A3M - Account Authentication & Authorization Module

[eluser]Unknown[/eluser]
Hi, Peng,

I failed to install A3M to replace existing FreakAuthen. I guess maybe I need to know the dependencies for A3M implementation.

Currently I have to work on the following server configuration:

FreeBSD 4.1 + PHP 4.4.2 + MySQL + Apache/1.3.33 (Unix) mod_jk/1.2.6 without mod_rewrite

And usually I will EasyPHP 1.8 localhost to test new module:

Windows XP + PHP 4.3.10 + MySQL 4.1.9 + Apache/1.3.33

Before I use CI, I tried CakePHP. However it sticks to Rewrite, so I change to CI, since it offers compatible code.

According to the .htaccess, A3M also relies on Rewrite. I tried to run the code, the server error reports 500 code. Please check out server error log message as following:

[Mon Mar 15 16:55:01 2010] [alert] [client 127.0.0.1] d:/www2/a3m/.htaccess: Invalid command 'RewriteEngine', perhaps mis-spelled or defined by a module not included in the server configuration

I can enable mod_rewrite in my localhost or test it in the latest Linux box. However it doesn't make sense to me, since I have to work on the FreeBSD server anyway.

If I remove the .htaccess file, I got the following error message:

Parse error: parse error, expecting `'('' in d:\www2\a3m\system\application\libraries\MY_Router.php on line 7

I wonder if you can offer some work-around solution for legacy servers? Thanks in advance. Or maybe I just have to migrate server to another provider.

[eluser]Naatan[/eluser]
mod_rewrite is pretty standard these days. If your host does not support it I wonder what else they lack.. would definitely suggest switching hosts.

[eluser]Peng Kong[/eluser]
[quote author="codeninja" date="1268556252"]My quick thoughts:

1. The account signup should check for multiple emails. Currently it doesn't.
2. Can a user who already has an account able to connect his Facebook/Google/Yahoo/etc account with it? Forexample, if I already have an account and one day I decide to use facebook to login, can it give me two options: a) continue creating new account or b) login with previous account and the system merges them together?
3. Notification emails. I know you are not done but when will these be implemented?

Thanks[/quote]

1. I've changed the way email works in ver 0.5. One account email no longer have a many-to-many relationship because i found this pointless. Each account just has ONE email, which you can use to contact your user. After a lengthy debat with my team we agreed that many accounts can share the same email. who has control over the email has control over the account.

2. Yes. but it's not yet done. in ver 0.5. you'll see a page called "Linked Accounts" (copy from facebook but it's not yet implementated.

3. What kind of notifcation emails are you looking at?

[eluser]Peng Kong[/eluser]
a3m dependencies all cascades from the libraries which
which i downloaded from the respecitive official websites, namely:

1) codeigniter-1.7.2
2) facebook-platform
3) jmathai-twitter-async
4) phpass-0.2
5) php-openid-php5.3
6) recaptcha-php-1.10

Other then that the only requirement i enforced was "query strings required"
because that's what OpenID and OAuth requires.

if a particular library doesn't work for you, you can replace it since a3m is pretty modular.

sorry, i didn't test w/o mod_rewrite but like naatan pointed out it's pretty basic.

[eluser]Peng Kong[/eluser]
Download ver0.5 http://it.euphoriatwentythree.com/projec...3m-0.5.zip
Demo for ver0.5 https://it.euphoriatwentythree.com/proje...nt/sign_in

[EDIT] Don't use this anymore check first post for newest version

[eluser]Naatan[/eluser]
Very nice peng! Going to check your new version out tonight.

You mentioned discussing something with your team. Out. If curiousity; how many people are working on this project?

[eluser]Peng Kong[/eluser]
erm for a3m, coding just 1 person, me.

But I brainstorm and conduct some kind of 'user acceptance tests' with 2 to 3 other, who are developers too. They are building other systems with codeigniter and will make use of this module in future.

We basically always focus on how the system can be simplified to increase usability.

- In v0.5, you'll notice that to change your password your current password isn't needed. It isn't a mistake rather the conclusion after a long debate on why it's (or isn't) necessary. (If anyone disagrees adding the current password check should be easy. that's the good part about a3m)

- You'll also notice that "Signing Up" is nearly as easy as "Signing In". (extra captcha and email needed)

- Your regular users will either always be authenticated or "1-click" away from being authenticated

- Users have full control. They can omit anything. (what's the point of enforcing "required" fields and getting "asdasd" for all of them? If the user sees the need to give you the information he/she will. If he/she doesn't we respect that.

- Users have full control. They can change everything. (i can't change my yahoo account username! or at least i couldn't find where to change it =x and that sucks that's why I don't use my yahoo account. Twitter allows me to change my username and that's sweet)

We ask ourselves questions like:
"Do we REALLY need to collect "x information" at sign up?" (http://ui-patterns.com/pattern/LazyRegistration)
"What is the purpose of collecting the "x information"?"
"What happens if the user forgets his password? or his username?
"What if the user types the wrong email and forgets his password?"
"What happens if the user forgets his email account password?"
"What is Facebook doing in this aspect? and Twitter? and..."

We don't think in terms of right and wrong but rather the likely hood of something occuring and whether it's worth sacrificing usability to reduce potential problem.

Usability and security is a balancing game

[eluser]codeninja[/eluser]
[quote author="Peng Kong" date="1268831791"]Download ver0.5 http://it.euphoriatwentythree.com/projec...3m-0.5.zip
Demo for ver0.5 https://it.euphoriatwentythree.com/proje...nt/sign_in[/quote]


I like the progress on this version. I like the idea of linked accounts.

When do you think linked accounts will be done?

Thanks mate

[eluser]Peng Kong[/eluser]
1-4 weeks =x sorry can't really say because im working on oauth and ACL now.

[eluser]LiamD[/eluser]
Fantastic work, this is a great module.
How about setting up a Google Code group for it?