PHPAuth is undergoing a complete rewrite to bring the code up to date, the project has been on hold for way to long time now, and I decided to work on it again making sure EVERYONE can use it and not just advanced programmers. My goal is to make an Auth framework that is secure, extendable and usable for everyone. It will take some time, but we have a good amount of users already using this code which are happily to help out.
PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system (Thanks to ZxcvbnPhp\Zxcvbn) and attack blocking to keep your website and users secure.
PHPAuth is work in progress, and not meant for people that don’t know how to program, its meant for people that know what they are doing. We cannot help everyone because they don’t understand this class.
IT’S NOT ONLY FOR BEGINNERS!
PHPAuth can now be installed with the following command:
composer require phpauth/phpauth
Then: require '/path/to/vendor/autoload.php';
Installing without composer not recommended.
The database table config
contains multiple parameters allowing you to configure certain functions of the class.
site_name
: the name of the website to display in the activation and password reset emailssite_url
: the URL of the Auth root, where you installed the system, without the trailing slash, used for emails.site_email
: the email address from which to send activation and password reset emailssite_key
: a random string that you should modify used to validate cookies to ensure they are not tampered withsite_timezone
: the timezone for correct DateTime valuessite_activation_page
: the activation page name appended to the site_url
in the activation emailsite_activation_page_append_code
: 1
to append /key to the site_url
in the activation email to simpler UX, a RESTful API should be implemented for this optionsite_password_reset_page
: the password reset page name appended to the site_url
in the password reset emailsite_password_reset_page_append_code
: 1
to append /key to the site_url
in the reset email to simpler UX, a RESTful API should be implemented for this optioncookie_name
: the name of the cookie that contains session information, do not change unless necessarycookie_path
: the path of the session cookie, do not change unless necessarycookie_domain
: the domain of the session cookie, do not change unless necessarycookie_samesite
: the same-site setting of the cookie. It defaults to Strict, do not change unless necessarycookie_secure
: the HTTPS-only setting of the session cookie, by default only allows calls over an HTTPS channel, do not change unless necessarycookie_http
: the HTTP only protocol setting of the session cookie, true by default, do not change unless necessarycookie_remember
: the time that a user will remain logged in for when ticking “remember me” on login. Must respect PHP’s strtotime format.cookie_forget
: the time a user will remain logged in when not ticking “remember me” on login. Must respect PHP’s strtotime format.cookie_renew
: the maximum time difference between session expiration and last page load before allowing the session to be renewed. Must respect PHP’s strtotime format.allow_concurrent_sessions
: Allow a user to have multiple active sessions (boolean). If false (default), logging in will end any existing sessions.bcrypt_cost
: the algorithmic cost of the bcrypt hashing function, can be changed based on hardware capabilitiessmtp
: 0
to use sendmail for emails, 1
to use SMTPsmtp_debug
: 0
to disable SMTP debugging, 1
to enable SMTP debugging, useful when you are having email/SMTP issuessmtp_host
: hostname of the SMTP serversmtp_auth
: 0
if the SMTP server doesn’t require authentication, 1
if authentication is requiredsmtp_username
: the username for the SMTP serversmtp_password
: the password for the SMTP serversmtp_port
: the port for the SMTP serversmtp_security
: NULL
for no encryption, tls
for TLS encryption, ssl
for SSL encryptionverify_password_min_length
: minimum password length, default is 3
verify_email_min_length
: minimum EMail length, default is 5
verify_email_max_length
: maximum EMail length, default is 100
verify_email_use_banlist
: use banlist while checking allowed EMails (see /files/domains.json
), default is 1
(true
)attack_mitigation_time
: time used for rolling attempts timeout, default is +30 minutes
. Must respect PHP’s strtotime format.attempts_before_verify
: maximum amount of attempts to be made within attack_mitigation_time
before requiring captcha. Default is 5
attempt_before_ban
: maximum amount of attempts to be made within attack_mitigation_time
before temporally blocking the IP address. Default is 30
password_min_score
: the minimum score given by zxcvbn that is allowed. Default is 3
translation_source
: source of translation, possible values: ‘sql’ (data from table_translations
: name of the table with translation for all messagestable_attempts
: name of the table with all attempts (default is ‘phpauth_attempts’)table_requests
: name of the table with all requests (default is ‘phpauth_requests’)table_sessions
: name of the table with all sessions (default is ‘phpauth_sessions’)table_users
: name of the table with all users (default is ‘phpauth_users’)table_emails_banned
: name of the table with all banned email domains (default is ‘phpauth_emails_banned’)recaptcha_enabled
: 1 for Google reCaptcha enabled, 0 - disabled (default)recaptcha_site_key
: string, contains public reCaptcha key (for javascripts)recaptcha_secret_key
: string, contains secret reCaptcha keyuses_session
: 1 to use Session, 0 - disabled (default) to use cookiesThe rest of the parameters generally do not need changing.
