myth-auth's Issues

Core Version

Hello Guys !

I will take the weekend to try CI4 and the main thing I needed was a reliable auth library.

Thank god I found this... I am already a HUGE fan of Lonnie's (just got my patron status).

What I want to ask/propose is a CORE version of this auth library. A version with only the login, create user, check credentials, etc...

Is it possible ? What do you think about this idea ?

Thank you !

Application view files do not override packaged views.

When installing with spark, several files are copied to the App namespace and a conversion is made to deal with their namespaces.
However, when App view files are loaded, several path errors appear, as the namespace gets converted to Auth\Views\etc... instead of \App\Views\Auth\etc...

<?= view('\App\Views\Auth\_header') ?>

This happens in all of the Auth View files, but _footer, _message_block and _navbar

LoginFilter messes with get's token parameter (reset-password)

Scenario:

  • Login filter is applied globally (in App\Config\Filters)
  • LoginFilter's before($request) method avoids checking for logged in user when route is login, forgot or reset-password
  • App is set to send emails with the token code when a user wants to reset his password

So far, everything works as expected. But, when I click on the reset form link (http://whatever.com/reset-password?token=e6290a3d8d156339963092e08228f039) I keep being redirected to login form.
Routes work as expected too. If, for instance, I write the URL like http://whatever.com/reset-password I get the reset-password form OK.
If I write the URL like http://whatever.com/reset-password? works fine too.
And so on...
...until I write http://whatever.com/reset-password?token=
Then, it redirects to login form. Whatever I write after the = sign makes no difference

Now, if I log-in, I am redirected to the reset-password form and the token input field gets populated just fine.

Tried d($request) first thing inside the before() method of LoginFilter and URL is fine.
But when I d($request) after the current_url() check and before the return, d($request) shows /login as the URL

Also, if I get rid of the global login filter, everything works as expected.

Any ideas?

attemptReset does not check for token existence before resetting passwd

Just adding a second 'where' condition will do:
$user = $users->where('email', $this->request->getPost('email'))->where('reset_hash', $this->request->getPost('token'))->first();

On the other hand, what's the logic you thought for "reset-time" field in DB?
I guess it'd mean that you could put a certain amount of minutes of token validity that could be checked just after the $user = $user->where()...->first() above. Am I right?

Permission error

Hi,

I get a permission error.

I tried to do this:

class Test extends Controller {

    use \Myth\Auth\AuthTrait;

    public function __construct() {


    }

    public function index() {

        $this->restrictWithPermissions('price', '/');

    }

}

And I get this error:
Argument 3 passed to Myth\Auth\Config\Services::authorization() must be an instance of CodeIgniter\Model or null, boolean given, called in /Applications/XAMPP/xamppfiles/htdocs/TrackTrace/web.track-trace/system/Config/BaseService.php on line 114

Config autoload causing Composer failures

composer.json includes the library path as well as mapping '\Config' to this library's support\Config (https://github.com/lonnieezell/myth-auth/blob/develop/composer.json#L31), which overwrites the namespace for app/Config causing issues with older versions of the config files, for example:
Undefined property: Config\Toolbar::$maxQueries

Is the intent for this library to be added via Composer to existing CodeIgniter projects? And if so, what purpose is autoloading support/Config service?

Namespace: Auth missing

Don't know if I'm bothering you with these errors, but I'm trying to use it in a project with CI4 and whenever I find what I think is an error I try to report it to you.
If you don't like/want me doing this, please let me know and I'll stop.
Thanks for all your code & work!

use Myth\Authorization\GroupModel;

Request: Publish to Packagist

I believe this package is stable enough to merit a release (at least a pre-release) that could then be published to Packagist.org to support Composer installs.

discoverLocal

It looks like $routes->discoverLocal never made it into beta. I see it in codeigniter4/CodeIgniter4@9a1ffb5 but maybe plans were dropped to include it? Is this still a valid step for configuration, or is it superseded by namespaced route discovery?

AuthTrait redirects won't currently

They still follow the CI3 pattern where it would spit out the headers immediately, instead of returning the result. They need to be updated to return redirect().

I can not change user password on check of current password

@lonnieezell I have been trying to update a user's password but with no success. I try to scan through the folk tales of this script. I saw you are using password_hash with base64_encode together, so I tried using password_verify, but no way. Please can you show me how to do this in order to pass through it. I am trying to verify the current password before changing it.

Social login

Lonnie,
You may want to consider using https://github.com/socialite-manager/socialite instead of hybridauth. It's based off the Laravel component of the same name, and seems to be pretty robust.
Btw, just curious, how does myth-auth compare against php-auth or others?

Core Providers
twitter
github
google
facebook
bitbucket
linkedin

Other Providers
Instagram
Line
VKontakte
Weixin
QQ
Weibo
Twitch
Slack
Discord
Dropbox
Yahoo
Spotify
GitLab
Yandex
Add more...

Error forgot password

ErrorException
Object of class CodeIgniter\Email\Email could not be converted to string

APPPATH/Controllers\AuthController.php at line 212

205               ->setSubject(lang('Auth.forgotSubject'))
206               ->setMessage(view($this->config->views['emailForgot'], ['hash' => $user->reset_hash]))
207               ->setMailType('html')
208               ->send();
209 
210         if (! $sent)
211         {
212             log_message('error', "Failed to send forgotten password email to: {$email}");
213             return redirect()->back()->withInput()->with('error', lang('Auth.unknownError'));
214         }
215 
216         return redirect()->route('reset-password')->with('message', lang('Auth.forgotEmailSent'));
217     }
218 
219     /**
  • Codeigniter version 4.0.0-rc.1
  • myth-auth version dev-develop

Fresh install - Invalid File

Using current CodeIgniter version:
https://github.com/codeigniter4/CodeIgniter4

cloned myth-auth to app/ThirdParty/auth

added to Autoload.php $psr4:

'Myth\\Auth' => APPPATH . 'ThirdParty\\auth\\src', // Auth system

added to Validations.php

\Myth\Auth\Authentication\Passwords\ValidationRules::class,

and migrated

php spark migrate:latest -all

when I try
localhost:8080/login

result:
image

I have not checked whether this is an issue with this system or with CI4

a workaround that worked for me:
CI4\system\Autoloader\FileLocator.php

commented line 135:
//$filename = $folder . '/' . $filename;

result:
image

Validation errors

Hi,
I don't see how I can get validation errors. When, e.g., my group edit fails, I try to get an error from FlatAuthorization::error() but I get nothing. We should get validation errors from $this->groupModel->errors(), but we don't have access to that.

I am talking about this part (and more)

        if (! $this->groupModel->update($id, $data))
        {
            $this->error = $this->groupModel->error();

            return false;
        }

Reset* vars in user don't get nullified when password is changed

Set these vars to null in case a reset password was asked.
Scenario: user (one with short memory) requests a reset-token and then does nothing => asks the administrator to reset his password.
User would have a new password but still anyone with the reset-token would be able to change the password.
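
The two reset reports above (attemptReset looking the user up by email only, and reset fields surviving a password change) can be handled by one routine. This is an added example, not myth-auth's code: the in-memory $users array, the reset_expires field and both function names are assumptions for illustration; only reset_hash comes from the page.

```php
<?php
declare(strict_types=1);

// Constructed sample row standing in for the users table (hypothetical layout).
// reset_hash is the field named on this page; reset_expires is an assumed column.
$users = [
    'ann@example.com' => [
        'password_hash' => password_hash('old-passphrase', PASSWORD_DEFAULT),
        'reset_hash'    => 'constructed-token-0001',
        'reset_expires' => 1700003600,
    ],
];

/** Set a new password and invalidate any outstanding reset token with it. */
function setPassword(array &$user, string $newPassword): void
{
    $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['reset_hash']    = null;
    $user['reset_expires'] = null;
}

/** Token reset: the email AND the token must match, and the token must be unexpired. */
function attemptReset(array &$users, string $email, string $token, string $newPassword, int $now): bool
{
    $user   = $users[$email] ?? null;
    $stored = $user['reset_hash'] ?? null;

    // A blank submitted token must never match a NULL or empty stored value.
    if ($user === null || ! is_string($stored) || $stored === '' || $token === '') {
        return false;
    }
    // Constant-time comparison of the stored and the submitted token.
    if (! hash_equals($stored, $token)) {
        return false;
    }
    // Reject tokens past their validity window.
    if (! is_int($user['reset_expires']) || $now > $user['reset_expires']) {
        return false;
    }
    setPassword($users[$email], $newPassword);

    return true;
}

$now = 1700000000; // constructed "current time"

// 1. Known email, wrong token.
var_dump(attemptReset($users, 'ann@example.com', 'guessed-token', 'Replacement-pass-1', $now));

// 2. An administrator sets a new password while the emailed token is still pending.
setPassword($users['ann@example.com'], 'set-by-administrator');

// 3. The old emailed token is presented afterwards.
var_dump(attemptReset($users, 'ann@example.com', 'constructed-token-0001', 'Replacement-pass-1', $now));
```

Both calls return false: the first because the token does not match, the second because every password write also clears the reset fields.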

Error Register

Codeigniter Version 4.0.0-rc.2.1
Myth\Auth Version dev-develop

ErrorException
Undefined variable: errors

SYSTEMPATH/Validation\Validation.php at line 651

        // If we already have errors, we'll use those.
        // If we don't, check the session to see if any were
        // passed along from a redirect_with_input request.
        if (empty($this->errors) && ! is_cli())
        {
            if (isset($_SESSION) && session('_ci_validation_errors'))
            {
                $this->errors = unserialize($errors);
            }
        }

        return $this->errors ?? [];
    }

/span>     //--------------------------------------------------------------------

APPPATH/Controllers\AuthController.php : 156 — CodeIgniter\Model->errors ()

            'email'            => 'required|valid_email|is_unique[users.email]',
            'password'        => 'required|strong_password',
            'pass_confirm'    => 'required|matches[password]',
        ]);

        if (! $this->validate($rules))
        {
            return redirect()->back()->withInput()->with('errors', $users->errors());
        }

        // Save the user
        $user = new User($this->request->getPost());

        if (! $users->save($user))
        {

redirect not working in AuthTrait

Redirect is doing nothing here. No companies either.
Don't know exactly why, but changing redirect to header works fine.
I know it's not a solution, but it helps to continue with the rest in the meantime.

         if (empty($uri))
         {
+            header("Location: ".route_to('login'));
+            die();
             redirect( route_to('login') );
         }
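
Review bot: after the added `die();` the existing `redirect( route_to('login') );` line in the `empty($uri)` branch can never run, so the hunk leaves dead code behind. Either delete that line or, preferably, drop the raw `header()`/`die()` pair and return the redirect from the method (`return redirect()->to(route_to('login'));`) so the caller can hand the response back to the framework. Ending the request with `die()` inside the trait also means no code after this call gets a chance to run.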

However, header will not take into account the redirect_uri passed as a GET parameter

route to reset-password being redirected to login

Now that we (sort of) have Email working again in CI4, I tried using the forgot password feature.
All works fine until I click on the email link sent to the user.
Login filter tests the current_url() to see if it's a login page, but doesn't take into account the reset-password url. Therefore, it keeps on redirecting to login. Once logged in, it obviously redirects to the reset-password form so you can enter the sent token. No point in this, as you definitely might not know your password.
Easy enough, adding a third 'OR' to the if will make it work fine.

if ( (current_url() == site_url(route_to('login'))) || (current_url() == site_url(route_to('forgot')))
|| (current_url() == site_url(route_to('reset-password')))
) { return; }
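
Both LoginFilter reports on this page concern an exemption decided by comparing full URL strings. The page does not establish why the query string changes that comparison; this added example (not the project's code) shows one way to make the exemption depend on the request path only. The function name and the three path values are assumptions, and the app is assumed to be served from the web root.

```php
<?php
declare(strict_types=1);

/**
 * Return true when the request URL's path is one of the exempt auth pages.
 * Only the path is compared, so "?token=..." cannot change the outcome.
 */
function isExemptFromLoginFilter(string $currentUrl, array $exemptPaths): bool
{
    $path = parse_url($currentUrl, PHP_URL_PATH);
    if (! is_string($path)) {
        // Malformed URL or no path component: treat as protected (fail closed).
        return false;
    }
    // Normalise leading/trailing slashes so "/reset-password/" matches too.
    $path = '/' . trim($path, '/');

    // Exact match only; a prefix test would also exempt e.g. /login-history.
    return in_array($path, $exemptPaths, true);
}

// Assumed paths for the login, forgot and reset-password routes named on this page.
$exempt = ['/login', '/forgot', '/reset-password'];

// Constructed request URLs, using the host from the report above.
$samples = [
    'http://whatever.com/reset-password',
    'http://whatever.com/reset-password?token=constructed-token-0001',
    'http://whatever.com/reset-password/?token=',
    'http://whatever.com/login-history',
    'http://whatever.com/dashboard?next=/reset-password',
];

foreach ($samples as $url) {
    $verdict = isExemptFromLoginFilter($url, $exempt) ? 'exempt' : 'login required';
    printf("%-66s %s\n", $url, $verdict);
}
```

The first three URLs are exempt and the last two still require a login, including the one that only mentions the reset path inside its query string.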

Filter parameters

Filters can take parameters?? Anywhere this is documented? I dug through the CI4 Router code but there’s a lot of different pieces there...

Filter parameters don't seem to be in CI4

Revisiting #30, the auth filters don't seem to be working. Tracking it down, it looks like $params is empty no matter what is passed. If I'm understanding system/Filters/Filters.php correctly, it looks like only the request object is passed in and no additional parameters:
https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Filters/Filters.php#L150

Is this something still coming down the pipe? or incorrectly missing? or am I misunderstanding?

Issue on installing with composer

Can not install the myth auth with composer please can you make it compatible.

composer require myth/auth

[InvalidArgumentException]
Could not find a version of package myth/auth matching your minimum-stabili
ty (stable). Require it with an explicit version constraint allowing its de
sired stability.

require [--dev] [--prefer-source] [--prefer-dist] [--no-progress] [--no-suggest]
 [--no-update] [--no-scripts] [--update-no-dev] [--update-with-dependencies] [--
update-with-all-dependencies] [--ignore-platform-reqs] [--prefer-stable] [--pref
er-lowest] [--sort-packages] [-o|--optimize-autoloader] [-a|--classmap-authorita
tive] [--apcu-autoloader] [--] [<packages>]...

Please check this issue

Exception when logging in with non-existent username

Authentication fails with an exception when a user that doesn't exist tries to log in with a username instead of email.
This is because when it tries to log the failed attempt, it forcefully uses $credentials['email'] only

name is not a property of the Entity user

DictionaryValidator uses the following to check for personal information in the password

if ($user !== null)
{
    $names = [
        strtolower($user->name),
        strtolower(str_replace(' ', '', $user->name)),
        strtolower(str_replace(' ', '.', $user->name)),
        strtolower(str_replace(' ', '-', $user->name)),
    ];

The problem is that, as far as I can determine, the Entity used in myth/auth does not have a name property. Should they all be $user->username?

I have been thinking of offering a PR on this functionality anyway and, if $user->name needs fixing I can fix it there.

Permissions for user

Hi,
I tried to add permissions to the user and I found an error, because the method addPermissionToUser works with the User entity and adds the permission as a column of the user table. Checking user permissions (method doesUserHavePermission) works with the auth_users_permissions table, so here we have some differences.

Even if I want to add permission to User entity then I get another error as below:

TypeError

Argument 1 passed to Myth\Auth\Entities\User::setPermissions() must be of the type array or null, string given

I pass an array of permission but here Entities/User.php:175
should be (or use Entity JSON casting)

$this->attributes['permissions'] = json_encode($permissions);

not

$this->permissions = json_encode($permissions);

because an array converted into JSON is again converted to JSON, but now it isn't an array but a string.

Undefined property CSRFHeaderName

After installation appears this error:
Error shows at any routes URLs (register, login, forgot)

Undefined property: Config\App::$CSRFHeaderName
SYSTEMPATH/Security\Security.php at line 183

Publish views error

php spark auth:publish
Publish Views? [y, n]: y

An uncaught Exception was encountered

Type:        ErrorException
Message:     mkdir(): No such file or directory
Filename:    C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Commands\Publish.php
Line Number: 273

        Backtrace:
           -273 - C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Commands\Publish.php::mkdir
           -182 - C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Commands\Publish.php::writeFile
           -162 - C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Commands\Publish.php::publishView
            -97 - C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Commands\Publish.php::publishViews
           -136 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CLI\CommandRunner.php::run
           -109 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CLI\CommandRunner.php::runCommand
            -85 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CLI\CommandRunner.php::index
           -840 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CodeIgniter.php::_remap
           -335 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CodeIgniter.php::runController
           -245 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CodeIgniter.php::handleRequest
            -85 - C:\xampp\htdocs\codeigniter4-admin\vendor\codeigniter4\framework\system\CLI\Console.php::run
            -57 - C:\xampp\htdocs\codeigniter4-admin\spark::run
  • Codeigniter version 4.0.0-rc.1
  • Myth-auth version dev-develop

Take builder out from $this->builder()->select() in GroupModel.php

return $this->builder()->select('auth_groups_users.*, auth_groups.name, auth_groups.description')

In the last commit, you changed the line (along with namespacing issues)

return $this->select('auth_groups_users.*, auth_groups.name, auth_groups.description') 

to

return $this->builder()->select('auth_groups_users.*, auth_groups.name, auth_groups.description') 

Now it complains about not finding toArray() method.
I took ->builder() out from the statement and it started working again.

CPU 100%

Hi,

I am trying to use this Auth package with cPanel, and I noticed that when I refresh the page fast 4-7 times, CPU goes up to 100% in cPanel.

And this happens when I try to set up the Auth classes.

Example:

public function __construct() {
        $this->setupAuthClasses();
}

And I am thinking in this place
session('logged_in')

Permission ID not being get

When trying to restrict a method or controller with
$this->restrictWithPermissions('informes.en_sector.create', site_url('dashboard') )
it always redirects as if no permission existed or the user is not allowed

Old version of Migration commands

@lonnieezell, I know you are now focused on CI4 RC, but please change the migration commands to the newer version. Other people and I also want to test the package out.
The new migration commands run without error but do not create the table(s)

php spark migrate:latest -all

And as I understood we don't need do anything about set discoverLocal to true. Because it is enabled by default?

Register Error

It’s a problem after the publish command

TypeError
Argument 1 passed to Myth\Auth\Authentication\Passwords\PasswordValidator::__construct() must be an instance of Myth\Auth\Config\Auth, instance of App\Config\Auth given, called in C:\xampp\htdocs\codeigniter4-admin\vendor\myth\auth\src\Config\Services.php on line 90
  • Codeigniter version 4.0.0-rc.1
  • myth-auth version dev-develop

Rolefilter does not end well when more than one role is checked

Maybe better with an example:

$user= 'dog';
$role= 'doberman';

Routes set:

$routes->get('changepass', 'Admin::changePassword', ['filter' => 'role:doberman,german_sheppard', 'as' => 'change-password']);

Then, analyzing step by step:

$result = true;
// Check each requested permission
foreach (['doberman','german_sheppard'] as $group)
{
	$result = $result && $authorize->inGroup($group, $authenticate->id());
}

$result would be true on first iteration, but would become false on second.
Therefore, final result is FALSE, though $user belongs to role "doberman".

Proposed solution:

$result = false;
// Check each requested permission
foreach ($params as $group)
{
	if (!$result)
	{
		$result = $authorize->inGroup($group, $authenticate->id());
	}
}

Missing id() func in AuthenticationBase

I added the missing id() function to AuthenticationBase.
I'll look into "pulling requests" shortly so I can propose changes there

    /**
     * Returns the User ID for the current logged in user.
     *
     * @return int|null
     */
    public function id()
    {
        return $this->user->id;
    }
    /**

Error with failed login

Hi,
I am trying to log a user in via username + password, and if these credentials are wrong I get an error as below:

ErrorException
Undefined index: email
vendor/myth/auth/src/Authentication/LocalAuthenticator.php at line 25
$this->recordLoginAttempt($credentials['email'], $ipAddress, $this->user->id ?? null, false);

I allow to credential via (Config/Auth.php)

    public $validFields = [
        'email', 'username'
    ];

PASSWORD_ARGON2ID is a conditional constant

#68 introduced alternate hashing algorithms, but the constant PASSWORD_ARGON2ID is only available if PHP has been compiled with Argon2 support, not a current requirement for Myth:Auth or CodeIgniter4. This causes syntax errors when trying to load the config file or using the User entity or LocalAuthenticator.

Either backing out the changes for Argon2 or adding some conditional constant definition?
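
One form the "conditional constant definition" idea could take, as an added example that is not the project's code or the change made in #68: the configuration stores the algorithm as a name, and the constant is looked up at runtime so a PHP build without Argon2 never references it. The function names and the name-based setting are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Map a configured algorithm NAME to a password_hash() algorithm value.
 * defined()/constant() are used so the Argon2 constants are never referenced
 * directly on a PHP build that was compiled without Argon2 support.
 */
function resolveHashAlgorithm(string $configured)
{
    $known = [
        'argon2id' => 'PASSWORD_ARGON2ID',
        'argon2i'  => 'PASSWORD_ARGON2I',
        'bcrypt'   => 'PASSWORD_BCRYPT',
    ];
    $name = strtolower($configured);
    if (! isset($known[$name])) {
        // A typo in the config should fail loudly, not silently change hashing.
        throw new InvalidArgumentException("Unknown hash algorithm: {$configured}");
    }
    if (defined($known[$name])) {
        return constant($known[$name]);
    }

    // Known algorithm, but not compiled into this PHP: use the built-in default.
    return PASSWORD_DEFAULT;
}

/**
 * Verify a login and, when the stored hash was made with a different algorithm
 * than the one now resolved, re-hash it while the plaintext is available.
 */
function verifyAndUpgrade(string $password, string &$storedHash, string $configured): bool
{
    if (! password_verify($password, $storedHash)) {
        return false;
    }
    $algo = resolveHashAlgorithm($configured);
    if (password_needs_rehash($storedHash, $algo)) {
        $storedHash = password_hash($password, $algo);
    }

    return true;
}

// Constructed sample: a hash created with bcrypt before the config asked for Argon2id.
$stored = password_hash('constructed-passphrase', PASSWORD_BCRYPT);

var_dump(verifyAndUpgrade('constructed-passphrase', $stored, 'argon2id'));
// Reports which algorithm the stored hash uses after the login on this PHP build.
echo password_get_info($stored)['algoName'], "\n";
```

On a build with Argon2 the stored hash is upgraded at the next successful login; on a build without it the same code keeps working with the default algorithm.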
