Best way to handle authentication in Zend Framework 2
Question
I'm new to Zend Framework 2 and I was wondering what is the best way to handle authentication. My current (working) login code is :
public function loginAction()
{
$message = '';
$message_type = '';
$form = new UserForm();
$form->get('submit')->setValue('login');
$request = $this->getRequest();
if($request->isPost())
{
$data = $request->getPost();
$user = $this->getUserTable()->getUser($data['username']);
$bcrypt = new Bcrypt();
if($bcrypt->verify($data['password'], $user->password))
{
$message = 'successfully logged in as ' . $user->username;
$message_type = 'success';
}
else
{
$message = 'invalid password or username';
$message_type = 'danger';
}
}
return new ViewModel(array(
'form' => $form,
'message' => $message,
'message_type' => $message_type,
));
}
Now I know I'm not using the ZF2 Authentication module but I can't get it to work with Bcrypt. Is my method safe enough or should I use Zend\\Authentication ?
EDIT
Alright I managed to get it to work somehow, here's the new code :
public function loginAction()
{
$message = '';
$message_type = '';
$form = new UserForm();
$form->get('submit')->setValue('login');
$request = $this->getRequest();
if($request->isPost())
{
$user = new User();
$form->setInputFilter($user->getInputFilter());
$form->setValidationGroup('username', 'password');
$form->setData($request->getPost());
if($form->isValid())
{
$user->exchangeArray($form->getData());
$data = $this->getUserTable()->getUser($user->username);
$bcrypt = new Bcrypt();
if($bcrypt->verify($user->password, $data->password))
{
$dbAdapter = $this->getServiceLocator()->get('Zend\Db\Adapter\Adapter');
$authService = new CredentialTreatmentAdapter($dbAdapter, 'user', 'username', 'password');
$authService->setIdentity($user->username);
$authService->setCredential($data->password);
if($authService->authenticate()->isValid())
{
$message = 'successfully logged in as ' . $user->username;
$message_type = 'success';
}
else
{
$message = 'invalid password or username';
$message_type = 'danger';
}
}
}
}
It uses BCrypt and Zend\\Authentication and it seems to work fine.
2 answers
solution1
1 2014-06-10 14:26:35
" but I can't get it to work with Bcrypt "
- Store password already bcrypted
- Parametrize the auth adapter with the username and the bcrypted password
(It will simply compare the strings.)
" Is my method safe enough or should I use Zend\\Authentication " If you store your password crypted (as you do), I do not see any problem with your code.
Nevertheless, I would use Zend Authentication: Zend\\Authentication , as it gives much more.
solution2
0 2014-08-06 09:59:12
It is working for me with out session storage
public function login($credential)
{
$bcrypt = new Bcrypt();
$user = new User();
$user->exchangeArray($credential);
$password = $user->password;
$data = $this->getUserTable()->selectUser($user->username);
if (!$data)
{
$message = 'Username or password not correct!';
} else {
if ($bcrypt->verify($password, $data->password)) {
$sm = $this->getServiceLocator();
$dbAdapter = $sm->get('Zend\Db\Adapter\Adapter');
$authAdapter = new AuthAdapter(
$dbAdapter,
'user',
'username',
'password'
);
$authAdapter -> setIdentity($user->username) -> setCredential($data->password);
$auth = new AuthenticationService();
$result = $auth->authenticate($authAdapter);
//success
switch ($result->getCode()) {
case Result::FAILURE_IDENTITY_NOT_FOUND:
// do stuff for nonexistent identity
$message = "FAILURE_IDENTITY_NOT_FOUND";
break;
case Result::FAILURE_CREDENTIAL_INVALID:
// do stuff for invalid credential
$message = "FAILURE_CREDENTIAL_INVALID";
break;
case Result::SUCCESS:
$message = "you are logged in succesfully";
break;
default:
// do stuff for other failure
//$message = "you are logged in succesfully";
break;
//$message = "Login succesfull.Welcome ".$auth->getIdentity();
}
} else {
$message = 'Username or password not correct';
}
}
return new ViewModel(array("message" =>$message));
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.