codeigniter-ion-auth's Introduction

Ion Auth 4

The future of authentication

by Ben Edmunds

Simple and lightweight authentication for your CodeIgniter apps.

Note, this version is meant to be used with CodeIgniter 4 and is not backwards compatible with previous versions. The database is backwards compatible though for those migrating from previous versions.

Server requirements

Ion Auth 4 needs CodeIgniter 4.

Documentation

See USERGUIDE.md file.

Upgrading

See UPGRADING.md file.

Installation

See INSTALLING.md file.

Usage

In the package you will find example usage code in the controllers and views folders. The example code isn't the most beautiful code you'll ever see but it'll show you how to use the library and it's nice and generic so it doesn't require a MY_controller or anything else.

Default Login

Username: [email protected] Password: password

Important

It is highly recommended that you use encrypted database sessions for security!

Support

If you think you've found a bug please Create an Issue.

If you need a customization or help implementing Ion Auth into your project please Email Me for Consulting Information.

If your company would like a support contract or service agreement please Reach Out to discuss available options.

For Help

If you're having an issue with CodeIgniter or for general help with development I recommend checking out the CodeIgniter Forums.

Thanks,
-Ben Edmunds
benedmunds.com
@benedmunds

codeigniter-ion-auth's People

Contributors

abitme, adityamenon-exp, aphofstede, appleboy, avenirer, axelay, bbosternak, benedmunds, cweric, dakutree, daparky, datamweb, dentxinho, dgvirtual, draliragab, feldsam, ggallon, indigo744, jrmadsen67, kohtason, marcelod, max-02, michaelbrooks, militis, sepehr, sparky672, suhindra, tagawa, tjoosten, toton333

codeigniter-ion-auth's Issues

CI2 Controller Issue

I saw that in the model you have it set to be CI2.0 compatible, you forgot the Controller tho.

Just add this above where you start the function (just below <?php for all others who do not know what I am talking about by function).

if(!class_exists('Controller')) { class Controller extends CI_Controller {} }

Cheers!

Using configuration in the email.php while sending email

I am not using the normal mail function to send email, nor am I using sendmail. I am using an SMTP server for testing, and now I have to paste the configuration code for the SMTP server, username, password, and etc before every $this->email->initialize(). Is it possible to use the configuration in the email.php file for sending emails throughout ion_auth?

set group association with update_user()

I get unknown column group in field set when I pass array("group" => "group_name") in to update user.

Didn't know if I was going about changing the group of a user wrong?

$this->ion_auth->get_newest_users

Hello,

After I try to use get_newest_users I get this error :(

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group, groups.description AS group_description, meta.first_name, meta.last_name,' at line 1

SELECT users.*, groups.name AS group, groups.description AS group_description, meta.first_name, meta.last_name, meta.company, meta.phone FROM (users) LEFT JOIN meta ON users.id = meta.user_id LEFT JOIN groups ON users.group_id = groups.id ORDER BY users.created_on desc

Forgot Password routine doesn't cater for change of Identity field

Library function forgot_password assumes 'email' for identity.

Fixed with these mods:

        // Get user information
        $user = $this->get_user_by_email($email);

        $data = array('identity'                => $user->{$this->ci->config->item('identity')},
                      'forgotten_password_code' => $user->forgotten_password_code
        );

...and a few lines later...

        $this->ci->email->to($user->email);

Having issues with ion_auth_model->login_remembered_user

Hi

I seem to be having some issues when I've 'remembered' a user and left the application to timeout the session. When I reload an authed page, I get a database error on line 838 of ion_auth_model in the update_last_login function.

I think that the following is happening:

  1. Ion_auth library is autoloaded
  2. __construct() constructor is called
  3. ion_auth.php:114 - $this->ci->ion_auth_model->login_remembered_user(); is called since the if conditions are true
  4. ion_auth_model.php:888 - $this->update_last_login($user->id); is called (I var_dump-ed the $user var at this point and all is working properly so far)
  5. ion_auth_model.php:838 - ->where($this->ion_auth->_extra_where) is added to the query

This is the point of failure - var_dump($this->ion_auth) returns NULL here. Maybe this is because the ion_auth library is still building the instance at this point via __construct(), so it's not been initialized?

Anyway, I've fixed it temporarily by commenting out line 888 of ion_auth_model: $this->update_last_login($user->id);

You must use the "set" method to update an entry.

The error appears when I'm trying to use the update_user method when the data doesn't contain any meta fields. I investigated the code and found the problem in the model.
usage:

$this->ion_auth->update_user((integer)$this->user->id, $data);

example:

    if (!empty($this->columns))
    {
        // 'user_id' = $id
        $this->db->where($this->meta_join, $id);

        foreach ($this->columns as $field)
        {
            if (is_array($data) && isset($data[$field]))
            {
                $this->db->set($field, $data[$field]);
                unset($data[$field]);
            }
        }

        $this->db->update($this->tables['meta']);
    }

if isset($data[$field]) is not true, $this->db->set($field, $data[$field]); is not done, but $this->db->update($this->tables['meta']); is done at the end... then error appears :)

Better listing user?

Maybe I just can't figure it out or something but I am working with pagination to show 15 users per page but I need to be able to pass a $limit and $offset variable and I can't figure out how to modify the library/model to let me. Any thoughts?

I use to retrieve a list of users from another table I have in my database so basically i just need something like this, but I need to be able to retrieve all the data from the meta field as well so I can't just change the name and table name..

    function list_beta($limit, $offset) {
        $this->db->limit($limit, $offset);
        $query = $this->db->get('beta_users');
        return $query->result();
    }

MySQL confused by [`name` AS group] syntax from model->get_user()

I received a database syntax error when calling get_user() or get_user_array() when logged in. Fix seems pretty safe (and sane):

In ion_auth_model.php, changed line 621, function get_users() from:

$this->tables['groups'].'.name AS group',

to:

$this->tables['groups'].'.name AS ' . $this->db->protect_identifiers('group'),

and the same modification on line 402, function profile().

Works great for me now, not sure if my configuration is somehow strange.

  • Snow Leopard 10.6.4
  • PHP 5.3.2
  • MySQL 5.1.50

Advancing Ion Auth to true Auth/ACL

I've recently downloaded Ion Auth and found it to do a great job with the Authorization aspect, but it has very minimal ACL capabilities. The Group functionality should be more robust, allowing for any user to be part of more than one group. Additionally, if Ion Auth is to be a truly robust Auth/ACL solution, there needs to be a full-scale ACL implementation included within it. Something that allows for ACLs to be tied to Groups and then configured individually for each user.

For example:

User:
Joe Cool

Groups:
PHP Coders
Java Coders

ACLs:
PHP Coders -> Read Access to Code Repo
Java Coders -> Read Access to Code Repo, Edit Access to Forum Postings

If Ion Auth had this capability, it would be the schnizzle.

Table definition optimisation

Hi,
In my opinion, the columns salt and password of table "users" should be char(40) as they have constant length. Column "active" should be "tinyint", an int is way too big. The number between parenthesis in int(1) just indicates on how many characters (or numbers) an index should consider. Finally you should add an index on (username, password) columns for faster DB lookup.

I know it's just small optimisations. Sorry to open an "issue" just for that.
Jordan

mysql error again

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'group, groups.description AS group_description, meta.first_name, meta.last_name,' at line 1

SELECT users.*, groups.name AS group, groups.description AS group_description, meta.first_name, meta.last_name, meta.company, meta.phone FROM (users) LEFT JOIN meta ON users.id = meta.user_id LEFT JOIN groups ON users.group_id = groups.id ORDER BY users.created_on desc LIMIT 10

Filename: /Users/slav/Sites/cads/models/ion_auth_model.php

Line Number: 659

It's the same problems as before...

$this->db->select(array(
$this->tables['users'].'.*',
$this->tables['groups'].'.name AS '. $this->db->protect_identifiers('group'),
$this->tables['groups'].'.description AS '. $this->db->protect_identifiers('group_description')
));

This generates SELECT users . * , groups.name AS group ,
Should be:
SELECT users . * , groups.name AS group

function protect_identifiers is for part before AS

Many DB session updates when rendering view partials

Not sure if this is an issue with my code, but it at least begs some looking into:

  • I am using the template library to render pages in partials
  • I notice an awful lot of db session sets for each full page load:
    UPDATE sessions SET last_activity = '1269400780', user_data =
  • It looks like a session update after each view partial is rendered.

Any way to override this manually, or call it manually (i.e. so I can implement a session update after my template wrapper has done its work) ?

Updating User's "group_id"

It's not possible to update user's "group_id" with update_user() function. update_user() function only checks for "username", "password" and "email" but not "group_id". Is there any way to update user's "group_id" with ion_auth?

$this->ion_auth->update_user(1, array('group_id' => 3)); is not working.

In CodeIgniter 2.0 Ion Auth fails

Using a recent copy of the CodeIgniter 2.0 code with Ion Auth causes an error, "Unable to load the requested class: language". This is fixed by changing line 92 in libraries/Ion_auth.php to $this->ci->load->library('lang');. However, this fix is not backwards compatible and thus creates a catch-22. If you could detect whether CI2 is in use or not it would solve the problem.

is_auth not found

In the example controller there is the following call:
elseif( !$this->ion_auth->is_auth() )

and is_auth() does not appear to be defined in library/ion_auth.php

Example out of sync with library perhaps?

Change Password Doesn't Use Stored Salt

I have modded quite a bit of Ion Auth, and my build isn't your most recent... but I believe this is a bug:

The change_password function changes the password fine, but it doesn't account for if you have:

$config['store_salt'] = true;

It doesn't use the stored salt, then the login is broken as the login checks against a password using the stored salt.

Possible problem with extra_where function in libraries > ion_auth.php file.

I could be wrong and I apologize in advance if I'm wasting your time.

The statement :

$where =& func_get_args();

inside this function might always return empty array since the function definition of function calling it has no arguments itself:

public function extra_where()
{
...
$where =& func_get_args();
...
}

Anyways, I found this issue when trying to test the 'activate' function in ion_auth_model.php.
Having said that, I wonder if the definition for the extra_where function should be something like this:
public function extra_where($args)
{
...

where $args contains the array returned by func_get_args(); of the function calling it.

Config items should be in a separate subarray

Auth config items are currently interspersed in the global config - they should be in their own array i.e. CI_Config_Object / Config / ion_auth so as to avoid overwriting other potentially global config elements with the same name.

Forgotten_password_complete error

Passing a bogus code to forgotten_password_complete errors out:

A PHP Error was encountered
Severity: Notice
Message: Trying to get property of non-object

Small bug. Similar to last one.

On the file: libraries/Ion_auth.php on line 210, the code reads:

$this->set_error('forgot_password_successful');

but it should probably say:

$this->set_message('forgot_password_successful');

Since it's a success message.

Suggestion for Meta/Config....maybe...?

I modified my own version of Ion-Auth (great product btw *:thumbs_up:*) and thought I might suggest it here to see if it is useful to you, or if I am doing something tremendously wrong. :)

I was thinking that perhaps the users_meta table might be better served with only four columns :
- id(same as current)
- user_id
- property(blob/text)
- value(blob/text)

This would allow me (or other developers) to add/remove meta data from the database without having to always re-configure the ion_auth config to specify which columns were in use.

Example
id : 1
user_id : 1
property : First Name
value : Ben

id : 2
user_id : 1
property : Last Name
value : Edmunds

If wanted I can provide my horribly mangled code changes that made this work for me but be warned : in my 11/12 years of coding with php/mysql I can never get my head around a proper "JOIN" syntax so I don't use that. I write a separate query to grab the meta data.

Anyway, just a suggestion...Or if someone could point out the problem with this method that I am overlooking (which is very possible) that would be awesome as well.

forgot_password doesn't account for stored salt

It was all working fine, and sending both emails only I have stored_salt = TRUE so after resetting password I was unable to login.

I added $profile->salt to libraries/ion_auth.php

    $new_password = $this->ci->ion_auth_model->forgotten_password_complete($code, $profile->salt);

And processed it correctly in models/ion_auth_model.php

public function forgotten_password_complete($code, $salt=FALSE)

            'password'                => $this->hash_password($password, $salt),

Seemed to be quick fix.

Add an optional validate argument to the register function

I've noticed that, in my own development project, sometimes I need email activation to be enabled and sometimes not. For example, when a user is created through the website, the activation email should be sent. But when the admin is creating a user, he doesn't necessarily need the email to be sent. Is it possible to make this option both configurable as default and while calling the function E.G.:

[code]
public function register($username, $password, $email, $additional_data, $group_name = false, $email_activation = $this->ci->config->item('message_start_delimiter', 'ion_auth'))
{
//...
}
[/code]

Thanks!

datatypes for users table fields [created_on], [last_login] are incorrect

The data types for the created_on and last_login fields are incorrect. As a result, when you create a new user or login, the fields do not get updated.

The datatype should be INT or something else instead of the mediumint.

See (http://dev.mysql.com/doc/refman/5.1/en/numeric-types.html).

mediumint(11): 11 is not the number of digits you can save in the field. 11 is number of digits that will be displayed. so having mediumint(2) or mediumint(8) or mediumint(11) does not make any difference to the storage capacity.

//from mysql install
created_on mediumint(11) unsigned NOT NULL,
last_login mediumint(11) unsigned NOT NULL,
active int(1) unsigned DEFAULT NULL,

//should be changed to:
created_on int unsigned NOT NULL,
last_login int unsigned NOT NULL,
active tinyint unsigned DEFAULT NULL,

Unable to load the requested file: auth/login.php

Hi, I'm a noob on object oriented php and CI so I decided to try this one to get me started.
I'm trying CodeIgniter_1.7.2 with benedmunds-CodeIgniter-Ion-Auth-b15a45f.zip
CI install went fine, did the DB stuff and copied Ion-Auth files to respective directories.

Now when I try: http://mytestserver/codeigniter/index.php/auth/login
I get: An Error Was Encountered
Unable to load the requested file: auth/login.php

Any clues of where I got it wrong?
Permissions seem fine.

Problem when updating only columns from auth_user table

When I update only group_id and no columns from metatable, there happened to be a problem that model tries update first the metatable, even though there's no column to update. This results in fail of UPDATE command. Fix:

ion_auth_model.php -> originally line 817:
instead of:

    if (!empty($this->columns))
    {
        // 'user_id' = $id
        $this->db->where($this->meta_join, $id);

        foreach ($this->columns as $field)
        {
            if (is_array($data) && isset($data[$field]))
            {
                    $this->db->set($field, $data[$field]);
                    unset($data[$field]);
            }
        }

        $this->db->update($this->tables['meta']);
    }

i put there this and it works:

    if (!empty($this->columns))
    {
        // 'user_id' = $id
        $col_count = 0;

        foreach ($this->columns as $field)
        {
            if (is_array($data) && isset($data[$field]))
            {
                $col_count++;
                $this->db->set($field, $data[$field]);
                unset($data[$field]);
            }
        }
        if ($col_count > 0)
        {
            $this->db->where($this->meta_join, $id);
            $this->db->update($this->tables['meta']);
        }
    }

Hope this helps. Thanks for the library!

Forgotten Password Customization

Hello there,

I contacted you through email because the "forgotten password" functionality was not working for me. I found what the problem was, duplicate email entries in the database. One would say that when I am changing the identity to username rather than email, I wouldn't need the register function to check for duplicate emails. But since the existence of duplicate emails renders the forgotten_password function useless, I recommend the following three ways, with the code for each one (please note that I am a PHP-CodeIgniter beginner, and this is my first ever paid project, so you may want to further check my pieces of code to see if they meet your standards, but I hope they help as much as I have wanted them to):

  1. Add a duplicate_emails to the configuration file, which asks the programmer whether duplicate emails are allowed. And then, add this to the end of the __construct() function of Ion_auth_model:

    $this->duplicate_emails       = $this->config->item('duplicate_emails', 'ion_auth');

Then, in the register function in the same file, change the if statement to:

    if (($this->identity_column == 'email' || $this->duplicate_emails == true) && $this->email_check($email))

  2. You can also forget completely about duplicate emails and such, and make the forgotten_password based on the identity set in the configuration file. So, in the forgotten_password() function in the model, change the update command to:

    $this->db->update($this->tables['users'], array('forgotten_password_code' => $key), array($this->identity_column => $email));

Of course, then you should change $email in the list of arguments to $identity to make it more readable.

  3. Do both of these, if you're going for maximum customization. In other words, make it configurable whether Ion_Auth should check for duplicate emails even though it is not the identity column, and also make the recovery of forgotten passwords based on another line in the configuration file. (I personally hope you'd choose this option).

Thank you for this awesome project. You're my hero. smiles

Small bug.

On the file: libraries/Ion_auth.php on line 265, the code reads:
$this->set_error('password_change_successful');

but it should probably say:

 $this->set_message('password_change_successful');

Since it's a success message.

Multi User SQ:

Hey Ben,

Just wondering if you have an SQL schema for Ion Auth V2, or a proposed structure?

As I was hoping to test out the V2 framework thus far and try and weed out any bugs.

Autoload database required

The documentation doesn't mention the need to autoload the 'database' helper. Many times this is already setup, but you may want to specifically mention it in your README.

Problem on registering a new user and inserting data to metatable

The problem happens when you try to register a new user. It causes an error when inserting data to metatable in case you don't provide all the values in $additional_data. Ion_auth_model tries to fetch those missing data from $this->input->post() (line 554 in ion_auth_model.php) and when it's missing, it tries to insert 0 (zero). But it can be incorrect value in some cases for DB (for example enum type with allowed NULL).

The solution is to check also if the parameter appears in POST array. My fix (works for me) is here:

line 552, instead:

            else
            {
                $data[$input] = $this->input->post($input);
            }

I use:

    elseif($this->input->post($input))
    {
       $data[$input] = $this->input->post($input);
    }

Hope this helps.

change sha1 to crypt_sha512 with some rounds

I love Ion Auth except for the fact that it uses single iteration sha1 hashing when stores passwords.

Why single MD5, SHA1, SHA256, SHA512, SHA-3 hashing is bad?:

  1. Because it's so fast. A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds. sha1 is about the same speed. And that’s without investing anything. If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. And that rate you’ll be cracking those passwords at the rate of more than one per second.

  2. Salts Will Not Help You - It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database. Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.

  3. SHA-1 is being retired for most government uses; the U.S. National Institute of Standards and Technology says, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010".

What to do?

Use bcrypt. Actually - use php's bcrypt implementation - crypt function (there are several different options - best ones would be crypt_sha256, crypt_sha512 or crypt_blowfish). Imho - I'd go for crypt_sha512.

Why is it better?

Because it introduces a work factor, which allows you to determine how expensive the hash function will be. Because of this, bcrypt can keep up with Moore’s law. As computers get faster you can increase the work factor and the hash will get slower. How much slower is bcrypt than, say, MD5? Depends on the work factor. Using a work factor of 12, bcrypt hashes the password yaaa in about 0.3 seconds on my laptop. MD5, on the other hand, takes less than a microsecond. So we’re talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so. Your passwords might not need that kind of security and you might need a faster comparison algorithm, but bcrypt allows you to choose your balance of speed and security. Use it.

How to add it to Ion Auth? Easy. (read php crypt function manual first)

  1. In Ion Auth config file set hash length to 16 (for crypt_sha512 variant).
  2. use your weapon of choice to modify sql schema (phpmyadmin). Password field has to be extended from 40 to 123 characters.
  3. Modify following functions in Ion Auth model
    [code]function hash_password_db
    function hash_password[/code]

Instead of sha1 functions use something like here:

[code]return crypt(string $password, string $salt);[/code]

where $salt variable has to be in the following format (thanks php):

[code] $id$rounds=number$actualsalt[/code]

where:
[b]id[/b] - type of hashing (1 - for md5, 2a for blowfish, 6 for sha512 etc)
[b]rounds[/b] - CPU load, number of iterations. The higher the number - the higher CPU requirements. that's what makes it really hard to break. can be any number from 1000 to 999,999,999. Default 5000
[b]$actualsalt[/b] -obviously 16 characters salt

So - for example:

[code]return crypt($password, '$6$rounds=6000$'.$salt.'$');[/code]

You can use phpmyadmin again to add a 1-st user:

[b]username[/b]: any
[b]password[/b]: password
[b]salt [/b](16 chars): aaaaaaaaaaaaaaaa
[b]hash [/b](if 6000 iterations and crypt_sha512): $6$rounds=6000$aaaaaaaaaaaaaaaa$DIu5Q9s6kgfnxcDQPZZ/Xt6T5gar0eBbZShHRWp.aHbBO5nskNc2U1I6YX5aJD6GnKh43i/9EVxV2L5.jrQsw0

Yes - that entire thing is a hash starting from $6$ and ending in Qsw0

I like Ion Auth more than any library out there for CI and I think that this should be added to it instead of default sha1 mechanism

Hope this helps.
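
The salt format and work factor described in this issue, as an added example (it is not Ion Auth code and not the poster's patch): it hashes with PHP's crypt() in the `$6$rounds=N$salt$` form, verifies in constant time, and re-hashes on login when the stored rounds are below the current target. All function names and the constant are hypothetical.

```php
<?php
// Added example; not Ion Auth code. Function and constant names are hypothetical.

const SHA512CRYPT_ROUNDS = 6000; // work factor used in the post's example

/** Hash a new password as $6$rounds=N$<16-char salt>$<digest>. */
function sha512crypt_hash(string $password, int $rounds = SHA512CRYPT_ROUNDS): string
{
    // 12 random bytes encode to exactly 16 base64 characters (no padding).
    // crypt() salts use the alphabet ./0-9A-Za-z, so map '+' to '.'.
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');

    $hash = crypt($password, '$6$rounds=' . $rounds . '$' . $salt . '$');

    // On failure crypt() returns a short marker such as "*0", never a "$6$" string.
    if (strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('crypt() did not return a SHA-512 hash');
    }

    // With a 16-character salt and a 9-digit rounds value the result is
    // 123 characters long, which is the column width given in the post.
    return $hash;
}

/** Check a password against a stored $6$ hash. */
function sha512crypt_verify(string $password, string $stored): bool
{
    if (strncmp($stored, '$6$', 3) !== 0) {
        return false; // not a SHA-512 crypt hash (for example a legacy value)
    }
    // Passing the stored hash as the salt argument makes crypt() reuse its
    // id, rounds and salt; hash_equals() compares in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

/** Read the work factor back out of a stored hash. */
function sha512crypt_rounds(string $stored): int
{
    // Without a rounds= field, SHA-512 crypt uses its default of 5000.
    return preg_match('/^\$6\$rounds=(\d+)\$/', $stored, $m) ? (int) $m[1] : 5000;
}

/**
 * Check a login attempt. Returns [ok, replacementHash]; replacementHash is
 * non-null when the stored hash used fewer rounds than the current target
 * and should be written back to the users table.
 */
function check_login(string $password, string $stored, int $targetRounds = SHA512CRYPT_ROUNDS): array
{
    if (!sha512crypt_verify($password, $stored)) {
        return [false, null];
    }
    $upgrade = sha512crypt_rounds($stored) < $targetRounds
        ? sha512crypt_hash($password, $targetRounds)
        : null;
    return [true, $upgrade];
}

// Constructed sample values, for demonstration only.
$old = sha512crypt_hash('password', 5000);          // hash stored with an older work factor
[$ok, $replacement] = check_login('password', $old);
var_dump($ok, $replacement !== null);               // login result, and whether a re-hash is due
[$wrong] = check_login('not-the-password', $old);
var_dump($wrong);
```

PHP's built-in password_verify() also accepts hashes produced by crypt(), so it can replace sha512crypt_verify() where it is available.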

Consider adding the ability to change config options on the fly?

Are there any drawbacks to setting a protected var for each item in the config file that way they could be changed on the fly with a set method of sorts ie:

set('site_title', 'My Awesome Site')?

This would solve some of the issues we have in PyroCMS. Maybe we can leave out the protected var part and just use a set() method to override the config items instead. From my travels in pyro, any attempts to override config items from outside ion_auth is a lost cause. The values i try to set outside the library are overridden when ion_auth initializes with the ones in the config file.

If you're not opposed to this idea I can fork and "pull request or stfu"

get_user_by_email doesn't work

get_user_by_email method in Ion_auth_model doesn't work since email is not passed to method get_users_by_email. Solution would be to add $email to function call.

before :

    public function get_user_by_email($email)
    {
        $this->db->limit(1);

        return $this->get_users_by_email();
    }

after :

    public function get_user_by_email($email)
    {
        $this->db->limit(1);

        return $this->get_users_by_email($email);
    }

SQL schema - column type mismatch

Only a tiny one - I noticed that the table 'meta' has a user_id column of type int(10) which doesn't match the 'users' table's id column mediumint(8). Not a problem unless you're using InnoDB and setting up foreign keys, in which case it'll fail.

Same for users.group_id mediumint(8) vs groups.id tinyint(3).

Little optimization suggestion for ion_auth_model's login_remembered_user() and login() functions.

This block makes five queries

$this->session->set_userdata($this->identity_column,  $user->{$this->identity_column});
$this->session->set_userdata('id',  $user->id); //kept for backwards compatibility
$this->session->set_userdata('user_id',  $user->id); //everyone likes to overwrite id so we'll use user_id
$this->session->set_userdata('group_id',  $user->group_id);

$group_row = $this->db->select('name')->where('id', $user->group_id)->get($this->tables['groups'])->row();

$this->session->set_userdata('group',  $group_row->name);

that can be accomplished with one like so

$group_row = $this->db->select('name')->where('id', $user->group_id)->get($this->tables['groups'])->row();

$sessiondata = array(
    $this->identity_column => $user->{$this->identity_column},
    'id'  => $user->id, //kept for backwards compatibility
    'user_id'     =>  $user->id, //everyone likes to overwrite id so we'll use user_id
    'group_id' => $user->group_id,
    'group' => $group_row->name
);

$this->session->set_userdata($sessiondata);

DB Sessions Flashdata Error

I just wanted to give a bit of feedback to the great Ion Auth library. My Version is exactly one week old and downloaded from github. Codeigniter is v1.7.3

In your example controller you heavily use flashdata. So did I but in conjunction with database sessions.
When I updated a user and got a duplicate error, the new session data could not be stored in the database, because the transaction was not completed and so the flashdata message stayed empty. So here is the fix:

ion_auth_model.php
// After line 838, before return FALSE:
$this->db->trans_rollback();
