Download the PHP package taproot/authentication without Composer
On this page you can find all versions of the php package taproot/authentication. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download taproot/authentication
More information about taproot/authentication
Files in taproot/authentication
Package authentication
Short Description Makes adding indieauth login (client app) and token generation (server app) to your Silex/Symfony app as easy as it should be.
License MIT
Informations about the package authentication
Abandoned!
taproot/authentication is deprecated and no longer maintained. Future development will happen in the newer, more compatible and better tested taproot/indieauth
taproot/authentication
A library for quickly adding full-blown indieauth/web sign-in support to Silex/Symfony applications. Built on top of indieweb/indieauth-client.
Installation
Install using Composer:
./composer.phar require taproot/authentication:~0.1
Usage
taproot/authentication exposes two functions, which, given your Silex $app
, set up pre/post request handlers and return a route collection which you can mount wherever you like.
Both functions require several services on $app
:
url_generator
: a Symfony Routing UrlGeneratorInterface instance, e.g. one provided by a UrlGeneratorServiceProvider in Silex.encryption
: an object implementing two methods,string encrypt(mixed $data)
andmixed decrypt(string $token)
capable of encrypting and decrypting arbitrary data. Usually an instance of[Illuminate\Encryption\Encrypter](https://github.com/illuminate/encryption)
Both functions will optionally make use of the following services, but do not require them to function:
logger
: a PSR-3-compatible logging interface
Taproot\Authentication\client()
client()
implements the logic and routes required for users to log into your app using their domains, and optionally grant it permissions (e.g. to use micropub to post new content to their website).
It returns a RouteCollection ready to be mounted wherever you want, containing the following routes:
/login/
(indieauth.login) — POST to this URL with required “me” and optional “next” parameters to start the login process/authorize/
(indieauth.authorize) — the URL redirected to by the user’s authorization server after successful authorization. Checks details and sets remember-me cookie/logout/
(indieauth.logout) — POST to this URL (with optional “next” parameter) whilst logged in to log out, i.e. remove the remmeber-me cookies.
After a successful login, client()
sets a remember-me cookie on the user’s browser from which they can be identified in future requests. By default the contents of the cookie is just the array containing their information, encrypted, but if you wish to use another form of storage you can pass data -> cookie and cookie -> data functions to client()
, e.g.:
If the pre-request handler finds the remember-me cookie on a request, it turns it into an array of information about the current user and adds it to $request->attributes
under indieauth.client.token
.
This array will always have a me
property which is the URL the user signed in as. Additionally, depending on how the user signed in, whether or not they have a micropub endpoint, and what permissions they have granted you, it may have other properties.
This is how you would typically use the token in a controller:
To programatically log a user out, call $app['indieauth']->logoutResponse($response)
before sending the response.
client()
doesn’t require any services other than the ones detailed above, but defaults can be overridden by the following services:
indieauth.url
: if a user tries to log in but an authorization server can’t be found, fall back to using this server. Defaults to 'https://indieauth.com'indieauth.cookiename
: the name of the cookie used to remember the current user. _random will be appended to this for the random state persistance. Defaults to 'indieauth_token'.indieauth.cookielifetime
: the lifetime, in seconds, for indieauth remember-me cookies to last. Defaults to 60 days.indieauth.loginredirecturl
: if no “next” POST parameter is given on login attempts, redirect to this URL. If unset, redirects to$request->getHttpHost()
indieauth.clientid
: the string to use to identify this indieauth app. If unset, defaults to$request->getHttpHost()
indieauth.securecookie
: bool, whether or not to set the auth process and token cookies to HTTPS-only. Defaults to true, turn off only for development.
Taproot\Authentication\server()
server()
creates event handlers and routes implementing a token provider and resource server (i.e. micropub endpoint which client apps can make posts to on behalf of users).
The token endpoint only supports a single user logging in. Their URL must be defined in $app['owner']['url']
. It’s suggested to use $app['owner']
as a place for storing information about the site owner, and for authorization purposes e.g.
It returns a RouteCollection ready to be mounted wherever you want, with the following route:
/token/
(indieauth.token) — clients POST to this URL with a bunch of details, including encrypted state, to gain an access token.
During the authorization process, the server creates an access token for the client app, granting them certain permissions (scope). Then, when client apps make requests with the access token, a pre-request listener picks them up and annotates the $request
object with information about the user and client “logged in”.
Here’s how it would typically be used in a controller — for example, a micropub endpoint:
Much like client()
, by default server()
maps between access tokens and their data without saving them to persistant storage — the access token is simply an encrypted form of the array, which is then decrypted. This is very simple, but there are advantages to storing access token data persistently — for example, listing authorized apps and allowign them to be revoked.
You may define your own token -> data and data -> token functions in exactly the same way as with client()
:
Questions with answers
Can an app be both a client and a server?
Yes it can! In fact before this code was separated into client and server code when it was packaged up, the two shared the same route collection and before/after listeners. Simply mount + set up both route collections.
Can this be used outside of Silex?
It works best with silex but with some small modifications might be easily adapted to any project using Symfony HTTP Kernel — if you’re interested in getting this working, raise an issue.
Alternatively, take a look at indieweb/indieauth-client, Aaron Parecki’s excellent library of which taproot/authentication is merely a thin wrapper.
Contributions + Testing
Contributions (especially bug reports and security reviews) are greatly welcome! Please raise an issue here, or ping barnabywalters on the indiewebcamp IRC channel.
As of version 0.1.0, there’s only the stub of a test suite — I plan to write comprehensive functional tests using a mock app, but such things take time, and the code is already in daily use on waterpigs.co.uk.
Changelog
v0.1.0 2014-04-09
- Initial extraction from Taproot
- Split messy code into well-defined client app and resource server portions
- Initial documentation
- Stubbed test suite
All versions of authentication with dependencies
guzzle/guzzle Version *
psr/log Version *
symfony/routing Version ~2.3|3.0.*