flexi auth - A user authentication library for CodeIgniter

#1
[eluser]haseydesign[/eluser]
Hey folks,

I would like to announce the release of 'flexi auth', a user authentication (login) library.

The flexi auth library initially started out as a modified version of the popular Ion Auth library.
As the original library was tweaked with feature after feature being added, the original code base had transformed into a new library all of its own.

For those that have used the Ion Auth library, the general structure of the library may be familiar, but to help anyone wanting to get a running start with using flexi auth, there is a comprehensive user guide and demo covering every function within the library.

The flexi auth library includes the following core features:

<strong>Core Functions</strong>
+ User registration, with options to send an activation email, auto activate or suspend an account pending review by an admin.
+ Login function including a 'Remember me' option.
+ Logout function, with the option to log a user out of all computers they are logged into, or just the current computer.
+ User permission validation functions to check a user's user group, privileges and login status.
+ Functions to reset forgotten passwords.
+ Functions to validate a user's change of email address.
+ Password validation helper functions.
+ Many functions for obtaining user data stored within the database.
+ Admin CRUD functions to manage records within the library's database tables.

<strong>Security</strong>
+ Passwords are hashed using the popular PHPASS library.
+ Login sessions are managed via a hashed session token technique as described by Barry Jaspan.
+ Users making multiple failed login attempts can be set to have any further login attempts throttled by preventing them from making any further attempts for a short definable time period.
+ Google's reCAPTCHA or a custom math based question and answer CAPTCHA can be deployed to login and registration forms.

<strong>Miscellaneous</strong>
+ The library includes fully customisable email templates for account activation, forgotten password, new password and validate updated email.
+ Multilingual and customisable status and error messages.

<strong>Highly Customisable</strong>
+ A highly configurable config file allows you to customise how features within the library behave, ranging from password validation to login session expiry settings.
+ All database tables and column names are renamable via just one config file setting to match whatever name coding convention you prefer.
+ The library consists of only 5 tables to provide every feature within flexi auth.
+ Unlimited additional custom tables can be added and related to the core library tables, allowing you to capture whatever data you require.
+ The 5 core library tables can be modified with the addition of new columns that can then be managed via library functions.

The purpose of the flexi auth library is to offer modularised user authentication features that allow a developer to pick and choose which features they require, without having to include features that are surplus to the client's requirements.

The library, documentation, and a comprehensive live online demo are available from the flexi auth site.
<strong>http://haseydesign.com/flexi-auth</strong>

The work on the library started well over a year ago and has been used for some of my own client sites.
I would now like to release the code to the public so that others can also make use of it.

Enjoy =)

P.s. If anyone particularly likes the style of this library, I have also built a comprehensive shopping cart library called 'flexi cart'. Like the flexi auth library, it is highly customisable including features like shipping, taxes, discounts, reward points, multiple currencies, localisation plus much much more.
The flexi cart library is available from http://haseydesign.com/flexi-cart

#2
[eluser]michaelh99[/eluser]
I.... Hate.... You....

You just released a library that has a lot of features that I spent this week adding to or fixing in A3M.

Now I've got to go check yours out and see if I need to jump ship to a better auth library.

Thanks a lot.

;-)

If you'll add it to Git you'll probably attract a large number of contributors. I'm saying that without looking at the code but the lib sounds good.

#3
[eluser]michaelh99[/eluser]
Silly me. It is on Git. Cool.

#4
[eluser]michaelh99[/eluser]
At the risk of spamming the thread without having looked at the code....

Do you do a simple hash of the email address? That's something I added to a3m so that even if the database is jacked the email addresses won't be in cleartext.

#5
[eluser]haseydesign[/eluser]
The library doesn't hash or encrypt email addresses within the database, but you could potentially use CI's encryption library to encrypt them and then decrypt them when passing them to and from functions. However, you would need to test this. I'd be interested to hear how you get on with it.

#6
[eluser]skunkbad[/eluser]
My Community Auth application has an example of encrypting and decrypting data going to/from the database. The field is named `license_number`. The problem with encrypting and decrypting email addresses is going to be that if you are using email addresses to login, depending on the specific query(ies) used to login, you may need to modify the query(ies) so that the email address is encrypted. This is slightly more complex than just encrypting data as it goes in and out of your database. Also, remember that encrypting always makes a string longer. CI's default encryption creates strings that are roughly 10 times the size of the original. You may need to adjust the length of the field holding the email address in the database table.

Having said all that, you might consider that an email address is not usually considered sensitive data. Yes, it would be inconvenient, or perhaps annoying, if somebody started emailing your users, but an email address is not by itself going to lead to identity theft. We generally encrypt birth dates, bank account numbers, social security numbers, and driver's license numbers.

#7
[eluser]michaelh99[/eluser]
The reason I encrypted the email address was not for fear of spamming. I never reveal email addresses to my users, if they message another user, all they see is the user name and the messages are sent by my server.

The reason I did it is that if the DB is ever compromised, the attackers will have a harder time correlating my users with other DB leaks. Many (most?) users use the same password on multiple systems and having the email address makes it that much easier for the crackers to start guessing passwords.

Of course, this assumes that the attacker didn't also gain access to the php source and hence the salt.

Where I went initially wrong is in using CI's encryption for the email. CI apparently rotates the key which means I can't do a simple result comparison when checking to see if an email address has already been used when a user is signing up.

Soon I'll be converting that to use a hash with salt which will take care of that issue.
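The lookup problem discussed in the two posts above, as an added example rather than code from flexi auth, A3M or Community Auth: encryption with a fresh nonce per call (the "rotating" behaviour described) produces a different ciphertext for the same address every time, so "is this address already registered?" cannot be answered by comparing stored values, whereas a keyed hash (HMAC) of the normalised address is deterministic and can be queried by equality. It assumes PHP 7.1+ with the OpenSSL extension; the key variables and the array standing in for the users table are assumptions for the demo.

```php
<?php
// Added example; not code from flexi auth, A3M or Community Auth.
// Keys are generated here for the demo only; in production keep them
// outside the PHP source and web root (post #7's caveat), e.g. in the
// environment, so a source leak does not also leak the key.
$encKey  = random_bytes(32); // AES-256 key (constructed)
$hmacKey = random_bytes(32); // separate key for the lookup hash

function normalize_email(string $email): string
{
    return strtolower(trim($email));
}

// Deterministic and keyed: equal addresses give equal values, so a
// WHERE email_hash = ? lookup works, while without the key a stolen dump
// cannot be matched against guessed addresses (an unkeyed hash could).
function email_lookup_hash(string $email, string $hmacKey): string
{
    return hash_hmac('sha256', normalize_email($email), $hmacKey);
}

// Randomised (fresh nonce per call): the same address encrypts differently
// each time, so ciphertexts cannot be compared. GCM also authenticates.
function encrypt_email(string $email, string $encKey): string
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt($email, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decrypt_email(string $blob, string $encKey): string
{
    $raw = base64_decode($blob, true);   // layout: 12-byte IV, 16-byte tag, ciphertext
    $pt  = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA,
                           substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('email ciphertext failed authentication');
    }
    return $pt;
}

// $users stands in for the users table: email_hash => email_enc (constructed).
function register(array &$users, string $email, string $encKey, string $hmacKey): bool
{
    $h = email_lookup_hash($email, $hmacKey);
    if (isset($users[$h])) {
        return false; // duplicate found without decrypting any stored address
    }
    $users[$h] = encrypt_email($email, $encKey);
    return true;
}
```

Registering `'Alice@Example.com'` and then `' alice@example.com'` against the same `$users` array exercises the duplicate check, since both normalise to the same HMAC input; the stored ciphertext column must be sized for the base64 of IV, tag and ciphertext, as post #6 warns.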

#8
[eluser]Procode[/eluser]
I think that if you can add social options (fb and twitter) for authentication purposes this would be a very good library. Any plans to do so?

#9
[eluser]haseydesign[/eluser]
Hey Procode,
For the time being I want to see the library tested by the community in its current form so that I can establish whether it's on a good base that users are happy with.

If the library does prove popular, then I may well go down the road of including Facebook and Twitter authentication as I'm fully aware a lot of users will want this kind of functionality.

In the meantime, if anyone out there is interested in contributing to adding/improving features like this, then I'm more than willing to lend a hand to get it included into the library.
All contributions will of course be credited within the library.

#10
[eluser]Klausch[/eluser]
Hi,

I am very interested in this library; we have just begun our first great CodeIgniter project, with the need for a flexible and scalable user registration and administration system.
I have installed the full demo version but until now it fails running correctly.
Opening the demosite on my local machine, using the URL:
http://adsite.localhost (this is the development domain of our project)
the homepage shows but in the upper part of the screen the following error is shown:

A PHP Error was encountered
Severity: Notice
Message: Undefined index: custom
Filename: models/flexi_auth_lite_model.php
Line Number: 86

And this particular line looks like:
$this->auth->tbl_custom_data = $this->auth->auth_database['custom'];

Also I notice some strange things in the DB script:
-Some fields labeled _fk but no actual FK constraints are defined
-Some Primary Key fields are also defined as UNIQUE which is redundant IMHO

I will post more details as I encounter them. I see that the code is very new and I am willing to use it, but we must get on track pretty soon, or my boss will demand falling back to Ion Auth...
Any suggestions are welcome :)

