Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Zend Framework Blog:
Nested Middleware in Expressive
Mar 16, 2017 @ 11:52:21

On the Zend Framework blog Matthew Weier O'Phinney has posted another tutorial, this time showing you how to use nested middleware in Expressive allowing for the composition of your own workflow in the request/response flow.

A major reason to adopt a middleware architecture is the ability to create custom workflows for your application. Most traditional MVC architectures have a very specific workflow the request follows. While this is often customizable via event listeners, the events and general request lifecycle is the same for each and every resource the application serves.

With middleware, however, you can define your own workflow by composing middleware.

He starts by describing one of the main concepts in the workflow of the application: pipelines. He gives an example of the default pipeline included with the Expressive skeleton application and how the middleware it uses nests to create a custom logic and handling flow. He follows this with an example scenario showing how to add authentication into the pipeline, specifically the use of Digest authentication via a PSR7 middleware package. Code is included for the integration of this package and the end result - all pages requiring authentication. He shows how to modify this and limit it to only certain paths and how to nest them in the route definitions.

Finally he shows another approach - creating a custom middleware pipeline inside of the factory for the requested middleware. He also covers nested applications, using traits for common workflows and the use of "delegator factories".

tagged: expressive tutorial nested middleware pipeline custom authentication example

Link: https://framework.zend.com/blog/2017-03-15-nested-middleware-in-expressive.html

Cloudways Blog:
User Authentication In Yii2 With Email Verification
Mar 13, 2017 @ 13:54:47

The Cloudways blog has a new tutorial posted showing you how to set up a system for user authentication via email in a Yii2-based application. The concepts would be the same in just about any other framework, it's just the code to implement it would be slightly different.

User authentication is an essential component of every web app. Whether it is a simple to-do list or a complex corporate portal, user authentication remains a common factor across all types of PHP applications.

[...] In this tutorial, I will show you how to develop a user authentication component in Yii2 that features a SMTP email verification. If you are new to Yii2, you must first read previous tutorials to get an introduction to Yii2. Next read about form handling in Yii 2 and database management in Yii 2.

The tutorial makes use of this extension for the traditional user handling as a more flexible option than the built-in framework features. They then walk you through the process of creating the new Yii2 project and getting the component installed. It also helps you:

  • run the migrations to create the required tables
  • set up the SMTP mailer
  • update the navigation with the links for logged in/logged out users
  • configuring the email settings

The end result is a signup form that, when submitted will send an email to the user's email address to verify it and allow the user to continue the registration process.

tagged: user authentication yii2 framework tutorial signup package

Link: https://www.cloudways.com/blog/user-authentication-yii2/

SitePoint PHP Blog:
How to Secure Laravel Apps with 2FA via SMS
Mar 01, 2017 @ 11:52:23

On the SitePoint PHP blog there's a new tutorial posted by author Younes Rafie showing you how to secure your Laravel application with 2FA (two-factor authentication) via SMS messages. In this example they make use of the Twilio SMS handling to send the message to the end user's device.

While everyone is concerned about their application’s security, few take it seriously and take the plunge. The first thing you’ll notice when learning about this is that two factor authentication (2FA) is the go-to solution as a first step.

Although there have been some serious problems with using text messages as a second factor, it’s definitely safer than a plain username and password combination, given that many users tend to use popular and easy to guess passwords for critical services such as payments, chat, emails, etc. In this article, we’re going to build two factor authentication into a Laravel application using Twilio SMS as the second factor.

The tutorial then starts by explaining what the end result will look like - a basic username/password login system that will require a code (from the SMS message) to continue into the account. They walk you through the creation of a new Homestead instance and installation/configuration of the new Laravel project. It then shows the updates you'll need to make to migrations and the models to handle the storage of the SMS tokens. It also shows the Blade templates to create the code entry view and error output in case of a code validation failure.

The tutorial then integrates Twilio's PHP SDK via a provider and provides a screencast of the end result.

tagged: laravel application security sms twofactor authentication

Link: https://www.sitepoint.com/secure-laravel-apps-2fa-via-sms/

Alison Gianotto:
Demystifying Custom Auth in Laravel 5
Nov 21, 2016 @ 11:49:17

Alison Gianotto (a.k.a. Snipe) has a new post on her site talking about custom authentication in Laravel-based applications including built-in functionality and how you can override it to your needs.

