http-authentication's Introduction

middlewares/http-authentication

Middleware to implement RFC 2617 Http Authentication. Contains the following components:

BasicAuthentication
DigestAuthentication

Requirements

Installation

This package is installable and autoloadable via Composer as middlewares/http-authentication.

composer require middlewares/http-authentication

BasicAuthentication

The Basic access authentication is the simplest technique.

You have to provide an Array or ArrayAccess with the usernames and passwords of all available users. The keys are the usernames and the values the passwords.

Dispatcher::run([
    new Middlewares\BasicAuthentication([
        'username1' => 'password1',
        'username2' => 'password2'
    ])
]);

Optionally, you can provide a Psr\Http\Message\ResponseFactoryInterface as the second argument, that will be used to create the error responses (401). If it's not defined, Middleware\Utils\Factory will be used to detect it automatically.

$responseFactory = new MyOwnResponseFactory();

$route = new Middlewares\BasicAuthentication($users, $responseFactory);

realm

The realm value. By default is "Login".

attribute

The attribute name used to save the username of the user. If it's not defined, it wont be saved. Example:

Dispatcher::run([
    (new Middlewares\BasicAuthentication([
        'username1' => 'password1',
        'username2' => 'password2'
    ]))->attribute('username'),

    function ($request) {
        $username = $request->getAttribute('username');

        return new Response('Hello '.$username);
    }
]);

verifyHash

This option verifies the password using password_verify. Useful if you don't want to provide the passwords in plain text.

$users = [
    'username' => password_hash('secret-password', PASSWORD_DEFAULT);
]

Dispatcher::run([
    (new Middlewares\BasicAuthentication($users))
        ->attribute('username')
        ->verifyHash(),

    function ($request) {
        $username = $request->getAttribute('username');

        return new Response('Hello '.$username);
    }
]);

DigestAuthentication

The Digest access authentication is more secure than basic.

The constructor signature is the same than BasicAuthentication:

$users = [
    'username1' => 'password1',
    'username2' => 'password2'
];
$responseFactory = new MyOwnResponseFactory();

Dispatcher::run([
    new Middlewares\DigestAuthentication($users, $responseFactory)
]);

realm

The realm value. By default is "Login".

attribute

The attribute name used to save the username of the user. If it's not defined, it wont be saved.

nonce

To configure the nonce value. If its not defined, it's generated with uniqid

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.

http-authentication's People

Contributors

Stargazers

Watchers

http-authentication's Issues

Method declaration doesn't match with Interface

Version: 0.5.0

I've just done a composer update of a early-stage project, and after that, I got the following error:

PHP Fatal error: Declaration of Middlewares\BasicAuthentication::process(Psr\Http\Message\ServerRequestInterface $request, Interop\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface must be compatible with Psr\Http\Server\MiddlewareInterface::process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface in /path/to/project/vendor/middlewares/http-authentication/src/BasicAuthentication.php on line 11

Ok, after a bit of digging around: Possible solution found here … but you're probably already aware of that ;)

Option to use password_verify() in basic auth

Currently, it looks like the only way to check if credentials are valid is by comparing the raw or hashed password to the stored version. E.g.,

new Middlewares\BasicAuthentication([
	'username1' => 'password1',
	'username2' => \crypt('password2', 'mysalt')
]);

Would be nice if we can use password_verify() instead? Something like this maybe:

$hashFromDb = $db->getPasswordHashFromUser('username1');
$authenticated = \password_verify('password1', $hashFromDb);
new Middlewares\BasicAuthentication($authenticated);

Edit: I don't think it's possible to hash the first example above so \crypt() woudn't work also. This means we have to store the password in plain text?

Recommend Projects

middlewares / http-authentication Goto Github PK

http-authentication's Introduction

middlewares/http-authentication

Requirements

Installation

BasicAuthentication

realm

attribute

verifyHash

DigestAuthentication

realm

attribute

nonce

http-authentication's People

Contributors

Stargazers

Watchers

Forkers

http-authentication's Issues

Recommend Projects

Recommend Topics

Recommend Org