Auth « DerEuroMark

RSS

Posts Tagged ‘Auth’

Auth – inline authorization the easy way

07 Apr

I wrote a wrapper class to make inline authorization easier.
Often times you want to check on certain roles inside an action or view and depending on the result display specific content or execute specific code.
As an example we only want to display the "admin infos" box on the home screen for an admin. All other users should not see this box.

Status quo

We would need to check the session manually against the roles we want to grant access to. This can get pretty hairy with more than one role allowed (if admins and moderators are allowed to see this box for example).

Preparations

We first need to make the class usable by putting this in our /Config/bootstrap.php:

// these IDs match the role_ids in the DB
define('ROLE_SUPERADMIN', '1');
define('ROLE_ADMIN', '2');
define('ROLE_MOD', '3');
define('ROLE_USER', '4');
// enable the Auth class
App::uses('Auth', 'Tools.Lib');

I like to use constants as they are shorter than Configure::read('admin') etc. But Configure would work just as fine.

Be aware: Since we already try to access the Tools plugin you need to assert first, that we enabled the Tools Plugin (using CakePlugin::loadAll() or a specific load call).

Then we need to decide whether we use single role (cake default) or multi role Authorization. I usually always use multi-roles. Therefore the default case for the Auth class is exactly this.
The session then contains:

Auth.User.Role (with Role being an array of role ids)

If you use single roles, you’re Session array should look like this:

Auth.User.role_id (with role_id being the single role we want to check against)

In this case you should set the following constant manually in your bootstrap:

define('USER_ROLE_KEY', 'role_id');

"Former" usage

For comparison I will outline the manual and "outdated" way of authorization first:

# we want to make sure that piece is only visible to admins and moderators
if ($this->Session->read('Auth.User.role_id') == ROLE_ADMIN || $this->Session->read('Auth.User.role_id') == ROLE_MOD) {}
# or with multi-role
if (in_array(ROLE_ADMIN, (array)$this->Session->read('Auth.User.Role')) || in_array(ROLE_MOD, (array)$this->Session->read('Auth.User.Role'))) {}

Quite a lot to write…

Note: This also only works in controller/component and view/helper scope. You would have to use the static CakeSession::read() in order to make this work in the model/behavior one etc.

Usage

Now the fun part. The wrapper class can be found in the Tools Plugin.

# Same thing as above
if (Auth::hasRoles(array(ROLE_ADMIN, ROLE_MOD)) {}

Now isn’t that nicer to write and read?

The default case is that if one of the roles is matched it will return true right away. If you want to connect them with AND instead of OR, you need to make the second param false:

# This only passed if the user has both roles!
if (Auth::hasRoles(array(ROLE_ADMIN, ROLE_MOD), false) {}

If we only want to check against a single role we could also use the shorthand:

if (Auth::hasRole(ROLE_MOD) {}

Advanced usage

You can also pass in the roles you want to check against. This can be useful if you want to check somebody else’s roles (and not your session roles). This can come in handy in CLI (command line / shell) environment and also in the admin backend.

if (Auth::hasRole(ROLE_MOD, $rolesOfThisUser) {}

And

if (Auth::hasRoles(array(ROLE_MOD, ROLE_USER), true, $rolesOfThisUser) {}

And there is more

There are also some convenience methods available.

Instead of $uid = $this->Session->read('Auth.User.id') you can just write

$uid = Auth::id(); // anywhere in your application

The roles can be fetched like this:

$myRoles = Auth::roles(); // string in single-role and array in multi-role context

Last but not least the user data:

$user = Auth::user(); // complete user array
$username = Auth::user('username'); // string: current username
...

Final notes

Although this wrapper can be used about anywhere in your application with ease does not mean one should do that.
Try to avoid using the auth (and therefore session) data in the model layer, for instance. Those should be kept state-less.
But I also know that there are cases where it is pretty convenient to ignore this warning 🙂

Disclaimer

Just for clarification: This class does not provide you with the Authentication or Authorization. This has to be up and running already. It is only a wrapper to check user roles a more efficient and cleaner way.

