Ion Auth - Lightweight Auth System based on Redux Auth 2
#61

[eluser]gscharlemann[/eluser]
Thanks Ben. I was having trouble getting the user, making modifications and then trying to update the user without unset[ing]('group') and unset('group_description'). Anyways... I think I have it working now.

One more question:

Should the date helper be loaded in ion_auth_model->register()? I think (while working with the package earlier today) I was getting an error trying to register from this code (specifically the now() call):
Code:
$data = array(
    'username'   => $username,
    'password'   => $password,
    'email'      => $email,
    'group_id'   => $group_id,
    'ip_address' => $ip_address,
    'created_on' => now(),
    'last_login' => now(),
    'active'     => 1
);
Adding $this->load->helper('date') at the beginning of the function fixed it.
#62

[eluser]Ben Edmunds[/eluser]
The date helper is loaded now, thanks man.
#63

[eluser]uptown[/eluser]
Can somebody explain how to use the "salt" field? When I loaded the initial database tables and records I received an error that salt required a value. I set the "admin@admin.com" salt to the empty string just to get up and running.

I'm testing out the different actions in the controller ... creating a new user, and when I tried to save the new user I'm getting an error:

Code:
A Database Error Occurred
Error Number: 1364
Field 'salt' doesn't have a default value
INSERT INTO `users` (`username`, `password`, `email`, `group_id`, `ip_address`, `created_on`, `last_login`, `active`) VALUES ('john doe', 'dacf48b3019db2564065f4c88315e9a6c86b76cd', '[email protected]', '2', '127.0.0.1', 1268878260, 1268878260, 1)

The initial database creation set up the "salt" column as a 40 character non-null value. So it seems that some of the inserts aren't providing values for that column and it's causing these errors.

So how is the "salt" column supposed to be used, and what do I need to modify in order to make it work with my code? I'm familiar with the concept of a salt in regards to encryption ... just seems like I may have missed a step somewhere in my setup of Ion Auth.

Thanks,
Dave
#64

[eluser]uptown[/eluser]
Maybe I can answer my own question. The error I experienced in creating a new user seemed to go away when I modified the /system/application/config/ion_auth.php to set: $config['store_salt'] = true;

The downloaded default of this field is "false" which seems to conflict with the default table creation SQL as salt being a non-null value.
#65

[eluser]Ben Edmunds[/eluser]
Hey uptown,

That was a bug left from the feature we just added for stored salts. If you do not use stored salts (which is the default) that field should be null.

I just changed the sql files on github to default to null.


Thanks!
#66

[eluser]uptown[/eluser]
It seems that when
Code:
$config['store_salt'] = true;
is set in the config file, I'm unable to log in. Does using salts provide enhanced security? With that value set to true, I'm unable to even log in as the admin ... but when I set it back to false, I can log in without a problem. The salt database field for the admin is blank.
#67

[eluser]uptown[/eluser]
Seems that since the admin account is created with the initial database setup it doesn't include the salt value. So when the config file gets changed to use store_salt=true it breaks the admin's ability to log in. Seems like the best work-around if you want to use salts stored in the database is to leave that value as false initially, log in as the admin, set the value to true, create a new user, then change that new user's group to the administrator group id and delete the original administrator. From then on, all new users will have salts in the database, and everyone will be able to log in.
#68

[eluser]Ben Edmunds[/eluser]
uptown,

I fixed the default sql file to insert the correct data and added a comment to the store_sql config variable with what the default password will be if you use stored salt.

In regards to your questions about security, using stored salts like this is the way most auth systems handle passwords so it can help if you're porting over another auth system to Ion Auth. I added this through my integration of Ion Auth into PyroCMS for compatibility with passwords from the old auth library.

Personally I don't believe using stored salts is quite as secure as the default as the default is a more complex encryption algorithm, but that is always debatable.
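
Added example, not part of the thread and not Ion Auth's code: a PHP illustration of why a row seeded with a blank salt stops verifying once store_salt is true, with a check that lists such rows before the setting is switched. The two hashing schemes, SALT_LEN, the function names and the sample rows are simplified assumptions made for this example, not the library's implementation.

```php
<?php
// Added illustration. Both schemes are simplified stand-ins that only show
// where the salt lives in each mode; they are not Ion Auth's functions.

const SALT_LEN = 10; // assumed salt length for the embedded-salt scheme

// Mode A (store_salt = false): the salt is kept inside the password string.
function hash_embedded(string $password, ?string $salt = null): string
{
    $salt = $salt ?? substr(bin2hex(random_bytes(SALT_LEN)), 0, SALT_LEN);
    return $salt . substr(sha1($salt . $password), 0, -SALT_LEN);
}

function verify_embedded(string $password, string $stored): bool
{
    $salt = substr($stored, 0, SALT_LEN);
    return hash_equals($stored, hash_embedded($password, $salt));
}

// Mode B (store_salt = true): the salt is read from the row's `salt` column.
function verify_stored(string $password, array $row): bool
{
    return hash_equals($row['password'], sha1($password . (string) $row['salt']));
}

// Rows with a NULL or empty salt were written in mode A and cannot pass mode B.
function rows_locked_out_by_store_salt(array $users): array
{
    return array_values(array_filter($users, fn($u) => ($u['salt'] ?? '') === ''));
}

// Constructed sample rows: a seeded admin (mode A, blank salt column)
// and a user created after store_salt was enabled (mode B).
$users = [
    ['email' => 'admin@example.test', 'password' => hash_embedded('password'), 'salt' => ''],
    ['email' => 'new@example.test', 'password' => sha1('s3cret' . 'f00dcafe'), 'salt' => 'f00dcafe'],
];

var_dump(verify_embedded('password', $users[0]['password'])); // admin under mode A
var_dump(verify_stored('password', $users[0]));               // same row under mode B
var_dump(verify_stored('s3cret', $users[1]));                 // mode B user under mode B

foreach (rows_locked_out_by_store_salt($users) as $u) {
    echo "reset password before enabling store_salt: {$u['email']}\n";
}
```
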
#69

[eluser]uptown[/eluser]
Thanks for the quick responses. Your auth system looks great. I'm planning on tweaking a few things. The biggest problem I see is how you handle the value put into the username field. Right now you merge the first and last names into the username field. The problem occurs when you have two users who have the same first and last names. Your code appends a counter onto the end of the name, essentially corrupting your own data. Seems like a less-than-ideal way of handling the collision.

For my solution, I'm going to modify the code to remove the username field (or maybe leave it around as a non-unique 'Display Name' for use on the website). Then I'm planning to add separate fields for first and last names. I'll enforce uniqueness of the email address upon account creation since that's what's being used as the actual "username" for authentication.

Great auth system though .... very easy to understand and modify.
#70

[eluser]Ben Edmunds[/eluser]
Hey uptown,

You actually don't have to modify the library for this. Just pass the email in as the username, the username is not needed if you are using email as the identity.

There are separate columns for the first and last name in the meta table.


Glad you're liking the library. Thanks for letting me know about the bugs you found!



Have fun,