If isBlocked()
returns verify
, then a CAPTCHA code should be displayed.
The method checkCaptcha($captcha)
is called to verify a CAPTCHA code. By default, this method returns true
but should be overridden to verify a CAPTCHA.
For example, if you are using Google’s ReCaptcha NoCaptcha, use the following code:
private function checkCaptcha($captcha)
{
try {
$url = 'https://www.google.com/recaptcha/api/siteverify';
$data = ['secret' => 'your_secret_here',
'response' => $captcha,
'remoteip' => $this->getIp()];
$options = [
'http' => [
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data)
]
];
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
return json_decode($result)->success;
}
catch (\Exception $e) {
return false;
}
}
If a CAPTCHA is not to be used, please ensure to set attempt_before_block
to the same value as attempts_before_verify
.
Also, Auth::checkReCaptcha()
method can be called.
Making a page accessible only to authenticated users is quick and easy, requiring only a few lines of code at the top of the page:
<?php
require_once __DIR__ . '/vendor/autoload.php';
$dbh = new PDO("mysql:host=localhost;dbname=phpauth", "username", "password");
$config = new \PHPAuth\Config($dbh);
$auth = new \PHPAuth\Auth($dbh, $config);
if (!$auth->isLogged()) {
header('HTTP/1.0 403 Forbidden');
echo "Forbidden";
exit();
}
NB: required package installed via composer: composer require phpauth/phpauth
!!!
PHPAuth evaluates the strength of a password on user registration and manually added Users via addUser()
function. The minimum score of accepted passwords is controlled via the password_min_score
config-parameter.
In this example, the front-end is based on html, generated via php. The score is passed as a javascript variable like
<?php echo 'let minimum_score =' . $config->password_min_score; ?>
A full example can be found in the source: /examples/html-frontend-password-strength-gui-feedback/index.php
NB: requires a database with phpauth tables from database_defs
By default, config defined at phpauth_config
data table.
It is possible to define custom config from other sources: ini-file, other SQL-table or php-array:
Config($dbh, $config_source, $config_type, $config_language)
config_source
-
config_type
:
config_language
- custom language for site as locale value (default is ‘en_GB’)Examples:
new Config($dbh); // load config from SQL table 'phpauth_config', language is 'en_GB'
new Config($dbh, 'my_config'); // load config from SQL table 'my_config', language is 'en_GB'
new Config($dbh, '$/config/phpauth.ini', 'ini'); // configuration will be loaded from INI file, '$' means Application basedir
new Config($dbh, $CONFIG_ARRAY, 'array'); // configuration must be defined in $CONFIG_ARRAY value
new Config($dbh, null, '', 'ru_RU'); // load configuration from default SQL table and use ru_RU locale
The language for error and success messages returned by PHPAuth can be configured by passing in one of
the available languages as the third parameter to the Auth constructor. If no language parameter is provided
then the default en_GB
language is used.
Example:
$config = new \PHPAuth\Config($dbh, null, 'sql', 'fr_FR');
$auth = new \PHPAuth\Auth($dbh, $config);
Available languages:
ar-TN
bs-BA
cs_CZ
da_DK
de_DE
en_GB
(Default)es_MX
fa_IR
fr_FR
gr_GR
hu_HU
id_ID
it_IT
ja_JP
nl_BE
nl_NL
no_NB
pl_PL
ps_AF
pt_BR
ro_RO
ru_RU
se_SE
sk_SK
sl_SI
sr_RS
th_TH
tr_TR
uk_UA
vi_VN
zh_CN
zh_TW
NB: Since 1.3.5 the recommended way to connect another language is this:
composer require phpauth/phpauth.l10n
, then call before Auth instantiation:
$config = new \PHPAuth\Config($dbh, null, \PHPAuth\Config::CONFIG_TYPE_SQL);
$config = $config->setLocalization( (new \PHPAuth\PHPAuthLocalization('fr_FR'))->use() );
$auth = new \PHPAuth\Auth($dbh, $config);
All class methods are documented in the Wiki System error codes are listed and explained here
Anyone can contribute to improve or fix PHPAuth, to do so you can either report an issue (a bug, an idea…) or fork the repository, perform modifications to your fork then request a merge.
You can help with a donation, so we can rent servers to test on, we can tip our contributors as thank for their help.
Bitcoin: 1PrXRMb9R8GkSRB8wSJ2MWhF9cc6YXCS8w
Thanks goes to these wonderful people (emoji key):
Nico 💻 |
Hajrudin 🌍 |
conver 💻 |
louis123562 📖 |
ANDRES TELLO 💻 |
张成林 💻 |
This project follows the all-contributors specification. Contributions of any kind welcome!