So if you need to setup a fresh authentication, you can just use the cake Form authenticate for example. If you want multi-role authorization you would want to throw in some additional spices:
You would need to write the Role array to your session upon successful login for the authorization module to work. See the above notes on how the session data array should look like.

For a new authorization take a look at my TinyAuth. It can handle single and multi role auth and those classes work well together (yeah – they have been designed to do that, of course^^).

No Comments

Posted in CakePHP

Qlogin – Quicklogins für CakePHP

08 Feb

Have you ever thought how nice it would be to send emails with an url that automatically logs you in?
Especially for a messaging system this can be quite handy: One click in the notification email and you can answer right away.

How does it work?

Here an example with a notification email:

$text = 'You got mail!'.PHP_EOL;
if (!isset($this->Qlogin)) {
	$this->Qlogin = ClassRegistry::init('Tools.Qlogin');
}
$text .= $this->Qlogin->url(array('admin'=>false, 'plugin'=>false, 'controller'=>'conversations', 'action'=>'view', $conversation['Conversation']['id'])), $user['User']['id']).PHP_EOL;
//send email

We create a quicklink using the url where the user should be redirect to after the login as first param and the actual user_id to authenticate with as second param.
Pretty straight forward.
Let’s say, the generated url is http://domain/qlogin/1234567890 .

Once the user clicks on the link, the "go" action of the QloginController gets triggered and tries to find the corresponding user as well as target url. If found, the user is logged in and directly passed on to the desired page.
Note: If the user is already logged in, he will be redirected immediately (skipping the login).

I added this to my routes.php

Router::connect('/qlogin/*', array('plugin'=>'tools', 'controller' => 'qlogin', 'action'=>'go'));

in order to result in the above url which is pretty short and convenient.

The code

Its available at github (currently only for 2.x): Tools plugin.
You need the model as well as the controller.

Some notes

The Module is still pretty basic. But it works flawlessly with my setup. I would like your feedback on it, though.
AuthComponent::login() should respect the scope you defined as well as the default redirect urls.
Right now I am trying out the Qlogins in combination with AutoLogin – if those cookies don’t intefere. But it seems to work fine.

Dependencies

Model Token (@see article) (to store the tokens) as well as the url validation method and get() of my MyModel (can also be put into your AppModel).
And since it is deeply integrated in my usual everyday apps it also requires at least the CommonComponent of the Tools plugin. For the optional admin backend there are more dependencies.
So basically you need:

//AppController
public $components = array('Tools.Common');
//AppModel
App::uses('MyModel', 'Tools.Lib');
class AppModel extends MyModel {}

Of course you may through out any methods you don’t need.

And you can always cherry-pick the stuff you specifically want to use.

No Comments

Posted in CakePHP

More persistent sessions in Cake2.x

02 Feb

This has been an issue for me way too long.
I always hated the fact that users are logged out almost every few hours. Compared to other sites on the www it was ridiculously short, no matter how long you set timeout and cookieTimeout in core settings.

I looked into it more than twice in the last year coming up with almost nothing. After many hours of investigating I just postponed it again for times unknown.
It should be said that debugging the session/cookie based stuff – here Authentication – is quite a difficult past. Many things play into it making it hard to reproduce the issue.

The cake documentation also doesn’t tell us, that for php sessions to work this long it is also required to raise the internal max_lifetime. I stumpled across this by accident. Always thought this would be taken care of by cake itself.
But after switching to database as session container I didn’t notice any improvements either. So the server side garbage collector maybe wasn’t responsible after all. At least not all alone.

So, to sum it up:

Setting up timeouts was a waste of time
Security level, as well (I just left it at low)
Moving from php/cake to database didn’t work either – although it provides little more control
Raising the php.ini settings for gc_maxlifetime didn’t work too well, either

I still get logged out after totally different lengths. Sometimes minutes, sometimes a few hours. It never lasts much longer.
Not only a deadly problem for a social network running with Cake.

