Authentication Question


Postby kokoro » Wed Feb 25, 2009 9:36 pm

Hello,

I am loving Xataface!! The learning curve is perfect for me and I'm excited to be moving forward as rapidly as I am.

One quick question about authentication.

I have successfully set up authentication thanks to the easy to understand tutorial but am wondering if there is a way to use encrypted passwords in the users table in the database. I tried simple encryption from the command line

htpasswd -nb username password

and pasted the encrypted password in the appropriate field in the users table but could then not log in to my application. I am assuming that I need to tell Xataface that the password is encrypted somewhere in either the auth portion of the conf.ini file or in the ApplicationDelegate.php file but am not sure which and how.

I should probably experiment a little before posting :oops: but couldn't resist throwing the question out here.

Jason

P.S. Probably a silly question but Apache style commands like

AuthName EnterPassword
AuthType Basic

don't work I am assuming?
kokoro
 
Posts: 39
Joined: Fri Feb 06, 2009 6:17 am

Postby shannah » Thu Feb 26, 2009 12:29 am

The easiest way is to use the encryption directive for the password field in the fields.ini file:

http://xataface.com/wiki/encryption
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby kokoro » Thu Feb 26, 2009 3:26 am

Steve,

Thanks for your super quick reply.

I have set up the fields.ini file in my dataface_users directory located in the tables directory and tried both

md5
&
sh1

encryption methods generating encryptions of my passwords from the terminal of a Mac running OSX (10.5) but I'm not having any luck. I get a

"Sorry, you have entered an incorrect username /password combination. Please try again."

error every time I try logging in after changing the password to the encrypted version in the database. Strange thing is that if I try to log in with a user name and password that has not yet been changed to an encrypted version in the database, I am able to log in without issue. It seems as if the fields.ini file in the users directory in the table directory is not being read...

Jason

**correction** I am not able to log in with other passwords that have not yet been encrypted...I guess the fields.ini file is being read but the encryption method does not seem to be working.
kokoro
 
Posts: 39
Joined: Fri Feb 06, 2009 6:17 am

Postby shannah » Thu Feb 26, 2009 8:49 am

The way to do this is: if you are using md5 encryption, insert the users via Xataface. Xataface will encrypt it on the way in, and it will continue to treat it as encrypted when you try to log in.

Alternatively you could just use SQL (or your favorite SQL tool) but make sure you wrap the password in the MD5 function.

e.g.
Code:
insert into users (username, password) values ('foo', md5('pass'))
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
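
Added example, not part of the original thread and not Xataface code: a small check that classifies what is sitting in the password column and shows why a pasted `htpasswd -nb` line can never match a column handled as md5. It assumes the md5 setting means the column holds what MySQL's MD5() returns (32 hex characters) and models the login as hash-then-compare; the function names and sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hash prefixes htpasswd emits after "username:" (APR1-MD5, -s, -B).
HTPASSWD_PREFIXES = {"$apr1$": "htpasswd-apr1", "{SHA}": "htpasswd-sha1", "$2y$": "htpasswd-bcrypt"}


def classify(stored):
    """Guess the format of a value found in the password column."""
    value = stored.strip()
    # `htpasswd -nb user pw` prints "user:hash"; look past a pasted "user:" part.
    candidate = value.split(":", 1)[-1]
    for prefix, label in HTPASSWD_PREFIXES.items():
        if candidate.startswith(prefix):
            return label
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5-hex"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "sha1-hex"
    return "other"  # plaintext, crypt(3), or something else


def md5_login_matches(stored, submitted):
    """Hash-then-compare check for an md5 column (assumed model of the login)."""
    digest = hashlib.md5(submitted.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest.encode(), stored.strip().lower().encode("utf-8"))


def audit(rows, submitted):
    """Return (username, format, would_log_in) for each row."""
    return [(u, classify(p), md5_login_matches(p, submitted)) for u, p in rows]


# Constructed sample rows; the $apr1$ value is a made-up placeholder, not a real hash.
SAMPLE_ROWS = [
    ("foo", hashlib.md5(b"pass").hexdigest()),              # what md5('pass') stores
    ("bar", "bar:$apr1$CONSTRUCT$0000000000000000000000"),  # pasted htpasswd line
    ("baz", "{SHA}" + base64.b64encode(hashlib.sha1(b"pass").digest()).decode()),
    ("qux", "pass"),                                        # plaintext left in place
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ROWS, "pass"):
        print(row)
```

Only the row written the way MD5() would write it logs in; the htpasswd formats carry their own prefix, salt or encoding, so the hex digest of the submitted password never equals them.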

Postby kokoro » Thu Feb 26, 2009 2:35 pm

Steve,

Thanks a million, again :D

I don't understand the encryption method well enough I guess. Generating the password through the terminal and then cutting and pasting it worked for my .htaccess/.htpasswd files but it wasn't working for the passwords for the users in the users table.

I inserted the password using SQL and didn't have any problems at all. I used that to make my admin password and will generate the remaining accounts through Xataface.

Thanks again for your help!

Jason
kokoro
 
Posts: 39
Joined: Fri Feb 06, 2009 6:17 am

Postby kokoro » Thu Feb 26, 2009 3:03 pm

Sorry, I thought I had everything figured out and then.....

After logging in as admin, when I click on "My Profile" I get the following error:


Errors

* Permission denied because this table has been disallowed in the conf.ini file '


The strange thing is that, as far as I can see, I have everything set up the same on my production site as on my development site and the development site works fine (I click on "My Profile" and have access to the users table from there) but on my production site I get that disallowed error. :?

Jason
kokoro
 
Posts: 39
Joined: Fri Feb 06, 2009 6:17 am

Postby shannah » Thu Feb 26, 2009 3:57 pm

What is the name of your users table? Xataface checks for certain patterns in table names and blocks them by default because they are usually meant to be private.

Check out
http://xataface.com/documentation/how-t ... low_tables

You can use the [_allowed_tables] section in your conf.ini file to explicitly allow access to the table if it is incorrectly tripping Xataface's security alarms.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby kokoro » Thu Feb 26, 2009 5:24 pm

Steve,

Thanks, I'll try allowing the table....but I'm still not sure why it works in my development environment (MAMP) but not on my production server..?

Maybe because the table name is different?

On my MAMP server I named the table dataface_users

but on my production server I named it dataface__Users (two underscores and a capital U)

Maybe the two underscore convention, in order to have the table subcategorized, is a mistake?

If I allow the table via [_allowed_tables] in the conf.ini file isn't that going to allow it for all users? I guess I need to work on specializing the permissions and roles more so that the users table is only accessible to the ADMIN role and then create another role that allows write access but on a more limited scale.

Jason
kokoro
 
Posts: 39
Joined: Fri Feb 06, 2009 6:17 am

Postby shannah » Thu Feb 26, 2009 7:29 pm

OK, that's why. Tables that begin with dataface__ are automatically blocked because Xataface creates some tables with this naming convention. If you allow this table it will still be subject to your permissions. It will just not block it.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved