In my system the registrations will not be allowed for any users. They must be invited by email.
I need to validate that the user is active on the system. To make this the users will receive an email with an certain url that validate your account.
This url (route) could contain user identification and your validation code saved on the database after "pre-registration".
hostname/accountConfirm?user=token&cod=userCodeSavedOnTheDatabase
The token must be generated from user email.
How i can generate the token and check it to identify user?
I'd recommend using something like this for generating the code
$code = bin2hex(openssl_random_pseudo_bytes(40));
Store this in the database with any other info you might need to identify the user. Validate the code during registration, and either remove it afterwards or invalidate it somehow (e.g. set a "used" flag)
Generate a random String like this and use the user email as a cipher that is one option or you use any built php functions to generate a token.
$pool ='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token= '';
for ($i = 0; $i < 8; $i++){
$token.= substr($pool, mt_rand(0, strlen($pool) -1), 1);
}
$cipher = new McryptCipher($user_email);
$encrypted_token= $cipher ->encrypt($token);
As far as the validation goes, you can choose to save the token and some user data into a table, maybe add expire time to the token and clean up function to delete expired registration and spam registration.
an other option would be to save the temporary registration into file.
$epxire_time = timestamp() + 1800; // 30 min
$pending_registration = json_encode['token' => $encrypted_token, 'user' => $user_email,'epxire' => $epire_time];
file_put_contents($path/to/file/,$pending_registrations);
Send an email confirmation to user with link to validation.
Validation process, you would normally retrieve parameters from the url;
$token = $_GET['token'];
// additional param
// decrypt the token
$token = $cipher->decrypt($token );
$file = file_get_contents($path/to/file);
and validate the token, validate token expiration , user_email like you would normally do....
if($valid_token){
// save user, redirect to login
}else{
// return response invalid token
return json_encode['statusCode' => 400, 'errorMessage' => 'Invalid ...','urltorequestnewotken' => 'http://...'];
}
Saving pending registration into a temporary file it is just an other way to minimize spams and bots cluttering your database just like you would use a captcha.
Hope this help.
Related
I have hosted two domains on the same server, domain A and domain B.
Domain A will generate the unique access token to the content of domain B.
Domain A
<?php
//http://php.net/manual/en/function.phpversion.php
//echo 'Version of PHP: ' . phpversion();
session_start();
//$expiry_timestamp = time() + $expiry;
//https://davidwalsh.name/random_bytes //https://secure.php.net/random_bytes
//$token = bin2hex(random_bytes(64));
$token = bin2hex(openssl_random_pseudo_bytes(64));
//$time_token = 12000;
//$time_token = srand(floor(time() / $time_token));
//echo $token;
$_SESSION['token']=$token;
?>
<html>
<head>
</head>
<body>
Content 1
</body>
</html>
The process of generating a token seems to be the right one, it has been easy to generate it.
Now comes my problem, how can I validate the generated token from domain A to domain B ?. The generated token must only be valid for the content that generated the token, the token must not be valid for other content, the token must be unique so that user can not share access to another user if it is not from his or her computer, the token must be valid only for 4 hrs of access after 4 hrs the token will no longer be valid to display the content must generate a new token to access again.
Can this process be done using a cookie without using a database?
Maybe identifying both domains A and B using a key, something like that
$APP_SECRET_KEY = "key code secret";
Using a shared secret key is a good approach here.
I tend to use HMAC when I need to generate and validate a token (e.g.: E-Mail verification) and don't want to store it in a DB. Plus, HMAC is built in to PHP, so no library is needed here.
The idea is, on top of your data, you add a signature to verify that this token was created by your application on Domain A. You generate the token the same way again on Domain B to verify it.
Example:
Shared function to generate the token:
function buildVerificationToken($expires, $content)
{
// Same function on both domains
$APP_SECRET_KEY = 'key code secret'; // Maybe move that out of source code
$tokenData = [
'expires' => $expires, // Include it in signatur generation to prevent user from changing it in URL
'content' => $content, // Create different token for different content
'ip' => $_SERVER['REMOTE_ADDR'], // Identify the browser to make it not shareable. Best approach I could think of for this part.
];
$serialized = json_encode($tokenData);
return hash_hmac('sha256', $serialized, $APP_SECRET_KEY);
}
Generate the token on Domain A:
<?php
$expires = time() + (4 * 3600); // +4h
?>
Content 1
Verify it on domain B:
$providedExpires = (int) $_GET['expires'];
$providedToken = $_GET['token'];
$verificationToken = buildVerificationToken($providedExpires, 'content1'); // Build token the same way
if (!hash_equals($verificationToken, $providedToken)) { // hash_equals instead of string comparison to prevent timing attacks
// User provided forged token, token for another content, or another IP
die('Bad token'); // However you want to handle this
}
if (time() > $providedExpires) { // Check expiry time. We can trust the user did not modify it as we checked the HMAC hash
die('Token expired'); // However you want to handle this
}
// User is allowed to see content1
Json Web Token (JWT) seems to fit your requirements. Both applications use one secret key to exchange tokens with encrypted data one another.
