Download the PHP package rsthn/rose-ext-sentinel without Composer
On this page you can find all versions of the php package rsthn/rose-ext-sentinel. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download rsthn/rose-ext-sentinel
More information about rsthn/rose-ext-sentinel
Files in rsthn/rose-ext-sentinel
Package rose-ext-sentinel
Short Description Sentinel Authentication Extension
License Apache-2.0
Informations about the package rose-ext-sentinel
Sentinel Authentication Extension
This extension adds user authentication features to Rose.
Database Structure
The following tables are required by Sentinel. Note that any of the tables below can be extended if desired, the columns shown are the required minimum.
Token Authorization
Whenever authorization via access tokens is desired (by setting auth_bearer
to true in the Sentinel configuration section), then add the following tables to your database as well:
Identifier Banning
Sentinel include support to blacklist identifiers that are trying to brute force the system. To use this feature check the sentinel:access-required
,sentinel:access-denied
and sentinel:access-granted
functions.
The following table is required for this feature:
Configuration Section: "Sentinel"
Field | Type | Description | Default |
---|---|---|---|
hash | string | Name of the hash algorithm to use (passed directly to PHP's hash function). | sha384 |
prefix | string | Password prefix (salt). | - |
suffix | string | Password suffix (salt). | - |
master | bool | Indicates if permission master should be added to all permissions checks. |
false |
auth_bearer | bool | When set to true , allows authentication via "Authorization: Bearer" header and enables the sentinel:authorize function. |
false |
auth_basic | bool | When set to true , allows authentication via "Authorization: Basic" header and automatically sends WWW-Authenticate header along with HTTP status 401 when authentication has not been completed. |
false |
token_permissions | bool | When set to true , permissions will be loaded from the token_permissions table instead of user_permissions when the user authenticates using a token. |
false |
Functions
(sentinel:password
\)
Calculates the hash of the given password and returns it. The plain password gets the suffix
and prefix
configuration fields
appended and prepended respectively before calculating its hash. The hash algorithm is set by the hash
configuration field.
(sentinel:status
)
Returns the authentication status (boolean) of the active session.
(sentinel:auth-required
)
Fails with error code 401
if the active session is not authenticated.
(sentinel:permission-required
\)
Verifies if the active session has the specified permissions. Fails with 401
if the session has not been authenticated, or with
403
if the permission requirements are not met. The permissions string contains the permission names OR-sets separated by pipe (|),
and the AND-sets separated by ampersand (&).
(sentinel:has-permission
\)
Verifies if the active session has the specified permissions. Returns boolean. The permissions string contains the permission
name sets (see sentinel:permission-required
).
(sentinel:case
\ \ ... [default \])
Checks the permissions of the active user against one of the case values. Returns the respective result or the default result if
none matches. If no default result is specified an empty string will be returned. Note that each case result should be a value
not a block. Each case string is a permission name set (see sentinel:permission-required
).
(sentinel:level-required
\)
Verifies if the active user meets the specified minimum permission level. The level is the permission_id divided by 100. Fails with 401
if the user has not been authenticated, or with 403
if the permission level requirements are not met.
(sentinel:has-level
\)
Verifies if the active user meets the specified minimum permission level. The level is the permission_id divided by 100. Returns boolean.
(sentinel:get-level
[username])
Returns the permission level of the active session user, or of the given user if username
is provided.
(sentinel:validate
\ \)
Verifies if the given credentials are valid, returns boolean.
(sentinel:login
\ \)
Verifies if the given credentials are valid, fails with 422
and sets the error
field accordingly. When successful, opens a session
and loads the user
field with the data of the user that has been authenticated.
Note that Sentinel will automatically run the login process (without creating a session) if the Authorization: BASIC data
header is detected
and the auth_basic
flag is enabled in the configuration.
When using Apache, the HTTP_AUTHORIZATION
header is not sent to the application, however by setting the following in your .htaccess
it
will be available for Sentinel to use it.
(sentinel:authorize
\ [persistent=false])
Checks if the auth_bearer
flag is set to true
in the Sentinel configuration and then verifies the validity of the token
and authorizes access. On errors return status code 422
and sets the error
field accordingly.
When successful, opens a session only if the persistent
flag is set to true
, and loads the user
field of the session
with the data of the user related to the token that was just authorized.
Note that Sentinel will automatically run the authorization process (without creating a session) if the Authorization: BEARER token
header is detected while auth_bearer
is enabled in the configuration.
(sentinel:token-id
)
Returns the token_id
of the active session or null
if the user is either not authenticated yet or the user
authenticated by other means without a token (i.e. regular login).
(sentinel:login-manual
\)
Starts a session and loads the specified data object into the user
session field, effectively creating (manually) an
authenticated session. If the data being placed in the session does not actually exist in the database, ensure to use only
the sentinel:auth-required
and sentinel:logout
functions in your API, all others that query the database will fail.
(sentinel:login-user
\)
Verifies if the user exist and forces a login without any password. Fails with 422
and sets the error
field
accordingly. When successful, opens a session and loads the user
field of the session with the data of the user
that was just authenticated.
(sentinel:logout
)
Removes authentication status from the active session. Note that this function does not remove the session itself, only
the authentication data related to the user. Use session:destroy
afterwards to fully remove the session completely.
(sentinel:reload
)
Reloads the active user's session data and permissions from the database.
(sentinel:access-required
\ [message])
Ensures the provided identifier is not either banned or blocked. Fails with status code 409
and with the default
error message if the message
parameter is not provided.
(sentinel:access-denied
\ [action='auto'] [wait-timeout=2] [block-timeout=30])
Registers an access-denied attempt for the specified identifier. Returns a string indicating the action taken for
the identifier, valid values are auto
, wait
, block
, or ban
.
(sentinel:access-granted
\ [unban=false])
Grants access to an identifier, calling this will reset the failed and blocked counters. A ban will continue
to be in effect unless the unban
parameter is set to true
.