I tried multiple times to add an encrypted cookie as RememberMe functionally (to quicklogin such a logged out user again). But I failed – as I later found out due to a PHP bug with srand/mt_srand and suhosin (details).
Thanks to miles’ post regarding this bug I took a step forward and decided to take action (a lot of users have been complaining about unexplainable logouts the past months anyway).

Another not quire related problem is, that PHP (or Cake) stores the session cookies with a fixed expiring date. This date doesnt get updated with every request and therefore at some point will make the session cookie invalid. Nothing you can do about it at the moment…

AutoLogin? A way out?

I finally – after putting up with it for many years – adjusted Miles’ great spadework with his AutoLogin component to work with my apps.

Basically, this component saves the user data to a cookie on login. As soon as the session gets lost again (for whatever reason!?) the component re-logins the user. It happens silently without bothering the user.

The code can be found in my Tools plugin (the standalone rep. is deprecated).

Usage and Features

After successfully running it in a few cake2.x apps, I want to share the basic HOWTO.
The only required thing to do is adding the component globally in AppController:

public $components = array('Session', 'RequestHandler', 'AutoLogin', 'Auth', ...);

It is important to include it before any AuthComponent to avoid getting any "not logged in" error messages triggered by it.

You can use /Config/configs.php (or any other Configure place) to define its settings:

$config['AutoLogin'] = array(
	'controller' => 'account',
	'username' => 'login',
	'requirePrompt' => false
	... //see the component for details on other options
);

Please use the last one with caution. If requirePrompt is disabled you use AutoLogin for ALL logins. This requires users to always log out correctly in public places (especially in internet cafes this can be quite dangerous as others opening the site could hijack this logged in user even after several days). So make sure you use is only for sites where all users are properly informed and educated on this.

So for the default case you will need to add a checkbox into your login form:

if (Configure::read('AutoLogin.active')) {
	echo $this->Form->input('auto_login', array('type'=>'checkbox', 'label'=>__('Remember on this computer')));
}

That’s it.
You can easily test it using database sessions and truncating the session table after login.
It should log the user right back in as well as creating the new session table row. If everything is working right, the user shouldn’t even notice that he wasn’t logged in for a split second.

The if statement is optional. I use it to dynamically enable/disable the component based on the environment.
But if you use it, make sure you defined active as true in Configure.

Getting rid of the suhosin bug
As explained by Miles in the above links, most linux apache environments come with the suhosin patch which messes up srand by default. My localhost WAMP doesn’t. So there it worked right away. But to get it to work on the linux environment, all there is to do is:
In your /etc/php5/apache2/php.ini add this line at the bottom:

suhosin.srand.ignore = Off

And don’t forget to restart apache or at least /etc/init.d/apache2 force-reload.

TIP: I added a test case for this bug (see test file in the rep). Run it on every environment if you are not sure whether it is affected or not.

More tips
If you want to disable AutoLogin for specific sites you can simply set active to false for this site in your configs or dynamically in the controllers’ constructor.
Remember: Since you need to include it before Auth etc you cannot dynamically add it to the list of components. But you can always disable the included component this way 🙂

The debug mode is on auto-detect by default. If you develop locally (debug > 0) you have it enabled right away. But, of course, you can overwrite this value in your configs.

Another important setting is expires – it defaults to 2 weeks but can also easily be adjusted.

Alternatives

In 2.x there now are alternatives, as well. One is to use a custom CookieAuthenticate adapter for this.

Update 2013-06: Insight in the Cake session handling

Took me a while to realize how the sessions work in detail. Now I finally got it 🙂
I have to point out that using the above without knowing what you are doing will most likely just cloak the issue – or treat the symptoms.
It will work. But wouldn’t it be nice if it was working without the above remember me functionality?

For that we first have to understand how sessions are generated, validated and re-newed on page click:

User visits the first time, session cookie will be generated (valid x seconds) and session timeout will be stored (y seconds)
User clicks again: Of course we raise the session lifetime (valid y + z more seconds now) – stored inside the cookie as value
Cookie itself does not get a new lifetime, though (still x seconds). That is a limitation in the cookie handling itself. This timeout limit is fixed.

