Why doesn't CI include an Auth library?
#1

Hi, I'm making a document about different frameworks and I'm wondering if there's some reason why CI is not including Authentication management (user & roles), as it is a basic requirement for almost every app. Thank you in advance.
#2

That topic has been discussed repeatedly on this forum. Please do a search to find those threads. There is one where it is talked about relative to version 4 but everything said is true for any version of CI.
#3

(This post was last modified: 01-09-2018, 03:39 PM by skunkbad.)

Perhaps to answer your own question you should research the different kinds of authentication that are used in web applications and APIs. There is no "one size fits all" approach to authentication. Also, even in an attempt to complete such a task, you must assume that an application will use or be able to use such things as sessions, a database, etc. Finally, there is a lot of customization that goes into most authentication for a specific application. It's just not reasonable to expect that something like authentication should be forced upon the entire CodeIgniter user base.

Take Laravel's Auth for example. Have you tried to use it? For me, because I'm used to my own brand of authentication, I find it extremely limited. I had to do a lot of work to make it fully usable, and because of all that extra work, there's really no advantage to having it ... unless of course you're a beginner level developer that can't really do much on your own.

The general consensus is that authentication should not be included, and that majority opinion hasn't changed in the nearly 9 years that I've used CodeIgniter.
#4

A notable addition to what @skunkbad said:

That doesn't mean you should write the entire thing on your own. Security is hard and it is very likely that you will screw it up. But it is a need better served by third-party packages - you simply pick one that would best serve your use case.

And as a side note, this "Auth" short-hand that everybody uses adds a lot of confusion when you try to dive into this problem, because it can refer to two closely-related, but ultimately different things - authentication and authorization.

Authentication is "are you who you say you are" - credentials verification
Authorization is "are you allowed to do X" - permissions, roles, etc. (what's commonly referred to as ACL)

Authentication methods have a lot of low-level technical implications and each different solution is very different.
Authorization, in this context (it can also mean other things), is almost pure business logic and all strategies for it are very similar, but key details make drastic changes. Just think about user-based vs group-based permissions - sounds and looks almost the same, but if you try to implement both as options in a single package, it's not at all that simple.
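The distinction drawn in post #4, as an added example that is not part of the thread and not CodeIgniter code: authentication is one credential check, while authorization depends on whether permissions are read from groups only or from groups plus per-user entries. The sample data, the function names and the rule that a per-user entry overrides group grants are all assumptions made for illustration; under them the two models disagree about `post.delete` for the same user.

```php
<?php
// Constructed sample data; every name below is hypothetical.
$users = [
    'alice' => [
        'hash'   => password_hash('correct horse', PASSWORD_DEFAULT),
        'groups' => ['editors'],
    ],
];
$groupGrants = ['editors' => ['post.edit' => true, 'post.delete' => true]];
$userGrants  = ['alice'   => ['post.delete' => false]]; // per-user override

// Authentication: "are you who you say you are" (credential verification).
function authenticate(array $users, string $name, string $password): bool
{
    return isset($users[$name])
        && password_verify($password, $users[$name]['hash']);
}

// Authorization, group-based only: allowed if any group grants the permission.
function groupAllows(array $groups, array $groupGrants, string $perm): bool
{
    foreach ($groups as $group) {
        if (($groupGrants[$group][$perm] ?? false) === true) {
            return true;
        }
    }
    return false;
}

// Authorization, user-based layered on groups.
// Assumed precedence: an explicit per-user entry (allow or deny) wins.
function isAllowed(string $name, array $users, array $groupGrants,
                   array $userGrants, string $perm): bool
{
    if (isset($userGrants[$name][$perm])) {
        return $userGrants[$name][$perm];
    }
    return groupAllows($users[$name]['groups'] ?? [], $groupGrants, $perm);
}

// Identity check first, then the same permission under both models.
var_dump(authenticate($users, 'alice', 'correct horse'));
var_dump(groupAllows($users['alice']['groups'], $groupGrants, 'post.delete'));
var_dump(isAllowed('alice', $users, $groupGrants, $userGrants, 'post.delete'));
```

A package offering both models has to fix a precedence rule like the one assumed here, and a different rule (for example, group grants win) changes who can delete posts without changing any stored data.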