atk4 / login Goto Github PK

here is example of SQL server handling https://docs.microsoft.com/en-us/sql/master-data-services/overlapping-model-and-member-permissions-master-data-services?view=sql-server-ver15

Calling atk4 login in atk4 2.2 via
$app->auth = $app->add([new \atk4\login\Auth()]);

results in "atk4\core\Exception: Seed class is not a subtype of static class "

Calling it via
$app->auth = $app->add(new \atk4\login\Auth()); // (without brackets - like we did it in previous version)

results in "atk4\core\Exception: Object is not an instance of static class "

Solutions?

A fresh install on 2.2 or develop branch has the following issue - the user preference pane is not working. Javascript has the error "Can't find variable: $".

Admin:

• We want to have admin panel. Should consist of user CRUD
• + change password panel
• + view user details (extensible)

Pages:

• Login component (for a separate page)
• Login controller (puts login component in virtual page)
• Register component (can add text)
• Forgot password component

Login Controller

• authenticate user
• logout user
• session holding
• force login as
• verify password only
• virtual page for login

Models:

• User (includes basic field a user should have)
• Admin (extends user)

Extras:

• Password field (with encryption)

Tried this demo and from my understanding the user "user" should not be allowed to change his own user role according to the ACL entry that Role model is not editable. In fact, he can edit his own rule.

After update today, this error occurs - I changed the addHook to onHook. Are there other refactoring implications that I missed?

Critical Error
TypeError : Argument 2 passed to atk4\data\Persistence::onHook() must be an instance of Closure or null, array given, called in /ATK4/crm/vendor/atk4/login/src/Auth.php on line 201

Currently you need to create login page, password reminder page etc.

This needs to be consolidated into virtual pages and displayed by the check method similar to ATK4.3.

$auth = $app->add(['Auth', 'reminder'=>true, 'register'=>true]);
$auth->setModel(new User($app->db));
$auth->check();

It appears that if you setup your DB with field names different from the example User model, that is, initialize authentication like follows:

$app->add(new \atk4\login\Auth([
  'fieldLogin'=> 'user_name',
  'fieldPassword'=>'user_password',
  ]))
  ->setModel(new \atk4\login\Model\User($app->db));

Then it will fail in \atk4\login\Feature\setupUserModel() where field names are hardcoded to "name", "email', etc.

There does not seem to be any documentation regarding ACL and how to use it. The respective md file in docs folder is empty.

Now we have a basic "is_admin" boolean condition but I think it's better to extend it in order to support multiple user levels with a vertical hierarchy (Admin, Moderator, Normal user) or separate groups (Admin, Customer, Supplier)

Steps to reproduce:

• User opens a specific link unauthorized, e.g. customer.php?id=1234
• Since unauthorized, login form is shown, and user authenticates
• stickyGet parameters are lost then, resulting in a URL called customer.php

Desired behaviour:

• stickyGet parameters survive authentication

Checked to be still an issue in most recent develop and 3.0 releases

Is it possible that Composer doesn‘t have the most actual version of atk4/login?
I have cleared the cache several times, deleted the repository manually etc.
I‘m using the dev-developer version of all repositories of atk4 (+add-ons).
I have seen all the recent changes when I inspected the closed PRs on Github.
But they seem to be missing when I download atk4/login through Composer.

That‘s really strange!

How do you manage your packages?
Is your Composer repo always the same as on Github?
Is the Git Hook to Packagist active?

Btw: I‘m on Mac OS 10.13.6

This poses a serious security risk because if the Preferences form inherits all fields of the User model without any way to hide them... every normal user can become an admin

Steps to reproduce:

• Have an application with more complex model structure (multiple hasOnes, hasManys)
• Set-up just one rule and activate ACL by setACL();

Issue:

• Database traffic is MASSIVE due to the login_access_rule queries
• Even if you index the related Atk4/login tables properly, it makes a difference between 0.2 sec to 4 sec. in loading time for comparably simple scripts.

• I created a custom User model (with additional fields) and initialized authentication and ACL in a project
• I setup the automatic Preference page, so users can edit their data
• Upon saving, I always end up in the login screen?

Why? When the User model is being saved, also a $model->reload(); is initiated in https://github.com/atk4/data/blob/e6c0cf59e190bc0093d20719f380c781742cfde0/src/Persistence/Sql.php#L608

A reload means, that the current entity is first unloaded. This then leads upon the next verification of the Role model in GetRules in ACL to force a login:

I assume we can skip to force login here?

Need a demo (and docs) explaining how to provide user with a custom message, for example if his account was blocked.

Add ldap login support or custom bind password.

I have an $app->stickyGet parameter and also authenticate using atk4/login. However, if the autentication is done and user logged in, the stickyGet is missing.

TypeError: Atk4\Ui\JsCallback::_getProperAction(): Return value must be of type Atk4\Ui\Js\JsExpressionable, array returned

The uncovered files https://app.codecov.io/gh/atk4/login/tree/develop/src should be covered and the problem fixed.

Field password store the hash in property $passwordHash

in 2.4 - after load is still present in the field :

in 3.0 - after load is not present in the field :

I think it comes from here: https://github.com/atk4/data/blob/54cd831430139a2b6f8db72630272398abe301d8/src/Model.php#L1248

We copy only the data, the fields are reset losing any internal variables.

Conceptually is perfect, this is hot code and we must avoid any complex operations, but I think someone with a deeper knowledge of the recent @atk4/data development must take a look (@DarkSide666 @mvorisek @georgehristov) and decide to rewrite Password Field or Model load flow.