Example use-case:
Let the secret key $secret="secret"
The raw data tells us the Unix timestamp when the token is generated (the iat field), the user id (the sub field) and the content id (the content field)
$data = [
"sub" => "1234567890",
"iat" => 1516239022,
"content" => 1
];
Application A encodes the raw data with the secret key using HS256 algorithm ($token = jwt_encode($raw, 'HS256', $secret)). The output $token will be:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyLCJjb250ZW50IjoxfQ.idM7d2fgmJVk3WjANwG-Gt6sY0lyE3eTvpKRpwITHRs
You can parse the token to see its content in the JWT home page.
The token is send to the application B. This application decodes the token with the same algorithm and shared secret key ($raw = jwt_decode($token, 'HS256', $secret)). The raw data will be available in the application B. This data can be used to validate the token:
Read the user id from sub field and check if it is correct
Read the content id from content field and check if it is correct
Read the timestamp when the token is generated from the iat field and check if it is in the last 4 hours.
There are several PHP libraries implement JWT for you.
I'm creating a sort of 'social network'. Now I'm creating the authentication part. Today I learned about JSON Web Tokens.
1) I read that JWT's are safe to use, because the are signed with a secret key. But then I found some tools online like https://jwt.io. I tried to build some JWT tokens with PHP using firebase/php-jwt. The tools like jwt.io can extract the data I put in the JWT (like user ID). How can this be safe? Can't someone just create a new JWT using the old one but with a different user ID?
An example: I created the following token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJNeUFQIiwiaWF0IjoxNTE2NTYzMTM0LCJleHAiOjE1MTY1NjQzNDAsImF1ZCI6Ind3dy5leGFtcGxlLmNvbSIsInN1YiI6ImFkbWluQGV4YW1wbGUuY29tIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOiJmYWxzZSJ9.dCtYVpFXhoQmzOdX_dW1yFHEcZ9aZ1I9MC33lJGapvY
If you paste this token in jwt.io, you'll see the payload is "name: John Doe" and "admin: false". Isn't this unsafe? Or is it safe because you NEED the secret key to recreate a JWT.
Off the record: You cannot store senstive information in a JWT I guess...
2) How to "login" a user using PHP and JWT's? I created a quick demo, I'm not sure the code "works" but I guess you'll see what I mean.
if (isset($_POST['submit'])) {
$user = $_POST['user'];
$pass = $_POST['pass'];
if($user = 'my_username' && $password == 'my_password') {
// user is logged in
// create a JWT here
} else {
// wrong credentials!
}
}
Now, the question/problem is: how to store this token? In a cookie? In a session? Using HTML5's localStorage? What is the safest way to do this?
And secondly: how to authenticate the user? I would do it like this:
// my secret key
$secret = 'MY_SECRET_KEY';
// decode the token
$token = JWT::decode($token, $secret, array('HS256'));
// what to do here?
Can you match this token with some data in a database or something?
1) The JWT token is not encrypted, so the data inside it can be easily read. However, it contains a signature that can be validated only with the secret key you have set when creating the token. You can check the signature to see that the token has not been tampered with.
2) The token can be stored anywhere, since it's so small. Just remember that the token can be easily read, but not altered. Don't store any sensitive data in the tokens.
When checking the token, the important things to check are the signature and the exp time to see that the token is still valid. A well-constructed token doesn't need full database validation, but rather just check that the user's privileges haven't been changed since issuing the token, and if they have, recreate the token with the updated data or force the user to log in again.
I want to use methods and resources from the code of a website which is developed in PHPFox.
Basically, I'll receive request from iPhone/Android, I'll get the request and pass to the respective function from the PHPFox code, take the response from that function and return it back to the device.
For this purpose I've developed REST APIs using Slim framework.
But the major blocker I'm facing currently is in accessing the resources(i.e. functions and data) of PHPFox website.
I'm not understanding how should I authenticate the user using 'Token Based Authentication' in order to access the website's resources.
If someone could guide me in proper direction with some useful working example it would be really helpful for me.
N.B. : The proposed implementation of 'Token Based Authentication' should be very secure and fast in speed. The security should not be compromised in any way.
Following is the code I tried on my own but I don't know whether it's right or wrong. Is my approach correct or wrong. Please someone analyse it and let me know your feedback on it.
