Question new form validation rule
#1

Hi, 

I first posted this question on Github but it was closed and I was directed to the forum so here I am. (Link)
I am also not sure if this is the correct place to post it, I wanted to make a thread in CodeIgniter 4 Development first but wasn't able to make a thread there.

So here is the feature I am thinking about that I would like to make in CodeIgniter:
I want to make a "Have I Been Pwned" form validation rule. As you may know this could contain a lot of logic (more than the average current validation rule), so I was wondering does it all have to be in 1 function or is it okay to split it up in multiple functions in the validation file? Or should I maybe make a separate file for it? (Kinda like the CC validation)

I really think having this new rule available in CodeIgniter is a good step forward to a modern framework in today's state of the internet.
Any feedback is welcome!
Reply
#2

It sounds like it could be a good idea. If this is complicated, it could make more sense as a separate class, like Validation/CreditCardRules, or Honeypot - that one is intended to be used as a filter, detecting bot access without needing a form validation rule.

The CodeIgniter4 Feature Requests would be the "most proper" subforum, but this one will work too.
I closed your "issue" on github because it wasn't a bug or approved work package, which is what we use github issues for.

You also provided no details about what you had in mind, other than a "new form validation rule" that might be complicated. Form validation rules may not be the only or even best way to handle what you have in mind.

More details about what you have in mind, and how you see it working, are likely to evince some community comments, and to help determine if it is a good fit for CodeIgniter4 and how best to implement it. Submitting an unsolicited PR to the repo is another way to go, but you run the risk of a tougher audience (maintainers) and of not having used the most appropriate approach.
Reply
#3

(10-22-2018, 01:23 AM)ciadmin Wrote: It sounds like it could be a good idea. If this is complicated, it could make more sense as a separate class, like Validation/CreditCardRules, or Honeypot - that one is intended to be used as a filter, detecting bot access without needing a form validation rule.

The CodeIgniter4 Feature Requests would be the "most proper" subforum, but this one will work too.
I closed your "issue" on github because it wasn't a bug or approved work package, which is what we use github issues for.

You also provided no details about what you had in mind, other than a "new form validation rule" that might be complicated. Form validation rules may not be the only or even best way to handle what you have in mind.

More details about what you have in mind, and how you see it working, are likely to evince some community comments, and to help determine if it is a good fit for CodeIgniter4 and how best to implement it. Submitting an unsolicited PR to the repo is another way to go, but you run the risk of a tougher audience (maintainers) and of not having used the most appropriate approach.

Hey ciadmin,

Thanks for your response!
I was actually thinking about porting this Laravel package to CodeIgniter (Link).

First phase without the "min" param, also because I am not sure if it is possible to have optional params in CodeIgniter form validation.
And also without the caching part, unless I am sure I can add it without requiring any configuration from the user.

As you can see there are multiple parts for the validation and I wanted to make it in a similar way to keep it easier to maintain.
Reply
#4

Given the external HIBP service, this feels more like an addin than something that would be part of the CI4 core.
That appears to be the way the original package you link to has been built.
I am curious to see what others think.
Reply
#5

(This post was last modified: 10-22-2018, 06:29 AM by visualsol.)

Glenn,
Looking at this package, it seems like while it is labelled Laravel, it is almost framework agnostic, that is, you should be able to make an agnostic variation of it and use it in CodeIgniter 4 with only minor adjustment. For example, once you removed the Laravel references, if you were using the CI4 Starter I recently built, you could put the call in the Secure Controller.

Steps:
1) composer require valorin/pwned-validator (replace this with your version of it)
2) use the Valorin\Pwned\Pwned Validation Rule Object
a) in controller Secure.php add after line 3: use \Valorin\Pwned\Pwned;
b) at line 48 add the call:
$pwnedvalidtn = new \Valorin\Pwned\Pwned(100);
$valid = $pwnedvalidtn->validate('password', $password);
if (!$valid) { return 'error message'; }

Or you could make use of the good ole fashion validation rules in a similar manner.

Bob

PS I found this https://gitlab.com/ExeQue/PHP-HIBP generic package just after I wrote this.
Reply
#6

(10-22-2018, 02:35 AM)ciadmin Wrote: Given the external HIBP service, this feels more like an addin than something that would be part of the CI4 core.
That appears to be the way the original package you link to has been built.
I am curious to see what others think.

I feel that Laravel users are more used to using packages, and well I don't feel the same for CodeIgniter (just my opinion).
Still open for feedback, I will wait a little longer before I start on the PR.

(10-22-2018, 06:23 AM)visualsol Wrote: Glenn,
Looking at this package, it seems like while it is labelled Laravel, it is almost framework agnostic, that is, you should be able to make an agnostic variation of it and use it in CodeIgniter 4 with only minor adjustment. For example, once you removed the Laravel references, if you were using the CI4 Starter I recently built, you could put the call in the Secure Controller.

Steps:
1) composer require valorin/pwned-validator (replace this with your version of it)
2) use the Valorin\Pwned\Pwned Validation Rule Object
a) in controller Secure.php add after line 3: use \Valorin\Pwned\Pwned;
b) at line 48 add the call:
$pwnedvalidtn = new \Valorin\Pwned\Pwned(100);
$valid = $pwnedvalidtn->validate('password', $password);
if (!$valid) { return 'error message'; }

Or you could make use of the good ole fashion validation rules in a similar manner.

Bob

PS I found this https://gitlab.com/ExeQue/PHP-HIBP generic package just after I wrote this.

First the package you linked only contains search breaches and search email in breaches, what I am suggesting is a password check.
Second I am suggesting a new form validation rule so that a user can easily implement it in their controller and when failed the framework will handle the error flow. No custom implementation needed in their code.

What I have in mind is easy usability for users, they add the param to their rules and it will check without any extra code needed.
Reply
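Added example, not part of any post in this thread and not code from valorin/pwned-validator or CodeIgniter: a stand-alone rule class showing the password check being discussed, including the optional "min" threshold. It uses the Pwned Passwords range lookup, where only the first five hex characters of the SHA-1 are sent and the returned `SUFFIX:COUNT` lines are compared locally. The class name `PwnedRules`, the method signature, the injectable `$fetch` callable and the fail-open behaviour are assumptions of this example, and it is not wired into CodeIgniter's validator.

```php
<?php
// Added example: not code from this thread, valorin/pwned-validator or CodeIgniter.
final class PwnedRules
{
    /** @var callable maps a 5-character hash prefix to the range response body */
    private $fetch;

    public function __construct(?callable $fetch = null)
    {
        // Default transport: live lookup against the Pwned Passwords range endpoint.
        $this->fetch = $fetch ?? static function (string $prefix) {
            $ctx = stream_context_create(['http' => ['timeout' => 3, 'user_agent' => 'pwned-rule-example']]);
            return @file_get_contents('https://api.pwnedpasswords.com/range/' . $prefix, false, $ctx);
        };
    }

    // $min is this example's reading of the "min" param: reject at $min or more sightings.
    public function pwned(string $password, int $min = 1, ?string &$error = null): bool
    {
        $hash = strtoupper(sha1($password));
        $body = ($this->fetch)(substr($hash, 0, 5)); // only the prefix leaves the server
        if (!is_string($body)) {
            return true; // design choice here: fail open when the service is unreachable
        }
        $suffix = substr($hash, 5);
        foreach (preg_split('/\r?\n/', trim($body)) as $line) {
            [$candidate, $count] = array_pad(explode(':', $line, 2), 2, '0');
            if (hash_equals($suffix, strtoupper(trim($candidate))) && (int) $count >= max(1, $min)) {
                $error = 'This password appears in known data breaches.';
                return false;
            }
        }
        return true;
    }
}

// Constructed range response (made-up suffix and counts), so the demo runs offline.
$listed = substr(strtoupper(sha1('password')), 5);
$fake   = static fn (string $prefix): string => str_repeat('0', 35) . ":3\r\n{$listed}:250\r\n";
$rules  = new PwnedRules($fake);

$error = null;
var_dump($rules->pwned('password', 1, $error));   // listed suffix, default threshold
var_dump($error);
var_dump($rules->pwned('password', 1000));        // same suffix, higher threshold
var_dump($rules->pwned('correct horse battery staple')); // suffix absent from response
```

Failing open keeps registration working during an outage of the external service; a deployment that prefers to block in that case would return false there and set a different error message.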
#7

Looking at this, I think it would be great to have - but as a third-party addin, rather than in core. Part being that it relies on a third-party service and also, while they've done a good job of trying to minimize the security risk, there is still some that a developer/company would need to evaluate for their own uses.

That said, I think the concept of adding a wrapper to that and making it a validation rule is awesome, and something I'd definitely consider using. I've already got a similar password check built into the auth library that I'm working on, though the dataset is much smaller (only 600,000 passwords) and not kept up to date.
Reply
#8

(10-22-2018, 12:56 PM)kilishan Wrote: Looking at this, I think it would be great to have - but as a third-party addin, rather than in core. Part being that it relies on a third-party service and also, while they've done a good job of trying to minimize the security risk, there is still some that a developer/company would need to evaluate for their own uses.

That said, I think the concept of adding a wrapper to that and making it a validation rule is awesome, and something I'd definitely consider using. I've already got a similar password check built into the auth library that I'm working on, though the dataset is much smaller (only 600,000 passwords) and not kept up to date.


I understand your argument that because it is a third-party service building it in the core might not be the right location for it.
2nd part of it I wouldn't 100% agree with "there is still some that a developer/company would need to evaluate for their own uses", because they still have the option to use it or not by adding the validation rule or not. If they don't add the validation rule I don't see how this would be a possible security risk (You could also add a warning in docs that it uses a third-party service).

Currently seems mixed, making a PR for core or not. Not sure what to do yet.
Reply
#9

I think I am going to try to make a package. Just need to figure out how I can easily include the package into the core files, I think this will help me: https://bcit-ci.github.io/CodeIgniter4/l...stom-rules

Btw will you guys make a section for community packages? I think this will help improve interest for third-party development and create a larger community base for this framework.
Reply



