SitePoint PHP Blog:
Social Logins with Oauth.io – Log in with Anything, Anywhere
Dec 22, 2016 @ 13:47:46

The SitePoint PHP blog has a tutorial posted from Meni Allaman showing you how to use the OAuth.io SDK for social logins, integrating multiple social network logins in one centralized place.

Users today often like the idea of logging into websites with a single click using one of their social accounts.

Given that, today we will look at OAuth.io, which is a multi-platform SDK for more than 120 social login providers like Facebook, Twitter, and Google+. Working with such an SDK is not a difficult task, but there are some prerequisites for using it.

The tutorial then breaks down the steps to follow for getting the service set up and getting the required package installed. Following this the author shows how to connect your account to the various services and provides the code you'll need to connect to the OAuth.io service. It finishes up with an example of a page you'd need to provide to your users to let them authorize the connection to the OAuth.io service with the service of their choosing.

tagged: social login oauthio oauth tutorial service package

Link: https://www.sitepoint.com/social-logins-with-oauth-io-log-in-with-anything-anywhere/

SitePoint PHP Blog:
Let’s Kill the Password! Magic Login Links to the Rescue!
Dec 15, 2016 @ 12:36:17

On the SitePoint PHP blog there's a new tutorial posted from Christopher Vundi showing you how to create a password-less login system using "magic links". These links allow users to log into a service without requiring a password using a one-time code and a special URL.

Authentication is something that has evolved over the years. We have seen it change from email – password combination to social authentication, and finally password-less authentication. Actually, more like an “email only” authentication. In the case of a password-less login, the app assumes that you will get the login link from your inbox if the email provided is indeed yours.

[...] In this tutorial, we are going to implement such a system in a Laravel app. The complete code can be found here.

The tutorial then walks you through some of the setup of the application environment: creating the Laravel project, building out the database and running the "make:auth" command to generate the related controllers, views and models. They show you how to change the login link to point to the new "magic link" functionality and the matching controller and view. The tutorial then shows how to generate the tokens, email them to the user with the special URL and validate them once they come back in.

tagged: password magic login link tutorial token email

Link: https://www.sitepoint.com/lets-kill-the-password-magic-login-links-to-the-rescue/

Laravel News:
Learn how to change Laravel’s login validation
Oct 27, 2016 @ 09:42:34

On the Laravel News site there's a quick post looking at Laravel's login validation and how you can make updates to its handling (and where the changes should be made).

Laravel’s included auth system is a great way of scaffolding out a basic flow for authenticating users through a complete registration, login, logout, and forgot password system.

When it’s all set up, the login and password reset validation is stored in an AuthenticatesUsers and ResetsPasswords trait. Even though it’s a little hidden away, it’s still easy to adjust this to your needs. Let’s take a look at how to adjust this.

The post then breaks each of these down, showing where in the framework source the code lives and how you can update or override the current handling. The login validation lives in the default "AuthenticatesUsers" trait and the password reset verification is in "ResetsPasswords". These can each be overridden in your own controllers as they're just methods included via traits.

tagged: laravel login validation trait tutorial password

Link: https://laravel-news.com/2016/10/login-validation/

Tighten.co:
Creating a password-less, Medium-style, email-only authentication system in Laravel
Mar 14, 2016 @ 09:29:55

On the Tighten.co blog Matt Stauffer shows how to make a password-less authentication system similar to what the popular site Medium uses centered around emails sent to the account for the user.

Recently I was working on a project where one of our major pain points was users' passwords. Users were added to the application by administrators, so they didn't have passwords when they were first added, and forcing them to set and remember passwords was a big hitch on the project's usability.

So, we decided to try out a Medium/Slack-inspired password-less login. If you've never had the chance to work with this, the login system works like this: enter your email address on the login page, get emailed a login link, click the link, and now you're logged in. Access to your email address proves your identity without the need for a password.