To create a token i use this function which takes as parameters, the user's data
define('SECRET_KEY', "fakesecretkey");
function createToken($data)
{
/* Create a part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"]; // It can be 'stronger' of course
/* Encoding token */
$token = hash('sha256', $tokenGeneric.$data);
return array('token' => $token, 'userData' => $data);
}
So a user can authentified himself and receive an array which contains a token (genericPart + his data, encoded), and hisData not encoded :
function auth($login, $password)
{
// we check user. For instance, it's ok, and we get his ID and his role.
$userID = 1;
$userRole = "admin";
// Concatenating data with TIME
$data = time()."_".$userID."-".$userRole;
$token = createToken($data);
echo json_encode($token);
}
Then the user can send me his token + his un-encoded data in order to check :
define('VALIDITY_TIME', 3600);
function checkToken($receivedToken, $receivedData)
{
/* Recreate the generic part of token using secretKey and other stuff */
$tokenGeneric = SECRET_KEY.$_SERVER["SERVER_NAME"];
// We create a token which should match
$token = hash('sha256', $tokenGeneric.$receivedData);
// We check if token is ok !
if ($receivedToken != $token)
{
echo 'wrong Token !';
return false;
}
list($tokenDate, $userData) = explode("_", $receivedData);
// here we compare tokenDate with current time using VALIDITY_TIME to check if the token is expired
// if token expired we return false
// otherwise it's ok and we return a new token
return createToken(time()."#".$userData);
}
$check = checkToken($_GET['token'], $_GET['data']);
if ($check !== false)
echo json_encode(array("secureData" => "Oo")); // And we add the new token for the next request
Am I right?
Thanks.
1st you should understand what's token based authentication. It could be explained as below.
The general concept behind a token-based authentication system is
simple. Allow users to enter their username and password in order to
obtain a token which allows them to fetch a specific resource -
without using their username and password. Once their token has been
obtained, the user can offer the token - which offers access to a
specific resource for a time period - to the remote site.
Read more
Now let's see what are the steps of implementing it in your REST web service.
It will use the following flow of control:
The user provides a username and password in the login form and clicks Log In.
After a request is made, validate the user on the backend by querying in the database. If the request is valid, create a token by
using the user information fetched from the database, and then return
that information in the response header so that we can store the token
browser in local storage.
Provide token information in every request header for accessing restricted endpoints in the application.
If the token fetched from the request header information is valid, let the user access the specified end point, and respond with JSON or
XML.
See the image below for the flow of control
You might be wondering what's a JWT
JWT stands for JSON Web Token and is a token format used in
authorization headers. This token helps you to design communication
between two systems in a secure way. Let's rephrase JWT as the "bearer
token" for the purposes of this tutorial. A bearer token consists of
three parts: header, payload, and signature.
The header is the part of the token that keeps the token type and encryption method, encoded in base64.
The payload includes the information. You can put any kind of data like user info, product info and so on, all of which is also stored in
base64 encoding.
The signature consists of combinations of the header, payload, and secret key. The secret key must be kept securely on the server-side.
You can see the JWT schema and an example token below;
You do not need to implement the bearer token generator as you can use php-jwt.
Hope the above explains your confusion. if you come across any issues implementing token based authentication let me know. I can help you.
I'm using PHP Zend framework for my web application. When users register, I send them an email to verify their email address and when they click on that link - the account is activated.
My problem - when users click on the activate link - I also want to automatically log them in - rather than asking them to login in again. I'm not sure how to do that.
This is my login action in Zend which requires email address and password. So what should I send as part of the activation link so that when the user clicks on it, they are automatically logged in.
$db = Zend_Db_Table::getDefaultAdapter();
//create the auth adapter
$authAdapter = new Zend_Auth_Adapter_DbTable($db, 'user','email', 'password');
//set the username and password
$authAdapter->setIdentity($this->_getParam('email'));
$authAdapter->setCredential(md5($this->_getParam('password')));
//authenticate
$result = $authAdapter->authenticate();
if ($result->isValid()) {
$auth = Zend_Auth::getInstance();
$storage = $auth->getStorage();
$row = $authAdapter->getResultRowObject(array('user_id'));
$userModel = new Model_User();
$user = $userModel->loadUserProfile($row->user_id);
$storage->write($user);
}
Thanks for your help
You have an if statement to authenticate a username and password. In the case of someone validating their email you are mimicking this process and enabling a user to authenticate their account via an email and verification key.
All you need to do is verify the email and verification are correct and place this conditional underneath:
.
.
.
$verified = $emailVerification->isValid( $email, $key );
if ( $verified )
{
$auth = Zend_Auth::getInstance();
$storage = $auth->getStorage();
$row = $authAdapter->getResultRowObject(array('user_id'));
$userModel = new Model_User();
$user = $userModel->loadUserProfile($row->user_id);
$storage->write($user);
}
The user will then be logged in as you have saved their User details to the Zend_Auth storage engine.
