ErkanaAuth Version 2.0a

February 4th, 2010

In November 2007 I released an authentication library for CodeIgniter named ErkanaAuth. It was very simple to use since it just provided a few methods to make authentication simpler for you – it didn’t hijack the entire process. The post announcing that library, and the code, has long since been lost but you can still read the original post thanks to Archive.org’s Wayback machine.

Recently, I’ve taken on a personal project of a rather grand-scale and have started factoring out the authentication logic into a library of it’s own, which I am referring to as ErkanaAuth 2.0. I am now releasing the library in its current state which is vastly unfinished! Nonetheless, I would love to hear your thoughts on the direction the library is headed and features you would like to see.

I don’t think I can reiterate this enough at this point in time, this is hardcore alpha – I should have called this ErkanaAuth Version 2.0ha-dont-fucking-use-me-in-production-code. I mean, in theory you could use this, and if its a library you want to use in future applications I strongly encourage you to give it a go. The authentication mechanism is secure but the library as a whole is sorely lacking in features at this point and is pretty hard-coded to a strict environment.

Features

Authentication via username or email address and password.
Account creation using username or email address as unique identifier.
Locking of controllers/methods to logged-in users in one line.
Passwords are hashed with a salt prior to storing in the database.
User token stored in session is a hashed representation of the user’s ID and their password hash. Encrypting the session cookie via CodeIgniter’s config/config.php file adds another layer of security against altered session data.

Planned Features

Exponential delay on failed login attempts.
Group-based authorization system.
Require email validation on account creation.
Optional Captcha on account creation.
Linking of Facebook / Twitter authentication to Erkana Auth Account.
Forgotten password resets.
Extensive account API for building of authentication administration panels.
Extensive group API for building of authorization administration panels.

Installation

The downloadable package includes a number of directories and files within those directories. It is advised to extract the archive in a temporary location, ensure there are no naming conflicts with your current application and then move the directories into your CodeIgniter application’s directory. The most common naming conflict will be with the models/account.php file. The list of files included are:

helpers/erkana_auth_helper.php
language/english/erkana_auth_lang.php
libraries/Erkana_auth.php
models/account.php
sql/1-create_accounts_email.sql
sql/1-create_accounts_username.sql

After installing the library within your application directory you must decide whether your application will authenticate based on username/password or email/password and run the correct SQL file on your database schema. This file will create a table named accounts, the statement run by sql/1-create_accounts_email.sql is:

CREATE TABLE IF NOT EXISTS `accounts` ( `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, `email` varchar(120) NOT NULL, `password_hash` varchar(40) NOT NULL, `salt` varchar(7) NOT NULL, `last_login` timestamp NOT NULL DEFAULT ’0000-00-00 00:00:00′, `created_on` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

If you run sql/1-create_accounts_username.sql the following statement will be executed:

CREATE TABLE IF NOT EXISTS `accounts` ( `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, `username` varchar(20) NOT NULL, `password_hash` varchar(40) NOT NULL, `salt` varchar(7) NOT NULL, `last_login` timestamp NOT NULL DEFAULT ’0000-00-00 00:00:00′, `created_on` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

Usage

ErkanaAuth aims to be as simple as possible in its usage. As of this version, this is primarily due to the limited scope of its functionality, but the overall feel for the library will differ as little as possible from what can be seen as of now. Many of the limitations on the library (i.e., strict naming of form fields) will be corrected as development continues.

ErkanaAuth does not assist in the creation of any front-end related code (i.e., user registration forms, login forms) at this time. ErkanaAuth simply provides a powerful set of methods to be used within your controllers to assist in getting an authentication system up and running as quickly as possible. Additionally, there is a helper function to display useful error messages to your users for invalid form submissions.

Creating a User

The create_account() method accepts a single string parameter of either email (default) or username, which should reflect the authentication mechanism you opted for during the installation and execution of the SQL file earlier. This method will return TRUE or FALSE if the user was created and can be used similarly as to how the standard form_validation library is used.

The library currently requires the following form fields to be present with the corresponding rulesets:

email: Only if you select the email authentication mechanism (required|max_length[120]|valid_email|trim)
username: Only if you select the username authentication mechanism (required|min_length[4]|max_length[20]|trim)
password: Always required (required|matches[passwordconf])
passwordconf: Always required (required)

The controller method that displays and processes your account creation form should call the create_account() method and redirect on TRUE, otherwise loading the view file that contains your account creation form. In the following example, the user is redirected to accounts/index() which would display our login form.

