PHPAuth


Notice! (pr 1/10/2020)

PHPAuth is undergoing a complete rewrite to bring the code up to date. The project has been on hold for way too long now, and I decided to work on it again, making sure EVERYONE can use it and not just advanced programmers. My goal is to make an Auth framework that is secure, extendable and usable for everyone. It will take some time, but we have a good number of users already using this code who are happy to help out.

Goals:

What is it

PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system (Thanks to ZxcvbnPhp\Zxcvbn) and attack blocking to keep your website and users secure.

PHPAuth is a work in progress, and not meant for people who don’t know how to program; it’s meant for people who know what they are doing. We cannot help everyone who doesn’t understand this class.

IT’S NOT ONLY FOR BEGINNERS!

Features

User actions

Requirements

Composer Support

PHPAuth can now be installed with the following command:

composer require phpauth/phpauth

Then: require '/path/to/vendor/autoload.php';

Installing without Composer is not recommended.

Configuration

The database table config contains multiple parameters allowing you to configure certain functions of the class.

The rest of the parameters generally do not need changing.

CAPTCHA Implementation

If isBlocked() returns verify, then a CAPTCHA code should be displayed. The method checkCaptcha($captcha) is called to verify a CAPTCHA code. By default, this method returns true but should be overridden to verify a CAPTCHA.

For example, if you are using Google’s ReCaptcha NoCaptcha, use the following code:

    private function checkCaptcha($captcha)
    {
        try {
            $url  = 'https://www.google.com/recaptcha/api/siteverify';
            $data = [
                'secret'   => 'your_secret_here',
                'response' => $captcha,
                'remoteip' => $this->getIp()
            ];

            $options = [
                'http' => [
                    'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
                    'method'  => 'POST',
                    'content' => http_build_query($data)
                ]
            ];

            $context = stream_context_create($options);
            $result  = file_get_contents($url, false, $context);

            // file_get_contents() returns false on failure instead of throwing
            if ($result === false) {
                return false;
            }

            // Fail closed unless the response explicitly reports success === true
            $response = json_decode($result);
            return isset($response->success) && $response->success === true;
        } catch (\Exception $e) {
            return false;
        }
    }

If a CAPTCHA is not to be used, make sure to set attempt_before_block to the same value as attempts_before_verify.

Alternatively, the Auth::checkReCaptcha() method can be called.
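The following added example (not PHPAuth's own code) models the allow / verify / block decision to show why the two thresholds should match when no CAPTCHA is used: any gap between them is a range of attempts answered with verify, which the default checkCaptcha() (returning true) does not actually challenge. The function names, the ">=" threshold semantics and the sample thresholds are assumptions made for this illustration.

```php
<?php
// Added illustration: a stand-alone model of the allow / verify / block decision.
// This is NOT PHPAuth's implementation; attemptState(), verifyWindow() and the
// ">= threshold" semantics are assumptions made for this example.

function attemptState(int $failedAttempts, int $beforeVerify, int $beforeBlock): string
{
    if ($beforeVerify > $beforeBlock) {
        throw new InvalidArgumentException('verify threshold must not exceed block threshold');
    }
    if ($failedAttempts >= $beforeBlock) {
        return 'block';   // reject outright, no CAPTCHA offered
    }
    if ($failedAttempts >= $beforeVerify) {
        return 'verify';  // caller must show a CAPTCHA and check the response
    }
    return 'allow';
}

// Number of attempt counts for which the caller is told to show a CAPTCHA.
function verifyWindow(int $beforeVerify, int $beforeBlock): int
{
    $n = 0;
    for ($i = 0; $i <= $beforeBlock; $i++) {
        if (attemptState($i, $beforeVerify, $beforeBlock) === 'verify') {
            $n++;
        }
    }
    return $n;
}

// Constructed sample thresholds, not PHPAuth defaults.
$profiles = [
    'with CAPTCHA'    => ['verify' => 5,  'block' => 10],
    'without CAPTCHA' => ['verify' => 10, 'block' => 10],
];

foreach ($profiles as $name => $t) {
    printf("%-16s verify window = %d attempt(s)\n", $name, verifyWindow($t['verify'], $t['block']));
    foreach ([0, 4, 5, 9, 10] as $attempts) {
        printf("  %2d failed -> %s\n", $attempts, attemptState($attempts, $t['verify'], $t['block']));
    }
}
```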

How to secure a page

Making a page accessible only to authenticated users is quick and easy, requiring only a few lines of code at the top of the page:

<?php

require_once __DIR__ . '/vendor/autoload.php';

$dbh = new PDO("mysql:host=localhost;dbname=phpauth", "username", "password");

$config = new \PHPAuth\Config($dbh);
$auth   = new \PHPAuth\Auth($dbh, $config);

if (!$auth->isLogged()) {
    header('HTTP/1.0 403 Forbidden');
    echo "Forbidden";

    exit();
}

NB: this requires the package to be installed via Composer: composer require phpauth/phpauth

Validate user password in front-end

PHPAuth evaluates the strength of a password on user registration and when users are added manually via the addUser() function. The minimum score of accepted passwords is controlled via the password_min_score config parameter.

In this example, the front-end is based on HTML generated via PHP. The score is passed as a JavaScript variable like this:

<?php echo 'let minimum_score = ' . (int) $config->password_min_score . ';'; ?>

A full example can be found in the source: /examples/html-frontend-password-strength-gui-feedback/index.php

NB: requires a database with phpauth tables from database_defs

Custom config sources

By default, the configuration is read from the phpauth_config database table.

It is possible to define a custom config from other sources: an INI file, another SQL table or a PHP array:

Config($dbh, $config_source, $config_type, $config_language)

Examples:

new Config($dbh); // load config from SQL table 'phpauth_config', language is 'en_GB'

new Config($dbh, 'my_config'); // load config from SQL table 'my_config', language is 'en_GB'

new Config($dbh, '$/config/phpauth.ini', 'ini'); // configuration will be loaded from INI file, '$' means Application basedir

new Config($dbh, $CONFIG_ARRAY, 'array'); // configuration must be defined in $CONFIG_ARRAY value

new Config($dbh, null, '', 'ru_RU'); // load configuration from default SQL table and use ru_RU locale

Message languages

The language for error and success messages returned by PHPAuth can be configured by passing in one of the available languages as the third parameter to the Auth constructor. If no language parameter is provided, then the default en_GB language is used.

Example:

$config = new \PHPAuth\Config($dbh, null, 'sql', 'fr_FR');
$auth   = new \PHPAuth\Auth($dbh, $config);

Available languages:

NB: Since 1.3.5 the recommended way to connect another language is this: composer require phpauth/phpauth.l10n, then call before Auth instantiation:

$config = new \PHPAuth\Config($dbh, null, \PHPAuth\Config::CONFIG_TYPE_SQL);
$config = $config->setLocalization( (new \PHPAuth\PHPAuthLocalization('fr_FR'))->use() );
$auth   = new \PHPAuth\Auth($dbh, $config);

Documentation

All class methods are documented in the Wiki. System error codes are listed and explained here.

Contributing

Anyone can contribute to improve or fix PHPAuth. To do so, you can either report an issue (a bug, an idea…) or fork the repository, make modifications in your fork, then request a merge.

Credits

Donation

You can help with a donation, so we can rent servers to test on and tip our contributors as thanks for their help.

Bitcoin: 1PrXRMb9R8GkSRB8wSJ2MWhF9cc6YXCS8w

Contributors ✨

Thanks goes to these wonderful people (emoji key):

Nico 💻

Hajrudin 🌍

conver 💻

louis123562 📖

ANDRES TELLO 💻

张成林 💻

This project follows the all-contributors specification. Contributions of any kind welcome!