plugin.

They start the tutorial with a brief look at what OAuth is and how it's used to authenticate the end user/client/software/etc. They then walk through the flow of a simple OAuth-based authentication system and the pieces that make it up. Then the article gets into how to install the plugin for your WordPress instance and activate it from the command line. They show how to test that it's enabled and how to use a command line client to create tokens you can then use to access the API in your own clients.

tagged: wordpress tutorial wpapi api rest oauth authentication series part3

Link: http://code.tutsplus.com/tutorials/wp-rest-api-setting-up-and-using-oauth-10a-authentication--cms-24797