He walks you through the process of disabling the current password-based flow by creating and modifying the default "make:auth" results. When the user comes to the site, they're asked to log in via sending an email. This email contains a unique token attached to a link that matches one on the server side related to the user. He shows how to build out this relation table, the matching model and the endpoint used to verify the hash once the user clicks on the link.

tagged: laravel password email login medium link random hash tutorial

Link: http://blog.tighten.co/creating-a-password-less-medium-style-email-only-authentication-system-in-laravel

Paragon Initiative:
One Login To Rule them All - Seamless and Secure Cross-Domain Authentication
Feb 24, 2016 @ 11:48:28

On the Paragon Initiative site they've posted a new tutorial sharing a method for creating "one login to rule them all" for your PHP-based applications. The goal is to make one system that provides a single authentication point and secure credential storage.

Problem: You want to create a system whereby when a user authenticates to example.com, they're also automatically logged in at foo.com, bar.com, baz.com, and any other domains that you decide to add to the list at a later date. Okay, great, that seems straightforward, except there's a complication: The Same Origin Policy prevents you from getting/setting cookies on domains other than the one you control.

[...] Let's narrow it down a little bit further: Unlike a situation where e.g. "Login with Facebook" would be appropriate, you control all of the domains. They just happen to be different, so the Same Origin Policy kicks in. For simplicity, feel free to assume they're on the same server and application codebase, but you have a multi-site architecture in place where some of the sites have a different domain name.

Let's work around this limitation with as few moving parts as possible.

He then shows how to use libsodium (via the Halite wrapper) to secure your credentials (passwords) and hooks it into a custom API endpoint that takes in a hex-encoded JSON string and a signature for the payload. He then expands this to provide "automatic login" handling, making use of another endpoint that fetches an image and logs in the user when passed the payload and signature values. He ends the post with a few security concerns around using this method and some things that it assumes are correct (and robust enough).

tagged: login single seamless crossdomain payload signature libsodium tutorial api

Link: https://paragonie.com/blog/2016/02/one-login-rule-them-all-seamless-and-secure-cross-domain-authentication

SitePoint PHP Blog:
How to Consume Laravel API with AngularJS
Feb 22, 2016 @ 11:23:10

The SitePoint PHP blog has posted a new tutorial from author Francesco Malatesta that continues their series looking at combining AngularJS and PHP, more specifically Laravel, to create a basic application. In this part of the series he builds on the server-side code created in part one and creates the Angular frontend.

In part 1, we built our server part. Now we can build our client. We are going to use AngularJS to make a Single Page Application. We will use a very basic bootstrap template, built on the fly.

The application is simple enough and will consist of three "screens" (not "pages" since it's a single page application): a login, a signup and a main screen. He walks you through the setup of a standard frontend development environment including tools and software you'll need to get started. He makes the simple route and Blade template for the single-page app and defines some AngularJS routes for each of the screens. He then includes the code to set up both the signup and login controllers and how to detect if the user is successfully logged in. From there he gets into the functional part of the application: managing the books and the user's wishlist with the standard CRUD (create, read, update and delete) operations. Screenshots are also included at some spots so you can ensure your progress matches the tutorial.

tagged: tutorial angularjs laravel part2 screen login signup book wishlist

Link: http://www.sitepoint.com/how-to-consume-laravel-api-with-angularjs/

Alejandro Celaya:
How to properly implement persistent login
Feb 10, 2016 @ 10:55:37

In his latest post to his site Alejandro Celaya shares some suggestions about how to make a good, safe persistent login feature for your application. This is usually referred to as the "remember me" handling and is widely used to help improve the overall user experience.

I'm sure you are familiar with those "remember me" checkboxes in login forms. They are a common way to allow a user to keep his/her session in a web application for an extended period of time when he is on a trusted computer.

One could think that it is a small and easy-to-implement feature, but it has indeed a lot of considerations. [...] In this article I’m not going to show you how to implement a persistent login in one or another programming language, but what are the good practices that should be followed when you implement it in the way you want.

