I will soon have to build user authentication, so when I stumbled upon this review I decided to copy it here for future reference.
The review is fairly long and sits under the cut; to begin with, from the same source, here are the requirements for the most ideal authentication library:

  • Tiny footprint with optional test implementation
  • Full documentation
  • No autoloading required. Just-in-time loading of libraries for performance
  • Language file support; no hard-coded strings
  • reCAPTCHA supported but optional
  • Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
  • Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
  • Login using either username or email
  • Separation of user and profile data
  • Emails for activation and lost passwords
  • Automatic cookie login feature
  • Configurable phpass for hashing (properly salted of course!)
  • Hashing of passwords
  • Hashing of autologin codes
  • Hashing of lost password codes
  • Hooks into CI’s validation system
  • NO security questions!
  • Enforced strong password policy server-side, with optional client-side (Javascript) validator
  • Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
  • All database access done through prepared (bound) statements!
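The "hashing of autologin codes" requirement above (and the DX Auth dealbreaker of storing the autologin key in plaintext, further down) is illustrated by this added example, which is my own code and not taken from any of the reviewed libraries; it assumes an in-memory array in place of the database table and SHA-256 as the storage hash for the random token.

```php
<?php
// Added example (not from the reviewed libraries): a "remember me" store that
// keeps only a hash of the autologin secret, so a leaked users table does not
// hand out working cookies. The in-memory array stands in for a DB table.
final class AutologinStore
{
    /** @var array<string, array{user_id:int, validator_hash:string, expires:int}> */
    private array $rows = [];

    // Issue a cookie value "selector:validator". The selector is a plain lookup
    // key; the validator is the secret, and only its SHA-256 hash is stored.
    public function issue(int $userId, int $ttlSeconds = 2592000): string
    {
        $selector  = bin2hex(random_bytes(9));   // 18 hex chars, non-secret lookup key
        $validator = bin2hex(random_bytes(32));  // 256 bits of entropy: the secret
        $this->rows[$selector] = [
            'user_id'        => $userId,
            'validator_hash' => hash('sha256', $validator),
            'expires'        => time() + $ttlSeconds,
        ];
        return $selector . ':' . $validator;
    }

    // Return the user id for a valid cookie, or null. A fast hash is fine here
    // because the validator is long and random (unlike a password, which needs
    // phpass / password_hash); hash_equals avoids a timing side channel.
    public function verify(string $cookie): ?int
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;
        }
        $row = $this->rows[$parts[0]];
        if ($row['expires'] < time() ||
            !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
            unset($this->rows[$parts[0]]);  // expired or tampered: drop the row
            return null;
        }
        return $row['user_id'];
    }

    // Called on logout: once the hashed row is gone the cookie is useless.
    public function revoke(string $cookie): void
    {
        unset($this->rows[explode(':', $cookie, 2)[0]]);
    }
}

$store  = new AutologinStore();
$cookie = $store->issue(42);          // value to put in the HttpOnly cookie
var_dump($store->verify($cookie) === 42);
```

The same split applies to lost-password codes from the requirements list: mail the random value to the user, store only its hash, and compare with hash_equals.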

And here is the review itself:

DX Auth

Pros

  • Very full featured
  • Medium footprint (25+ files), but manages to feel quite slim
  • Excellent documentation, although some is in slightly broken English
  • Language file support
  • reCAPTCHA supported
  • Hooks into CI’s validation system
  • Activation emails
  • Unactivated accounts auto-expire
  • Suggests grc.com for salts (not bad for a PRNG)
  • Banning with stored ‘reason’ strings
  • Simple yet effective error handling

Cons

  • Only lets users ‘reset’ a lost password (rather than letting them pick a new one upon reactivation)
  • Homebrew pseudo-event model - good intention, but misses the mark
  • Two password fields in the user table, bad style
  • Uses two separate user tables (one for ‘temp’ users - ambiguous and redundant)
  • Uses potentially unsafe md5 hashing
  • Failed login attempts only stored by IP, not by username - unsafe!
  • Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
  • Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
  • Includes a native (poor) CAPTCHA
  • reCAPTCHA function interface is messy

FreakAuth Light

Pros

  • Very full featured
  • Mostly quite well documented code
  • Separation of user and profile data is a nice touch
  • Hooks into CI’s validation system
  • Activation emails
  • Language file support
  • Actively developed

Cons

  • Feels a bit bloated (50+ files)
  • And yet it lacks automatic cookie login (!)
  • Doesn’t support logins with both username and password
  • Seems to have issues with UTF-8 characters
  • Requires a lot of autoloading (impeding performance)
  • Badly micromanaged config file
  • Terrible View-Controller separation, with lots of program logic in views and output hard-coded into controllers. Dealbreaker!
  • Poor HTML code in the included views
  • Includes substandard CAPTCHA
  • Commented debug echoes everywhere
  • Forces a specific folder structure
  • Forces a specific Ajax library (can be switched, but shouldn’t be there in the first place)
  • No max limit on login attempts - VERY unsafe! Dealbreaker!
  • Hijacks form validation
  • Uses potentially unsafe md5 hashing

pc_user

Pros

  • Good feature set for its tiny footprint
  • Lightweight, no bloat (3 files)
  • Elegant automatic cookie login
  • Comes with optional test implementation (nice touch)

Cons

  • Uses the old CI database syntax (less safe)
  • Doesn’t hook into CI’s validation system
  • Kinda unintuitive status (role) system (indexes upside down - impractical)
  • Uses potentially unsafe sha1 hashing

Fresh Powered

Pros

  • Small footprint (6 files)

Cons

  • Lacks a lot of essential features. Dealbreaker!
  • Everything is hard-coded. Dealbreaker!

Redux

Pros

  • Tiny footprint, no bloat (3 files)
  • Excellent documentation
  • Database normalized to 3rd normal form (nice touch)
  • Activation emails
  • Sleek coding style
  • Suggests grc.com for salts (not bad for a PRNG)

Cons

  • Requires autoloading (impeding performance)
  • Return types are a bit of a hodgepodge of true, false, error and success codes
  • Doesn’t hook into CI’s validation system
  • Doesn’t allow a user to resend a ‘lost password’ code

SimpleLoginSecure

Pros

  • Tiny footprint (4 files)
  • Minimalistic, absolutely no bloat
  • Uses phpass for hashing (excellent)

Cons

  • Only login, logout, create and delete
  • Lacks a lot of essential features. Dealbreaker!
  • More of a starting point than a library
