Easily extensible auth library
#1

[eluser]davidbehler[/eluser]
Yesterday I had a brief look at the Zend auth library and I actually liked what I saw. To be more specific, I liked the idea of having multiple adapters, all using the same interface that allows for an easy switch from one adapter to the other.

Before I actually start working on this library I would like to know what you guys think about this kind of approach:
The library itself would be rather simple, having only the constructor, an init method, and a method for each function we might need like login, logout, check_permission.

Depending on an entry in the config array, let's say $config['adapter'], the init function would include the file of the adapter located in a sub-folder of the library folder (e.g. libraries/auth/database_adapter.php) and instantiate the adapter as $this->adapter.

Now all the functions like login, logout and so on would not process the data themselves, but rather call the corresponding method in the adapter, e.g.
Code:
$this->adapter->login();

That would allow us to easily add new adapters or change existing ones without having to edit the auth library itself.

Possible adapters:
- Memory: Checks for an identifier/password combination that's set in the config file
- Database: Checks a specified table for an identifier/password combination
- oAuth
- OpenId
- Facebook

We might even define an interface that has to be used by all adapters, but we will have to see into that again later.

So tell me, what do you think? Good idea? Sucks?

I'm looking forward to your comments!
waldmeister
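
A sketch of the adapter design proposed in the post above, added here as an example; it is not code from the thread or from any existing library, and the names `Auth_adapter`, `Memory_adapter`, `Auth` and the `users` config key are hypothetical. Unlike the include-by-config idea in the post, the value of `$config['adapter']` is looked up in an allow-list of classes, so a config value can never turn into an include path.

```php
<?php
// Hypothetical names throughout: Auth_adapter, Memory_adapter, Auth, $config['users'].
interface Auth_adapter
{
    public function login(string $identifier, string $password): bool;
    public function logout(): void;
}

// "Memory" adapter: identifier/password pairs come from the config array.
class Memory_adapter implements Auth_adapter
{
    private array $users;            // identifier => password_hash() output
    private string $dummy;           // hash checked when the identifier is unknown
    private ?string $current = null; // persistence belongs to a separate storage layer
    public function __construct(array $config)
    {
        $this->users = $config['users'] ?? [];
        $this->dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    public function login(string $identifier, string $password): bool
    {
        // Always run password_verify so unknown identifiers cost the same time.
        $hash = $this->users[$identifier] ?? $this->dummy;
        $ok = password_verify($password, $hash) && isset($this->users[$identifier]);
        $this->current = $ok ? $identifier : null;
        return $ok;
    }
    public function logout(): void { $this->current = null; }
}

class Auth
{
    // Allow-list: the config value selects a class and never becomes a file path.
    private const ADAPTERS = ['memory' => Memory_adapter::class];
    private Auth_adapter $adapter;
    public function __construct(array $config)
    {
        $class = self::ADAPTERS[$config['adapter'] ?? ''] ?? null;
        if ($class === null) { throw new InvalidArgumentException('Unknown auth adapter'); }
        $this->adapter = new $class($config);
    }
    public function login(string $id, string $pw): bool { return $this->adapter->login($id, $pw); }
    public function logout(): void { $this->adapter->logout(); }
}

// Constructed sample config; the Auth class only delegates to the chosen adapter.
$auth = new Auth(['adapter' => 'memory',
    'users' => ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]]);
var_dump($auth->login('alice', 'correct horse'), $auth->login('alice', 'wrong'));
```

Adding a database or OpenID adapter then means one new class implementing `Auth_adapter` and one new entry in `ADAPTERS`.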
#2

[eluser]tomcode[/eluser]
Yeah, nice.

I'm taken right now, 'til the end of this week I'll need a simple auth via config file, it will also:

- have a forgotten password feature
- HTML and XML (AJAX and Flash)
#3

[eluser]jpi[/eluser]
Quote:Yesterday I had a brief look at the Zend auth library and I actually liked what I saw.
Me too, it is just perfect. Easy to use and easy to understand. Plus it has a great doc and hundreds of examples on the Internet.

Quote: logout, check_permission.
Check permission is a matter of ACL. It's very important to keep authentication and authorization separated.

You also forgot that Zend_Auth has a possibility to set different "storage" to make authentication persistent.

My only question is: why do you want to reinvent the wheel? Just copy Zend_Auth.php and the Auth directory from ZF, change a few lines in Zend_Auth_Adapter_DbTable to make it work with CI active record and a few lines in Zend_Auth_Storage_Interface to make it work with CI session and you are all done!

I have already done that and it works like a charm. And if you think, like me, that Zend_Auth lacks some features (add/delete a user) you can easily extend it!
#4

[eluser]davidbehler[/eluser]
Quote:Check permission is a matter of ACL. It’s very important to keep authentication and authorization separated.
Quote:And if you think, like me, that Zend_Auth lacks some features (add/delete a user) you can easily extend it!
What does adding/deleting of users have to do with authentication? ;)

I know that many people think that a library should have only one purpose, e.g. authentication or ACL, but I think these two can go into one library with no problem as they kinda belong together, at least that's what I think. And those out there that don't need ACL should just not use the ACL features of the library.

@Storage:
You mean like using a cookie, PHP session, DB session, file, or whatever other type of storage there might be? Sure, that could be implemented as easily as interchangeable adapters for authentication.
#5

[eluser]jpi[/eluser]
Quote:What does adding/deleting of users have to do with authentication?
You are right. But still, it seems to me that it could be considered as a part of authentication (in a way...)

Quote:And those out there that don’t need ACL should just not use the ACL features of the library.
It seems OK, but if you mix ACL and auth a bit, your script will be more complex to understand, correct (if there are bugs), and extend. Plus, I doubt you will be able to implement ACL with other storage than databases. I truly believe "weak coupling" (I don't know if that makes sense in English...) is a good point.

@Storage : exactly what you said.

Finally, I support you with your intention to make another auth lib, but I believe that in the end, it will look very similar to Zend_Auth, so why don't you just use it ?
#6

[eluser]davidbehler[/eluser]
Quote:Finally, I support you with your intention to make another auth lib, but I believe that in the end, it will look very similar to Zend_Auth, so why don’t you just use it ?
It probably will be similar to Zend_Auth, but the reason for not using it is very simple: I like doing stuff on my own :D Especially if the alternative would be to copy an existing library from another framework and alter it in many ways to work together with CodeIgniter. I haven't looked into it in detail to be able to tell all parts that need editing, but aren't there quite some interfaces and other classes from Zend that are being used?

Quote:Plus, I doubt you will be able to implement ACL with other storage than databases.
Look at my existing auth library (link can be found in my signature), it allows you to use either database based acl, hard-coded acl or none at all. I think we/I/who ever wants to work on this can easily implement a similar feature in this library.
#7

[eluser]jpi[/eluser]
Quote:but aren’t there quite some interfaces and other classes from Zend that are being used?
Not really, just Zend_DB in one or two methods of Zend_Auth_Adapter_DbTable and Zend_Session in Zend_Auth_Storage_Session.

Before writing your own Auth lib from scratch, dive a bit into the Zend_Auth code, I really think it is worth it.