I’m a big fan of Laravel. I use it in most of my personal and professional projects, and for the most part it really does make coding fun for me again. One of the things Laravel tries to do (similar to Rails) is to build in the most repetitive things a developer would have to do, for example a user registration/login/forgotten password system.

[...] In each of my current Laravel apps, auth works just a tiny bit differently. Add to that the fact that a few of them were pulled forward from Laravel version 4.2, and things can get confusing and messy. [...] Laravel makes this really, really easy – they just don’t document how to do it very well.

She starts by mentioning the "fresh" install version of building out the auth pieces (php artisan make:auth) but points out that, if a more "hybrid" system is needed, a bit more work is required. She shows you the routes that are created in the "make:auth" process and how/where you need to modify things to customize it to your system. She illustrates with some of her own changes including code examples.

tagged: laravel tutorial custom authentication framework

Link: http://snipe.net/2016/11/demystifying-custom-auth-in-laravel-5/

Laravel Social Authentication with Socialite
Nov 17, 2016 @ 12:17:41

The Scotch.io site has posted a tutorial for the Laravel users out there showing you how to use the Socalite package in your application to make authentication handling with external services simpler.

Laravel introduced a built in Authentication module in version 5.2. To set this up, you just have to run php artisan make:auth and everything is generated for you, from the views to the controllers and the routes.

[...] And that is a great thing. However, this command will only make you a traditional login. In most sites nowadays when signing up, users have the option of signing up with a social provider such as Facebook. In this tutorial, I will teach you how to add multiple social providers to a Laravel app using Socialite package. For this tutorial we will add Facebook, Github and Twitter signups.

They start off with a new Laravel application (but, of course, you can use your current one), setting up a new database and creating a custom "users" table that includes "provider" information. The User model is then updated to allow the population of this data and the "make:auth" command is run. The Socialite package is then included and the application is configured to include its service provider. The tutorial then steps you through creating Github, Twitter and Facebook applications, getting the keys needed to drop into your app's configuration. Finally they update the login/registration pages with the social login buttons and how they'll now "magically" work.

tagged: tutorial socalite authentication laravel github twitter facebook

Link: https://scotch.io/tutorials/laravel-social-authentication-with-socialite

SitePoint PHP Blog:
2FA in Laravel with Google Authenticator – Get Secure!
Nov 01, 2016 @ 10:47:02

On the SitePoint PHP blog there's a tutorial posted from Christopher Thomas showing you how to integrate two-factor authentication into your Laravel application with a Google Authenticator-compatible library, helping to secure your site even better than just one level of authentication and authorization.

In this tutorial, we will use Laravel and Google Authenticator to demonstrate how to implement 2FA in a webapp. Google Authenticator is just one implementation of the Time-Based One-Time Password (TOTP) algorithm, RFC 6238. This industry standard is used in a lot of various 2FA solutions.

[...] How the TOTP works is that the server generates a secret key. This secret key is then passed to the user. The secret key is used in combination with the current Unix timestamp to generate a six digit number, using a keyed-hash message authentication code (HMAC) based algorithm. This six digit number is the OTP. It changes every 30 seconds.

They start with a clean slate and build a new Laravel project out and include the libraries needed for the TFA support: pragmarx/google2fa and paragonie/constant_time_encoding. You then add in the provider to Laravel's config, build out the models/tables to hold the two-factor information and add a few routes to handle the validation steps. They also include the details in building out the controllers, updating the AuthController for the new step in the authentication flow and how to handle the code validation. The code for all of this (as well as the views) is included as well as screenshots showing the setup and usage of the two-factor handling in the standard authentication flow.

tagged: tutorial google authenticator security laravel twofactor authentication

Link: https://www.sitepoint.com/2fa-in-laravel-with-google-authenticator-get-secure/

Auth0 Blog:
Creating your first Symfony app and adding authentication
Aug 03, 2016 @ 12:36:21

In this new post to the Auth0 blog Prosper Otemuyiwa shows you how to create a first Symfony framework based application and add in authentication with the included Guard functionality.