In https://github.com/atk4/login/blob/develop/src/Auth.php#L177 , tryLogin method creates new instance of a user model. Unfortunately that won't copy the conditions.

The reason why newInstance is here is because we don't want to log user out if he is already logged in, at least that was the original intent, however perhaps it can work without newInstance also.

Feature request:
Allow rules to include certain conditions to be applicable, notably for example: make rule applicable if mode entity's field user_id is or is not identical to logged in user_id, pr entity carries a reference to a user group (which is allowed to edit only for example.

Currently commented out.

catchRunawayCallbacks throws error in
https://github.com/atk4/login/blob/b5e6a4ad5b96975ab1e31408ee636132e2155482/src/Auth.php#L307C40-L307C40

Scenario: Extended User model added in login demo project (file App.php) by
class UserNew extends \atk4\login\Model\User { function init(): void { parent::init(); $this->hasOne('team_id', [Team::class])->addTitle(); } }

where Team::class is a atk4\data\Model. The model is linked to Auth with the following code :
`` public function authenticate()
{
$this->auth = new \atk4\login\Auth(['check'=>true]);
$this->auth->app = $this;

    $m = new \atk4\login\demo\UserNew($this->db);

}`

If you open the user Preference page, then change a value and click Save, a Modal opens with the login form.
If you remove the line $this->hasOne('team_id', .... the form saves correctly.

The Team model added in App.php was
`class Team extends \atk4\data\Model {
public $table = 'team';

function init(): void
{
    parent::init();
    
    $this->addFields([
        'name','sort'
    ]);

}

}`

Using any other model than the provided Model\User will make the Login fail, as the function tryLogin always uses a Model\User Object:

    function tryLogin($email, $password) {
        $user = new Model\User($this->app->db);  //dont want to reset it

The workflow release-drafter.yml is referencing action toolmantim/release-drafter using references v5.6.1. However this reference is missing the commit 70eb821099dbcd875c2cba75dad4332d3cf5544d which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.

dev-develop branch should always point to other dev-develop branch or it get conflicts while developing on nightly build system

example:
Let's assume I am creating an application and since right-now a lot in development is going on in ui/data develop branches and these branches are my best option to include in my composer requirements.

Now, with dev-develop requirement of ui /schema and login, composer gets conflicts in minimum stability requirements.

So my requirements as follows

"minimum-stability": "dev",
"require": {
        "myapp/namespace":"dev-master",
        "atk4/ui": "dev-develop",
        "atk4/login": "dev-develop"
    },
    "require-dev": {
        "atk4/schema": "^1.1.1",   <= or even dev-develop both giving errors
        "phpunit/phpunit": "<6",
        "phpunit/phpcov": "^3.0",
        "codeclimate/php-test-reporter": "*",
        "behat/behat": "^3.4",
        "behat/mink-extension": "^2.2",
        "fzaninotto/faker": "*"
    }

never gets installed/updated with composer

revert bc2102c

once atk4/data#784 is fixed

I can't for the life of me get atk4/login 3.1.0 installed with atk4/ui 5.0.0. It shows last commits were to update to latest atk4/ui version, but 3.1.0 refuses to allow ui/5. Am I missing something?

https://packagist.org/packages/atk4/login shows this as still requiring atk4/ui 3.1.0. Is this not up to date?

I'm working on Auth0 integration and i have some clue about integration in atk4/login.

IMHO the actual atk4\login\Auth::check() method do too many things, not only check but even add UI elements and return an formatted error,

Did you think that can be space to extract an interface for login/logout/check? and use in place of the default one in case is injected in constructor?

What is Auth0 (https://auth0.com)

Auth0 can be used in API, Web Application and Mobile with a SSO, Single sign on, from multiple authentication provider like social or mail service.

Practically you call a login app url of Auth0, you login on an Auth0 customizable login page, and you get a response back like this :

$user_data =[
        'given_name' => null,
        'family_name' => null,
        'nickname' => null,
        'picture' => null,
        'locale' => null,
        'updated_at' => null,
        'email' => null,
        'email_verified' => null,
    ];

Email will be used as identifier for the user, other fields can be used to enrich user model without compiling again a form.

I used a Auth0ToModelMapper to map fields from $user_data to atk4\data\UserModel

In a classic Auth Interface i think the methods are usually :

• check
• login
• getUser
• logout

In Auth0 you can manage even roles and webhook.

Practically, you can delegate all the user process : authentication, creation, confirmation and recover to the Auth0 service.

Auth0 ha a free subscription which gives you 7000 active user and unlimited login per month.

You can integrate multiple App with the same Auth0 login.

Conclusion

here the gist of the working implementation : https://gist.github.com/abbadon1334/050260d1b117a86a8dcdfd0cbf4e3bcd

Sorry for the gist in place of a github repo, but Github Support still not answering me after 5 days.

It works, but i want to see when the ACL here will be finished and actions will be integrated from 2.0 release.

What do you think?

Hi !

I try this addon using standard installation with 1.7.1 release atk/ui
using composer require atk/login
demos fail -> file ConfigTrait.php used in demos is not present in atk/core 1.7.1....

I also test this addon in standalone mode
composer could not resolve during update
"atk4/data": "dev-feature/action-fields as dev-develop"

action-fields not found in packages

I replace by dev-develop to resolve dependencies but finally ig get this error
admin-roles.php
atk4\core\Exception Unable to set property for the object
object:atk4\ui\CRUD ()
property:"formDefault"
value:{"0":"Form","layout":"Columns"}
9 | 64\www\login\vendor\atk4\ui\src\View.php: 274 | atk4\core\Exception | __construct

How to get a correct environnement using this addon ?

Thanks