
Stovepipe Systems:
Symfony Security Roles vs. Voters
Aug 22, 2016 @ 10:08:28

On the Stovepipe Systems blog, Iltar van der Berg has returned with a continuation of his series on Symfony security basics, this time covering roles and voters.

In my previous blog post I've explained the basics of authentication, authorization and how this is dealt with in Symfony. Due to the size of the post, I've left out several important topics such as roles and voters, both equally important parts of authentication and authorization. A common misconception is that roles should be used to check permissions. In fact, they should definitely not be used to check permissions!

He goes on to explain where "roles" fit: they belong to authentication (not authorization) and describe something about the user of the system, not what that user may do to a particular resource. With that defined he moves on to "voters": classes that vote on an attribute for a given subject (a request, an entity, etc.) on behalf of the current user and can grant, deny or abstain. He explains why voters are probably what most developers are actually looking for and why a permission check against a specific object should be a voter rather than a role. He ends the post showing how to create your own custom voter and register it in your application.
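To make the role-versus-voter distinction concrete, here is an added example (not code from the Stovepipe Systems post) of a Symfony voter that decides whether the current user may view or edit a specific blog post. It assumes the symfony/security-core component (the Voter base class available since Symfony 2.8), a hypothetical App\Entity\Post with isPublished() and getAuthorId() methods, and a User class exposing getId(); all of those names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes symfony/security-core
// (Voter base class, Symfony 2.8+/3.x) and a hypothetical App\Entity\Post
// with isPublished() and getAuthorId(); the user class is assumed to expose
// getId(). Class, attribute and entity names are illustrative.
namespace App\Security;

use App\Entity\Post;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class PostVoter extends Voter
{
    const VIEW = 'view';
    const EDIT = 'edit';

    // Only vote on attributes and subject types this voter understands.
    // Returning false here makes the voter ABSTAIN, so other voters (or the
    // role-based voter) can still decide unrelated attributes.
    protected function supports($attribute, $subject)
    {
        return in_array($attribute, [self::VIEW, self::EDIT], true)
            && $subject instanceof Post;
    }

    // Called only when supports() returned true. true grants, false denies.
    // The decision is about *this* post, which is exactly what a role such
    // as ROLE_EDITOR cannot express.
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();
        if (!$user instanceof UserInterface) {
            return false; // anonymous request: deny everything this voter covers
        }

        /** @var Post $post */
        $post = $subject;
        $isAuthor = ($post->getAuthorId() === $user->getId());

        switch ($attribute) {
            case self::VIEW:
                // Published posts are visible to any authenticated user,
                // drafts only to their author.
                return $post->isPublished() || $isAuthor;
            case self::EDIT:
                return $isAuthor;
        }

        return false; // unreachable given supports(), kept as a safe default
    }
}
```

The voter becomes active once it is registered as a service tagged `security.voter` (Symfony 3.3 and later does this automatically via autoconfiguration). A controller then checks it with `$this->denyAccessUnlessGranted('edit', $post)` and a Twig template with `is_granted('edit', post)`, the same calls that would otherwise take a role name; the difference is that the answer now depends on the post, not just on who the user is.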

tagged: tutorial symfony authorization voter role introduction custom

Link: https://stovepipe.systems/post/symfony-security-roles-vs-voters

Alex Bilbie:
OAuth 2.0 Device Flow Grant
Apr 20, 2016 @ 11:58:50

In a new post to his site Alex Bilbie looks at a good approach to simplifying the OAuth 2 authorization flow for a device and some of the simple PHP that can power it.

When signing into apps and services on devices such as a Playstation or an Apple TV it can be an immensely frustrating experience. Generally you will endure something similar to one of the following scenarios: The utterly terrible experience whereby you don’t have anything other than an onscreen keyboard [or] A slightly less terrible experience whereby you can pair a bluetooth keyboard to enter your username and that crazy long password.

[...] There are some apps however - such as Youtube for Apple TV - that have a much better end user experience.

He describes this better experience: the device shows the user a short code and a URL, the user visits that URL on another device, logs in and sees the typical OAuth-style authorization page, which links the pending device request to their account. He then explains how the pieces fit together with a PHP backend: the device POSTs to the authorization server, gets back a "device code" (kept on the device and used for polling) along with the user code and verification URL to show on screen, and then polls the token endpoint until the user has approved. He also includes a few examples of the error responses for polling too quickly, an authorization that is still pending and a denied request. This is all based on the OAuth 2.0 Device Flow Grant, which was still an IETF draft at the time (it was later published as RFC 8628).
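The device side of that exchange, as an added example that is not the code from Alex Bilbie's post: the two requests the device makes and the polling loop that handles each error the draft defines. The HTTP transport is injected as a callable so the flow can be exercised offline against a constructed fake authorization server; the endpoint URLs, client_id, codes and token values are all made up for the example.

```php
<?php
// Added example, not from the original post. Implements the device side of
// the OAuth 2.0 Device Flow (IETF draft, later RFC 8628). $post is an
// injected transport returning the decoded JSON body; the $fakeServer below
// is a constructed stand-in so the example runs offline. All URLs, the
// client_id and the token values are made up.

const DEVICE_GRANT = 'urn:ietf:params:oauth:grant-type:device_code';

// Step 1: ask the authorization server for a device_code / user_code pair.
function requestDeviceCode(callable $post, $deviceEndpoint, $clientId, $scope)
{
    $res = $post($deviceEndpoint, ['client_id' => $clientId, 'scope' => $scope]);
    foreach (['device_code', 'user_code', 'verification_uri', 'expires_in'] as $k) {
        if (!isset($res[$k])) {
            throw new RuntimeException("device authorization response missing '$k'");
        }
    }
    // user_code and verification_uri are shown to the human; device_code is
    // the device's secret for polling and must never be displayed or logged.
    return $res;
}

// Step 3 (step 2 is the human approving in a browser): poll the token
// endpoint, honour the server's interval, back off on slow_down and stop on
// access_denied / expired_token or when the code's lifetime has run out.
function pollForToken(callable $post, callable $sleep, $tokenEndpoint, $clientId, array $auth)
{
    $interval = isset($auth['interval']) ? (int) $auth['interval'] : 5; // 5 s default
    $deadline = time() + (int) $auth['expires_in'];

    while (time() < $deadline) {
        $sleep($interval);
        $res = $post($tokenEndpoint, [
            'grant_type'  => DEVICE_GRANT,
            'device_code' => $auth['device_code'],
            'client_id'   => $clientId,
        ]);

        if (isset($res['access_token'])) {
            return $res; // access_token, token_type, possibly refresh_token
        }
        $error = isset($res['error']) ? $res['error'] : 'unknown_error';
        switch ($error) {
            case 'authorization_pending':
                break;            // user has not approved yet; keep polling
            case 'slow_down':
                $interval += 5;   // back off (RFC 8628 later fixed this at +5 s)
                break;
            case 'access_denied':
                throw new RuntimeException('user denied the request');
            case 'expired_token':
                throw new RuntimeException('device code expired before approval');
            default:
                throw new RuntimeException("token endpoint error: $error");
        }
    }
    throw new RuntimeException('gave up: device code lifetime exhausted');
}

// --- Constructed fake authorization server so the example runs offline ---
$polls = 0;
$fakeServer = function ($url, array $form) use (&$polls) {
    if ($url === 'https://auth.example/device') {
        return ['device_code' => 'dc-secret-value', 'user_code' => 'WDJB-MJHT',
                'verification_uri' => 'https://auth.example/activate',
                'expires_in' => 600, 'interval' => 1];
    }
    // token endpoint: pending twice, then slow_down, then success
    $polls++;
    if ($polls <= 2) return ['error' => 'authorization_pending'];
    if ($polls === 3) return ['error' => 'slow_down'];
    return ['access_token' => 'at-example', 'token_type' => 'Bearer', 'expires_in' => 3600];
};
$noSleep = function ($seconds) { /* skip real waiting in the demo */ };

$auth = requestDeviceCode($fakeServer, 'https://auth.example/device', 'tv-app', 'read');
printf("Go to %s and enter code %s\n", $auth['verification_uri'], $auth['user_code']);
$token = pollForToken($fakeServer, $noSleep, 'https://auth.example/token', 'tv-app', $auth);
echo 'Authorized, token type: ', $token['token_type'], "\n";
```

Swapping `$fakeServer` for a real transport (a curl-based POST that json_decodes the body) and `$noSleep` for `sleep` turns this into a working client. The two things worth keeping from the structure are that the device never shows or logs the device_code, and that the loop treats slow_down as an instruction rather than a transient error, which is what stops a fleet of devices from hammering the token endpoint.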

tagged: device flow grant oauth2 example draft standard authorization

Link: http://alexbilbie.com/2016/04/oauth-2-device-flow-grant

Lorna Mitchell:
Simple Access Control for CakePHP3
Apr 11, 2016 @ 09:35:01

Lorna Mitchell has a post to her site with some helpful instructions for the CakePHP3 users out there around access control. The framework ships with authentication support but no built-in ACL, so she shows how to write an authorization layer of your own.

The newest version of CakePHP doesn't ship with built in ACL, which means you need to write your own. Personally I think this is a smart move, having looked at the one-size-fits-all solutions for previous versions of the framework and knowing that every system has different requirements, this version has good hooks and documentation on how to add something that works for your application. I thought I'd share what worked for mine.

She starts with the initial setup: creating the relationship between the users table and her custom roles table and "baking" the controllers and templates. She then goes through the authorize method and how it receives the user and the request together to decide whether access is allowed. She includes the code for her authorize class, showing both the authorize method and a simplified userHasRole method. She walks you through the code and one drawback of the setup: access cannot be checked from within views and templates.

tagged: access control cakephp3 user loggedin authorization tutorial

Link: http://www.lornajane.net/posts/2016/simple-access-control-cakephp3

Mohamed Said:
Building an API for 3rd party applications
Mar 30, 2016 @ 09:30:31

In this post to his site Mohamed Said shows you how to build an API that lets 3rd party applications integrate with your content and functionality on behalf of your users. The example uses the Laravel framework but the ideas could be applied in any framework.

APIs are cool, & laravel can handle all the coolness you may desire. Here we talk about building an API for third party applications and allowing them to communicate with your application on behalf of users.

He starts where any good project should: planning which features need to be included and the flow of the request/response process. He then walks you through the whole process of setting up the API:

  • Updating the routes for the API request endpoints
  • Creating the new Auth and Home controllers
  • Setting up the migration for the "applications" table
  • Using the firebase/php-jwt library for authentication/authorization handling
  • Registering a token and validating it on the incoming request

He wraps up the post with user authentication via a simplified OAuth-like flow, making requests with the resulting token and logging the user out (expiring the token).

tagged: api tutorial laravel application integration jwt token authentication authorization

Link: http://themsaid.github.io/laravel-api-3rd-party-20160327/

SitePoint PHP Blog:
Removing the Pain of User Authorization with Sentinel
Sep 21, 2015 @ 14:23:10

The SitePoint PHP blog has posted a tutorial showing you how to "take the pain out of user authorization" with the help of Sentinel, a package from Cartalyst that already includes functionality for both user authorization and authentication.

Most non-basic multi-user applications need some roles and permission levels. If you ever used WordPress, you must have noticed that they have a super admin, admin, editor, author, etc. Simplifying the development and integration of a permission system is what Cartalyst’s Sentinel package is trying to accomplish. The package provides an API for dealing with users, groups, permissions, etc. In this article, we’ll use it to create a small demo app.

They walk through the creation of a simple Slim framework application, installing it, Sentinel and the other suggested packages via Composer. They then help you run the migrations to create the necessary tables and set up a basic front controller file. From there they configure Twig templating and the Illuminate database connection and finally add a Sentinel instance to the application's DI container. They include code to create "user" and "admin" roles. The tutorial then shows how to build a login and registration form, send a registration email, create permissions and activate users. Finally they build a simple administration page that hides functionality from normal users.

tagged: tutorial authentication authorization sentinel cartalyst slim illuminate

Link: http://www.sitepoint.com/removing-the-pain-of-user-authorization-with-sentinel/

Matt Stauffer:
ACL (Access Control List) Authorization in Laravel 5.1
Sep 10, 2015 @ 09:41:45

Matt Stauffer has continued his series on Laravel 5.1 with a new post covering the ACL functionality added in 5.1.11. It builds on the authentication handling that has been part of the framework for a while.

The authentication that Laravel provides out-of-the-box makes it simple to get user signup, login, logout, and password resets up and running quickly and easily.

But if you needed to control access to certain sections of the site, or turn on or off particular pieces of a page for non-admins, or ensure someone can only edit their own contacts, you needed to bring in a tool like BeatSwitch Lock or hand-roll the functionality, which would be something called ACL: Access Control Lists, or basically the ability to define someone's ability to do and see certain things based on attributes of their user record. Thankfully, Taylor and Adam Wathan wrote an ACL layer in Laravel 5.1.11 that provides this functionality without any added work.

He talks about the main interface to the ACL system, the Gate class/facade, and gives a simple example of it in use. He then gets into defining abilities and checking them, both through the facade and on the User model. He also shows how to use the same checks in Blade templates and how to intercept every check before the individual ability callbacks run. He ends the post with policies, which group the abilities for one model into a single class, and with controller authorization.

tagged: acl accesscontrol authorization laravel5 tutorial series part12 gate

Link: https://mattstauffer.co/blog/acl-access-control-list-authorization-in-laravel-5-1

Community News:
Laravel 5 Now Includes Authorization
Sep 01, 2015 @ 10:50:41

In a recent release of the Laravel framework (v5.1.11) authorization handling has been added to the framework itself. This lets you define permission checks and policies once and evaluate them both in backend code and in the templates.

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.

The functionality is built around "abilities" (named permissions, essentially) whose callbacks return allow or deny based on the authenticated user and, optionally, the object being acted on. The documentation shows how to perform the checks in controllers, on the user model, in form requests and even in Blade templates. There's also a section on creating policies, which group the abilities of one model class together rather than relying on one-off permission checks.
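Putting together the pieces described in Matt Stauffer's post above and in this documentation summary, here is an added example (not code from either source) of the Laravel 5.1.11 authorization layer: a policy for a Post model, the service provider that registers it, a before-hook that intercepts every check, and a controller method that enforces the policy. App\Post with a user_id column, an is_admin flag on App\User and the route name are assumptions for illustration; in a real application each class lives in its own file under app/.

```php
<?php
// Added example, not from Matt Stauffer's post or the Laravel docs.
// Targets Laravel 5.1.11. App\Post (user_id column), User::$is_admin and the
// route name are assumptions. Three classes are shown in one listing; each
// would normally live in its own file under app/.

// ---- app/Providers/AuthServiceProvider.php ----
namespace App\Providers;

use App\Post;
use App\Policies\PostPolicy;
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    // Map each model to the policy class holding its abilities.
    protected $policies = [
        Post::class => PostPolicy::class,
    ];

    public function boot(GateContract $gate)
    {
        $this->registerPolicies($gate);

        // Runs ahead of every ability callback. A non-null return value
        // short-circuits the check; returning null falls through to the
        // ability or policy method. Here admins are allowed everything.
        $gate->before(function ($user, $ability) {
            if ($user->is_admin) {
                return true;
            }
        });

        // A closure-defined ability that needs no subject model.
        $gate->define('view-reports', function ($user) {
            return (bool) $user->is_admin;
        });
    }
}

// ---- app/Policies/PostPolicy.php ----
namespace App\Policies;

use App\Post;
use App\User;

class PostPolicy
{
    public function create(User $user)
    {
        return true; // any authenticated user may create a post
    }

    // Per-record ownership checks: the kind of decision a role cannot express.
    public function update(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }

    public function delete(User $user, Post $post)
    {
        return $user->id === $post->user_id;
    }
}

// ---- app/Http/Controllers/PostController.php ----
namespace App\Http\Controllers;

use App\Post;
use Illuminate\Http\Request;

class PostController extends Controller
{
    public function update(Request $request, Post $post)
    {
        // Throws AuthorizationException (rendered as 403) unless
        // PostPolicy::update, or the before-hook, allows it.
        $this->authorize('update', $post);

        $post->update($request->only('title', 'body'));

        return redirect()->route('posts.show', $post); // route name assumed
    }
}
```

The same policy method answers `$user->can('update', $post)` on the model (via the Authorizable trait on the default User class) and `@can('update', $post) ... @endcan` in a Blade template, so the ownership rule is written once. Projects scaffolded before 5.1.11 need to add the `AuthorizesRequests` trait to the base controller for `$this->authorize()` to exist. Keep `before` hooks narrow: because a `true` return bypasses every policy, a bug there grants everything.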

To get a feel for what the community thinks of this new functionality, be sure to check out this Reddit thread with feedback, both positive and negative, on how it was implemented.

tagged: laravel framework authorization functionality permission policy allow deny

Link: http://laravel.com/docs/5.1/authorization

SitePoint PHP Blog:
PHP Authorization with JWT (JSON Web Tokens)
Jun 04, 2015 @ 09:51:17

On the SitePoint PHP blog today there's a tutorial posted showing you how to handle authorization with JWTs, JSON Web Tokens. These tokens carry signed claims about the caller, such as when the token was issued (iat) and when it expires (exp), so the server can verify them without looking up a session.

If you like computer security topics, you will know that one of the most discussed and controversial topics is user authentication. Within its context, you will find a broad range of study areas, from new mechanisms to usability. It is, thus, to my surprise that JSON Web Tokens is a topic not often talked about, and I think it deserves to be in the spotlight today. We will see how easy it is to integrate it in an API authentication mechanism.

He starts with a comparison of JWTs and sessions, pointing out both similarities and differences between the two. He then gets into the official JWT specification (RFC 7519), which defines the structure and what a resulting JWT string looks like. He then moves on and shows how to integrate them into an existing application via the php-jwt library. He helps you get the dependencies installed and sets up both the encoding and decoding methods. He ties this to a simple frontend JavaScript request that fetches content and pushes it into the page; the API verifies the JWT on each request and returns a 400 HTTP error code if verification fails.
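Both this tutorial and Mohamed Said's Laravel API post above use the firebase/php-jwt library, so here is one added example (not code from either post) covering the pattern they share: issuing a short-lived HS256 token and verifying it from an Authorization header, with the accepted algorithm list pinned. It assumes php-jwt 3.x or 4.x (the 2015-2016 API, where decode() takes an array of allowed algorithms) installed via Composer; the secret, issuer and user id are made up.

```php
<?php
// Added example, not from either SitePoint's or Mohamed Said's post.
// Assumes firebase/php-jwt 3.x/4.x installed via Composer. The secret,
// issuer and user id below are made up for the example.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\ExpiredException;
use Firebase\JWT\SignatureInvalidException;

// HS256 key: a random secret of at least 32 bytes, never a human password.
// Kept in configuration in practice; hard-coded here only for the example.
$secret = 'qm5mxXw5m3iUwo0bUd6Y5cM0xGIt8nKC1j1lQXkc8Xw';
$issuer = 'https://api.example.test';

function issueToken($secret, $issuer, $userId, $ttlSeconds = 900)
{
    $now = time();
    $claims = [
        'iss' => $issuer,                   // who issued it
        'iat' => $now,                      // issued at
        'nbf' => $now,                      // not valid before
        'exp' => $now + $ttlSeconds,        // short-lived: a stateless JWT cannot be revoked
        'sub' => (string) $userId,          // the authenticated user
        'jti' => bin2hex(random_bytes(16)), // unique id, so a logout denylist can target one token
    ];
    return JWT::encode($claims, $secret, 'HS256');
}

// Verify the token from an "Authorization: Bearer <jwt>" header value.
// Returns ['claims' => ..., 'status' => 200] or ['error' => ..., 'status' => 401].
function verifyBearer($authorizationHeader, $secret, $issuer)
{
    if (!preg_match('/^Bearer\s+(\S+)$/', (string) $authorizationHeader, $m)) {
        return ['error' => 'missing or malformed Authorization header', 'status' => 401];
    }
    try {
        // Pin the accepted algorithms. Honouring the token's own "alg" header
        // is the classic "alg: none" / HMAC-vs-RSA confusion bug.
        $claims = JWT::decode($m[1], $secret, ['HS256']);
    } catch (ExpiredException $e) {
        return ['error' => 'token expired', 'status' => 401];
    } catch (SignatureInvalidException $e) {
        return ['error' => 'bad signature', 'status' => 401];
    } catch (Exception $e) { // BeforeValidException, malformed token, ...
        return ['error' => 'invalid token: ' . $e->getMessage(), 'status' => 401];
    }
    if (!isset($claims->iss) || $claims->iss !== $issuer) {
        return ['error' => 'unexpected issuer', 'status' => 401];
    }
    return ['claims' => $claims, 'status' => 200];
}

$token = issueToken($secret, $issuer, 42);
$ok = verifyBearer('Bearer ' . $token, $secret, $issuer);
echo $ok['status'], ' sub=', $ok['claims']->sub, "\n";

// Editing the payload (here: claiming sub=1 and a far-future exp) breaks the signature.
$parts = explode('.', $token);
$parts[1] = rtrim(strtr(base64_encode('{"sub":"1","exp":9999999999}'), '+/', '-_'), '=');
$bad = verifyBearer('Bearer ' . implode('.', $parts), $secret, $issuer);
echo $bad['status'], ' ', $bad['error'], "\n";

// A token signed with a different key is rejected the same way.
$forged = JWT::encode(['sub' => '1', 'exp' => time() + 60], 'other-key', 'HS256');
echo verifyBearer('Bearer ' . $forged, $secret, $issuer)['error'], "\n";
```

The two checks that matter most for security are the pinned algorithm list and the issuer comparison; php-jwt already enforces exp, nbf and iat. Because nothing server-side is consulted on each request, "logging out" a JWT means either waiting for exp or keeping a denylist of jti values until they expire, which is why the ttl above is short.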

tagged: tutorial jwt jsonwebtoken phpjwt authorization example resource

Link: http://www.sitepoint.com/php-authorization-jwt-json-web-tokens/

SitePoint PHP Blog:
Symfony2 Pre-registration and Invite System
May 07, 2015 @ 08:25:48

The SitePoint PHP blog has kicked off a new series today with part one of a two-part tutorial showing you how to create a registration and invitation system with Symfony2. While they've covered general Symfony2 development before, this series focuses on the security side: authentication and authorization.

In this article series of two parts, we are going to talk about a very important area of web application development: Authentication and Authorization. Symfony2 has a very detailed elaboration of these two topics in its official documentation. Anyone who is seriously looking into this is encouraged to read through that official document after absorbing the essentials from this tutorial.

The author starts with a brief list of common user management tasks, including registration via a form, sending confirmation emails and verifying the user's login. He helps you create the underlying "user" table (complete with the SQL) and describes the purpose of several of its columns. He includes the settings you'll need in your "security.yml" configuration file, with a bit of detail on what each section and its settings mean. He then moves on to the "User" entity class, adding some functionality to the standard generated class, and includes the code needed for the invite and registration actions.

tagged: registration invite system symfony2 tutorial user management authentication authorization

Link: http://www.sitepoint.com/symfony2-pre-registration-invite-system/

Ralph Schindler:
Authentication & Authorization in Apigility
Mar 27, 2014 @ 11:04:21

Those interested in the Apigility project from Zend might want to check out this new post from Ralph Schindler on how it handles authentication and authorization for incoming requests.

Apigility takes a lightweight, layered, yet extensible approach to solving both problems of authentication and authorization. The infrastructure is already in place and ready to be configured to use, or for more advanced use cases: to be extended. Many of these features can be easily explored through the Apigility user interface.

He gets into authentication first, defining it briefly before getting into the Apigility-specific implementation. He talks about the three supported methods (HTTP basic, HTTP digest and OAuth2), where authentication sits in the request lifecycle, and shows screenshots of its setup. Following this he talks about the other half of the equation, authorization. He covers the HTTP "Authorization" header, the identity types and where to find the configuration settings. He finishes off the post with an in-depth look at the components, events and services/models that make up the authentication and authorization system and make it work.

tagged: authentication authorization apigility introduction configuration

Link: http://ralphschindler.com/2014/03/26/authentication-authorization-in-apigility