He starts off with some thoughts about the wrong way to handle the persistent login (like just making a long-life cookie) and what some of the consequences could be. Instead he suggests using a long-lived cookie (with a randomly generated token), valid for maybe 2 weeks. The difference here is that the token is refreshed each time it is validated and the old one is reset. This also reduces the risk of an older token being reused from another source. He also shares some other security concerns to think about in this setup, including the use of one-time tokens, potential multiple persistent sessions and when it might be good to re-prompt for the password.

tagged: persistent login security rememberme implementation advice options

Link: http://blog.alejandrocelaya.com/2016/02/09/how-to-properly-implement-persistent-login/

Matt Stauffer:
The auth scaffold in Laravel 5.2
Jan 11, 2016 @ 10:06:29

Matt Stauffer has continued his series about some of the new features in the latest release of the Laravel framework (v5.2) with this post looking at the new auth scaffolding it makes available.

If you're like me, many of the applications you build in Laravel have a similar SaaS-type framework: user signup, user login, password reset, public sales page, logged-in dashboard, logout route, and a base Bootstrap style for when you're just getting started.

Laravel used to have a scaffold for this out of the box. It disappeared recently, to my great chagrin, but it's now back as an Artisan command: make:auth.

He talks about what all the scaffolding builds out including templates, routes and controllers. He provides examples of some of the generated code and what the output of these simple templates looks like (including a basic Bootstrap layout).

tagged: laravel framework auth scaffold tutorial example login user template controller route

Link: https://mattstauffer.co/blog/the-auth-scaffold-in-laravel-5-2

Matt Stauffer:
Login Throttling in Laravel 5.1
Aug 03, 2015 @ 08:35:57

Matt Stauffer has posted the eleventh part in his series looking at new features of the latest release of the Laravel framework (well, version 5.1). In this tutorial he shows you how to set up and configure the login throttling for your Laravel-based application with the help of the Laravel Throttle package.

Whether or not you know it, any login forms are likely to get a lot of automated login attempts. Most login forms don't stop an automated attack trying email after email, password after password, and since those aren't being logged, you might not even know it's happening.

The best solution to something like this is to halt a user from attempting logins after a certain number of failed attempts. This is called login throttling, or rate limiting. Graham Campbell wrote a great package called Laravel Throttle to address this in previous versions of Laravel, but in Laravel 5.1 Login throttling comes right out of the box.

He shows how to use the ThrottleTrait in your AuthController to have some of the "behind the scenes" work done for you. He shows you how to update your view to relay the possible error message back to the user (and includes a quick screencast of the result). He ends the post with a quick look at what the throttling functionality is doing under the covers: creating a temporary cache item based on username+IP address as a "lock" indicator. Finally, he points out two properties you can find on the auth controller to give a bit more detail on the current configuration: lockout time and max login attempts.

tagged: laravel login throttle tutorial authcontroller laravelthrottle package cache username ipaddress

Link: https://mattstauffer.co/blog/login-throttling-in-laravel-5.1

Matt Stauffer:
Using Github authentication for login with Laravel Socialite
Jul 17, 2015 @ 10:17:25

In a tutorial posted to his site Matt Stauffer shows you how to integrate Laravel with GitHub's authentication to link a user's profile to your application, made possible through the Socialite package.

Laravel's Socialite package makes it simple to authenticate your users to Facebook, Twitter, Google, LinkedIn, GitHub and Bitbucket. You can authenticate them for the purpose of connecting their pre-existing user account to a third-party service, but you can also use it as your primary login mechanism, which we'll be talking about here. I'm working on a new little micro-SaaS that is purely dependent on GitHub in order to operate, so there's no reason to set up any user flow other than just GitHub.

He starts with just a bit of insight into the overall flow of an OAuth connection with an application (which this is) and the pieces involved. Next he helps you get Socialite installed and working with your Laravel application. With this in place he shows you how to create a simple GitHub application and configure your Laravel instance with the provided client ID/secret and redirect URL. He adds in some routes to handle the two page requests and the controller methods to process the input. He makes a simple "users" migration to hold user information and a model to match. Finally he shows the result, stepping through the authorization flow, complete with screenshots.

tagged: laravel github social authentication login socalite package tutorial

Link: https://mattstauffer.co/blog/using-github-authentication-for-login-with-laravel-socialite