Ion Auth - Lightweight Auth System based on Redux Auth 2

[eluser]joytopia[/eluser]
owls,
did you use the latest version?
I thought that Ben would have pushed that fix already.

Ben,
what about my code from May 13?
Could you find the time to have a look at it?

Best regards
Bernd

[eluser]Ben Edmunds[/eluser]
Hey Bernd,

Sorry man, been swamped. I'm hoping to get to it Monday since I have the day off :D


Thanks,

[eluser]2think[/eluser]
goldorak,

Through almost 40 pages of forum posts, I haven't seen the behavior you talk about and then when you stated that "Apache.exe" on windows crashes/terminates after sending login credentials, it makes me wonder if there isn't something happening specific to your setup?

As for:

"and $config[‘encryption_key’] set to something 32 chars long as suggested (should be in the README)." - it is in the Codeigniter Userguide. Ben including that in the README would be just duplicating something that is already mentioned as a standard.

A lot of Ignited Code developers assume that users have read and understood a fair amount of the Userguide before using third-party libraries.

Glad you like the community and do check out your setup, in the event it is a problem located there, it could save you a lot of time.

[eluser]2think[/eluser]
[quote author="patie" date="1274876754"]Hi,

I use your excellent ion_auth library but I want to increase the security of my application.

1. Encryption_key in config file (sufficient to set up this key ? nothing more?)
2. Session database

any more ideas ?

THANKS so much[/quote]

Pastie,

You can find some good points in the Codeigniter Userguide under the Security section here.

There is a very good guide on security from php.net itself which can often help when going through code here

[eluser]goldorak[/eluser]
2think: my specific setup was right locally, I followed Ben's suggestion and setup public function email_check($email) at controllers/auth.php and then callback_email_check at the function create_user() verifications. The errors disappeared and the check is working fine!

Now I have another challenge: I need the users to create an account by themselves, activate it by email and add the ability to the admin to "validate" that account or reject it (by email). The user is creating the account fine but how can I set the message to be viewable at the auth/login view? Right now it redirects to that page since the user cannot enter the site as validated nor activated.

I understand it is hard to document and supporting that effort would be helpful to set in the readme URLs to where everything is explained. Since it is only a text archive, the space taken would be minimal. I solved that issue too.

[eluser]ladooboy[/eluser]
Hi !

May I ask if there is an advantage having a meta table with just last name and first name and a user table with the rest of the details.

Wouldn't it be easier to have just one user table and put all the user details in there ?

[eluser]2think[/eluser]
ladooboy,

I think the reason that Ben used a meta table is to allow flexibility for developers who may wish to alter the details they capture of users.

[eluser]2think[/eluser]
[quote author="goldorak" date="1275238098"]2think: my specific setup was right locally, I followed Ben's suggestion and setup public function email_check($email) at controllers/auth.php and then callback_email_check at the function create_user() verifications. The errors disappeared and the check is working fine!

Now I have another challenge: I need the users to create an account by themselves, activate it by email and add the ability to the admin to "validate" that account or reject it (by email). The user is creating the account fine but how can I set the message to be viewable at the auth/login view? Right now it redirects to that page since the user cannot enter the site as validated nor activated.

I understand it is hard to document and supporting that effort would be helpful to set in the readme URLs to where everything is explained. Since it is only a text archive, the space taken would be minimal. I solved that issue too.[/quote]

Goldorak, good to hear you got the code working.

I never said that the basic Encryption material would be "...hard to document..." but I did say that it may be a common assumption of Ignited Code developers that users have read a fair amount of the CodeIgniter user guide.

I definitely agree that it is only a text archive (I'm guessing that you mean the README file) and the space would be minimal but so too would be the case if Ben (or anyone else) had to give URLs for MySql setup, CI Active Record, etc.

In your post above, you mention "How can I set the message to be viewable at the auth/login view?" but don't say what message? Is this the message from the admin and what message is this? Since this is a fairly basic and common problem we face as developers - thinking through processes - and since these processes are often unique for our different projects, it may be hard to get the best answer from others.

[eluser]joytopia[/eluser]
Ben,

for some purposes I need a function to let the users enter their identity and password again without updating the session and remember_me.

Therefore I put an additional parameter $update in the login method:

library:

Code:
/**
     * login
     *
     * @return void
     * @author Mathew
     **/
    public function login($identity, $password, $remember=false, $update = TRUE) // Bernd Hueckstaedt: $update = FALSE only checks identity and Password
    {
        if ($this->ci->ion_auth_model->login($identity, $password, $remember, $update)) // Bernd Hueckstaedt: $update = FALSE only checks identity and Password
        {
            $this->set_message('login_successful');
            return TRUE;
        }

        $this->set_error('login_unsuccessful');
        return FALSE;
    }


model:

Code:
/**
     * login
     *
     * @return bool
     * @author Mathew
     **/
    public function login($identity, $password, $remember=FALSE, $update = TRUE) // Bernd Hueckstaedt: $update = FALSE only checks identity and Password
    {
        if (empty($identity) || empty($password) || !$this->identity_check($identity))
        {
            return FALSE;
        }

        $this->db->select($this->identity_column.', id, password, group_id')
            ->where($this->identity_column, $identity);

        if (isset($this->ion_auth->_extra_where))
        {
            $this->db->where($this->ion_auth->_extra_where);
        }

        $query = $this->db->where('active', 1)
            ->limit(1)
            ->get($this->tables['users']);

        $result = $query->row();

        if ($query->num_rows() == 1)
        {
            $password = $this->hash_password_db($identity, $password);

            if ($result->password === $password)
            {
            
                if ($update) // Bernd Hueckstaedt: $update = FALSE only checks identity and Password
                {
                    $this->update_last_login($result->id);
    
                    $this->session->set_userdata($this->identity_column,  $result->{$this->identity_column});
                    $this->session->set_userdata('id',  $result->id); //kept for backwards compatibility
                    $this->session->set_userdata('user_id',  $result->id); //everyone likes to overwrite id so we'll use user_id
                    $this->session->set_userdata('group_id',  $result->group_id);
    
                    $group_row = $this->db->select('name')->where('id', $result->group_id)->get($this->tables['groups'])->row();
    
                    $this->session->set_userdata('group',  $group_row->name);
    
                    if ($remember && $this->config->item('remember_users', 'ion_auth'))
                    {
                        $this->remember_user($result->id);
                    }
                }

                return TRUE;
            }
        }

        return FALSE;
    }

Or is there a better way to do it?

Best regards
Bernd
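
An alternative to the boolean $update flag in the post above, as an added example that is not part of the original post and not Ion Auth's own code: keep the credential check in a side-effect-free function and let the full login call it. The function names, the in-memory user array and the use of password_hash()/password_verify() in place of hash_password_db() are assumptions made for illustration.

```php
<?php
// Added illustration, not Ion Auth code. All names here are hypothetical.

// Constructed sample user store standing in for the users table.
// password_hash() is a stand-in for the library's hash_password_db().
$users = [
    'bernd@example.com' => [
        'id' => 7, 'group_id' => 2, 'active' => 1,
        'password' => password_hash('correct horse', PASSWORD_DEFAULT),
    ],
];

/**
 * Check identity and password only. No session writes, no last_login
 * update, no remember-me cookie. Returns the user row or NULL.
 */
function verify_credentials(array $users, $identity, $password)
{
    if ($identity === '' || $password === '' || !isset($users[$identity])) {
        return NULL;
    }
    $row = $users[$identity];
    if ((int) $row['active'] !== 1) {
        return NULL;
    }
    // password_verify() compares the hashes in constant time.
    return password_verify($password, $row['password']) ? $row : NULL;
}

/**
 * Full login: verify first, then apply the side effects as a separate step.
 * $session is passed by reference and stands in for CI session userdata.
 */
function login(array $users, array &$session, $identity, $password)
{
    $row = verify_credentials($users, $identity, $password);
    if ($row === NULL) {
        return FALSE;
    }
    $session['user_id']  = $row['id'];
    $session['group_id'] = $row['group_id'];
    return TRUE;
}

$session = [];
var_dump(login($users, $session, 'bernd@example.com', 'correct horse'));     // full login
$before = $session;
var_dump(verify_credentials($users, 'bernd@example.com', 'wrong') !== NULL); // re-check only
var_dump($session === $before);                                              // session compared
```

With this split, a re-authentication prompt before a sensitive action calls only verify_credentials(), so a caller cannot skip or trigger session changes by passing the wrong flag value.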

[eluser]dhaulagiri[/eluser]
What is the purpose of the 'meta' table?



