GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → Saeven → zf3-circlical-user

Saeven / zf3-circlical-user

Licence: MPL-2.0 license
Turnkey Authentication, Identity, and RBAC for Laminas and Zend Framework 3. Supports Doctrine and Middleware.

Programming Languages

PHP
23972 projects - #3 most used programming language
Twig
543 projects

Labels

authenticationaclrbacuserlaminaslaminas-mvc

Projects that are alternatives of or similar to zf3-circlical-user

flask-authz
Use Casbin in Flask, Casbin is a powerful and efficient open-source access control library.
Stars: ✭ 100 (+185.71%)
Mutual labels:  acl, rbac
Rbac
Hierarchical Role-Based Access Control for Node.js
Stars: ✭ 254 (+625.71%)
Mutual labels:  acl, rbac
Casbin Server
Casbin as a Service (CaaS)
Stars: ✭ 171 (+388.57%)
Mutual labels:  acl, rbac
actix-casbin-auth
Casbin Actix-web access control middleware
Stars: ✭ 40 (+14.29%)
Mutual labels:  acl, rbac
WendzelNNTPd
A usable and IPv6-ready Usenet-server (NNTP daemon). It is portable (Linux/*BSD/*nix), supports AUTHINFO authentication, contains ACL as well as role based ACL and provides "invisible" newsgroups. It can run on MySQL and SQLite backends.
Stars: ✭ 43 (+22.86%)
Mutual labels:  acl, rbac
Negroni Authz
negroni-authz is an authorization middleware for Negroni
Stars: ✭ 152 (+334.29%)
Mutual labels:  acl, rbac
Chi Authz
chi-authz is an authorization middleware for Chi
Stars: ✭ 248 (+608.57%)
Mutual labels:  acl, rbac
Node Casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Node.js and Browser
Stars: ✭ 1,757 (+4920%)
Mutual labels:  acl, rbac
express-objection-starter
an opinionated, production-ready, isomorphic express/knex/objection starter with centralized configuration
Stars: ✭ 19 (-45.71%)
Mutual labels:  acl, rbac
rbac-tool
Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query
Stars: ✭ 546 (+1460%)
Mutual labels:  acl, rbac
Think Casbin
专为ThinkPHP定制的Casbin的扩展包,Casbin是一个功能强大,高效的开源访问控制库。
Stars: ✭ 138 (+294.29%)
Mutual labels:  acl, rbac
dart-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Dart/Flutter
Stars: ✭ 30 (-14.29%)
Mutual labels:  acl, rbac
Laratrust
Handle roles and permissions in your Laravel application
Stars: ✭ 1,799 (+5040%)
Mutual labels:  acl, rbac
Think Authz
An authorization library that supports access control models like ACL, RBAC, ABAC in ThinkPHP 6.0 .
Stars: ✭ 155 (+342.86%)
Mutual labels:  acl, rbac
Accesscontrol
Role and Attribute based Access Control for Node.js
Stars: ✭ 1,723 (+4822.86%)
Mutual labels:  acl, rbac
Caddy Authz
Caddy-authz is a middleware for Caddy that blocks or allows requests based on access control policies.
Stars: ✭ 221 (+531.43%)
Mutual labels:  acl, rbac
Jcasbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Java
Stars: ✭ 1,335 (+3714.29%)
Mutual labels:  acl, rbac
Casbin Cpp
An authorization library that supports access control models like ACL, RBAC, ABAC in C/C++
Stars: ✭ 113 (+222.86%)
Mutual labels:  acl, rbac
rbac
Simple RBAC/ACL for Laravel 8 caching and permission groups.
Stars: ✭ 43 (+22.86%)
Mutual labels:  acl, rbac
lua-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Lua (OpenResty)
Stars: ✭ 43 (+22.86%)
Mutual labels:  acl, rbac
View All Similar Projects ➔

Authentication, Identity, and RBAC for the Laminas Framework

Codacy Badge Codacy Badge Latest Stable Version Total Downloads Quality Gate Status Gitter

Plug and play authentication, roles, resource, and action control for Laminas.

