1 Topic by Jon Lebensold

  • Jon Lebensold
  • Administrator
  • Offline
  • Registered: 2009-06-27
  • Posts: 170

Topic: ZC44 – Logging in Users using Doctrine and Zend_Auth

Here's the second part of my Doctrine / Zend_Auth example. In 15 minutes, we create a logout, login and protected area that's reliant on the ZC_Auth_Adapter adapter we created in last week's video. Notice how there's no code in the IndexController exposing the authentication implementation,

Grab a copy of the project or browse the repository.

Also, a big thank you to ServerGrove for extending their support of Zendcasts for January. ServerGrove specializes in Zend Framework hosting and they've offered a 10% rebate on hosting with coupon code "zc". If you're looking for a host, be sure to check them out (referral). They've also added an additional coupon for "Mini Hosting" plans, get $2 off by using code "zcmini".

2 Reply by Reen

  • Reen
  • Guest

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

Hi Jon,

First of all I would like to say that I'm a big fan of your vid's, makes me view a lot of problems from another perspective.

I must say I watched the code without really checking the video, but it seems like you are doing some bad practices I would like to notify you about.

It's not the responsibility of a user to authenticate it's self. Like a car should not be able to put a traffic light on green. The logic for authentication should be in the authentication class. You can add a non-static function called verifyPassword, and call that function from the authentication.

Type of exceptions should not be checked by exception message. You can subclass the exception class and check it's type by using instanceof.

Things you probably said in the video:
- Passwords should be hashed (with seed);
- It is bad practice to show difference between incorrect user and incorrect password, hackers will be able to use your login interface to check for existing users.

Hope this feedback helps. Keep up the video-tutorials they are great!

Cheers

3 Reply by Jon Lebensold

  • Jon Lebensold
  • Administrator
  • Offline
  • Registered: 2009-06-27
  • Posts: 170

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

Hi Reen,

I'm glad you enjoyed the video! I really appreciate your feedback about this project. Let me respond to your comments:

Reen wrote:

Hi Jon,
It's not the responsibility of a user to authenticate it's self. Like a car should not be able to put a traffic light on green. The logic for authentication should be in the authentication class. You can add a non-static function called verifyPassword, and call that function from the authentication.

The user is not authenticating himself, the use Model, however is. I'm also using the Model_User class as a method of storing any business rules related to authentication. If the code were in the authentication class, it would couple the database querying engine (in this case Doctrine) to the authentication code. Alternatively, a data-table gateway could've been implemented so that the Model_User class could be used exclusively as a value-object. This, of course, would add to the complexity of the implementation in an area that the video wasn't focused.

Reen wrote:

Type of exceptions should not be checked by exception message. You can subclass the exception class and check it's type by using instanceof.

There's been a lot of debate about this within the Zend community, however you're absolutely right that a OOP purist would do type checking rather than error code checking. However, the disadvantage to such heavy Exception class implementations is that you start creating Exceptions for every single outcome, my own experience of seeing hundreds of lines of catch blocks in Java has led me to prefer a error-code-based comparison, using the Exception model for more generic exception handling. Furthermore, having multiple exceptions and then explaining their use would blur the overall focus of the video, which is the Zend_Controller implementation.

Reen wrote:

Things you probably said in the video:
- Passwords should be hashed (with seed);
- It is bad practice to show difference between incorrect user and incorrect password, hackers will be able to use your login interface to check for existing users.

Hope this feedback helps. Keep up the video-tutorials they are great!

Cheers

Thanks for mentioning the passwords here. Of course passwords should be hashed! Preferably with a salt as well. This is mentioned in the video.

In terms of it being a bad practice to say a user is not found, I've never found or read anything of the sort. I've also seen this functionality widely used in web applications. I would also conjecture that a hacker could use a registration interface to discern the same data.

4 Reply by Reen

  • Reen
  • Guest

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

Hi again,

First of all, I do understand that you have to make choices in your video and that you can't cover all.

The user is not authenticating himself, the use Model, however is.

From my point of view it is like you're saying "It's ok to let the car controll the traffic light as long as you make the functions static." I think the Auth_Adapter is an adapter because it only works for certain situations. Like the MySQL DB adapter only works for MySQL. There is no point in making it so abstract that it works in every case, because it will only move your problem to another place.

Furthermore, having multiple exceptions and then explaining their use would blur the overall focus of the video, which is the Zend_Controller implementation.

Agreed.

I would also conjecture that a hacker could use a registration interface to discern the same data.

Registration forms should be protected with a captcha functionality, making it hard to automate this process. Some applications might also have a non-public register interface.

5 Reply by Jon Lebensold

  • Jon Lebensold
  • Administrator
  • Offline
  • Registered: 2009-06-27
  • Posts: 170

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

Hi Reen,

I definitely see your point about the Model. Personally, I would rather keep my Doctrine queries outside of any non-Model_* classes, however you do a good point for keeping them in the adapter.

Good point about Captcha functionality! I guess it really depends on the kind of application.

6 Reply by chielsen

  • chielsen
  • New member
  • Offline
  • Registered: 2010-02-28
  • Posts: 1

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

What exactly does the build all reload do?
Does it not overwrite your authenticate method?

7 Reply by Jon Lebensold

  • Jon Lebensold
  • Administrator
  • Offline
  • Registered: 2009-06-27
  • Posts: 170

Re: ZC44 – Logging in Users using Doctrine and Zend_Auth

nope, only the base classes