Leveraging Zend_Auth for building your authentication

Tom — Thu, 07 May 2009 21:06:09 +0000

In a series of posts, I will address the issue of authentication and authorization of users into your application. When you build a website with any form of back office, you will need to grant users access to the back office (authentication), and determine what actions they are allowed to take (authorization). The Zend Framework has two tools just for that job: Zend_Auth and Zend_ACL. In this first part, I will build a custom User class, that will allow the programmer to perform a simple authentication of a user. This User class will be integrated into a so called “code base” or “framework” that you can use for your own applications. As of this moment, that framework doesn’t exist yet. I will gradually build it as my blog posts are added. Please look for the tag “codebase” if you want all of these posts.

First things first: if you have read my previous posts about securing your Flex – PHP services, you will have seen that I have wrapped the bootstrapping process of that application in a class named “CB_Application”. That class is still under very heavy development. Since the release of Zend Framework 1.8, they have introduced Zend_Application, just for that purpose. So it is very likely that in the future, I will replace my CB_Application class with something that makes use of Zend_Application. For now, I will focus on the other functionality, and leave CB_Application as it is, without bothering you with the details. But full disclosure will come, somewhere in the future.

Structure

I haven’t decided on some kind of structure for this framework yet. I think it will evolve as I add more classes and functionality to it. Below is a screenshot of how it currently looks like.

Codebase Structure

As you can see, quite empty. What we will be constructing during this blog post, is the CB_User class, the CB_Table_Users class and the CB_Auth_Adapter_Chap class. Once that is complete, you should include the Code Base folder into your include paths in your bootstrap. If that is done, you can just simple use your framework anywhere in your models or controllers.

Database tables for the User class

I’m going to concentrate on the authentication of the users, so I will keep the amount of data small. It will be the base for the User class, and will be extended with functionality and other data as the framework evolves. Right now, the only properties for a user we need, are: a username, a password, an e-mail address, and a flag to indicate if the user is active or not.

CREATE TABLE IF NOT EXISTS `cb_users` (
  `id` int(5) NOT NULL AUTO_INCREMENT,
  `username` varchar(30) NOT NULL,
  `password` varchar(255) NOT NULL,
  `email` varchar(255) NOT NULL,
  `active` tinyint(1) NOT NULL DEFAULT '1',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8;

Small remark:All passwords are encrypted via the AES encryption method. I won’t use a hashing algorithm, because during the authentication process, I would like to know the exact password. In case I want to build PHP services for Flex, I will need that password, and I can’t come from the client directly. But that’s nothing to worry about now; just remember that the password will be encrypted via AES.

For testing purposes, we will add a dummy user via SQL now. Normally this will be done during some sort of registration process, but that’s for the future. Let’s add the user “test” with password “password” into the database. As key for the AES encryption, I have used “c0d3ba53″. You know, l33t speak as they say You should remember that key. I will hard code it into the code, as this is just a demonstration. In my real code, I have this key in a configuration file, and it is fetched by CB_Application. (I know, it’s irritating, but it will come up here an there during this blog post. Sorry!)

1	INSERT INTO cb_users (username,password,email,active) VALUES ('test','S í‹ôÚ×ýfÕ‘ˆ? ','test@example.com',1);

Building the authentication

Authenticating a user will be very straightforward. There is only 1 condition: I want to be able to use CHAP and regular authentication. CHAP requires 3 parameters (username, challenge, signature) and regular authentication requires only 2 (username, password). I will incorporate that into 1 authentication function that will dynamically decide which authentication we will be doing, via the amount of parameters.

As I said before, the authentication process will make use of the Zend_Auth component of the Zend Framework. There are many different ways you could authenticate a user. Most commonly is against a database. Zend_Auth can accommodate to all these different ways, by making use of adapters. An auth adapter basically does the authentication, and Zend_Auth uses it. There are already some predefined adapters, but for the CHAP authentication, we will have to create our own.

To access all the data from the cb_users table in the database, We extend the regular Zend_Db_Table class with our own information:

class CB_Table_Users extends Zend_Db_Table_Abstract {
	protected $_name = 'cb_users';
	protected $_primary = "id";
}

Nothing fancy, we just specify our table name, and the primary key, and then we’re good to go.

Before we can do the authentication, we first need to create our custom CHAP authentication adapter. The Zend Framework is designed to be extensible, and there is in interface for creating your own authentication adapters. The only method you need to implement is the authenticate() method. But you can add other methods if you deem that necessary. I will implement some setters for the credentials, and then a method that mimics the behaviour of the getResultRowObject() method from Zend_Auth_Adapter_DbTable. I added this extra functionality, because that will make it easier to process everything in the CB_User class. I have overdone myself documenting all the code, so I won’t explain it in depth anymore. If you are considering using this code, please replace all references to CB_application with your own code.