Quickly Installs:

  • cookie based authentication (using halite and its authenticated encryption)
  • role-based access control (RBAC) with guards at the controller and action level
  • user-based access control to complement RBAC
  • resource-based permissions, giving you 'resource' and 'verb' control at the role and user level, e.g. (all administrators can 'add' a server, only Pete can 'delete')

You can see it in action, in this ready-to-use skeleton.

Missive

Sure - there are other Authentication, ACL, and User modules out there. This one comes with out-of-the-box support for Doctrine - just plug in your user entity and go.

Authentication is persisted using cookies, meaning no session usage at all. This was done because I develop for circumstances where this is preferable, removing any need for complex or error-prone solutions for session management on an EC2 auto-scale group for example.

Lastly, authenticated encryption is handled using the well-trusted Halite, and password hashing is properly done with PHP's new password functions. Feedback always solicited on r/php.. If you are a paranoid fellow like me, this library should serve well!

This library works on a deny-first basis. Everything defined by its parts below, are 'allow' grants.

User Authentication

The module provides full identity/auth management, starting at the user-level. A design goal was to connect this to registration or login processes with little more than one-liners.

Login

Validate your submitted Login form, and then execute this to get your user through the door:

$user = $this->auth()->authenticate( $emailOrUsername, $password );

Successful authentication, will drop cookies that satisfy subsequent identity retrieval.

Logout

Trash cookies and regenerate the session key for that user, using this command:

 $this->auth()->clearIdentity();

Pluggable Deny Strategy

Someone trying to do something they shouldn't? It's easy to control what happens with a pluggable DenyStrategy. Create a class that implements DenyStrategyInterface and plug it into your config. This module comes with a default RedirectStrategy that will send users to a login page, if the problem was that there was no auth, and it wasn't an XHTTP request. Easy to use, you'd configure it like so:

'deny_strategy' => [

    'class' => \CirclicalUser\Strategy\RedirectStrategy::class,

    'options' => [
        'controller' => \Application\Controller\LoginController::class,
        'action' => 'index',
    ],
],

Writing your own should be very simple, see provided tests.

Pluggable Password Strength Checker

You can use the built-in support for paragonie/passwdqc by uncommenting the password_strength_checker config key. You can also roll your own if you have more complex needs; uncomment the key and specify your own implementation of PasswordCheckerInterface. This will cause the password input routines to throw WeakPasswordExceptions when weak input is received.

Configuration of the password checker can be done two ways:

Class without options

'password_strength_checker' => \CirclicalUser\Service\PasswordChecker\Passwdqc::class,

Class with options

'password_strength_checker' => [
    'implementation' => \CirclicalUser\Service\PasswordChecker\Zxcvbn::class,
    'config' => [
        'required_strength' => 3,
    ],
],

Creating Access For Your Users

Your app needs to be modified to create a distinct auth record for each user. It's very simple.

create & authenticate

During user registration routines, you probably want to create the records and also log them in. To accomplish this, you can use the helper or the 'create' method on AccessService.

From a Controller, you can use the auth plugin:

 $this->auth()->create(User $user, string $usernameOrEmail, string $password); // controller helper

or, the AuthenticationService:

$container->get(AuthenticationService::class)->create($user, $usernameOrEmail, $password);

create only

Otherwise, if you simply want to create a user auth record but not log them in, use:

$container->get(AuthenticationService::class)->registerAuthenticationRecord(User $user, string $username, string $password)

Roles

Your users belong to hierarchical roles that are configured in the database. The default guest user, is group-less.
Roles are used to restrict access to controllers, actions, or resources.

Guards

Guards are conditions on controllers & actions -- or middleware -- that examine group or user privileges to permit/decline attempted access. It works very similarly to BjyAuthorize (a great module I used for years).

