
Authenticate Silverstripe users using Core PHP

My client has a website and backend made with SilverStripe. Now the client wants a mobile app, and for that he wants me to build an API to communicate with the database. Unfortunately he wants me to use some other framework, or even a core PHP implementation with PDO.

My problem:

How does SilverStripe encrypt its password? How do I manually authenticate users using plain PHP? Only the logic to encrypt/hash the user input (like SilverStripe does) will be enough for me.

Unfortunately he wants me to use some other framework, or even a core PHP implementation with PDO

You, as a developer, have the ability to tell your client why he might be wrong about this.

If the website/application is built with SilverStripe then he should have a very good/specific reason not to continue to use it to implement an API on top of the SilverStripe data. It makes perfect sense to use SilverStripe for this, and little sense to rewrite parts of the SilverStripe framework for the sake of "not using SilverStripe."

It's also important to mention to your client that the underlying encryption/hashing algorithms that SilverStripe implements are not part of its public API, and hence can change without explicit notice being given to developers. This could mean that the default algorithm is changed (for example if a zero-day exploit is found in the blowfish algorithm) and your mobile app would then stop working. Using a SilverStripe API would not have this same problem.

The above also applies to the general data structure of SilverStripe. Let's assume that one day they decide to move away from flat tables to an EAV database storage design: their public API (classes with public methods) will stay the same, while the backend classes that separate accessibility from processing and data storage will change. You will have to update your API too, if you build it yourself!

How does SilverStripe encrypt its passwords?

It depends. The default method is encryption with the blowfish algorithm, but there are a half dozen or so (in 3.4.1) implementations of the PasswordEncryptor class that could be configured for use.

The algorithm to use is configurable via the Security::$password_encryption_algorithm property, or via YAML config.

Each user could have a different password encryption/hashing algorithm in use. Take a look at the Member database table, under the PasswordEncryption column.

How do I manually authenticate users using plain PHP?

Theoretically, if you wanted to do this, you'd need to recreate most of the logic in the framework's authenticator. Start by looking at Member::checkPassword. This is the start of the logic that checks the password against the member, which is what you'll care about.

You'll find yourself assuming that most implementations of SilverStripe will use the default algorithm of blowfish encryption, and follow PasswordEncryptor::create_for_algorithm through to PasswordEncryptor_Blowfish::check. At this point you'll see that you will literally end up replicating an amount of the SilverStripe framework's code to be able to achieve what you want.


Summary

  • What you want to achieve will involve a lot of duplication
  • It will not work for 100% of SilverStripe implementations
  • It may work now, but will break at some point when the algorithms change
  • Ask your client why, and convince them to change their mind about it (after all, you're the expert, they're the client)
  • Use a SilverStripe API module (a couple are listed below)

API modules

  • silverstripe/silverstripe-restfulserver - Officially supported, and provides a simple and easy way to get started with providing API access to your SilverStripe system. You have basic control over the HTTP request methods, and can limit access and permissions per DataObject.
  • colymba/silverstripe-restfulapi - Community module. Arguably more flexible and powerful. Slightly more work to set up/configure the way you want it to work.
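The following is an added example, not part of the original question or answer and not SilverStripe's own code. It shows what the plain-PHP check the answer describes looks like for the default blowfish encryptor only, against a Member row fetched with PDO. It assumes the SilverStripe 3.x column layout: PasswordEncryption holds the algorithm name ('blowfish'), Salt holds '<cost>$<22 salt characters>' (for example '10$' followed by 22 characters), and Password holds crypt() output produced with the '$2y$' prefix. Because installs differ in whether the full 60-character crypt() string or only the 31-character part after the salt is stored, the check handles both; verify against your own Member table before relying on either. The salt generator and the ss_* function names are this example's own, written to mirror the behaviour of PasswordEncryptor_Blowfish as described above, and any other PasswordEncryption value is refused rather than guessed at, which is exactly the "not 100% of implementations" limitation the answer warns about.

```php
<?php
// Added example: verify a password against a SilverStripe 3.x Member row
// (default "blowfish" encryptor) in plain PHP, without the framework.
//
// Assumed column layout (check your own Member table):
//   PasswordEncryption = 'blowfish'
//   Salt               = '<cost>$<22 salt chars>', e.g. '10$' . 22 chars
//   Password           = crypt($plain, '$2y$' . Salt), either the full
//                        60-char string or only the 31-char part after the salt.

declare(strict_types=1);

/** Build a SilverStripe-style blowfish salt: zero-padded cost, '$', 22 bcrypt-alphabet chars. */
function ss_blowfish_salt(int $cost = 10): string
{
    // bcrypt's salt alphabet is ./A-Za-z0-9. base64 is close; '+' is not allowed,
    // so map it to '.', and drop any '=' padding by cutting to 22 chars.
    $raw = substr(strtr(base64_encode(random_bytes(17)), '+', '.'), 0, 22);
    return sprintf('%02d', $cost) . '$' . $raw;
}

/** Hash the way PasswordEncryptor_Blowfish does: crypt() with the '$2y$' method prefix. */
function ss_blowfish_hash(string $password, string $salt): string
{
    $methodAndSalt = '$2y$' . $salt;
    $hash = crypt($password, $methodAndSalt);
    // crypt() signals failure with a short string such as '*0'; never accept that.
    if (strlen($hash) !== 60 || strpos($hash, $methodAndSalt) !== 0) {
        throw new RuntimeException('Blowfish hashing failed (bad salt or unsupported crypt())');
    }
    return $hash;
}

/**
 * Check a plaintext password against one Member row, given as an associative
 * array with the Password, Salt and PasswordEncryption columns.
 * Returns true only on a match; throws for algorithms this example does not cover.
 */
function ss_check_password(string $password, array $member): bool
{
    $algorithm = (string) ($member['PasswordEncryption'] ?? '');
    if ($algorithm !== 'blowfish') {
        // Other PasswordEncryptor implementations (sha1_v2.4, md5, none, ...) have
        // their own formats. Refusing is safer than guessing; extend here if needed.
        throw new RuntimeException("Unsupported PasswordEncryption '$algorithm'");
    }
    $stored = (string) ($member['Password'] ?? '');
    $salt   = (string) ($member['Salt'] ?? '');
    if ($stored === '' || $salt === '') {
        return false;
    }
    $computed = ss_blowfish_hash($password, $salt);
    if (strpos($stored, '$2') === 0) {
        // Full crypt() output stored: constant-time comparison of whole strings.
        return hash_equals($stored, $computed);
    }
    // Only the part after '$2y$<salt>' stored: compare against the same suffix.
    return hash_equals($stored, substr($computed, strlen('$2y$' . $salt)));
}

// --- Constructed demo row (no real database involved) -------------------------
$salt = ss_blowfish_salt(10);
$memberRow = [
    'Email'              => 'demo@example.com',
    'PasswordEncryption' => 'blowfish',
    'Salt'               => $salt,
    'Password'           => ss_blowfish_hash('correct horse battery staple', $salt),
];

var_dump(ss_check_password('correct horse battery staple', $memberRow));
var_dump(ss_check_password('wrong password', $memberRow));
```

Against a live database the row comes from a PDO prepared statement such as `SELECT "Password", "Salt", "PasswordEncryption" FROM "Member" WHERE "Email" = ?` (the Member table and those three columns are SilverStripe's; the query is this example's). Keep the comparison on hash_equals rather than `===` so a wrong password is rejected in constant time, and remember that this reproduces only one encryptor at one point in the framework's history: a site that changes Security::$password_encryption_algorithm, or a Member row whose PasswordEncryption is anything else, will fail this check even when the password is right.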
