I've been exploring this simple login mechanism used by Clint where he simply depends on the PHP session to authorize the user on every request made to PHP REST server. Alhamdulillah it solves my problem on how to authenticate user on BackboneJs apps (star or fork it here). But I still feel something is not right because when you are building the Ajax apps, you cannot simply authorize the session or cookie just like you usually do your traditional PHP apps. I read more about how to validate, authorize, authenticate, etc the AJAX apps.
Simply replace the code above. The snippet now will authenticate every request made to the server. Check this out in your debugger console.
Before user login
After login and request protected data
After spending time reading this, I thought Clint's apps lack of basic CSRF. So here is snippet to make your BackboneJs Apps more secure
Please refer to index.php file where you can see all the slim framework code, look for function name "login" and "authorize"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Quick and dirty login function with hard coded credentials (admin/admin) | |
| * This is just an example. Do not use this in a production environment | |
| */ | |
| function login() { | |
| if(!empty($_POST['email']) && !empty($_POST['password'])) { | |
| // normally you would load credentials from a database. | |
| // This is just an example and is certainly not secure | |
| if($_POST['email'] == 'admin' && $_POST['password'] == 'admin') { | |
| $user = array("email"=>"admin", "firstName"=>"Web", "lastName"=>"Scents", "token"=>base64_encode(openssl_random_pseudo_bytes(16))); | |
| $_SESSION['user'] = $user; | |
| echo json_encode($user); | |
| } | |
| else { | |
| $error = array("error"=> array("text"=>"You shall not pass...")); | |
| echo json_encode($error); | |
| } | |
| } | |
| else { | |
| $error = array("error"=> array("text"=>"Username and Password are required.")); | |
| echo json_encode($error); | |
| } | |
| } | |
| /** | |
| * Authorise function, used as Slim Route Middlewear (http://www.slimframework.com/documentation/stable#routing-middleware) | |
| */ | |
| function authorize() { | |
| return function () use ( $role ) { | |
| // Get the Slim framework object | |
| $app = Slim::getInstance(); | |
| // First, check to see if the user is logged in at all | |
| if(!empty($_SESSION['user'])) { | |
| if($_SESSION['user']['token'] == $_SERVER['HTTP_X_CSRF_TOKEN']) { | |
| //User is logged in and has the correct permissions... Nice! | |
| return true; | |
| } else { | |
| // If a user is logged in, but doesn't have permissions, return 403 | |
| $app->halt(403, 'ACCESS DENIED'); | |
| } | |
| } else { | |
| // If a user is not logged in at all, return a 401 | |
| $app->halt(401, 'PLEASE LOGIN FIRST'); | |
| } | |
| }; | |
| } |
Before user login
After login and request protected data
As for the front end, you will need to modify your login script by define the request header
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| login: function (event) { | |
| event.preventDefault(); // Don't let this button submit the form | |
| $('.alert').remove(); // Hide any errors on a new submit | |
| var url = './service/login'; | |
| $('.btn-login').button('loading'); | |
| var formValues = { | |
| email: $('#tEmail').val(), | |
| pwd: $('#tPwd').val() | |
| }; | |
| $.ajax({ | |
| url:url, | |
| type:'POST', | |
| dataType:"json", | |
| data: formValues, | |
| success:function (data) { | |
| if(data.error) { | |
| $('.alert').remove(); | |
| $('.login-wrap').prepend('<div class="alert alert-warning alert-dismissable"><button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button><strong>Warning!</strong> '+data.error.text+'</div>'); | |
| $('#tEmail').select().focus(); | |
| } else { | |
| $.ajaxSetup({ | |
| headers: {'X-CSRF-Token': data.token} | |
| }); | |
| Backbone.history.navigate("/", { trigger: true, replace: true }); | |
| } | |
| $('.btn-login').button('reset'); | |
| } | |
| }); | |
| } |
The flow with this approach may go something like this:
- The user navigates in their browser to the BackboneJs application
- The server returns a basic web page and a JavaScript application
- The JavaScript application can’t find an authentication token in the web site’s cookies
- The JavaScript application displays a login form
- The user enters correct login credentials and then submits the form
- The server validates the login information and creates an authentication token for the user
- The server sets the authentication token in a cookie/session and returns it to the JavaScript application
- The JavaScript application makes a request for some protected data, sending the authentication token in a custom header
- The server validates the token and then returns the data
2 comments:
Hi, thanx for showing this enhancement, just what I was looking for.
The synchronizer token should be inaccessible to other sites, that's why it should be in a cookie.
You put in in the $_SESSION in your PHP login script, and thus in a cookie.
However, you also send it in JSON to the browser in the user array. Should it not ONLY be sent in the cookie?
if your application often make use of ajax, then you should consider to place the token in the request header. It can help you to avoid other sites make abuse of your site.
If you have any other thought, perhaps you can share it here.
Thanks for your thoughts
Post a Comment