/**
 * CB_Auth_Adapter_Chap class
 *
 * @author Tom Van Herreweghe
 */
 
class CB_Auth_Adapter_Chap implements Zend_Auth_Adapter_Interface {
    private $_username = '';
    private $_signature = '';
    private $_challenge = '';
 
    private $_data = null;
 
    /**
     * Set the username
     *
     * @param string $username
     */
    public function setUsername($username){
        $this->_username = $username;
        return $this;
    }
 
    /**
     * Set the challenge, used to calculate the signature
     *
     * @param string $challenge
     */
    public function setChallenge($challenge){
        $this->_challenge = $challenge;
        return $this;
    }
 
    /**
     * Set the client-side calculated signature
     *
     * @param string $signature
     */
    public function setSignature($signature){
        $this->_signature = $signature;
        return $this;
    }
 
    /**
     * Authenticate the user
     *
     * @return Zend_Auth_Result
     */
    public function authenticate(){
        // First, we need to retrieve the data, associated with the given username.
        // The password will be decrypted for later use:
        $table = new CB_Table_Users();
        $select = $table->select()->from(CB_application::getInstance()->getTablePrefix("cb") . "users",array("id","username","email",CB_application::getInstance()->getDbAdapter()->quoteInto("AES_DECRYPT(password,?) AS password",CB_application::getInstance()->getKey())));
        $select->where("username = ?",$this->_username)->where("active = 1");
        $result = $table->fetchAll($select);
 
        $authenticated = false;
        // If we found a match, verify the other credentials
        if (count($result) == 1){
            $password = $result[0]->password;
            $this->_data = $result[0]->toArray(); // store the database data locally
 
            // Compare calculated signature with given signature:
            $calcSignature = md5(md5($password) . $this->_challenge);
 
            // if the given signature and the calculated signature match, the user is authenticated:
            $authenticated = ($calcSignature == $this->_signature);
        }
        // We prefill the authentication result with a FAILURE
        $authResult = Zend_Auth_Result::FAILURE_UNCATEGORIZED;
        $authMessages = array();
        if ($authenticated){
            // user is authenticated, overwrite the auth result:
            $authResult = Zend_Auth_Result::SUCCESS;
        } else {
            // Couldn't authenticate the user, set a message:
            $authMessages[] = 'Login failed';
        }
        // return the result:
        return new Zend_Auth_Result( $authResult, $this->_username, $authMessages );
    }
 
    /**
     * Mimics (actually almost copies) the behaviour of the getResultRowObjec() from Zend_Auth_Adapter_DbTable
     *
     * @param array $returnColumns
     * @param array $omitColumns
     * @return stdClass
     */
    public function getResultRowObject($returnColumns = null, $omitColumns = null){
        // If no data is set, return false:
        if (!$this->_data) {
            return false;
        }
 
        $returnObject = new stdClass();
 
        if (null !== $returnColumns) {
            // Process only the specified columns:
 
            $availableColumns = array_keys($this->_data);
            foreach ( (array) $returnColumns as $returnColumn) {
                if (in_array($returnColumn, $availableColumns)) {
                    $returnObject->{$returnColumn} = $this->_data[$returnColumn];
                }
            }
            return $returnObject;
 
        } elseif (null !== $omitColumns) {
            // Process all columns, except the ones specified:
 
            $omitColumns = (array) $omitColumns;
            foreach ($this->_data as $resultColumn => $resultValue) {
                if (!in_array($resultColumn, $omitColumns)) {
                    $returnObject->{$resultColumn} = $resultValue;
                }
            }
            return $returnObject;
 
        } else {
            // Process all columns, without restrictions:
 
            foreach ($this->_data as $resultColumn => $resultValue) {
                $returnObject->{$resultColumn} = $resultValue;
            }
            return $returnObject;
        }
    }
}

The puzzle is almost complete now. Let’s put the pieces together in the CB_User class:

/**
 * CB_User class
 *
 * @author Tom Van Herreweghe
 */
 
class CB_User {
    private $data = array();
 
    /**
     * Getter magical function to get properties
     *
     * @param string $key
     * @return mixed
     */
    public function __get($key){
        if (array_key_exists($key,$this->data)){
            return $this->data[$key];
        }
        throw new Exception("Unknown property '{$key}'");
    }
 
    /**
     * Setter magical function to set properties
     *
     * @param string $key
     * @param mixed $value
     */
    public function __set($key,$value){
        $allowed = array("id","username","email");
        if (in_array($key,$allowed)){
            $this->data[$key] = $value;
        }
    }
 
