Login

08-14-2009, 04:56 AM

[eluser]thody[/eluser]
[quote author="jpi" date="1250258195"]Hi,

A few feedback regarding you auth library :

create method :
what if $user['password'] isn't set ? You should trigger an error or a warning
You should check that each key in array $user is a valid field in the DB table user

get_user_id method : it should return an int not a string
delete method : if identifier is username, as your DB scheme is not UNIQUE for the field username, this method could delete several users...
login method : $username could possibly be NULL but the first line of this method is a call _test_user_credentials where $username shouldn't be NULL. That's not consistent.
_set_persistent_session : you use a custom cookie. It does not store the IP adresse or at least the user agent. Cookies can be stolen.

Regarding your SQL table. Why is `id` an int(11) ? Do you expect billions of users ? It should also be unsigned. password whould be a varchar(40) because dohash use sha1.

A lot to correct, but you really should think when you are coding "what I want this method to do but also what i dont want it to do and what could someone use it to do something unexpected". Also keep writing a lot of unit test, that's cool Smile

[/quote]

Hey jpi, really appreciate the feedback, you're right on with your observations. What you're seeing there is really just a couple hours of work, more or less a proof of concept, and has a long way to go obviously. At this point the goal has essentially been "make it work", and now that the core functionality is there, I'll be going back and tidying things up.

Feel free to fork the project and contribute, or keep posting issues here or on the issues tab in GitHub. Any help is appreciated.

Cheers,
Adam