I'm working on a project rebuild using CakePHP, and following the new Authentication documentation here:
http://book.cakephp.org/3.0/en/controllers/components/authentication.html
From what I'm reading, Cake3 uses the userModel='User' by default, but it has the option to set it to whatever you want. In my case, I have all the auth data in the 'Account' model (i.e. userModel => 'Account').
So, in my Account Entity, I added the following code:
protected function _setPassword($password)
{
return (new DefaultPasswordHasher)->hash($password);
}
Additionally, in my accounts table, my 'passwd' field is set to varchar(255) [I've read that's required for some reason].
When I use my default baked 'add' and 'edit' methods, the password is stored in plain text, and not hashed. The ONLY way I've found to get around this is to create a custom method in the AccountsTable class then call it using this kludge:
$this->request->data['passwd'] = $this->Accounts->hashPassword($this->request->data['passwd']);
My Auth component looks like this...
$this->loadComponent('Auth', [
'loginAction' => [
'controller' => 'Accounts',
'action' => 'login'
],
'authError' => 'Unauthorized Access',
'authenticate' => [
'Form' => [
'fields' => [
'username' => 'username',
'password' => 'passwd'
],
'userModel'=>'Accounts'
]
]
]);
Is there a way to do this without dinking around with the raw request data?
Your mutator is named wrongly, the convention for mutators is _set followed by the camel cased field/property name. So since your field name is passwd, not password, it has to be named _setPasswd instead.
protected function _setPasswd($password)
{
return (new DefaultPasswordHasher)->hash($password);
}
See also Cookbook > Entities > Accessors & Mutators
Related
Building a lightweight app using basic installation of Yii2.
I need to assign a role for a user but don't want to have users and user roles stored in database.
How can I set a role for users defined in User->users class?
Default User model and default user definition look like this:
class User extends \yii\base\BaseObject implements \yii\web\IdentityInterface
{
public $id;
public $username;
public $password;
public $authKey;
public $accessToken;
private static $users = [
'100' => [
'id' => '100',
'username' => 'admin',
'password' => 'admin',
'authKey' => 'test100key',
'accessToken' => '100-token',
],
You can use RBAC PhpManager for that that will store all roles info in files instead.
First configure your AuthManager component in config/web.php:
// ...
'components' => [
// ...
'authManager' => [
'class' => 'yii\rbac\PhpManager',
],
// ...
],
By default it uses 3 files to keep the data:
#app/rbac/items.php
#app/rbac/assignments.php
#app/rbac/rules.php
So make sure there is folder rbac in your application's root and that it's write-able by the www process. If you want to place the files somewhere else (or rename them) you can provide the new path in the configuration like:
'authManager' => [
'class' => 'yii\rbac\PhpManager',
'itemFile' => // new path here for items,
'assignmentFile' => // new path here for assignments,
'ruleFile' => // new path here for rules,
],
The rest now is just like in the Authorization Guide.
Prepare roles and permissions (example in console command - by running this command once you set all roles; remember that if you want to run it in console you need also configure console.php with the same component).
Assign role to a user (example - here it's done during the signup but you can do it also in the above command).
Now you can control access with direct check or behavior configuration.
I use this function for get client ip:
$client = #$_SERVER['HTTP_CLIENT_IP'];
You can see it here.
http://city.ru.xsph.ru/web/
But this address does not match the IP that use other hosts (the correct IP). For example:
https://hidemyna.me/en/ip/
You can use the Yii2 default method available in YI2
Yii::$app->getRequest()->getUserIP()
or if you are looking to save the current user ip into the database table i would recommend you to use the IPbehavior within the model like
public function behaviors() {
return [
...
'ip' => [
'class' => IpBehavior::className(),
'attributes' => [
ActiveRecord::EVENT_BEFORE_INSERT => ['created_ip', 'updated_ip'],
ActiveRecord::EVENT_BEFORE_UPDATE => 'updated_ip',
],
]
...
];
}
Or like this. where value can be a string or an anonymous function that will return a string.
public function behaviors() {
return [
...
'ip' => [
'class' => IpBehavior::className(),
'createdIpAttribute' => 'created_ip',
'updatedIpAttribute' => 'updated_ip',
'value' => '127.0.0.1',
]
...
];
}
I think to get client IP address you have to use this code:
Yii::$app->request->userIP
The prefered way of getting client ip is with Yii::$app->request-remoteIp
This method uses either $_SERVER['REMOTE_ADDR'] or ip headers (like X-Forwarded-For) that can be added by load balencers or proxy services.
there are however still situations where your public ip (https://hidemyna.me/en/ip/) and the ip that your appication is showing (http://city.ru.xsph.ru/web/) will be different - if you're on the same network as your app for example
Can I statically define roles in authManager (in defaultRoles array in config) and assign them to users so behavior rules define access to actions?
As i have certain roles, I don't want to use auth_assignment and auth_item and ...
Assuming I create column in user table for role and every user has one role and roles are define in config file.
In fact I want to build access rules like 'admin' for users who are admin (Where yii says '#' for authenticated user and '?' for guest).
First create your roles somewhere like params then behaviors function can manage authentication easily
public function behaviors()
{
return [
'access' => [
'class' => AccessControl::className(),
'except' => [''],//or only
'rules' => [
[
'allow' => true,
'actions' => ['deletepic', 'regenerate'],
'matchCallback' => function ($rule, $action) {
return (myAuth(['root','admin']));
}
],
],
],
];
}
myAuth() will check current user role and return true if they role match requested action.
My application use many databases, they are in same structure, but data has no relation between different databases. I need to change database via request params.
In the config can only setup dsn, but I want to change database dynamically.
How can I do that.
I got myself:
$mongo = Yii::$app->get('mongodb');
$mongo->options['db'] = 'foo';
The simplest solution is to defined multiple connections in the configuration:
'components' =>
[
...
'mongodb' =>
[
'class' => '\yii\mongodb\Connection',
'dsn' => 'mongodb://localhost:27017/database1',
],
'othermongodb' =>
[
'class' => '\yii\mongodb\Connection',
'dsn' => 'mongodb://localhost:27017/database2',
],
...
]
You can then access your connections with Yii::$app->mongodb and Yii::$app->othermongodb (or using the get()-method if you prefer). This also allows you to specify the correct database for the ActiveRecord classes that come from a different database:
class MyOtherDBMongo extends \yii\mongodb\ActiveRecord
{
public static function getDb()
{
return \Yii::$app->get('othermongodb');
}
}
I want to make a request to resource/index.json, but since I index is not allowed without authentication it redirects me to login page. That's the behavior I want when no username:password has been sent
The thing is how do I set AuthComponent to work with both Form and Basic and only check for basic when the request goes through api prefix.
Also, does it automatically authenticate when found username and password in the header or do I have to do it manually?
in respective controller add few lines
class NameController extends AppController {
public function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow("index");
}
}
This will allow index without authentication.
I decided to use Friend's of Cake TokenAuthenticate, and yes, it works along with FormAuthenticate so I am able to use both.
As a matter of fact, it automatically chooses the component it's going to use based on if there is an existing _token param or a X-MyApiTokenHeader header.
public $components = array(
'Auth' => array(
'authenticate' => array(
'Form',
'Authenticate.Token' => array(
'parameter' => '_token',
'header' => 'X-MyApiTokenHeader',
'userModel' => 'User',
'scope' => array('User.active' => 1),
'fields' => array(
'username' => 'username',
'password' => 'password',
'token' => 'public_key',
),
'continue' => true
)
)
)
);