    /**
     * Authenticate a user via credentials
     * The amount of parameters is variable, and are therefore not explicitly declared
     *
     * @return Zend_Auth_Result
     */
    public static function authenticate(){
        // Get all the arguments:
        $args = func_get_args();
        // Initialize an authAdapter, but set it to null
        $authAdapter = null;
 
        if (count($args) == 2){
            // 2 arguments: We assume they are username & password. This means regular authentication
            $authAdapter = new Zend_Auth_Adapter_DbTable(
                CB_application::getInstance()->getDbAdapter(), // This returns an instance of a database adapter
                CB_application::getInstance()->getTablePrefix("cb").'users', // this will return a prefix, defined in a config.
                'username',
                'password'
            );
            // set the necessary credentials
            $authAdapter
                ->setIdentity($args[0])
                ->setCredential($args[1])
                ->setCredentialTreatment("AES_ENCRYPT(?, '".CB_application::getInstance()->getKey()."') AND active = 1");
                // CredentialTreatment says we'll use AES_Encrypt to encrypt the given password, and the user must be active.
                // CB_application::getInstance()->getKey() returns a predefined key from a config file.
        }
        if (count($args) == 3){
            // 3 arguments: We assume username, challenge and signature. This means custom digest authentication
 
            // Here, we use our custom created CB_Auth_Adapter_DbTable:
            $authAdapter = new CB_Auth_Adapter_Chap(
                    CB_application::getInstance()->getDbAdapter(),
                    CB_application::getInstance()->getTablePrefix("cb").'users',
                    'username',
                    'password'
            );
            // set the necessary credentials:
            $authAdapter
                ->setUsername($args[0])
                ->setChallenge($args[1])
                ->setSignature($args[2]);
        }
 
        if (is_null($authAdapter)){
            throw new Exception("No authAdapter specified. Please check all the arguments");
        }
 
        // Zend_Auth will now try to authenticate, using our auth adapter:
        $result = Zend_Auth::getInstance()->authenticate($authAdapter);
 
        if($result->isValid()) {
            /*
             * When authentication is succesfull, we will write an instance of CB_User to the storage
             * Later on, when we want to know which user is authenticated, we will retrieve this CB_User from the storage
             * This all hapens quite transparently via regular Zend Framework code
             */
 
            // get the resulting line from the database, except the "password" column:
            $data = $authAdapter->getResultRowObject(null,'password');
            // retrieve an an instance of CB_User via the user id:
            $user = self::getInstance($data->id);
            // write our CB_User object to the storage of Zend_Auth
            // Zend_Auth::getInstance()->getIdentity() will return that CB_User object
            Zend_Auth::getInstance()->getStorage()->write($user);
        }
        // Return the Zend_Auth result:
        return $result;
    }
 
    /**
     * Return an instance of the CB_User class, via the user_id
     *
     * @param int $user_id
     * @return CB_User
     */
    public static function getInstance($user_id){
        $table = new CB_Table_Users();
        $select = $table->select()->from(CB_application::getInstance()->getTablePrefix("cb") . "users",array("id","username","email"));
        $select->where("id = ?",$user_id)->where("active = 1");
        $result = $table->fetchRow($select);
 
        if (!is_null($result)){
            return self::factory($result);
        }
        throw new Exception("No user found");
    }
 
    /**
     * Transform the raw data from the database into a CB_User object
     *
     * @param Zend_Db_Table_Row $data
     * @return CB_User
     */
    public static function factory($data){
        if (is_a($data,"Zend_Db_Table_Row")){
            $user = new CB_User();
            $user->id       = $data->id;
            $user->username = $data->username;
            $user->email    = $data->email;
            return $user;
        }
        throw new Exception("Wrong datatype for the CB_User::factory() method");
    }
}

Now that we have written our classes, we want to use them. Mind you, this is just a demonstration. We will first log the user in via the CHAP method, then we do a logout, and then we log the user in via the regular method.:

class IndexController extends Zend_Controller_Action{
    public function indexAction() {
        $this->getHelper("Layout")->disableLayout();
        $this->getHelper("ViewRenderer")->setNoRender();
 
        // Verify if we aren't logged in yet
        if (Zend_Auth::getInstance()->hasIdentity()){
            // Oops, we were still logged in from a previous demonstration..
            // Let's log out:
            Zend_Auth::getInstance()->clearIdentity();
        }
        // Alright, at this point we're not logged in.. Let's proceed:
 
        $challenge = 'challenge'; // <- this should be a random string
        $password = 'password';
        // Calculate the signature:
        $signature = md5(md5($password) . $challenge);
        // Authenticate via CHAP:
        $result = CB_User::authenticate('test',$challenge,$signature);
        // Show the result
        print_r(Zend_Auth::getInstance()->getIdentity());
 
        // Logout again for another demonstration:
        Zend_Auth::getInstance()->clearIdentity();
        // Lets try the other authentication method:
        $result = CB_User::authenticate('test',$password);
        print_r(Zend_Auth::getInstance()->getIdentity());
        die("demonstration is over !");
        }
}

That’s it for now. We have completed a first part of a framework: create a User class, and allow a user to authenticate. Right now, we can’t do much with it yet, but it will come in handy. We still need a way of registering users, but most importantly, we have to determine what that user can do now that he’s logged in. I will write about that in another blog post about Zend_ACL.

Tom's Blog » codebase

Leveraging Zend_Auth for building your authentication