// create() // Creates a user function create() { if ($this->erkana_auth->create_account(‘email’)) { redirect(‘accounts’); }

$this->load->view(‘accounts/create’); }

Validating a User’s Login Credentials

The validate_login() method accepts a single string parameter of either email (default) or username, which should reflect the authentication mechanism you opted for during the installation and execution of the SQL file earlier. This method will return TRUE or FALSE if the credentials are valid and can be used similarly as to how the standard form_validation library is used.

The library currently requires the following form fields to be present:

email: Only if you select the email authentication mechanism
username: Only if you select the username authentication mechanism
password: Always required

The controller method that displays and processes your login form should call the validate_login() method and redirect on TRUE, otherwise loading the view file that contains your login form. In the following example, the user is redirected to announcements/index() which would display a “dashboard” like page and only be accessible to logged in users.

// index() // Displays the login screen function index() { if ($this->erkana_auth->validate_login(‘email’)) { redirect(‘announcements’); }

$this->load->view(‘accounts/index’); }

Validating a User’s Logged-in Status at Page Load

The required() method provides a simple, one-line, way to validate a user’s session and ensure the user is logged into a valid account. This line should be placed within the constructor of any controller class you would like to complete protect or as the first line of a method you would like to protect. The following example is a controller named Announcements that currently only has its index() method protected. Any other methods added to this controller would not be protected without either moving the required() method to the constructor or placing a call to the required() method within the controller methods themselves.

class Announcements extends Controller { function Announcements() { parent::Controller(); } // index() // List of announcements function index() { $this->erkana_auth->required(); echo ‘Logged in’; }

}

Displaying Errors on Invalid Form Submissions

The library includes a helper with the function authentication_errors() to assist in displaying errors upon form submission. This function will return all errors, delimited by a . If there are no errors, NULL is returned. In the following example, we are displaying a login form that will display errors at the top of the form if any exist from prior submission attempts:

Your email address: Your password:

Technical Details

During account creation an alphanumeric string is randomly generated to serve as the user’s salt. This salt is then hashed with the user’s password and the resulting hash is stored in the database to validate against.

On a login attempt, the database is queried for a record based on your authentication mechanism (email or username). That record is then compared against the user submitted data for validation. On a successful validation, session variables are stored consisting of the record’s id and a hash of the record’s id field and password_hash field.

When a user visits a protected page the session is first checked for the variables that are set by a successful login. If these session variables exist, the database is queried for the record identified. If this record exists, the session is further validated by comparing the stored hash of the record’s id and password_hash with the data that is stored in the record.

Download

Erkana Auth 2.0a is available for download. At this early stage of development a version control repository has not been made publicly available. In the future, Subversion and Git repositories will be made available.

License

ErkanaAuth 2.0a is licensed under the BSD License as defined by the Human-Readable Creative Commons Deed.

Filed in CodeIgniter, Projects

17 Comments »

17 Responses to “ErkanaAuth Version 2.0a”

bjorn Says:
February 5th, 2010 at 2:58 am
Micheal, this looks like a really good contribution to the CI community .. I like that you have created something that is lightweight and discoupled from any kind of backend (ie. an user/group administration) – but still provided an API for others to build this.

Also, great choice of license. I’ve been looking for something that could be the defacto user lib for CI, but have a hard time finding one since they’re all GPL!

Haven’t played around with this yet – but does it support roles/rights? Ie. assigning rights to groups and then checking for specific rights (not just logged in status).
Michael Wales Says:
February 5th, 2010 at 7:30 am
@bjorn:
At this point in time it does not support roles/rights but there will be a role-based system implemented in the future in addition to an authorization layer (authentication means who are you, authorization means are you allowed to access this resource).
bjorn Says:
February 7th, 2010 at 8:39 am
Great Michael, I’ll play around with it one of these days. You should put it up on github btw!
biojazzard Says:
February 13th, 2010 at 5:20 am
Great work!
I followed your great posts in the forum, serious approach!!.
Will Wilkins Says:
March 27th, 2010 at 11:42 pm
Michael, I’m glad to see you continuing development on ErkanaAuth.

I did notice one issue in your 1-create_accounts_username.sql file:

UNIQUE KEY `email` (`email`)

Should be:

UNIQUE KEY `username` (`username`)
Michael Wales Says:
March 28th, 2010 at 9:33 am
@Will Thanks for pointing that out, I’ll get it fixed and loaded up in the BitBucket.org repository soon.
Patrick Allmond Says:
April 1st, 2010 at 1:06 pm
On my site (above) I already have an existing method to get users signed up with email and hashed password. But I have not session/login/logout mgmt yet.

Would this be easy to interface to an existing users table?
Michael Wales Says:
April 1st, 2010 at 2:37 pm
@Patrick
Yep – super easy. The only thing Erkana requires is an id field and either a username or email field.
vecima Says:
April 27th, 2010 at 10:22 am
Hey Michael, I’m a big fan of Erkanaauth, and I have to say that I find 2.0 much more easy to wrap my head around.

