Thread

This is an archived forum and the content is probably no longer relevant, but it is provided here for posterity.


flexi auth - A user authentication library for CodeIgniter

September 15, 2012 1:51am

  • #1 / Sep 15, 2012 1:51am

    haseydesign

    171 posts

    Hey folks,

    I would like to announce the release of ‘flexi auth’, a user authentication (login) library.

    The flexi auth library initially started out as a modified version of the popular Ion Auth library.
    As the original library was tweaked with feature after feature being added, the original code base had transformed into a new library all of its own.

    For those that have used the Ion Auth library, the general structure of the library may be familiar, but to help anyone wanting to get a running start with using flexi auth, there is a comprehensive user guide and demo covering every function within the library.

    The flexi auth library includes the following core features:

    Core Functions
    + User registration, with options to send an activation email, auto activate or suspend an account pending review by an admin.
    + Login function including a ‘Remember me’ option.
    + Logout function, with the option to log a user out of all computers they are logged into, or just the current computer.
    + User permission validation functions to check a user's user group, privileges and login status.
    + Functions to reset forgotten passwords.
    + Functions to validate a user's change of email address.
    + Password validation helper functions.
    + Many functions for obtaining user data stored within the database.
    + Admin CRUD functions to manage records within the library's database tables.

    Security
    + Passwords are hashed using the popular PHPASS library.
    + Login sessions are managed via a hashed session token technique as described by Barry Jaspan.
    + Users making multiple failed login attempts can be set to have any further login attempts throttled by preventing them from making any further attempts for a short definable time period.
    + Google's reCAPTCHA or a custom math-based question and answer CAPTCHA can be deployed to login and registration forms.

    Miscellaneous
    + The library includes fully customisable email templates for account activation, forgotten password, new password and validate updated email.
    + Multilingual and customisable status and error messages.

    Highly Customisable
    + A highly configurable config file allows you to customise how features within the library behave, ranging from password validation to login session expiry settings.
    + All database tables and column names are renamable via just one config file setting to match whatever name coding convention you prefer.
    + The library consists of only 5 tables to provide every feature within flexi auth.
    + Unlimited additional custom tables can be added and related to the core library tables, allowing you to capture whatever data you require.
    + The 5 core library tables can be modified with the addition of new columns that can then be managed via library functions.

    The purpose of the flexi auth library is to offer modularised user authentication features that allow a developer to pick and choose which features they require, without having to include features that are surplus to the client's requirements.

    The library, documentation, and a comprehensive live online demo are available from the flexi auth site.
    http://haseydesign.com/flexi-auth

    The work on the library started well over a year ago and has been used for some of my own client sites.
    I would now like to release the code to the public so that others can also make use of it.

    Enjoy =)

    P.s. If anyone particularly likes the style of this library, I have also built a comprehensive shopping cart library called ‘flexi cart’. Like the flexi auth library, it is highly customisable including features like shipping, taxes, discounts, reward points, multiple currencies, localisation plus much much more.
    The flexi cart library is available from http://haseydesign.com/flexi-cart

  • #2 / Sep 15, 2012 7:48pm

    michaelh99

    24 posts

    I…. Hate…. You….

    You just released a library that has a lot of features that I spent this week adding to or fixing in A3M.

    Now I’ve got to go check yours out and see if I need to jump ship to a better auth library.

    Thanks a lot.

    wink

    If you’ll add it to Git you’ll probably attract a large number of contributors.  I’m saying that without looking at the code but the lib sounds good.

  • #3 / Sep 15, 2012 7:52pm

    michaelh99

    24 posts

    Silly me.  It is on Git.  Cool.

  • #4 / Sep 15, 2012 7:54pm

    michaelh99

    24 posts

    At the risk of spamming the thread without having looked at the code….

    Do you do a simple hash of the email address?  That’s something I added to a3m so that even if the database is jacked the email addresses won’t be in cleartext.

  • #5 / Sep 16, 2012 5:58am

    haseydesign

    171 posts

    The library doesn’t hash or encrypt email addresses within the database, but you could potentially use CI’s encryption library to encrypt them and then decrypt them when passing them to and from functions. However, you would need to test this. I’d be interested to hear how you get on with it.

  • #6 / Sep 16, 2012 11:07am


    skunkbad

    1326 posts

    My Community Auth application has an example of encrypting and decrypting data going to/from the database. The field is named `license_number`. The problem with encrypting and decrypting an email address is going to be that if you are using email addresses to login, depending on the specific query(ies) used to login, you may need to modify the query(ies) so that the email address is encrypted. This is slightly more complex than just encrypting data as it goes in and out of your database. Also, remember that encrypting always makes a string longer. CI’s default encryption creates strings that are roughly 10 times the size of the original. You may need to adjust the length of the field holding the email address in the database table.

    Having said all that, you might consider that an email address is not usually considered sensitive data. Yes, it would be inconvenient, or perhaps annoying if somebody started emailing your users, but an email address is not by itself going to lead to identity theft. We generally encrypt birth dates, bank account numbers, social security numbers, and driver’s license numbers.

  • #7 / Sep 16, 2012 1:19pm

    michaelh99

    24 posts

    The reason I encrypted the email address was not for fear of spamming. I never reveal email addresses to my users, if they message another user, all they see is the user name and the messages are sent by my server.

    The reason I did it is that if the DB is ever compromised, the attackers will have a harder time correlating my users with other DB leaks.  Many (most?) users use the same password on multiple systems and having the email address makes it that much easier for the crackers to start guessing passwords.

    Of course, this assumes that the attacker didn’t also gain access to the php source and hence the salt.

    Where I went initially wrong is in using CI’s encryption for the email.  CI apparently rotates the key which means I can’t do a simple result comparison when checking to see if an email address has already been used when a user is signing up.

    Soon I’ll be converting that to use a hash with salt which will take care of that issue.
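
    The lookup problem raised in posts #4 to #7 (a random-IV encryption library such as CI's produces different ciphertext for the same address, so a duplicate-email or login query cannot compare ciphertexts), worked through below as an added example. This is not code from flexi auth, A3M or Community Auth; it stores a deterministic keyed hash of the normalised address as a lookup column ("blind index") next to an authenticated-encryption copy for display. The key names `$indexKey` and `$encKey` and the in-memory `$users` table are constructed for the example. As post #7 notes, an attacker who obtains the key material along with the dump can still test candidate addresses against the index, so the keys belong outside the web root and outside the database.

```php
<?php
// Added example (not flexi auth / A3M / Community Auth code): deterministic
// keyed-hash lookup column beside an encrypted copy of an email address.
// Assumed: $indexKey and $encKey are 32-byte secrets loaded from config held
// outside the web root; both are generated at random here only for the demo.
declare(strict_types=1);

function normalize_email(string $email): string {
    // Lower-case and trim so "Bob@Example.com " and "bob@example.com" collide.
    return strtolower(trim($email));
}

// Keyed hash: same input + same key => same output, so it can be used in a
// WHERE clause for "already registered?" and for login lookups. The output is
// a fixed 64-char hex string, so the column width does not depend on the input.
function email_index(string $email, string $indexKey): string {
    return hash_hmac('sha256', normalize_email($email), $indexKey);
}

// Encrypt the display copy with AES-256-GCM and a fresh random IV per record.
// Identical inputs give different ciphertexts, which is exactly why ciphertext
// cannot serve as the lookup key.
function email_encrypt(string $email, string $encKey): string {
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));
    $tag = '';
    $ct  = openssl_encrypt($email, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function email_decrypt(string $blob, string $encKey): string {
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length('aes-256-gcm');
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, 16);
    $ct    = substr($raw, $ivLen + 16);
    $pt    = openssl_decrypt($ct, 'aes-256-gcm', $encKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // GCM tag check failed: wrong key or the stored blob was altered.
        throw new RuntimeException('decryption failed or data tampered');
    }
    return $pt;
}

// Registration against an in-memory "table" (constructed sample data).
// Rows hold only the index and the encrypted copy, never the plaintext.
function register(array &$users, string $email, string $indexKey, string $encKey): bool {
    $idx = email_index($email, $indexKey);
    foreach ($users as $row) {
        if (hash_equals($row['email_index'], $idx)) {
            return false; // duplicate; the same comparison serves the login query
        }
    }
    $users[] = ['email_index' => $idx, 'email_enc' => email_encrypt($email, $encKey)];
    return true;
}

$indexKey = random_bytes(32); // placeholder for a key loaded from config
$encKey   = random_bytes(32); // separate key from the index key
$users    = [];

var_dump(register($users, 'Alice@Example.com', $indexKey, $encKey));  // bool(true)
var_dump(register($users, 'alice@example.com ', $indexKey, $encKey)); // bool(false)
echo email_decrypt($users[0]['email_enc'], $encKey), PHP_EOL;         // Alice@Example.com
```

    Two keys are used on purpose: the index key only ever needs to produce the same value again, while the encryption key must decrypt, so rotating one does not force a rebuild of the other. Rotating the index key does mean recomputing the index column for every row, which is the same constraint the poster hit with CI's rotating encryption key, only now it is a planned migration rather than a silent comparison failure.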

  • #8 / Sep 16, 2012 10:19pm

    Procode

    13 posts

    I think that if you can add social options (fb and twitter) for authentication purposes this would be a very good library. Any plans to do so?

  • #9 / Sep 17, 2012 12:11am

    haseydesign

    171 posts

    Hey Procode,
    For the time being I want to see the library tested by the community in its current form so that I can establish whether its on a good base that users are happy with.

    If the library does prove popular, then I may well go down the road of including Facebook and Twitter authentication as I’m fully aware a lot of users will want this kind of functionality.

    In the meantime, if anyone out there is interested in contributing to adding/improving features like this, then I’m more than willing to lend a hand to get it included into the library.
    All contributions will of course be credited within the library.

  • #10 / Sep 18, 2012 10:24am

    Klausch

    16 posts

    Hi,

    I am very interested in this library, we have just begun our first great CodeIgniter project with the need of a flexible and scalable user registration and administration system.
    I have installed the full demo version but until now it fails running correctly.
    Opening the demosite on my local machine, using the URL:
    http://adsite.localhost  (this is the development domain of our project)
    the homepage shows but in the upper part of the screen the following error is shown:

    A PHP Error was encountered
    Severity: Notice
    Message: Undefined index: custom
    Filename: models/flexi_auth_lite_model.php
    Line Number: 86

    And this particular line looks like:
    $this->auth->tbl_custom_data = $this->auth->auth_database['custom'];

    Also I notice some strange things in the DB script:
    -Some fields labeled _fk but no actual FK constraints are defined
    -Some Primary Key fields are also defined as UNIQUE which is redundant IMHO

    I will post more details as I encounter them, I see that the code is very new and I am willing to use it, but we must get on track pretty soon, or my boss will demand falling back to Ion Auth…
    Any suggestions are welcome smile

  • #11 / Sep 18, 2012 5:38pm

    Klausch

    16 posts

    I fixed the error, I had forgotten to copy the config file for the demosite…
    There is one other issue, the documentation mentions:

    “Upon registration, new user accounts can be either automatically activated, sent an account activation email or suspended pending review by an admin.”

    But how can this be configured? I do not see a configuration option for this on the config file. Because I have no mail server running on my home server, I cannot test new accounts which require email validation…
    So I would like to use, at least temporarily, the option of automatic activation, i.e. without email confirmation. Is this possible?

  • #12 / Sep 19, 2012 12:14am

    haseydesign

    171 posts

    Hey Klausch,

    What you need to do to automatically activate user accounts is set the ‘activate’ argument as ‘true’ when inserting the user via the ‘insert_user()’ function.
    You can read up on this function at http://haseydesign.com/flexi-auth/user_guide/user_account_set_data#insert_user

    By setting the account activation to ‘true’, users will instantly be able to use their account. However, if you were wishing to just by-pass the activation email, and still have an admin review the account, then there is a setting in the config file to suspend all new accounts.

    $config['settings']['suspend_new_accounts'] = true;

    You can read up on this setting at http://haseydesign.com/flexi-auth/user_guide/user_account_config#behaviour_config_settings

    —————————————————————————————-

    A little off topic regarding not sending emails from the dev environment.
    If the reason you’ve not got this running is the associated hassle setting it up (Setting up Mercury via Xampp was a nightmare for me), may I recommend trying hmailserver, you can even associate the SMTP with a GMail account just for testing.

    Another mail server I saw just yesterday was Mailcatcher, but I haven’t personally tried this yet.

    —————————————————————————————-

    I’m interested in your comments regarding the database keys.
    You’re right that the foreign key constraints should be defined, I’ll add this with my next round of tweaks.
    Regarding some of the primary keys being redundant, could you elaborate a little more on which fields you are referring to?

  • #13 / Sep 19, 2012 12:58am


    skunkbad

    1326 posts

    What I do for localhost email is just write the contents of the email to a log file, one for each email. It works well because you get to check for php errors.

  • #14 / Sep 19, 2012 1:13pm

    Klausch

    16 posts

    Thank you guys for your quick reactions!
    For now I have found a solution for the mail problem: I installed ssmtp on my Ubuntu server machine and configured it to send mail using the SMTP server of my provider.
    And this works, though I have not been able to deploy the demo version from my local machine to the server machine. The URL (***.localhost) is hardcoded in all controllers and I just had to change it each time when testing on my local machine or on the test server, which is a different machine on the local network.
    Even the comment says that this is not good practice, and I see really no reason to hard code a URL or directory in all controller classes while the base url is already defined in the config file.

    I am struggling with the rest of the code, too. I do not understand the separation between the normal and lite versions of the code, a very basic function such as login() is defined in the Flexi_auth library class, so what is the point in defining a _lite superclass which has no login functionality defined and so is hardly usable by itself?
    Or is the lite version meant to be used only by the controller methods for already logged in users?

    To make my confusion worse, when installing the non-demo version, the two model classes (flexi_auth_lite_model and flexi_auth_model) do not define a login() method. So do I need to copy the code from the demo model classes?

    So right now I am utterly confused by this code and the distinction between lite/not-lite as well as between demo/nondemo versions.
    I will give it one more day before deciding to go on with it or get back to the original IonAuth.

  • #15 / Sep 19, 2012 2:32pm

    karanits

    2 posts

    I am getting PHP errors while trying to login when opening auth/index

    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$session_name
    Filename: libraries/Flexi_auth_lite.php
    Line Number: 172
    
    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$session_data
    Filename: libraries/Flexi_auth_lite.php
    Line Number: 172
    
    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$tbl_col_user_account
    Filename: models/flexi_auth_model.php
    Line Number: 1940
    
    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$tbl_col_user_account
    Filename: models/flexi_auth_model.php
    Line Number: 1941
    
    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$auth_security
    Filename: models/flexi_auth_model.php
    Line Number: 1941
    
    A PHP Error was encountered
    Severity: Notice
    Message: Undefined property: stdClass::$tbl_user_account
    Filename: models/flexi_auth_model.php
    Line Number: 1945

    This makes

    $this->auth->tbl_user_account NULL in function ip_login_attempts_exceeded()

    thereby giving database error in the end.

    The weird thing is that checking the value in its constructor gives the right value. I have checked this with a new installation of CI and Flexi.

    What am I doing wrong?