Now that makes it pretty clear that even if you raise your session limit to years, if your cookie lifetime reaches the limit (it has been created with), the session will be destroyed either way.
Thus it is vital to understand that you want a high session limit and an even way higher cookie lifetime here for the settings to make sense:

Configure::write('Session', array(
	'defaults' => 'php',
	'timeout'  => 14400,  // 4 hours, refers to 'session.gc_maxlifetime' in PHP settings
	'cookieTimeout' => 10 * 14400, // 20 hours, refers to 'session.cookie_lifetime' in PHP settings 
	// ...
));

Both values are set as minutes in CakePHP config.

With this the user is logged out if he has

not shown any session (click, ajax) activity for consecutive 4 hours
has reached the 20 hours cookie timeout (independent from your activity)

And as this will log him out after those 20 hours either way, it might make sense to set this limit to a huge value (months for example) or combine it again with the above remember me functionality.

So again:

'session.gc_maxlifetime' => relative value, will be raised on activity
'session.cookie_lifetime' => absolute value, can only be set at the beginning of the session

And don’t forget to check your ini settings regarding session.gc_divisor and session.gc_probability to make sure the garbage collector does his work once it a while.

Hope that clears things up.

14 Comments

Posted in CakePHP

TinyAuth – The fastest and easiest authorization for CakePHP

18 Dec

Note: This is for CakePHP 2.x, for 3.x please see the bottom of the article.

The CakePHP built in row based CRUD auth is way too powerful and way too slow and memory consuming.
In 99% of all cases there is no need for that. Also, I never really used the groups + roles of the core ACL. Basic groups usually do the trick.

If you just want to have some basic control over the access to specific actions, you need something else.
Here it comes.

Demo (NEW)

A live implementation can be found in my fun app cakefest.
Note how lean and clean the User model and the controllers are. Separation of concerns. DRY. Cool 😛

Preparations

Please make sure the Tools Plugin is properly loaded (see the plugin readme for details).
If you plan on using prefixed routing (admin, …), enable those in your core.php or bootstrap.php.

I assume you already got the AuthComponent included in the $components array of your AppController.
You probably also excluded all public views with something like

$this->Auth->allow('contact_form'); // in beforeFilter() of the specific controllers

This here (in the contact controller) makes Auth skip this action completely. The action will be accessible to everybody right away.

This is especially important for your login/register actions:

// UsersController
public function beforeFilter() {
	parent::beforeFilter();
	$this->Auth->allow('login', 'logout', 'register', ...);
}

Those actions should never trigger any Authorize module. All other actions then use our ACL to determine if access is granted or not.

You probably got a Role model (User belongsTo Role / User hasAndBelongsToMany Role) attached to the User.
If you don’t want this, use Configure to store your keys like so:

// in your config.php if applicable or using Configure::write('Role', array(...))
$config['Role'] = array(
	// slug => identifier (unique magical number or maybe better a constant)
	'superadmin' => 1,
	'admin' => 2,
	'moderator' => 3,
	'helper' => 4,
	'user' => 5,
);

You should at least have a user – and maybe an admin role – for it to make sense.
The advantage here: At any time you can switch from Configure to a Role model + roles table and vice versa without having to change much.

You must also have some kind of Authentication in your AppController:

$this->Auth->authenticate = array('Form'); // Uses username and password for login

Important: At least one type of authentication is necessary for any Authorize module to be usable.

So far so good. You can login/logout and once you are logged in browse all non-public pages.
Even admin pages, of course. Thats where the TinyAuth class comes in.

TinyAuth

The code can be found at github.