I realize that alpha code shouldn’t be used in production, but I have a client for whom which security was a secondary concern to just getting the website online (there is no personal data, no financial data or transactions – purely product / location information). I made an admin controller so he could log in and maintain that information himself, and included a very rudimentary login system that wasn’t very secure. Security isn’t my strong point, and with smart guys like you inventing the wheel (or maybe in the case of erkana the “zen” of the wheel), I’m happy to use a library, so long as it’s demonstrably secure.

I guess my question is this: would using erkana 2.0 on a production site be the lesser evil to my hackneyed attempt at security? you seem to cover many more of the bases than my attempt did anyway.

Also, how long / how far away, until you post that you’re happy with the code, and it’s got the stamped seal of approval for use in production code?
Michael Wales Says:
April 27th, 2010 at 10:44 am
@vecima
There is nothing inherently wrong or insecure in this release, so I would say you will be okay in using it. My concern simply lies in the fact that it has not been tested much and it could, potentially, have bugs. It’s also not very configurable at the moment, locking you into a very specific set of ideas (controller naming, etc.) but this is easily changed within the library files themselves.

Keep an eye on the BitBucket repository for future development.
vecima Says:
April 27th, 2010 at 10:57 am
Thanks for the quick reply. Luckily in my case I don’t need a feature rich authentication system. Just a simple, secure login that I can easily fit into my existing site – and you’ve already provided that! In the time since my first post I’ve gotten it working on my localhost. I’ll probably go production later tonight.

Thanks again!

(ps – just noticed the phrase “whom which” in my first post… I don’t know what a whom which is, but it sounds delicious!)
vecima Says:
April 27th, 2010 at 12:36 pm
I don’t mean to spam up the place, but I thought I’d let you know that I implemented a get_identifer (to return the email or username) and a change_password method. I posted about it here:
http://codeigniter.com/forums/viewthread/144518/

Also, I’m not sure if it’s a bug or just something up with the way I’m using ErkanaAuth, but I have a library called Auth_wrapper that loads ErkanaAuth, and the first time I tried to log in, I got an error about a call on an undefined object in validate_login. I added a check that the CI_Session class exists (as you did in other methods) and it seems to have fixed it:

if (!class_exists(‘CI_Session’)) {
$this->CI->load->library(‘session’);
}
Michael Wales Says:
April 27th, 2010 at 4:49 pm
@vecima
Glad to see your contributions to the library! If you use Mercurial and have a BitBucket account, it would be great if you could fork the project, commit your changes and send me a pull request. This is the easiest way for me to accept and vet community contributions.
vecima Says:
April 27th, 2010 at 5:50 pm
haha, I’d consider it an honor to contribute something to ErkanaAuth! I don’t have any of the accounts you mentioned, but I’ll look into ‘em. I need to roll out the security update for the client I mentioned earlier tonight, but I’ll definitely look into it in the next couple days.
Jason H Says:
April 30th, 2010 at 9:39 pm
Love it man, keep up the good work. A solid, well thought out auth library for CodeIgniter will help it go far!
Nick Jennings Says:
May 2nd, 2010 at 4:28 pm
Hi Michael,

Many thanks for the work! I’ve got a small project I’m working on at the moment, and didn’t want to go for something too crazy with features. A simple “in or out” authentication mechanism (aka. Erkana auth) is just what I needed!

I had a problem however, where the Erkana_auth library was referring to $this->CI->account (and throwing an error), capitalizing ‘Account’ wherever the the load->model was called, and references to $this->CI->Account seemed to fix everything. I’m a bit curious why I got this problem and no one else seemed to mention it above

Other than that, was just wondering why there is no logout library method? seems like it would be as simple as a call to $this->CI->session->unset_userdata() – or would this somehow be a bad idea?

Is there somewhere I should be checking for newer releases? I haven’t taken the plunge into mercurial yet, and still prefer downloading “releases” – do you make regular release of erkanaauth?

Thanks again for your lightweight authentication library. I’ve been thinking of releasing a CI library of my own and plan to use yours as an example.
Michael Wales Says:
May 2nd, 2010 at 9:42 pm
@Nick
Your issue sounds like a Linux vs. Windows issue with capatilization (Linux views capitals as a different character than lowercase). This is probably an issue with the model and I will look into whether this is inherent to ErkanaAuth itself, or release a number of guidances if it is a user-generated error.

I will continue to issue releases here on the blog but if you want the most up-to-date release, the BitBuck repository is the way to go.

Michael Wales