[STUCK] Create an Auth class

Hello everyone,

I am creating an Auth class for my MVC. (This is gonna be used by me alone.)
Now while I was thinking about how I could make a good auth class for my system I got stuck.

How can I do this the best?
What functions should I have and how would I do a GOOD check?

I also made a c9.io page where I am gonna make the Auth class.
I will share the link with you guys so that hopefully somebody can help me.

c9.io auth class

Best regards,
Wouter van Marrum.

Your link requires a sign in. No thanks. Perhaps we could clarify the requirements a bit by explaining what Auth means? Authentication perhaps? Maybe Authorization? Authority?

Maybe I am reading too much into your question. Here is an example of creating an Auth class.

```php
class Auth
{
}
$auth = new Auth();
```

Use the following:

password_hash
password_verify
password_needs_rehash

Then you would just get the username/email + hash from the table and compare with the username/password provided. Return false (logged out by default) or True if there is a match.

```php
if (password_verify($password, $hashfromtable))
{
    return true;
}
return false;
```

Presumably you mean “verify” in this case.

[quote=“djsmithme, post:3, topic:196071”]
```
if (password_varify($password, $hashfromtable))
{
    return true;
}
return false;
```
[/quote]

    return password_verify($password, $hashfromtable);

would be less verbose in that case.

Yep I did :), I’ll edit that.

True, but I wasn’t sure that it seemed obvious that false would be returned, as that’s kinda the crux.

You could add the boolean typecast. return !!password_verify($password, $hashfromtable);

Thanks for your replies,
and for @ahundiak sorry but that’s a main website I use to throw small codes up that I am testing.
If you have another site please send me a link.

As for what I mean with Auth: Authentication class.
I want to make a static class which will hold all the functions that you need to login, register, forgot password. (and all other stuff that is needed)

Now I am running into the problem that I cannot get my head around the “check” function.
This function needs to check if the user exists and if the username/email is active and the password matches.

So my question is: can somebody help me in the right direction or help me build one together so I know why you do it like that?
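An added example, not part of the original thread and not any poster's code: one way to write the “check” described above (user exists, account is active, password matches) using the password_hash / password_verify / password_needs_rehash functions recommended earlier. The function name `check()`, the `users` table and its columns are assumptions, the demo rows are constructed, and it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Hypothetical names: check(), the users table and its columns are
// illustrative and not taken from the thread's gist.
function check(PDO $db, string $login, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT id, hash, active FROM users WHERE username = :u OR email = :e'
    );
    $stmt->execute([':u' => $login, ':e' => $login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown login: still verify against a throwaway hash so both paths do
    // comparable work and timing does not reveal which accounts exist.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $user ? $user['hash'] : $dummy);

    // One generic failure for unknown user, wrong password, inactive account.
    if (!$user || !$ok || (int) $user['active'] !== 1) {
        return null;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($user['hash'], PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $db->prepare('UPDATE users SET hash = ? WHERE id = ?')
           ->execute([$new, $user['id']]);
    }
    return (int) $user['id'];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
           email TEXT, hash TEXT, active INTEGER)');
$add = $db->prepare(
    'INSERT INTO users (username, email, hash, active) VALUES (?, ?, ?, ?)'
);
$h = fn (string $p): string => password_hash($p, PASSWORD_DEFAULT);
$add->execute(['alice', 'alice@example.test', $h('correct horse'), 1]);
$add->execute(['bob', 'bob@example.test', $h('hunter2'), 0]);

var_dump(check($db, 'alice@example.test', 'correct horse')); // active, right password
var_dump(check($db, 'alice', 'wrong'));                      // wrong password
var_dump(check($db, 'bob', 'hunter2'));                      // inactive account
var_dump(check($db, 'nobody', 'anything'));                  // unknown login
```

Returning the user id (or null) rather than a bare boolean lets a separate login step store the id in the session, which keeps this check free of session and role handling.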

That’s probably far more logic than any one class should contain. Implementing those features typically involves sending an HTML form, validating the submission, calling the database, sending emails, and so forth. And as such, those features should be implemented through a combination of controllers, templates, validators, entities, repositories, and a variety of other services such as mailers and password encoders.

Maybe you are right.
But I am still stuck which makes thinking about this a real pain.

So far I made a small beginning (very small).
Maybe you can check it out and see if I am getting somewhere.

link

looks puzzled and makes note of !!

…several minutes later…

I would argue that that’s even more verbose :stuck_out_tongue: as password_verify will always return bool/int, and I’m not sure it’s any more obvious that false is returned

Consider making an account on github.com. They have a gist functionality which works well for sharing snippets of code.

As far as your Authentication class goes, the scope of your question is way too broad for me.

Thanks I already have a github account.

I can share what I have now so you have a better idea?
Here is the gist link.

What you have looks like it will work. It’s not static but you don’t really want it to be static anyways. So what is the problem? I am assuming your query is working and that the hash has been set.

Yeah, finally got a breakthrough in my head.
Now I am looking which function I still need.

I think I would need these:

  1. check
  2. login
  3. logout
  4. register
  5. forgotPassword
  6. activateAccount
  7. setRole

Now the question is: is this correct or am I completely wrong?

What version of PHP are you using? 5.5 and newer has got functions built in for dealing with password hashes. For PHP versions older (5.4 and older) there’s a backwards compatible library available (sorry don’t have the link to it to hand)

I think you got the basic plan except for item 7, getRoles. Roles are part of Authorization and not Authentication. Really should plan from the start to keep the Authorization code separate from Authentication.

@SpacePhoenix you mean the password_compat library with the password_hash/verify functions.

@ahundiak So getRoles needs to go I suppose.
But I still need to know which user may enter for example the admin area.

So I suppose I need to make an extra class to get that working?

Get your login stuff going then see if roles really do fit in. As Jeff Mott pointed out in an earlier post, adding too much functionality into a single class can cause problems.

On the other hand, as long as you have a good suite of unit tests then things might work out.