CakePHP and Opauth - cakephp

I started implementing Opauth for CakePHP. It's awesome that it's easy to log in via Facebook, Twitter...
The question is: once Opauth returns login data, what would be an efficient way to log the user in to CakePHP?
Opauth doesn't log the user in to CakePHP. I think I'm supposed to create a user and save the Facebook or other auth info to the db. Is there a plugin that allows me to do this easily?

One thing I love about CakePHP 2.0 is the way the Auth plugins work: you can really customize one or more authentication methods. At the same time, this leaves it to the developer to 'hook in' custom Auth plugins to integrate the solution.
The plugin page has your answer, almost.
Go to https://github.com/uzyn/cakephp-opauth#how-to-use
Check step #6: "After validation, user will be redirected to Router::url('/opauth-complete') with validated auth response data retrievable available at $this->data"
After this is complete and you have code like their example public function opauth_complete() {...
In this function you will use $this->data to find the User that was authenticated.
A method I use at times is to find the user by two pieces of information provided by Opauth, for example username and email.
You can use something like $loginUser = $this->User->find('first', array('fields' => array('User.*'), 'conditions' => array('User.username' => $this->data['username'], 'User.email' => $this->data['email'])));
Once you have the user in $loginUser you can just call $this->Auth->login($loginUser['User']) and you will now have an Auth session with that user!
Let me know if you have any questions.
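The following is an added example, not code from the page or from the cakephp-opauth plugin. It is a complete opauth_complete() action for CakePHP 2.3+ that turns the validated Opauth response into an AuthComponent session. It goes one step beyond the answer: instead of matching a user-chosen username or an e-mail the provider may never have verified, it keys the lookup on the (provider, uid) pair the provider vouched for, and creates the local account on first login. The `social_profiles` table (id, user_id, provider, uid, with SocialProfile belongsTo User), the `name` column on `users`, the Session component being loaded, and the exact layout of `$this->data` (`validated`, `auth.provider`, `auth.uid`, `auth.info.*`) are assumptions to check against the plugin's debug($this->data) output.

```php
<?php
// Added example (not from the page or the cakephp-opauth plugin).
// Assumed schema: users (id, username, email, name) and
// social_profiles (id, user_id, provider, uid); SocialProfile belongsTo User.
// Assumed response keys: validated, error, auth.provider, auth.uid, auth.info.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $uses = array('User', 'SocialProfile');

    public function beforeFilter() {
        parent::beforeFilter();
        // The provider callback arrives without an existing session.
        $this->Auth->allow('opauth_complete');
    }

    public function opauth_complete() {
        $response = $this->data;

        // 1. Trust only a response the plugin has validated (signature and timestamp).
        if (empty($response['validated']) || !empty($response['error'])) {
            $this->Session->setFlash('Social login failed.');
            return $this->redirect($this->Auth->loginAction);
        }

        $provider = $response['auth']['provider'];
        $uid = (string)$response['auth']['uid'];
        $info = isset($response['auth']['info']) ? $response['auth']['info'] : array();

        // 2. Look the account up by the identity the provider asserted: (provider, uid).
        //    Matching on a username or an unverified e-mail lets whoever controls
        //    that value at the provider log in as the local account.
        $profile = $this->SocialProfile->find('first', array(
            'conditions' => array(
                'SocialProfile.provider' => $provider,
                'SocialProfile.uid' => $uid,
            ),
            'recursive' => 0, // pulls in the belongsTo User row
        ));

        if ($profile) {
            $user = $profile['User'];
        } else {
            // 3. First login through this provider: create the user and link the
            //    profile in one transaction so a half-created account cannot remain.
            $ds = $this->User->getDataSource();
            $ds->begin();
            $this->User->create();
            $saved = $this->User->save(array(
                'username' => $provider . '_' . $uid,
                'email' => isset($info['email']) ? $info['email'] : null,
                'name' => isset($info['name']) ? $info['name'] : null,
            ));
            $this->SocialProfile->create();
            $linked = $saved && $this->SocialProfile->save(array(
                'user_id' => $this->User->id,
                'provider' => $provider,
                'uid' => $uid,
            ));
            if (!$linked) {
                $ds->rollback();
                $this->Session->setFlash('Could not create your account.');
                return $this->redirect($this->Auth->loginAction);
            }
            $ds->commit();
            $user = $this->User->read(null, $this->User->id);
            $user = $user['User'];
        }

        // 4. Auth::login() stores the flat record; Auth::user('id') reads it back.
        if ($this->Auth->login($user)) {
            return $this->redirect($this->Auth->redirectUrl());
        }
        $this->Session->setFlash('Login failed.');
        return $this->redirect($this->Auth->loginAction);
    }
}
```

Because the lookup key is the provider's uid, a user who changes their display name or e-mail at the provider still lands on the same local account, and two providers that happen to report the same e-mail do not collide.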

Related

Firebase, Changing User password via Email with unique password requirements

Currently, Firebase offers the option to send an email to a user's email address when they wish to change their password. Unfortunately, Firebase does not allow you to edit its password requirements, which I believe are locked at requiring only 6 characters.
For many people this is inadequate and insecure.
I recently made an application that allows users to create quizzes either for themselves or for others. In this application, I store personal information about my users and I wanted to make sure that their accounts were secure, so I required more from my passwords. Unfortunately, when a user wishes to change their email, the default Firebase function does not keep my security, which leads to confusion, as a user can change their password according to Firebase's lax constraints but then still couldn't log in because they used an invalid password. (I blocked invalid passwords from the text box before even checking with Firebase.)
After I encountered this error, I came to StackOverflow for help to see if anyone else had had this issue and come up with a solution. Unfortunately, I was met with harsh criticism and harassment by users who claim to be Firebase officials and administrators who did not care about my question.
Then, after a week of research and testing, I found a solution using React and 3rd party libraries to handle this.
Please see my answer below, and if you have a more creative solution, I would be interested in seeing that as well.
To solve this problem, the only answer is to create your own mailer service, hosted website, and API.
What you need:
An application which uses Firebase.
A hosted API which uses Firebase and a 3rd party mailer such as Node with NodeMailer, hosted on Heroku
A React app which can communicate with the API
What I did:
First, I created my API, which accepts calls from my specified IP addresses. This API can receive requests to reset a password when the password is known or unknown. When the password is known, I send an email to the user using NodeMailer, and I send a special HTML file so the email looks official. It is quite easy to copy the layout of Firebase's emails if you wish.
More info can be found here: https://nodemailer.com/message/
Then, I created a React app hosted on Heroku. When the user clicks a link in the email, it sends them to this website with the required information in the query string. This app, much like the page shown when the Firebase link is clicked, is just a simple text box and submit button. However, now you can customize it to require password confirmation with a second text box. You can also add a company logo and custom colors so it isn't so HTML 1 looking like the link you see from Firebase. Most importantly, you can now control the password that the user enters to add your unique requirements.
On submit, the app will send the new password, username and old password, if available, to the API.
If you do not know how to create a React app or a Node API, you can see a detailed tutorial here: https://www.techandstartup.com/tutorials/build-api-with-node-express-and-mongodb
Finally, the API can log into the user's account if a password is present and then change the password. Detailed steps can be seen at: https://www.codegrepper.com/code-examples/javascript/firebase+user+change+password
If a current password is not present, then the API can delete the user and recreate it with the desired password. Deleting a user can be seen at: https://www.codegrepper.com/code-examples/javascript/firebase+delete+user Then you simply recreate the user. Example code: https://www.codegrepper.com/search.php?q=firebase%20createUserWithEmailAndPassword
With these steps, you can now send a password reset email to a user. The email will be completely unique as you will be designing it yourself. The password will be to your exact specifications as your React App will control the data on submit. And the page itself will look much more user friendly as it's not the default Firebase page.
Hopefully this helps you or your company with working around the Firebase reset password with email function. I am still holding out hope that another user may have a more elegant or basic solution than this as creating an API and hosting a website just for 1 function is not appealing in many cases.

Role based authentication with firebase and angularjs

I am using email/password authentication via Firebase, so currently I only have authenticated user and non-authenticated user. But for the app, I would like to have admin, moderator, user and guest four different kinds of role.
I did some research, but could not find any existing example or logic to do so. Here are my initial thoughts, but I'm not sure if it is feasible. Basically two steps:
Create a table in firebase called User, while Firebase record the email/password, I also push the data(email/password), and role information to the table.
In the route, check if the user has the appropriate role to access the certain page
Any other better way to do it? Any idea would be appreciated!
I had a similar issue while working with role-based authorization. I followed the same pattern of saving the user's role and then retrieving it when needed. If you are using ui-router for routes then you can probably use the angular-permission module, which works on the same concept and is easy to use.
You can find that module here: https://github.com/Narzerus/angular-permission

Cakephp - Using auth with a 3rd party provider

I'm in the process of creating an XML-RPC client that interacts with Vbulletin from CakePHP. I currently have the functionality to hit the end point, log a user in, and retrieve the data set, as well as the cookies, etc.
Now, the calls come from CakePHP. I have a users table in which I only store the username from Vbulletin, the Vbulletin user's ID, and their avatar. I'd like to implement some type of auth. I'm not entirely sure if this is possible or not. The only reason I have a users table is to store a minimal set of information. When the user logs in on the CakePHP side, it's actually sending an XML-RPC client call to the Vbulletin API and logging the user in using the API.
So, with all of this known, is it possible to restrict access to various views, etc within cake? I'd like to use some of the basic auth components, such as:
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow('add');
}
I'm guessing that if this is not possible, I'll have to manually write the session cookies received from Vbulletin in Cake, but how would I restrict access to the various views and methods within the controllers in doing so?
Update: I ended up using the below to accomplish this.
Since I am storing the vbulletin users id in the users table, I was able to:
$user = $this->User->findByVbulletinid($userid);
$user = $user['User'];
$this->Auth->login($user);
Link to Cakephp manual login not initiating session
Update 1: Well, I thought this was working, until I removed DebugKit. Now, after I log in, I'm automatically logged out. Really odd.
If I want to call $this->Auth->login($loginData), shouldn't I be able to supply $loginData, which in my case, would look like this:
Array
(
[User] => Array
(
[username] => testuser
[password] => hashedpasswordhere
)
)
Basically, in the login method in the Users controller, I cannot simply call $this->Auth->login() because I need to first take the credentials from the form and log the user in via the API for Vbulletin.
Any thoughts here?
You will have to implement a custom authentication handler that is connected to Vbulletin. Then, when you log a user in, $this->Auth->allow('add'); should work just fine.
Also consider additional means of logging a user in. What will happen if that external service is down? Will your users be unable to log in at all?
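What such a handler looks like, as an added example that is not the poster's code: a CakePHP 2.x authentication object that hands the submitted credentials to vBulletin over the XML-RPC API and, on success, returns the local users row that AuthComponent writes into the session. The `VbulletinClient` class with a `login($username, $password)` method returning the remote user id (or false) is a stand-in for the poster's own XML-RPC client and is assumed; the `vbulletinid` column is the one named in the question.

```php
<?php
// Added example, not the poster's code. Lives in
// app/Controller/Component/Auth/VbulletinAuthenticate.php (CakePHP 2.x).
// Assumed: VbulletinClient::login($username, $password) returns the remote
// user id (int) on success or false on failure; users.vbulletinid exists.
App::uses('BaseAuthenticate', 'Controller/Component/Auth');

class VbulletinAuthenticate extends BaseAuthenticate {

    // Merged with BaseAuthenticate's defaults, so 'userModel' and 'fields'
    // are configured exactly as they are for FormAuthenticate.
    public $settings = array(
        'fields' => array('username' => 'username', 'password' => 'password'),
        'userModel' => 'User',
        'client' => 'VbulletinClient', // assumed XML-RPC client class
    );

    public function authenticate(CakeRequest $request, CakeResponse $response) {
        $model = $this->settings['userModel'];
        $fields = $this->settings['fields'];

        // React only to a login form that carries both fields.
        if (empty($request->data[$model][$fields['username']])
            || empty($request->data[$model][$fields['password']])) {
            return false;
        }
        $username = $request->data[$model][$fields['username']];
        $password = $request->data[$model][$fields['password']];

        // 1. vBulletin is the only party that can check the password; the local
        //    users table holds no hash, so nothing is compared here.
        $client = new $this->settings['client']();
        $vbId = $client->login($username, $password);
        if (!$vbId) {
            return false; // bad credentials and API errors both end as "not logged in"
        }

        // 2. Map the remote identity to the local row by the id vBulletin
        //    returned, never by the username typed into the form.
        $User = ClassRegistry::init($model);
        $user = $User->find('first', array(
            'conditions' => array($User->alias . '.vbulletinid' => (int)$vbId),
            'recursive' => -1,
        ));
        if (!$user) {
            return false; // known to vBulletin but not provisioned locally
        }

        // Handlers return the flat record; AuthComponent stores it and
        // Auth::user('id') reads it back, so the "logged out again" symptom
        // from the update above does not occur.
        return $user[$User->alias];
    }
}

// Registration in app/Controller/AppController.php:
class AppController extends Controller {
    public $components = array(
        'Session',
        'Auth' => array(
            // Handlers are tried in order; the first one returning a record wins.
            'authenticate' => array('Vbulletin'),
        ),
    );
}
```

To address the outage concern in the answer, a second handler listed after 'Vbulletin' (for example 'Form' against a model that does store a password hash) is tried whenever the vBulletin handler returns false, so a locally authenticated administrator can still get in while the remote API is down.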

Cakephp authenticate authorize only admin without User model

I have integrated the Auth component and the Acl component (and behavior) and it all works fine with the User model etc.
Now I would like the admin to be completely independent of the User model and the access control lists. Why? Well, because I'm trying to build a CMS which should also work if the client doesn't want a user community on their website.
So I would like the admin to be able to log in without having a user model and once the admin is logged in he should have access to everything, regardless what Acl says...
How do I do that?
You will have to pass a 'userModel' option when declaring the AuthComponent in your AppController. Hope this link helps you. Kindly ask if it does not work for you.
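An added example of that configuration (not code from the linked page) for CakePHP 2.x: administrators authenticate against their own `admins` table through the 'userModel' option, and an authorize object lets an admin session through without touching the ACL tables, while ordinary members still go through the User model and ActionsAuthorize. Because an 'authenticate' array cannot list 'Form' twice, the admin handler is an empty subclass of FormAuthenticate that also tags the record it returns. The `Admin` model, the `auth_model` marker key and the file locations are assumptions.

```php
<?php
// Added example, not from the page. CakePHP 2.x.
// Assumed schema: admins (id, username, password), users (id, username, password).

// app/Controller/Component/Auth/AdminFormAuthenticate.php
App::uses('FormAuthenticate', 'Controller/Component/Auth');

class AdminFormAuthenticate extends FormAuthenticate {

    public function authenticate(CakeRequest $request, CakeResponse $response) {
        $user = parent::authenticate($request, $response);
        if ($user) {
            // Marker that this session came from the admins table. It is written
            // server-side into the session, so a member cannot set it themselves.
            $user['auth_model'] = 'Admin';
        }
        return $user;
    }
}

// app/Controller/Component/Auth/AdminBypassAuthorize.php
App::uses('BaseAuthorize', 'Controller/Component/Auth');

class AdminBypassAuthorize extends BaseAuthorize {

    public function authorize($user, CakeRequest $request) {
        // true short-circuits AuthComponent::isAuthorized(); false falls through
        // to the next authorize object (ActionsAuthorize, i.e. the ACL).
        return isset($user['auth_model']) && $user['auth_model'] === 'Admin';
    }
}

// app/Controller/AppController.php
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Acl',
        'Auth' => array(
            // Tried in order: the admins table first, then the community users.
            'authenticate' => array(
                'AdminForm' => array('userModel' => 'Admin'),
                'Form' => array('userModel' => 'User'),
            ),
            // Admins bypass the ACL; everyone else is checked against it.
            'authorize' => array(
                'AdminBypass',
                'Actions' => array('actionPath' => 'controllers/'),
            ),
        ),
    );
}
```

If the CMS is deployed without a community, the 'Form' handler and the 'Actions' authorizer can simply be removed from the arrays; the admin path has no dependency on the users table or on the aros/acos tables.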

separate login section for admin and normal website user in cakephp 1.3

I am using CakePHP 1.3.14 to develop a website. I need to create a separate login section/screen for admin and normal website users. I don't want to use the same login section for all users, as per my requirements. Admin should have a separate login screen. I need some help with this. How can I implement it in CakePHP? Thanks in advance.
You should use prefix routing so that regular users will see /controller/action and admins get their own prefix like /admin/controller/action.
Simply create an admin action and internally "redirect" the controller to use the regular login action. No need to duplicate code. See http://api20.cakephp.org/class/controller#method-ControllersetAction
public function admin_login() {
$this->layout = 'admin_login';
$this->setAction('login');
}
To get another layout for the admin, you can check in beforeFilter() whether the prefix is "admin" and set a different layout based on it. Or simply set it in the action as shown above if it's only needed there.
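Putting the pieces together for CakePHP 1.3, as an added example rather than the answer's own code: the prefix is enabled in core.php, admin_login reuses login with its own layout, and isAuthorized() gates the /admin/... URLs on the user's role. That last step matters because a prefix is only routing; without it any logged-in member could request /admin/posts/index. The `role` column with values 'admin' and 'user' is an assumption.

```php
<?php
// Added example for CakePHP 1.3 (not the answer's code).
// Assumed: users.role holds 'admin' or 'user'.

// app/config/core.php
Configure::write('Routing.prefixes', array('admin'));

// app/app_controller.php
class AppController extends Controller {

    var $components = array('Auth', 'Session');

    function beforeFilter() {
        $this->Auth->authorize = 'controller'; // calls isAuthorized() below
        $this->Auth->loginAction = array(
            'controller' => 'users', 'action' => 'login', 'admin' => false,
        );

        if (isset($this->params['prefix']) && $this->params['prefix'] === 'admin') {
            // Admin pages get their own layout and their own login screen.
            $this->layout = 'admin';
            $this->Auth->loginAction = array(
                'controller' => 'users', 'action' => 'login', 'admin' => true,
            );
        }
    }

    function isAuthorized() {
        // Having a separate URL is not authorization: check the role.
        if (isset($this->params['prefix']) && $this->params['prefix'] === 'admin') {
            return $this->Auth->user('role') === 'admin';
        }
        return true;
    }
}

// app/controllers/users_controller.php
class UsersController extends AppController {

    function beforeFilter() {
        parent::beforeFilter();
        // Both login screens must be reachable without a session.
        $this->Auth->allow('login', 'admin_login');
    }

    function login() {
        // AuthComponent processes the POST itself; only the redirect is ours.
        if ($this->Auth->user()) {
            $this->redirect($this->Auth->redirect());
        }
    }

    function admin_login() {
        $this->layout = 'admin_login';
        $this->setAction('login'); // same logic, different screen (views/users/admin_login.ctp)
    }
}
```

The admin form posts to /admin/users/login, which matches the loginAction set for the admin prefix, so AuthComponent authenticates it in the normal way; a member who logs in there still fails isAuthorized() on every admin page.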
