Authenticate SilverStripe users using core PHP
My client has a website, and the backend is made with SilverStripe. The client wants a mobile app, and wants me to build an API to communicate with the database. Unfortunately, the client wants me to use some other framework, or a core PHP implementation with PDO.
My problem:
How does SilverStripe encrypt the password? How do I manually authenticate users using plain PHP? Just the logic to encrypt/hash (like SilverStripe does) the user input is enough for me.
"Unfortunately, the client wants me to use some other framework, or a core PHP implementation with PDO"
You, as the developer, have the ability to tell the client why they might be wrong about this.
If the website/application is built with SilverStripe, you should have a good/specific reason not to continue to use it to implement an API on top of the SilverStripe data - it makes perfect sense to use SilverStripe for this, and little sense to rewrite parts of the SilverStripe framework for the sake of "not using SilverStripe."
It's important to mention to the client that the underlying encryption/hashing algorithms that SilverStripe implements are not part of the public API, and hence can change without requiring explicit notice to be given to developers. This could mean that the default algorithm is changed (for example, if a zero-day exploit is found in the Blowfish algorithm) and the mobile app would stop working. Using the SilverStripe API would not have the same problem.
The above also applies to the general data structure of SilverStripe. Let's assume that one day they decide to move away from flat tables to an EAV database storage design - the public API (classes with public methods) would stay the same, while the backend classes that separate accessibility, processing and data storage would change. You would have to update your API too, if you build it yourself!
How does SilverStripe encrypt passwords?
It depends - the default method is encryption with the Blowfish algorithm, but there are half a dozen or so (in 3.4.1) implementations of the PasswordEncryptor class that can be configured for use.
The algorithm to use is configurable via the Security::$password_encryption_algorithm property, or via YAML config.
Each user can have a different password encryption/hashing algorithm used - take a look at the Member database table under the PasswordEncryption column.
How to manually authenticate users using plain PHP
Theoretically, if you wanted to do this, you'd need to recreate the logic in the framework's authenticator. Start by looking at Member::checkPassword - this is the initiation of the logic to check a password against a member - which is what you'll care about.
You'll find that, assuming all implementations of SilverStripe use the default algorithm of Blowfish encryption, you can follow PasswordEncryptor::create_for_algorithm through to PasswordEncryptor_Blowfish::check. At this point you'll see that you literally end up replicating a large amount of the SilverStripe framework's code to be able to achieve what you want.
Summary
- What you want to achieve will involve a lot of duplication
- It will not work for 100% of SilverStripe implementations
- It may work now, but break at some point when the algorithms change
- Ask the client why, and convince them to change their mind (after all, you're the expert, they're the client)
- Use a SilverStripe API module (a couple are listed below)
API modules
- silverstripe/silverstripe-restfulserver - officially supported, and provides a simple and easy way to get started with providing API access to your SilverStripe system. You have basic control over HTTP request methods, and can limit access and permissions for each DataObject.
- colymba/silverstripe-restfulapi - community module. Arguably more flexible and powerful. More work to set up/configure the way you want it to work.
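
The failure mode the answer warns about, as an added example (not code from the answer or from SilverStripe): a plain PHP/PDO check that reads the per-member PasswordEncryption column and refuses any algorithm it was not written for. The Email and Password column names, the 'blowfish' column value, and the stored hash being a standard crypt() `$2y$` string are assumptions to verify against the installed SilverStripe version; the sample rows are constructed.

```php
<?php
// Added example, not SilverStripe code. Member.PasswordEncryption comes from
// the answer; the Email/Password columns, the 'blowfish' value and the
// crypt() "$2y$" hash format are assumptions.

// Hash checked for unknown users so their response time resembles a real check.
define('DUMMY_HASH', password_hash('unused', PASSWORD_BCRYPT));

function verifyMember(PDO $db, string $email, string $password): string
{
    $stmt = $db->prepare(
        'SELECT Password, PasswordEncryption FROM Member WHERE Email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, DUMMY_HASH);
        return 'denied';
    }
    // The algorithm is stored per member, so it has to be checked on every login.
    if ($row['PasswordEncryption'] !== 'blowfish') {
        // Fail closed and log it; the API client should only ever see a denial.
        return 'unsupported:' . $row['PasswordEncryption'];
    }
    // password_verify() checks crypt()-format hashes with a constant-time compare.
    return password_verify($password, $row['Password']) ? 'ok' : 'denied';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Member (Email TEXT, Password TEXT, PasswordEncryption TEXT)');
$insert = $db->prepare('INSERT INTO Member VALUES (?, ?, ?)');
$insert->execute(['alice@example.com', password_hash('correct horse', PASSWORD_BCRYPT), 'blowfish']);
// A member stored under a different (constructed, hypothetical) algorithm name.
$insert->execute(['bob@example.com', 'constructed-placeholder-hash', 'some_other_algorithm']);

foreach ([
    ['alice@example.com', 'correct horse'],
    ['alice@example.com', 'wrong'],
    ['bob@example.com', 'anything'],
    ['nobody@example.com', 'x'],
] as [$email, $password]) {
    echo $email, ' => ', verifyMember($db, $email, $password), PHP_EOL;
}
```

The third sample row is the case from the summary: a member whose algorithm differs from the one the hand-written check assumes cannot log in until that check is updated.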