Added dbAuth middleware

mevdschee · mevdschee · commit 6593d38ade0f · 2019-07-11T02:38:23.000+02:00
diff --git a/README.md b/README.md
@@ -173,6 +173,11 @@ You can tune the middleware behavior using middleware specific configuration par
 - "ajaxOnly.excludeMethods": The methods that do not require AJAX ("OPTIONS,GET")
 - "ajaxOnly.headerName": The name of the required header ("X-Requested-With")
 - "ajaxOnly.headerValue": The value of the required header ("XMLHttpRequest")
+- "dbAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "dbAuth.usersTable": The table that is used to store the users in ("users")
+- "dbAuth.usernameColumn": The users table column that holds usernames ("username")
+- "dbAuth.passwordColumn": The users table column that holds passwords ("password")
+- "dbAuth.returnedColumns": The columns returned on successful login, empty means 'all' ("")
 - "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "jwtAuth.header": Name of the header containing the JWT token ("X-Authorization")
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
@@ -635,13 +640,48 @@ The GeoJSON functionality is enabled by default, but can be disabled using the "
 
 ### Authentication
 
-Authentication is done by means of sending a "Authorization" header. It identifies the user and stores this in the `$_SESSION` super global. 
+Currently there are three types of authentication supported. They all store the authenticated user in the `$_SESSION` super global.
 This variable can be used in the authorization handlers to decide wether or not sombeody should have read or write access to certain tables, columns or records.
-Currently there are two types of authentication supported: "Basic" and "JWT". This functionality is enabled by adding the 'basicAuth' and/or 'jwtAuth' middleware.
+The following overview shows the kinds of authentication middleware that you can enable.
+
+| Name     | Middleware | Authenticated via      | Users are stored in | Session variable      |
+| -------- | ---------- | ---------------------- | ------------------- | --------------------- |
+| Database | dbAuth     | '/login' endpoint      | Database table      | $_SESSION['user']     |
+| Basic    | basicAuth  | 'Authorization' header | '.htpasswd' file    | $_SESSION['username'] |
+| JWT      | jwtAuth    | 'Authorization' header | identity provider   | $_SESSION['claims']   |
+
+Below you find more information on each of the authentication types.
+
+#### Database authentication
+
+The database authentication middleware defines two new routes:
+
+    method path       - parameters               - description
+    ----------------------------------------------------------------------------------------
+    POST   /login     - username + password      - logs a user in by username and password
+    POST   /logout    -                          - logs out the currently logged in user
+
+A user can be logged in by sending it's username and password to the login endpoint (in JSON format).
+The authenticated user (with all it's properties) will be stored in the `$_SESSION['user']` variable.
+The user can be logged out by sending a POST request with an empty body to the logout endpoint.
+The passwords are stored as hashes in the password column in the users table. To generate the hash value
+for the password 'pass2' you can run on the command line:
+
+    php -r 'echo password_hash("pass2", PASSWORD_DEFAULT)."\n";'
+
+It is IMPORTANT to restrict access to the users table using the 'authorization' middleware, otherwise all 
+users can freely add, modify or delete any account! The minimal configuration is shown below:
+
+    'middlewares' => 'dbAuth,authorization',
+    'authorization.tableHandler' => function ($operation, $tableName) {
+        return $tableName != 'users';
+    },
+
+Note that this middleware uses session cookies and stores the logged in state on the server.
 
 #### Basic authentication
 
-The Basic type supports a file that holds the users and their (hashed) passwords separated by a colon (':'). 
+The Basic type supports a file (by default '.htpasswd') that holds the users and their (hashed) passwords separated by a colon (':'). 
 When the passwords are entered in plain text they fill be automatically hashed.
 The authenticated username will be stored in the `$_SESSION['username']` variable.
 You need to send an "Authorization" header containing a base64 url encoded and colon separated username and password after the word "Basic".
diff --git a/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
@@ -45,8 +45,14 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             $passwordColumnName = $this->getProperty('passwordColumn', 'password');
             $passwordColumn = $table->getColumn($passwordColumnName);
             $condition = new ColumnCondition($usernameColumn, 'eq', $username);
-            $columnNames = $table->getColumnNames();
-            $users = $this->db->selectAll($table, $columnNames, $condition, [], 0, -1);
+            $returnedColumns = $this->getProperty('returnedColumns', '');
+            if (!$returnedColumns) {
+                $columnNames = $table->getColumnNames();
+            } else {
+                $columnNames = array_map('trim', explode(',', $returnedColumns));
+                $columnNames[] = $passwordColumnName;
+            }
+            $users = $this->db->selectAll($table, $columnNames, $condition, [], 0, 1);
             foreach ($users as $user) {
                 if (password_verify($password, $user[$passwordColumnName]) == 1) {
                     if (!headers_sent()) {
@@ -63,7 +69,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             if (isset($_SESSION['user'])) {
                 $user = $_SESSION['user'];
                 unset($_SESSION['user']);
-                session_destroy();
+                if (session_status() != PHP_SESSION_NONE) {
+                    session_destroy();
+                }
                 return $this->responder->success($user);
             }
             return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
diff --git a/src/index.php b/src/index.php
@@ -10,6 +10,10 @@
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
     'database' => 'php-crud-api',
+    'middlewares' => 'dbAuth,authorization',
+    'authorization.tableHandler' => function ($operation, $tableName) {
+        return $tableName != 'users';
+    },
 ]);
 $request = RequestFactory::fromGlobals();
 $api = new Api($config);
diff --git a/tests/config/base.php b/tests/config/base.php
@@ -6,6 +6,7 @@
     'controllers' => 'records,columns,cache,openapi,geojson',
     'middlewares' => 'cors,dbAuth,jwtAuth,basicAuth,authorization,validation,ipAddress,sanitation,multiTenancy,pageLimits,joinLimits,customization',
     'dbAuth.mode' => 'optional',
+    'dbAuth.returnedColumns' => 'id,username,password',
     'jwtAuth.mode' => 'optional',
     'jwtAuth.time' => '1538207605',
     'jwtAuth.secret' => 'axpIrCGNGqxzx2R9dtXLIPUSqPo778uhb8CA0F4Hx',
diff --git a/tests/functional/002_auth/003_db_auth.log b/tests/functional/002_auth/003_db_auth.log
@@ -13,9 +13,9 @@ Content-Type: application/json
 ===
 200
 Content-Type: application/json
-Content-Length: 43
+Content-Length: 27
 
-{"id":2,"username":"user2","location":null}
+{"id":2,"username":"user2"}
 ===
 GET /records/invisibles/e42c77c6-06a4-4502-816c-d112c7142e6d
 ===
@@ -48,9 +48,9 @@ POST /logout
 ===
 200
 Content-Type: application/json
-Content-Length: 43
+Content-Length: 27
 
-{"id":2,"username":"user2","location":null}
+{"id":2,"username":"user2"}
 ===
 GET /records/invisibles/e42c77c6-06a4-4502-816c-d112c7142e6d
 ===