I'd advise after using this method remove the verification key from the user record to ensure they cannot login via this process again, unless they forget their password, in whcih case you assign a new verification key.
Hope this helps!
I am not familiar with zend so I did not look your code properly but here is an idea:
Send a validation mail
Create a session after you've sent the mail
Wait for it...
Once the user clicked the mail, if the session is still active (normally this time limit is something like 20 minutes), just login him.
For security, you may create even two sessions. The first one will store the id and the second one will store a guid. The guid will also be sent to the user in the validation link. So when he/she clicks the link and returns back, you will compare whether the guid and the id matches or not. If it matches just log them in as you would do in a login script.
I'm using https://github.com/abraham/twitteroauth library. I already created my app on Twitter, the callbacks are working fine (even on localhost), but one thing that is bugging me is HOW the auto-login happens? I know there's "user_id" that is stored in the MYSQL database, along with oauth_token and oauth_token_secret, but how do I obtain user_id as soon as the user enters the site, so I can query the database to see if it already exists and what not, without having to popup the authorize twitter popup then reaching the callback, over and over again?
I've seen a lot of questions like this one, but no one ever answered it in a satisfying way.
The ones that should be saved to be used in verifying the user automatically are the oauth_access_token and oauth_access_secrete . Have you managed to get them from twitter?
The Oauth steos are:
Acquiring a request token
Sending the user to authorization
Exchanging a request token for an access token
Using out-of-band/PIN code mode for desktop & mobile applications
please refer to :
http://dev.twitter.com/pages/auth
actually, it needs to be a mix of PHP own $_SESSION with OAuth callbacks. After the callback, set the current user ID you inserted on the database or query for "user_id" from Twitter OAuth response (that you should ALSO store on the database, along with the username), then use that for future reference, and using $_SESSION containing the registered user data on your own database.
So, for a quick example
function action_login()
{
if ( ! $this->user->is_logged())
{
// Create TwitterOAuth object with our Twitter provided keys
$tOAuth = new TwitterOAuth($this->config->get('consumer_key'), $this->config->get('consumer_secret'));
// Generate request tokens
$requestToken = $tOAuth->getRequestToken(url::site('auth/twitter','http'));
$_SESSION["oauth_token"] = $requestToken["oauth_token"];
$_SESSION["oauth_token_secret"] = $requestToken["oauth_token_secret"];
// Display Twitter log in button with encoded link
$this->view->set('url', $tOAuth->getAuthorizeURL($requestToken["oauth_token"]));
$_SESSION['current_url'] = Request::detect_uri();
}
echo $this->view->render();
}
public function action_twitter()
{
if ( empty($_GET["denied"]) && isset($_GET["oauth_token"]))
{
if ($_GET["oauth_token"] == #$_SESSION["oauth_token"])
{
// Use generated request tokens (from session) to construct object
$tOAuth = new TwitterOAuth($this->config->get('consumer_key'), $this->config->get('consumer_secret'), $_SESSION["oauth_token"], $_SESSION["oauth_token_secret"]);
// Retrieve access token from Twitter
$accessToken = $tOAuth->getAccessToken();
// Check we have valid response
if(is_numeric($accessToken["user_id"])) {
// Remove request token session variables
if ($this->user->loaded() || $this->user->where('user_id', '=', $accessToken['user_id'])->find()->loaded())
{
$this->user->values(array(
'oauth_token' => $accessToken['oauth_token'],
'oauth_token_secret' => $accessToken['oauth_token_secret'],
'screen_name' => $accessToken['screen_name'],
))->update();
}
else
{
$this->user->values(array(
'user_id' => $accessToken['user_id'],
'oauth_token' => $accessToken['oauth_token'],
'oauth_token_secret' => $accessToken['oauth_token_secret'],
'screen_name' => $accessToken['screen_name'],
))->create();
}
unset($_SESSION["oauth_token"]);
unset($_SESSION["oauth_token_secret"]);
echo $this->view->render();
// Redirect to main page
}
}
}
$this->request->redirect($_SESSION['current_url']);
}
so basically, the AUTO LOGIN (like the user is already logged to twitter, and already registered to your website) can't be done without him clicking the LOGIN WITH TWITTER button, unless you set the lifetime of your $_SESSION pretty high (like it happens with twitpic for example).
$this->user->is_logged() is checking for $_SESSION['id'] (auto increment on MYSQL) and $_SESSION['twitter']['user_id'] from twitter info
EDIT: Also, the quickest and cleanest way to do it, is to make an AJAX call on the page load with the Twitter credentials using the Javascript SDK, then set the $_SESSION variables with the info the SDK provided.