Token Authentication for REST API - PHP

I am working on a module to access certain information via REST for an expression engine backend (control panel).
I have worked out the REST function and delivery of the information, that works and tested.
Currently one of my module control panels has several functions that return a set of information while I am logged in and I pass in the session ID along with the request.
However, outside the session I cannot access the API because it redirects me to login instead. I am seeking to bypass the classic authentication for certain controller functions and replace it with an API token-based authentication which would be passed with the web request.
I've tried searching for how to disable authentication for certain pages in the backend, but haven't been able to find anything. If anyone can point me in the right direction it would be very helpful.

Take a look at module actions. These are the URLs that look like /?ACT=123 where 123 refers to a specific module and method in that module. These URLs don't have any authentication required to be hit. You control what authentication you want for the methods.
Stephen Lewis has a nice article about this on his blog (the EE dev docs don't explain actions well, if at all). http://experienceinternet.co.uk/blog/a-brief-introduction-to-expressionengine-actions/
I can personally vouch for this approach with using APIs because our team built a CRUD Rest API for ExpressionEngine that uses these "action" URLs.
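Since an action URL is reachable without a control-panel session, the action method has to do its own authentication. The following is an added example (not ExpressionEngine's code and not the answerer's API) of the token handling such a method needs: tokens are issued with 256 bits of entropy, only their hash is stored, they carry an expiry, and the lookup compares hashes in constant time. The function names, the `record` row layout and the `?token=` fallback are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not ExpressionEngine's code): token handling for a module
// action reached via /?ACT=<id>. The action is public, so the method itself
// must authenticate the caller. All names below are illustrative.

// Issue a token: hand the raw value to the client once, persist only the hash.
function issueApiToken(int $memberId, int $ttlSeconds = 86400): array
{
    $raw = bin2hex(random_bytes(32));           // 256 bits of entropy
    return [
        'raw'    => $raw,                       // return to the client, never store
        'record' => [                           // persist this row (hypothetical table api_tokens)
            'member_id'  => $memberId,
            'token_hash' => hash('sha256', $raw),
            'expires'    => time() + $ttlSeconds,
        ],
    ];
}

// Pull the token from "Authorization: Bearer ..." or, as a fallback, ?token=.
function tokenFromRequest(array $server, array $query): ?string
{
    $auth = $server['HTTP_AUTHORIZATION'] ?? '';
    if (preg_match('/^Bearer\s+([A-Za-z0-9_\-\.=]+)$/', $auth, $m)) {
        return $m[1];
    }
    return (isset($query['token']) && is_string($query['token'])) ? $query['token'] : null;
}

// Resolve a presented token to a member id, or null. The hash comparison is
// constant time so a caller cannot learn how many leading bytes matched.
function memberForToken(?string $presented, array $records, int $now): ?int
{
    if ($presented === null) {
        return null;
    }
    $presentedHash = hash('sha256', $presented);
    foreach ($records as $r) {
        if ($r['expires'] > $now && hash_equals($r['token_hash'], $presentedHash)) {
            return $r['member_id'];
        }
    }
    return null;
}

// Inside the module's action method (hypothetical wiring; $rows would come from
// the module's own table):
//   $member = memberForToken(tokenFromRequest($_SERVER, $_GET), $rows, time());
//   if ($member === null) { http_response_code(401); exit; }
//   ... build and return the response for $member ...
```

Putting the token in the Authorization header rather than the query string keeps it out of server access logs and browser history; the `?token=` fallback is there only because the question mentions passing it with the request.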

Related

Is it a good idea, to use Google Oauth 2.0 for login and permission administration?

I'm currently working on a project where the developer before me implemented the login to an internal tool via Google OAuth 2.0.
He does that by just grabbing the user's domain after authenticating with Google and checks if it is "ourCompany.com".
If yes, he renders the page; if not, he redirects the user to the login.
(So basically he does one OAuth request per page view.)
I'm pretty new to OAuth 2.0, but as far as I understand it, this is not how it should be used?
He wants to use OAuth because his idea is to organize all our employees via Google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)
He said I should "just also get the groups on each request" and that's it.
(Which I tried, btw., as a "quick win", but couldn't manage to get them from Google yet; not sure if it is even intended.)
My understanding of how this should work is the following:
The user is redirected to the Google OAuth 2.0 service with a scope to get his groups/organizations.
We get back an access token, which I would then use to ask the Google API for the user's groups/organizations.
Based on this information I would then set the user's rights in our application itself. (For example, if the user is in a Google group "author", then I would give him the author role in our application.)
The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the OAuth service.
Does this approach make sense, or is my colleague right with his implementation? The only benefit I see in his solution is that we get "real-time" information on whether the user is still in a group or not.
But from what I've read about OAuth 2.0 so far, his implementation does not feel right to me; on the other hand, I don't feel secure enough in this topic to say it's wrong.
So any explanations/opinions would be very welcome.
Additional information about the project:
We use Laravel 5.4
I thought about using the "socialite" plugin (https://github.com/laravel/socialite) and for permissions (https://github.com/spatie/laravel-permission)
If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications do it.
There is also a question who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?
I would consider creating a separate access management for the application if:
There is a chance of people outside of your company using the application.
You needed to modify existing Google groups (if there are some) just to make them fit your application.
It looks like you can read user's groups by Google Directory API with an access token containing scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.
I think it's common to use LDAP (or MS Active Directory) as an access management for in-company applications, so the idea of using Google groups is not strange.
The auth sequence you described looks correct.
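As an added example (not the project's code, and not from the answer above), this is the last two steps of the sequence the question describes: after the OAuth round-trip, the decoded profile and group list are turned into a local session with application roles, and a timestamp records when membership was last confirmed so it can be re-queried periodically instead of on every page view. Two things here are not on the page and are stated as facts about Google's API that I am confident of: the `hd` (hosted domain) field is only present for accounts managed by a Workspace domain, whereas `email` can carry any address for a Google account created with a non-Gmail address; and the Directory API's group list carries each group's address in `email`. The group addresses, the role map, the refresh interval and the session layout are assumptions.

```php
<?php
// Added example (not the project's code): establish the local session after
// Google OAuth. $profile is the decoded userinfo/ID-token payload and $groups
// the "groups" array from the Directory API. Group addresses and roles are
// invented for illustration.

const ALLOWED_DOMAIN = 'ourCompany.com';
const GROUP_ROLES = [
    'authors@ourcompany.com' => 'author',
    'editors@ourcompany.com' => 'editor',
    'admins@ourcompany.com'  => 'admin',
];
const GROUP_REFRESH_SECONDS = 900; // re-check membership with Google every 15 minutes

function rolesFromGroups(array $groups): array
{
    $roles = [];
    foreach ($groups as $g) {
        $email = strtolower($g['email'] ?? '');
        if (isset(GROUP_ROLES[$email])) {
            $roles[] = GROUP_ROLES[$email];
        }
    }
    return array_values(array_unique($roles));
}

// Returns the session payload, or null if the account may not log in.
function establishSession(array $profile, array $groups, int $now): ?array
{
    // Require the hosted-domain claim rather than a suffix match on the email:
    // hd is only set for accounts that belong to the Workspace domain.
    if (strcasecmp($profile['hd'] ?? '', ALLOWED_DOMAIN) !== 0) {
        return null;
    }
    if (empty($profile['email_verified'])) {
        return null;
    }
    $roles = rolesFromGroups($groups);
    if ($roles === []) {
        return null; // in the domain but in no mapped group: no access
    }
    return [
        'user'        => strtolower($profile['email']),
        'roles'       => $roles,
        'groups_seen' => $now, // when membership was last confirmed with Google
    ];
}

// Call on each request; when true, re-fetch the groups with the stored
// access token (or refresh token) and rebuild 'roles' instead of trusting
// the session indefinitely.
function needsGroupRefresh(array $session, int $now): bool
{
    return ($now - $session['groups_seen']) >= GROUP_REFRESH_SECONDS;
}

function hasRole(array $session, string $role): bool
{
    return in_array($role, $session['roles'], true);
}

// Constructed sample input in the shape of Google's responses:
$profile = ['email' => 'alice@ourCompany.com', 'email_verified' => true, 'hd' => 'ourCompany.com'];
$groups  = [['email' => 'authors@ourcompany.com'], ['email' => 'lunch-club@ourcompany.com']];
$session = establishSession($profile, $groups, time());
// $session['roles'] is ['author']; the unmapped group is ignored.
```

The refresh interval is the trade-off the question raises: a pure session never notices a removed group membership, a per-page OAuth round-trip notices immediately, and a timed re-check lands in between. Call `session_regenerate_id(true)` when the session is first populated.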

eZPublish 5 - Custom user authentication (multifactor)

We have eZPublish 5. The authentication is handled by the User kernel module kernel/user/login.php. This PHP script is called when trying to access a siteaccess which requires authentication.
Example scenario:
When trying to access http://example.com/marketing
it redirects me (when not logged in) to http://example.com/marketing/user/login
Which is expected behaviour.
What I would like to achieve is to rewrite the kernel/user/login.php file and preferably keep the URL the same (this is not mandatory).
I need to do this because I need to integrate Duo Security Multifactor Authentication, so I need to handle the logging in in a custom way.
So on the first page I need to display the login form; then, when it is submitted, I need to verify if the credentials are correct (but not log in the user at this phase); then I need to return another view where an iframe is present for the second authentication, and only when the second authentication is successful can I log in the user and redirect him/her to the desired page.
Is there any way to do this? I tried to create an extension with a module user and view login.php but it didn't work - the User kernel login.php is always executed when http://example.com/marketing/user/login is hit.
I am trying to do this for several days now but no luck and I'm out of ideas.
Thanks in advance for any help.
Welcome to the eZ Community!
What you want / need is both possible and quite simple to implement :)
First, based on your description, I recommend the following:
https://github.com/brookinsconsulting/bckernelmoduleoverride
Note: We forgot to package and release this extension some time ago but have been using it as part of our open source ezpedia.org code base. We thank you for reminding us and prompting us to package the code for individual usage.
Concerning double authentication, we did something similar but actually quite different with this solution:
https://github.com/brookinsconsulting/bcconfirmpassword
Now, code sharing aside, you may want to first study the login handler system, which provides for many forms of custom user authentication. https://en.ezpedia.org/en/ez/login_handler
Yet from your description and some intuition on our part, it truly sounds like, without more information, that you very well do need to override the default user/login module view (what we call a kernel module view copy override: copy the default module and customize the code within an extension module). We have done this -a lot- for special customer use cases and it's not very hard.
Most of the time the hard part is getting all the module and module view identifiers to not conflict once within a module extension, and we think that will be less of a problem for you if you simply use / leverage the bckernelmoduleoverride extension, which provides for using default kernel modules and module views customized within a module view extension.
Please feel free to ask further questions or share more information about the custom authentication system you're trying to integrate. Frames in this day and age sound like a painful system to be required to implement for a secondary authentication system.
We hope this helps!
Note: This thread is cross posted from: http://share.ez.no/forums/ez-publish-5-platform/ezpublish-5-custom-user-authentication-multifactor
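Whichever override mechanism is used, the part that matters for security is the state machine between the two pages: the password check must not create a logged-in session, and only the second-factor check may. Below is an added example (not eZ Publish code and not from the answer above) of that flow, kept framework-neutral so it runs stand-alone. The credential check and the second-factor check are passed in as callables; in eZ they would wrap the login handler and the Duo verification. `$session` stands in for the PHP session array, and the key names, the five-minute window and the nonce binding are assumptions.

```php
<?php
// Added example (not eZ Publish code): two-phase login. Phase 1 verifies the
// password and records a pending state; phase 2 verifies the second factor
// and only then marks the session authenticated. Names are illustrative.

const PENDING_TTL = 300; // seconds allowed to finish the second factor

// Phase 1: check credentials but do NOT log the user in.
// $checkCredentials(string $login, string $password): ?int  (user id or null)
function beginLogin(array &$session, string $login, string $password,
                    callable $checkCredentials, int $now): bool
{
    unset($session['user_id'], $session['mfa_pending']); // drop any stale state first
    $userId = $checkCredentials($login, $password);
    if ($userId === null) {
        return false; // re-render the login form
    }
    $session['mfa_pending'] = [
        'user_id' => $userId,
        'nonce'   => bin2hex(random_bytes(16)), // ties the second-factor response to this attempt
        'expires' => $now + PENDING_TTL,
    ];
    return true; // caller now renders the second-factor view (the iframe page)
}

// Phase 2: the only place the session becomes authenticated.
// $checkSecondFactor(int $userId, string $nonce, string $response): bool
function completeLogin(array &$session, string $secondFactorResponse,
                       callable $checkSecondFactor, int $now): bool
{
    $pending = $session['mfa_pending'] ?? null;
    unset($session['mfa_pending']); // one attempt per pending state, success or not
    if ($pending === null || $pending['expires'] < $now) {
        return false; // expired or never started: back to the password form
    }
    if (!$checkSecondFactor($pending['user_id'], $pending['nonce'], $secondFactorResponse)) {
        return false;
    }
    $session['user_id'] = $pending['user_id'];
    $session['auth_at'] = $now;
    // In real code call session_regenerate_id(true) here to defeat fixation.
    return true; // caller redirects to the originally requested page
}

function isLoggedIn(array $session): bool
{
    return isset($session['user_id']);
}

// Constructed stand-ins for the real checks:
$users = ['alice' => ['id' => 7, 'password_hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
$checkCredentials = function (string $login, string $password) use ($users): ?int {
    $u = $users[$login] ?? null;
    return ($u !== null && password_verify($password, $u['password_hash'])) ? $u['id'] : null;
};
$checkSecondFactor = function (int $userId, string $nonce, string $response): bool {
    return $response === "ok:$userId:$nonce"; // stand-in for the Duo verification
};

$session = [];
$now = time();
beginLogin($session, 'alice', 's3cret', $checkCredentials, $now);
$notYet = isLoggedIn($session);                                    // false: password alone is not enough
$nonce  = $session['mfa_pending']['nonce'];
completeLogin($session, "ok:7:$nonce", $checkSecondFactor, $now + 10);
$done   = isLoggedIn($session);                                    // true only after the second factor
```

Clearing the pending state on a failed second factor means an attacker who has the password still has to pass the password form again for each second-factor attempt, which keeps whatever rate limiting the first phase has in the loop.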

How to protect specific GET routes with WP REST API OAuth authentication

I have a new WordPress project and I am using only two plugins, WP REST API and WP REST API - OAuth 1.0a Server. By default, only some routes are protected by authentication, and I want to protect some specific routes. For example, the GET route http://localhost:8080/wp-json/wp/v2/posts should be protected and require authentication, but it is not.
How do I protect it using these two plugins? I have read the entire documentation but I did not find it.
I have also been looking into this, using the same plugins as well. The only solution I have found so far is using the 'iThemes Security' plugin and setting the WordPress Tweaks > REST API select field to 'Restricted Access'.
Then only OAuth 1 authenticated GET requests will return data; any unauthenticated GET requests will not return data. A 500 internal server error status code is the response.
You can use the Capability Manager Enhanced plugin (https://wordpress.org/plugins/capability-manager-enhanced/) and create a user and give them access to a specific post type using the CME plugin. If you want to give different access to different post types then you need to set the "capability" field to a different name than the default value "post".
Now only that user can access the REST API.
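Neither plugin exposes a per-route setting, but WordPress core's REST server does: the `rest_pre_dispatch` filter runs after authentication and before the route callback, and returning a `WP_Error` from it short-circuits the request with that error's status. The following is an added example, not code from either plugin or from the answers above: a small mu-plugin that requires an authenticated user for a list of route prefixes and answers 401 rather than a 500. It assumes the OAuth 1.0a server plugin has already resolved the request's user (it hooks `determine_current_user`), so `is_user_logged_in()` reflects the OAuth identity; the prefix list and the file's plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Require auth for selected REST routes
 * Added example (not from WP REST API or the OAuth 1.0a Server plugin).
 * Drop into wp-content/mu-plugins/ so it is always active.
 */

// Routes (as WordPress sees them, without /wp-json) that need a logged-in user.
const PROTECTED_ROUTE_PREFIXES = [
    '/wp/v2/posts',
    '/wp/v2/users',
];

// True for the route itself or any sub-route, e.g. /wp/v2/posts/12.
function is_protected_rest_route(string $route): bool
{
    foreach (PROTECTED_ROUTE_PREFIXES as $prefix) {
        if ($route === $prefix || strpos($route, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Runs after authentication and before the route callback. Returning a
// WP_Error here makes the server send it as the response.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if ($result !== null) {
        return $result; // another filter already decided this request
    }
    if (is_protected_rest_route($request->get_route()) && !is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            'Authentication is required for this route.',
            ['status' => 401] // tell clients to authenticate, not that the server failed
        );
    }
    return $result;
}, 10, 3);
```

Unsigned requests to `/wp-json/wp/v2/posts` then get a JSON error with status 401, while requests carrying a valid OAuth 1.0a signature pass through unchanged; routes outside the list keep their default behaviour, so the discovery endpoint at `/wp-json/` still works for clients that need it.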

Restrict CRUD in REST API to owner

My API has these routes defined:
GET test.com/api/v1/users
POST test.com/api/v1/users
PUT test.com/api/v1/users/{id}
GET test.com/api/v1/users/{id}
DELETE test.com/api/v1/users/{id}
Also, I'm using OAuth2 password authentication, so these resources are only available once authenticated.
My point is, keeping RESTful API principles, how should I approach limiting the PUT and DELETE methods to the actual resource owner?
Basically I don't want anybody except the owner to be able to edit his information.
You have implemented the authentication part of your system, meaning your application knows who the users are. Now you need to devise an authorization sub-system, meaning what your users have access to.
As your question is tagged PHP and Laravel, a quick Google search for "laravel authorization" brings results such as this:
https://github.com/machuga/authority-l4
or
http://laravel.io/forum/02-03-2014-authority-controller-authorization-library-cancan-port
This should be a good starting point.
This is usually solved by appending a custom header, with a secret message, identifying the request as valid. I do not have any source on this I'm afraid.
Usually headers begin with an X-, which discards them from being parsed by other parties. X-Your-Secret, for example.
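The authorization sub-system the first answer calls for can be expressed without an extra package: Laravel's own policies (available since 5.1) let each PUT and DELETE handler ask "may the authenticated user act on this particular row?" before touching it. The following is an added example, not code from either linked package or from the answers: a policy that allows update and delete only when the authenticated user's primary key equals the target's, wired into the routes from the question. `App\User` is Laravel's default model; the `auth:api` middleware name is an assumption and should be whatever middleware your OAuth2 package provides to resolve a bearer token to a user.

```php
<?php
// Added example (not from either linked package): owner-only PUT and DELETE
// on /api/v1/users/{id} using Laravel policies. Three files are shown in one
// listing, separated by comments. Route and class names follow the question.

// ---- app/Policies/UserPolicy.php ----
namespace App\Policies;

use App\User;

class UserPolicy
{
    // $actor is the authenticated user, $subject the row being changed.
    // Compare primary keys strictly; never compare emails or display names.
    public function update(User $actor, User $subject): bool
    {
        return (int) $actor->getKey() === (int) $subject->getKey();
    }

    public function delete(User $actor, User $subject): bool
    {
        return $this->update($actor, $subject);
    }
}

// ---- app/Providers/AuthServiceProvider.php (only the mapping shown) ----
//   protected $policies = [
//       \App\User::class => \App\Policies\UserPolicy::class,
//   ];

// ---- app/Http/Controllers/Api/UserController.php ----
namespace App\Http\Controllers\Api;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    public function __construct()
    {
        $this->middleware('auth:api'); // assumption: your OAuth2 package's middleware
    }

    // GET /api/v1/users/{id}: any authenticated user may read.
    public function show($id)
    {
        return response()->json(User::findOrFail($id));
    }

    // PUT /api/v1/users/{id}: authorize() throws AuthorizationException,
    // which Laravel turns into a 403, before any field is touched.
    public function update(Request $request, $id)
    {
        $user = User::findOrFail($id);
        $this->authorize('update', $user);
        $user->fill($request->only(['name', 'email']))->save(); // explicit whitelist
        return response()->json($user);
    }

    // DELETE /api/v1/users/{id}
    public function destroy($id)
    {
        $user = User::findOrFail($id);
        $this->authorize('delete', $user);
        $user->delete();
        return response()->json(null, 204);
    }
}

// ---- routes/api.php (5.3+) or app/Http/routes.php (5.0-5.2) ----
//   Route::get('api/v1/users/{id}',    'Api\UserController@show');
//   Route::put('api/v1/users/{id}',    'Api\UserController@update');
//   Route::delete('api/v1/users/{id}', 'Api\UserController@destroy');
```

The ownership decision lives in one place and is taken from the token's identity and the row's key, so a client cannot influence it by sending a different `id` in the body; `findOrFail` and `authorize` together give 404 for a missing row and 403 for someone else's, which is the conventional REST split.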

AngularJS + Laravel 5 Authentication

While building my SPA with AngularJS, I came to the point where I want to implement user authentication in my AngularJS website. However, I have no idea where to start or what the best practices are.
Basically I have a user that can have one or more roles. I've looked for examples so I could get a basic understanding of how to handle this properly, but so far I've only come across examples that are very simple or not so secure (like this).
So my question is, how do I implement an authentication service using REST (or custom API URLs) to authenticate a user, and then display the user information on the page using AngularJS, while also ensuring the best security coverage by using (for example) the CSRF token from Laravel?
Thanks in advance,
Nick van der Meij
I'm making an AngularJS app and a RESTful API made with Laravel 5 for the backend, and my approach for authentication was:
Installed jwt-auth. It basically extends the Auth model of Laravel, adding authorization with tokens.
Added a simple role package to Laravel. I used permiso. It has multiple roles per user and permissions per role. Very simple.
Added jStorage to the frontend. (You can use an AngularJS module instead.)
So the steps are:
Frontend sends user credentials (email and password).
Server checks; jwt-auth makes a token for that user and sends it back.
Frontend saves the token in browser storage (no CSRF needed with this approach).
All subsequent calls to the API are made with the Authorization: Bearer header (or with ?token=...).
I like the same approach that #neoroger takes, using JSON Web Tokens with jwt-auth. I used the Satellizer package for storing the token on the front end and sending it along with each request to the API afterwards.
I put together a couple of tutorials that show how to implement the two packages if you are interested:
https://scotch.io/tutorials/token-based-authentication-for-angularjs-and-laravel-apps
http://ryanchenkie.com/token-based-authentication-for-angularjs-and-laravel-apps/
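Both answers rely on jwt-auth to mint and check the token; the following added example (not jwt-auth's code and not from either answer) shows in plain PHP what that check consists of for an HS256 token, so the steps listed above can be read against it: issue on login, then on every API call parse the `Authorization: Bearer` header, verify the signature in constant time, pin the algorithm, and enforce `exp`. The claim names, the secret and the one-hour lifetime are assumptions. One caveat on the frontend side that the answers do not mention: a token kept in browser storage is readable by any script running on the page, so the CSRF exposure it removes is traded for XSS exposure, which is a reason to keep lifetimes short.

```php
<?php
// Added example (not jwt-auth's code): minimal HS256 JWT issue and verify,
// plus the bearer-header parse the API does on every request.

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $padded = str_pad(strtr($s, '-_', '+/'), (int) (ceil(strlen($s) / 4) * 4), '=');
    $out = base64_decode($padded, true);
    return $out === false ? '' : $out;
}

// Login step: credentials already checked, build the token for this user.
function issueJwt(array $claims, string $secret, int $now, int $ttl = 3600): string
{
    $header  = ['alg' => 'HS256', 'typ' => 'JWT'];
    $claims += ['iat' => $now, 'exp' => $now + $ttl];
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    $sig = hash_hmac('sha256', $signingInput, $secret, true);
    return $signingInput . '.' . b64url($sig);
}

// API step: returns the claims, or null on any failure. Pins alg to HS256
// (rejects "none" and algorithm-confusion tokens), checks the MAC in constant
// time, and refuses expired tokens.
function verifyJwt(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, b64urlDecode($s))) {
        return null;
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Pull the token out of the header the frontend sends with each call.
function bearerFromHeader(?string $authorization): ?string
{
    $jwtPattern = '/^Bearer\s+([A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+)$/';
    if ($authorization !== null && preg_match($jwtPattern, $authorization, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed walk-through of the steps in the answer above:
$secret = 'replace-with-a-long-random-server-secret'; // assumption
$now    = time();
$token  = issueJwt(['sub' => 42, 'roles' => ['author']], $secret, $now);       // step 2
$header = 'Bearer ' . $token;                                                     // step 4
$claims = verifyJwt(bearerFromHeader($header) ?? '', $secret, $now + 60);         // ['sub' => 42, ...]
$late   = verifyJwt($token, $secret, $now + 7200);                                // null: expired
$forged = verifyJwt(substr($token, 0, -2) . 'xx', $secret, $now + 60);            // null: bad signature
```

The roles live inside the signed payload, so the frontend can show or hide UI from them, but the API must still take its authorization decisions from the verified claims on each request and not from anything the client sends alongside the token.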