First of all include it in your beforeFilter() method of the AppController:

$this->Auth->authorize = array('Tools.Tiny');

Alternatively, you could pass it as component settings right away:

public $components = [
        ...
        'Auth' => [
            'loginRedirect' => ...,
            'logoutRedirect' => ...,
            'authenticate' => ['Form'],
            'authorize' => ['Tools.Tiny']            
        ],
];

Now create a file in /Config/ called acl.ini like so:

[Tools.Countries]
* = superadmin ; this is a comment
[Account]
edit,change_pw = *
[Activities]
admin_index,admin_edit,admin_add,admin_delete = admin,superadmin
index = *
[Users]
index,search = user
* = moderator,admin

The format is normal PHP INI style. I already included all kind of examples. * is a placeholder for "any".
The plugin prefix for controllers is not necessary as of now (maybe for CakePHP 3 where the same controller name is allowed multiple times due to PHP5.3 namespaces).
Comments in INI files start with ";".

Explanations:

Superadmin can access all Countries actions of the Tools plugin
Account actions are accessible by all roles (and therefore logged in persons)
Activities can be modified by all admins and listed by all (logged in persons)
Users can search and list other users, but only moderators and admins have access to all other actions

That’s it. Really easy, isn’t it?

Some details

TinyAuth expects a Session Auth User like so:

Auth.User.id
Auth.User.role_id (belongsTo - role key directly in the users table)

or so:

Auth.User.id
Auth.User.Role (hasAndBelongsToMany - multi role array containing all role keys)

As you can see it can manage both single and multiple role setup.
That’s something the core one lacks, as well.

The current configuration is cached in the persistent folder by default. In development mode (debug > 0) it will be regenerated all the time, though. So remember that you have to manually clear your cache in productive mode for changes to take effect!

For more insight into the different role setups see this Wiki page.

Quicktips

If you have a cleanly separated user/admin interface there is a way to allow all user actions to users right away;

$this->Auth->authorize = array('Tools.Tiny' => array('allowUser' => true));

Only for admin views the authorization is required then.

If you got a "superadmin" role and want it to access everything automatically, do this in the beforeFilter method of your AppController:

$userRoles = $this->Session->read('Auth.User.Role');
if ($userRoles && in_array(Configure::read('Role.superadmin'), $userRoles)) {
	// Skip auth for this user entirely
	$this->Auth->allow('*'); // cake2.x: `$this->Auth->allow();` without any argument!
}

What about login/register when already logged in

That is something most are neither aware of, nor does the core offer a out-of-the-box solution.
Fact is, once you are logged in it is total nonsense to have access again to login/register/lost_pwd actions.
Here comes my little trick:

// In your beforeFilter() method of the AppController for example (after Auth adapter config!)
$allowed = array('Users' => array('login', 'lost_password', 'register'));
if (!$this->Session->check('Auth.User.id')) {
	return;
}
foreach ($allowed as $controller => $actions) {
	if ($this->name === $controller && in_array($this->request->action, $actions)) {
		// Flash message - you can use your own method here - or CakePHP's setFlash() - as well
		$this->Common->flashMessage('The page you tried to access is not relevant if you are already logged in. Redirected to main page.', 'info');
		return $this->redirect($this->Auth->loginRedirect);
	}
}

It is also visible in the linked CakeFest app demo.

UPDATE 2012-01-10

The auth model can now be anything you like. It doesn’t have to be Role or role_id.
The new CakePHP 2.x uses "groups" per default.
You can easily adjust that now by passing aclModel => 'Group' or aclKey => 'group_id' to the Tiny class, for instance.

UPDATE 2013-03-10

Some will be happy to hear that the deeper "contained" Role array is now supported besides the flat array of role keys. This deep/verbose array of roles has been introduced in CakePHP 2.2 with the new "contain" param for Auth. So it made sense to support this in TinyAuth. See the test case for details.

UPDATE 2013-06-25

A new option allowAdmin makes it now possible to use TinyAuth even with less configuration in some cases. True makes the admin role access any admin prefixed action and together with allowUser (allows all logged in users to allow non admin prefixed URLs) this can be used to set up a basic admin auth. No additional configuration required except for the adminRole config value which needs to be set to the corresponding integer value.
Of, course, you can additionally allow further actions. But if you just need to quickly enable an admin backend, this could be the way to go.