Symfony is a PHP framework, made up of a lot of decoupled and reusable components. It's a framework that promotes standardization and professionalism, supports best practices and interoperability of applications. In this tutorial, I'll show you how easy it is to build a web application with Symfony and add authentication to it without banging your head on a wall! Check out the repo to get the code.

They start with a brief overview of some of the components the framework is made up of (the most commonly used ones) and its concept of "bundles". He then helps you create your first Symfony application, explains its basic structure and starts in setting up controllers. Then comes the authentication and user validation pieces: registration handling, user functionality and creating its related database storage. Next up is setting up the routes for the application applying the authentication handling and finishing out the views for output. They end the post with a look at the profile debug bar, how Symfony compares to other frameworks and how to optionally integrate the Auth0 functionality in if you choose.

tagged: auth0 symfony introduction basics tutorial authentication integration

Link: https://auth0.com/blog/creating-your-first-symfony-app-and-adding-authentication/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend (using JSON Web Tokens)
Jun 06, 2016 @ 11:50:29

In a follow up to his previous post about sharing authentication information between socket.io and PHP, Gonzalo Ayuso has posted an updated method using JSON Web Tokens instead.

I’ve written a previous post about Sharing authentication between socket.io and a PHP frontend but after publish the post a colleague (hi @mariotux) told me that I can use JSON Web Tokens (jwt) to do this. I had never used jwt before so I decided to study a little bit.

JWT are pretty straightforward. You only need to create the token and send it to the client. You don’t need to store this token within a database. Client can decode and validate it on its own.

He updates the code from the previous post, showing how to replace the HTTP basic authentication with the JWT functionality. He makes use of some simple JWT library handling to encode/decode the claims when the token is made a part of the request.

tagged: socketio share authentication frontend jwt jsonwebtokens

Link: https://gonzalo123.com/2016/06/06/sharing-authentication-between-socket-io-and-a-php-frontend-using-json-web-tokens/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend
May 16, 2016 @ 10:56:30

In a post to his site Gonzalo Ayuso shows you how to combine authentication between Socket.io and a PHP frontend running a simple Silex-based application.

Normally, when I work with websockets, my stack is a socket.io server and a Silex frontend. Protect a PHP frontend with one kind of authentication of another is pretty straightforward. But if we want to use websockets, we need to set up another server and if we protect our frontend we need to protect our websocket server too.

If our frontend is node too (express for example), sharing authentication is more easy but at this time we we want to use two different servers (a node server and a PHP server). I’ve written about it too but today we`ll see another solution.

He sets up a simple Silex application with three routes - the root (/), a login route and a "private" one requiring a user to be logged in. This last route makes the connection to the websocket server in the template. This connection sends the current session ID to the backend where it's verified with a simple Socket.io middleware. Sometimes the session ID cookie will be set as HttpOnly so he provides an alternative for that: a new endpoint just for getting the current session ID for the websocket request.

tagged: socketio websocket server frontend sharing authentication session silex tutorial

Link: https://gonzalo123.com/2016/05/16/sharing-authentication-between-socket-io-and-a-php-frontend/

Paragon Initiative:
Solve All Your Cryptography Problems in 3 Easy Steps
May 12, 2016 @ 11:55:55

On the Paragon Initiative site there's a new post that promises a way to solve all of your cryptography problems in PHP with three simple steps.

Last year, we began developing Halite, a FOSS high-level wrapper for the PHP bindings to libsodium. We use Halite extensively in our own projects (including our upcoming CMS which has quite a few of its own innovative cryptography features baked-in).

As of version 2.1.0, we are confident that Halite solves all of the application-layer cryptography problems that most PHP developers face; and it does so in three easy steps. (For transport-layer cryptography, you should still use TLS, of course.)

Their three steps to effectively using Halite and libsodium in your application are:

  • Step One: Managing Cryptography Keys
  • Step Two: Encrypting or Authenticating with Halite
  • Step Three: Decrypt or Verify

Each step comes with example code showing how to use the tool to accomplish it. There's also a few other problems that are solved by using the library including generating encrypted password hashes and whole file cryptography.

tagged: cryptography problem halite libsodium steps keys authentication encrypt decrypt

Link: https://paragonie.com/blog/2016/05/solve-all-your-cryptography-problems-in-three-easy-steps-with-halite