CI4 User Authentication System
#1

(This post was last modified: 03-04-2017, 07:25 AM by ajturner. Edit Reason: Updated with repo URL )

Hello All,

Just thought I'd start a thread for a project I am starting for CodeIgniter 4.

I'm going to start working on a user authentication system. The goal is to make one that can easily be adapted to different projects and integrate the API to get needed info to the application.

There are several major objectives as of right now for this project:
  1. To be easily extended and integrated into new CI4 projects
  2. To create an understandable and easy to use end product for users
  3. To eventually become the CI4 standard for user authentication
The reason I want to do this, with a major focus on adaptability and ease of use, is because I've seen various projects for CI3 that were not as easily used. Ultimately, I believe it would be better to have one system with talented developers maintaining vs having a multitude of variations on account of everyone trying to make their own.

This will be treated primarily as a model since it requires MySQL database access. It will have basic templates for controllers and views for users to start from, if needed.

Here is a current list of goals for initial release:
  • Create a website for communications and discussions
  • User login and registration
  • Password recovery (forgot password, username, etc)
  • Login attempt logs with IP address tracking
  • Lock out users for a specified amount of time after a number of failed attempts
  • Generate email messages that can be inserted into the developer's email method of choice

Longer Term Goals, to be added after initial release is completed and debugged:
  • Optional two-factor authentication
  • IP Address blacklisting/whitelisting within an application
  • Create an API to a centralized database for applications to connect to for IP Address checks
Additional goals will potentially be added and current ones edited based on discussions with contributors and users. 

Since this isn't a small project, I welcome additional developers to get involved in this project if they desire. Everyone who contributes will be properly attributed. Let's come together as a community and make this a reality!

Current GitHub Repo: https://github.com/aj-turner/UserAuth-Ignited

Comments/Questions/Suggestions are always appreciated.
#2

I think this is a great idea, and one that I was planning on doing something similar with once CI4 launched and I have a little more time, so it's good to see someone start up the mantle. I'm definitely interested in helping out as I can, though my available time is pretty slim at the moment and CI4, the CI4 book, and Vulcan are keeping me plenty busy.

Feel free to borrow whatever you find useful from Sprint if you wish. Though I'd rip out the throttling from there, since that's really much better handled at the server level and CI4 has a bit of a throttler built in already.

Look forward to seeing it progress, and helping out here and there.
#3

Hello,

I have been using CodeIgniter for 3 years and I personally believe it has the potential to compete with other frameworks available in the market.

I have gone through the GitHub repo of CI4 and the new framework looks promising and very well developed, though it is still in the development phase.

I would also like to contribute to the user authentication module which you are planning to develop.

Please share the repo and other details.
#4

I think this gets into the realm of a full CMS doesn't it? Not saying it wouldn't be useful though.
Practical guide to IgnitedCMS - Book coming soon, www.ignitedcms.com
#5

(03-04-2017, 04:53 AM)ignitedcms Wrote: I think this gets into the realm of a full CMS doesn't it? Not saying it wouldn't be useful though.

Not exactly, as this wouldn't implement any kind of content control outside of user management.

A CMS would include managing pages, blog posts, media, etc.
#6

For the time being, I will also be making a Facebook group as a way to communicate. I just need at least one person to send me a message with their Facebook Email address so I can create it.
#7

great idea
"Make it idiot proof and someone will make a better idiot."
#8

This is a great idea as I haven't found anything great out there  during a recent search.  I don't have migrations set up, but have a look at what I've done in Ignition Go for CI3... I'm pasting the SQL table structure below.  This structure has given me many great years of use... I won't take credit for creating it though, it came from CI Bonfire.  In Ignition Go (and/or Bonfire) you will also find roles and permissions tables to go along with these.  

What would be really cool would be to make a multi-framework PSR4 library that would work for either CI4, Laravel5, or Symfony.  


#
# TABLE STRUCTURE FOR: user / login related
#

# login attempt tracking
CREATE TABLE IF NOT EXISTS `igo_login_attempts` (
  `id` bigint(20) NOT NULL AUTO_INCREMENT,
  `ip_address` varchar(45) NOT NULL,
  `login` varchar(255) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

# user
CREATE TABLE IF NOT EXISTS `igo_users` (
  `id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `role` enum('admin','staff','user','support') NOT NULL DEFAULT 'user',
  `email` varchar(254) NOT NULL,
  `username` varchar(30) NOT NULL DEFAULT '',
  `first_name` varchar(50) DEFAULT NULL,
  `last_name` varchar(50) DEFAULT NULL,
  `password_hash` char(255) DEFAULT NULL,
  `reset_hash` varchar(40) DEFAULT NULL,
  `last_login` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `last_ip` varchar(45) NOT NULL DEFAULT '',
  `force_password_reset` tinyint(1) DEFAULT '0',
  `reset_by` int(10) DEFAULT NULL,
  `banned` tinyint(1) NOT NULL DEFAULT '0',
  `ban_message` varchar(255) DEFAULT NULL,
  `display_name` varchar(255) DEFAULT '',
  `display_name_changed` date DEFAULT NULL,
  `timezone` varchar(40) NOT NULL DEFAULT 'UM6',
  `language` varchar(20) NOT NULL DEFAULT 'english',
  `active` tinyint(1) NOT NULL DEFAULT '0',
  `activate_hash` varchar(40) NOT NULL DEFAULT '',
  `created_on` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `modified_on` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `deleted` tinyint(1) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`),
  KEY `email` (`email`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;

INSERT INTO `igo_users` (`id`, `role`, `email`, `username`, `password_hash`, `reset_hash`, `last_login`, `last_ip`, `created_on`, `deleted`, `reset_by`, `banned`, `ban_message`, `display_name`, `display_name_changed`, `timezone`, `language`, `active`, `activate_hash`, `force_password_reset`) VALUES
(1, 'admin', '[email protected]', 'admin', '$2a$08$T/79zwGVEtodc2Sop8XPReTrv0WviLcFt1Zp3d3ywlAuVCrmsTszi', NULL, '0000-00-00 00:00:00', '', now(), 0, NULL, 0, NULL, 'admin', NULL, 'UM6', 'english', 1, '', 0);

# cookies
CREATE TABLE IF NOT EXISTS `igo_user_cookies` (
  `user_id` bigint(20) UNSIGNED NOT NULL,
  `token` varchar(128) NOT NULL,
  `created_on` datetime NOT NULL,
  KEY `token` (`token`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

# user meta data
CREATE TABLE IF NOT EXISTS `igo_user_meta` (
  `meta_id` bigint(20) UNSIGNED NOT NULL AUTO_INCREMENT,
  `user_id` bigint(20) UNSIGNED NOT NULL DEFAULT '0',
  `meta_key` varchar(255) NOT NULL DEFAULT '',
  `meta_value` text,
  PRIMARY KEY (`meta_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;


I recently also ran across an interesting library called Gatekeeper:

https://github.com/psecio/gatekeeper

What I like is this is just the backend pieces, separate from the screens.  I was actually going to build some screens to go with it.

Hope this all helps, 

Bob
Join Codeigniter Slack Chat
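As an added example (not code from the thread, from Ignition Go, Bonfire or the UserAuth-Ignited repo), here is how the lockout goal from the first post could be built on Bob's igo_login_attempts and igo_users tables using PHP's native password functions. It assumes $pdo is a connected PDO handle to a MySQL database that has these tables, and that MAX_ATTEMPTS / LOCKOUT_SECONDS are the policy values the application chooses.

```php
<?php
// Assumed policy values: 5 failures within 15 minutes locks the login name or IP.
const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 900;

// True when the login name OR the source IP has too many recent failed attempts.
// Counting both means one address hammering many accounts and one account
// attacked from many addresses are both caught.
function isLockedOut(PDO $pdo, string $login, string $ip): bool
{
    $sql = sprintf(
        'SELECT COUNT(*) FROM igo_login_attempts
          WHERE (login = :login OR ip_address = :ip)
            AND `time` > (NOW() - INTERVAL %d SECOND)',
        LOCKOUT_SECONDS   // integer constant, safe to inline
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':login' => $login, ':ip' => $ip]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

// Returns true on success; every failure (unknown user, wrong password) is logged
// to igo_login_attempts so the lockout counter above sees it.
function attemptLogin(PDO $pdo, string $login, string $password, string $ip): bool
{
    if (isLockedOut($pdo, $login, $ip)) {
        return false; // caller shows a generic "try again later" message
    }
    $stmt = $pdo->prepare('SELECT id, password_hash FROM igo_users
                            WHERE username = :login AND active = 1 AND banned = 0 AND deleted = 0');
    $stmt->execute([':login' => $login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, against a throwaway hash if the user is unknown,
    // so response time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $user['password_hash'] ?? $dummy;
    if ($user === false || !password_verify($password, $hash)) {
        $pdo->prepare('INSERT INTO igo_login_attempts (ip_address, login) VALUES (:ip, :login)')
            ->execute([':ip' => $ip, ':login' => $login]);
        return false;
    }
    // Transparently upgrade older hashes (e.g. the $2a$08$ one in the INSERT above)
    // to the current algorithm and cost on the next successful login.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE igo_users SET password_hash = :h WHERE id = :id')
            ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }
    $pdo->prepare('UPDATE igo_users SET last_login = NOW(), last_ip = :ip WHERE id = :id')
        ->execute([':ip' => $ip, ':id' => $user['id']]);
    return true;
}
```

A periodic DELETE of igo_login_attempts rows older than LOCKOUT_SECONDS keeps the table small without changing the check's result.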
#9

(This post was last modified: 03-04-2017, 06:41 PM by skunkbad.)

From your issues:


Quote: Need to determine what packages to include in final release.

   Password hasher
   Any Security packages
   Emailer

Should also determine if these packages should be included in the UserAuth namespace or within their own namespace in the CodeIgniter application.

This is partially why there's never been an official CI authentication. You haven't even got started yet, and I could already start wondering why you would do this or that, and if I really want this or that.

Password hasher? What's wrong with PHP's native password functions?

Emailer? Wouldn't CI4 have its own?

Your long term goals ... is all stuff that is very app specific, and likely to bloat that authentication, or at best clutter it up.

Requires MySQL ... surely a good percentage will bitch about that.

"It will have basic templates for controllers and views that for users to start from" ... Probably the biggest mistake in your planning so far. It'd be better to just have good documentation, otherwise you end up having a bunch of people that think your example is their app.

"To eventually become the CI4 standard for user authentication" ... If there's going to be a CI4 standard, then why wouldn't CI4 just have it built in? There are reasons. Look them up.

I don't want to discourage you, but rather hope that you don't make mistakes thinking that what you want is even remotely ideal. You should definitely carry on with your project, and plan to spend 100s of hours on it. It happened to me. Great learning experience. I started my authentication project about 10 years ago. I thought that people would be excited, and that there would be a community that wanted it, and would want to help with it. Heck, I even named my authentication "Community" Auth. My advice is, plan to do most of the work on your own, or you might be disappointed.
#10

I agree with skunkbad entirely. I already grimaced at some of the earlier 'requirements' but look at the bloat being suggested now. So whatever you do it will either be 'too bloated' for half the people and 'not powerful enough' for the other half.

Take 'forgotten password' for instance. There are so many ways to do just that alone. Secret questions, emailing reset links, emailing codes to reset, sending temp passwords, second one time use passwords, sending random passwords, human moderation of password resets etc etc. And then what about lost access to email accounts, 2 step verifications, enforcing change passwords, password complexity demands etc. And that is just one tiny thing most users experience as a standard 'forgot password', but what actually happens in the background can be done in so many different ways.

There is no best way, there is secure or not secure, user friendly or not user friendly, simple and not simple. But how secure, user friendly or simple you want to be depends on the site you are building. You cannot win with a single solution that supposedly fits all. And that is just for 'forgotten password'. Even just the way you store a password will cause issues. Let alone more complex user related things like sign up and account creation.

I think this is really good advice so I am going to quote it again.  
(03-04-2017, 06:40 PM)skunkbad Wrote: I don't want to discourage you, but rather hope that you don't make mistakes thinking that what you want is even remotely ideal. You should definitely carry on with your project, and plan to spend 100s of hours on it. It happened to me. Great learning experience. I started my authentication project about 10 years ago. I thought that people would be excited, and that there would be a community that wanted it, and would want to help with it. Heck, I even named my authentication "Community" Auth. My advice is, plan to do most of the work on your own, or you might be disappointed.

Anyway, having said all that, when you have an alpha version I will happily test it for you. Look forward to trying it out.

Best wishes,

Paul.