Notes

NOTE 2012-02-25

It seems that especially new-beys seem to mix up the meaning of * in the ACL. Although it is already laid out in the above text I will try to make it more clear:
This any placeholder for "roles" only refers to those users that are logged in. You must not declare your public actions this way!
All those must be declared in your controller using $this->Auth->allow() (in earlier versions of CakePHP `$this->Auth->allow(‘*’)).

The reason is that Authenticate comes before Authorize. So without Authentication (logged in) there will never be any Authorization (check on roles).

NOTE 2013-02-12

You can use this in conjunction with my Auth class for a quick way to check on the current user and its role(s) anywhere in your application:

App::uses('Auth', 'Tools.Lib'); // In your bootstrap (after plugin is loaded)
if (Auth::id()) {
	$username = Auth::user('username');
	// do sth
}
if (Auth::hasRole(Configure::read('moderator'))) { // if you used configure slugs
	// do sth
}
if (Auth::hasRoles(array(ROLE_ADMIN, ROLE_MODERATOR)) { // if you used configure and constants instead of magic numbers
	// do sth
}

See the inline class documentation or the test cases for details.

Upcoming

A shell to quickly modify the INI file (and batch-update for new controllers etc) should be ready some time soon.

There might some day also the possibility to use some CRUD backend to manage the ACL (either via database or modifying the INI file).
If someone wants to help, go for it.

2014-09: CakePHP 3.0

With the release of CakePHP 3.0 I upgraded the TinyAuth code and moved it into an own repository.
Please see the wiki page there for docs and migration guide.

64 Comments

Posted in CakePHP

CakePHP Sandbox
- Try it out now!
Search the site
Search
Support this site
Tags
Access ACL Auth Authentication Authorization Bake Behavior Bootstrap CakePHP CakePHP1.3 CakePHP2 CakePHP3 Coding Standards Component Composer Console Custom Template Database date Debian Git Helper HTML5 IDE Lib Migration Model Passwords PHP PHP5 PHP5.4 PHPUnit Placeholder Plugin redirect Security Subversion SVN Testing Tips Unit-Tests Upgrade Validation XHTML XSS
Categories
- Common (6)
- VersionControl (7)
  - Git (2)
  - SVN (5)
- WebDevelopment (137)
  - HTML (2)
  - JS (2)
    - jQuery (2)
  - MySQL (1)
  - PHP (130)
    - CakePHP (115)
  - Testing (5)
Recent Posts
Recent Comments
- Christian on Helper? Component? Lib? CakePHP2
- Gio on ACL – Access Control Lists – revised
- Erik Oberhausen on Queue – Deferred execution in CakePHP
- Oliver Dev on What REALLY speeds up your cakephp app
- Mark on Developing CakePHP 3+ Plugins, it’s fun!
Calendar
June 2018

M T W T F S S

« Apr

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30
Archives
Archives
Pages
Popular Posts
Bookmark this
Facebook Google+ Twitter Pinterest

Delicious Digg Fark Google Instapaper LinkedIn MySpace Newsvine Pocket Readability Reddit StumbleUpon Tumblr Yahoo!

DerEuroMark

Posts Tagged ‘Auth’

Auth – inline authorization the easy way

Status quo

Preparations

"Former" usage

Usage

Advanced usage

And there is more

Final notes

Disclaimer

Qlogin – Quicklogins für CakePHP

How does it work?

The code

Some notes

Dependencies

More persistent sessions in Cake2.x

AutoLogin? A way out?

Usage and Features

Alternatives

Update 2013-06: Insight in the Cake session handling

TinyAuth – The fastest and easiest authorization for CakePHP

Demo (NEW)

Preparations

TinyAuth

Some details

Quicktips

What about login/register when already logged in

UPDATE 2012-01-10

UPDATE 2013-03-10

UPDATE 2013-06-25

Notes

NOTE 2012-02-25

NOTE 2013-02-12

Upcoming

2014-09: CakePHP 3.0

CakePHP Sandbox

Search the site

Support this site

Tags

Categories

Recent Posts

Recent Comments

Calendar

Archives

Pages

Popular Posts

Bookmark this