Configuring guards is very simple. Your module's config would look like so:

 return [
    'circlical' => [
        'user' => [
            'guards' => [
                'ModuleName' => [
                    "controllers" => [
                        \Application\Controller\IndexController::class => [
                            'default' => [], // anyone can access
                        ],
                        \Application\Controller\MemberController::class => [
                            'default' => ['user'], // specific role access
                        ],
                        \Application\Controller\AdminController::class => [
                            'default' => ['admin'],
                            'actions' => [  // action-level guards
                                'list' => [ 'user' ], // role 'user' can access 'listAction' on AdminController
                            ],
                        ],
                    ],
                ],
            ],
        ],
    ],
 ];

If you are defining access for middleware route definitions, then you don't need to configure the 'actions' section above. Further, the Module is then ignored, so you can place your middleware handler's class in any module; example:

 return [
    'circlical' => [
        'user' => [
            'guards' => [
                'Middleware' => [
                    "controllers" => [
                        \Application\Middleware\MiddlewareHandler::class => [
                            'default' => [], // anyone can access
                        ],
                    ],
                ],
            ],
        ],
    ],
 ];

Resources & Permissions

Resources can be:

Both these usages are valid from a controller:

$this->auth()->isAllowed('door','open');

or if an object:

// server implements ResourceInterface
$server = $serverMapper->get(142);
$this->auth()->isAllowed($server,'shutdown');

The AccessService is also similarly usable. See AccessService tests for more usage examples.

Granting a role a permission is done through the AccessService

User Permissions

You can also give individual users, access to specific actions on resources as well. This library provides Doctrine entities and a mapper to make this happen -- but you could wire your own UserPermissionProviderInterface very easily. In short, this lets the AccessService use the authenticated user to determine whether or not the logged-in individual can perform an action that supersedes what his role permissions otherwise grant. User Permissions are meant to be more permissive, not restrictive.

User API Tokens

This module also provides a utility with which to generate UserApiToken objects. See tests for usage.

Adding the mapping for this entity to your User entity is very trivial

/**
 * @ORM\OneToMany(targetEntity="CirclicalUser\Entity\UserApiToken", mappedBy="user");
 */
private $api_tokens;

Pulling a token to perform your own logic with it, is done with UserApiTokenMapper, e.g.

$token = $this->userApiTokenMapper->get('d0cad39b-f269-405e-b3f9-d45b349c0587');

When it is used/consumed, you can tag it:

$token->tagUse();

Scope (as defined by your application) is defined with bit flags

$token->addScope(FooApi::SCOPE_QUERY);

Cookie Security

You can configure whether or not your cookies should have the secure flag set to 'true' by adjusting the auth/secure_cookies configuration value. This value accepts a boolean or closure if you need to run a discovery method on your server, perhaps, for example, to check if the current request is coming through SSL.

Installation

Composer Tune-Ups

This package's dependency chain depends on doctrine/doctrine-module, which in turn depends on laminas/laminas-cache.

Laminas cache is wired in a strange way, and might attempt to install a ton of problematic adapters (depending on your PHP version). It is recommended that you use composer's replace to keep that mess out of your application, like so:

  "replace": {    
    "laminas/laminas-cache-storage-adapter-apc": "*",
    "laminas/laminas-cache-storage-adapter-apcu": "*",
    "laminas/laminas-cache-storage-adapter-blackhole": "*",
    "laminas/laminas-cache-storage-adapter-dba": "*",
    "laminas/laminas-cache-storage-adapter-ext-mongodb": "*",
    "laminas/laminas-cache-storage-adapter-filesystem": "*",
    "laminas/laminas-cache-storage-adapter-memcache": "*",
    "laminas/laminas-cache-storage-adapter-memcached": "*",
    "laminas/laminas-cache-storage-adapter-mongodb": "*",
    "laminas/laminas-cache-storage-adapter-redis": "*",
    "laminas/laminas-cache-storage-adapter-session": "*",
    "laminas/laminas-cache-storage-adapter-wincache": "*",
    "laminas/laminas-cache-storage-adapter-xcache": "*",
    "laminas/laminas-cache-storage-adapter-zend-server": "*",
  },

What's more, since you are using this library, you probably aren't using laminas/laminas-authentication, which is also installed by doctrine-module. You can go ahead and throw this line into your replace block as well:

"laminas/laminas-authentication": "*",
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].