atk4/login

Login and User module for Agile UI

5.0.0 2024-03-26 18:55 UTC

README

ATK UI implements a high-level User Interface for Web App - such as Admin System. One of the most common things for the Admin system is a log-in screen.

Although you can implement log-in form easily, this add-on does everything for you:

Installation

Install through composer composer require atk4/login

Then add Auth into your app and set appropriate user controller:

$app = new \Atk4\Ui\App();
$app->initLayout([\Atk4\Ui\Layout\Admin::class]);
$app->db = new \Atk4\Data\Persistence($dsn);

// ADD THIS CODE:
$app->auth = new \Atk4\Login\Auth($app);
$app->auth->setModel(new \Atk4\Login\Model\User($app->db));

// The rest of YOUR UI code will now be protected
\Atk4\Ui\Crud::addTo($app)->setModel(new Client($app->db));

(If you do not have User model yet, you can extend or use \Atk4\Login\Model\User).

Login

Features

Here are all the classes implemented:

  • Full transparent authentication
    • Populates user menu with name of current user
    • Adds log-out link
    • Adds Preferences page
  • Flexible ACL support
  • Model\User - basic user entity that can be extended
  • LoginForm - username/password login form
  • RegisterForm - registration form
  • Auth - authentication controller, verify and record logged state
  • UserAdmin - UI for user administration
  • Layout\Narrow - Fomantic-UI based narrow responsive layout login/registration forms
  • Templates for forms an messages
  • Demos for all of the above

When used default installation, it will relay on various other components (such as LoginForm), however you can also use those components individually.

Advanced Usage

There are two modes of operation - Automated and Manual. Automated handles display of forms based on currently logged state automatically. It was already presented in the "Installation" section above.

For a more advanced usage, you can either tweak Automated mode or use individual components manually.

Tweaking Automated Mode

When you initialize 'Auth' class you may inject property values:

$app->auth = new \Atk4\Login\Auth($app, [
    'hasPreferences' => false, // do not show Preferences page/form
    'pageDashboard' => 'dashboard', // name of the page, where user arrives after login
    'pageExit' => 'goodbye', // where to send user after logout

    // Oter options:
    // 'hasUserMenu' => false, // will disable interaction with Admin Layout user menu
]);
$app->auth->setModel(new User($app->db));

Using Manual Mode

In the manual mode, no checks will be performed, and you are responsible for authenticating user yourself. This works best if you have a more complex auth logic.

$app->auth = new \Atk4\Login\Auth($app, [
    'check' => false,
]);
$app->auth->setModel(new User($app->db));


// Now manually use login logic
if (!$app->auth->user->isLoaded()) {
    \Atk4\Login\LoginForm::addTo($app, ['auth' => $app->auth]);
}

Adding sign-up form

\Atk4\Login\RegisterForm::addTo($app)
    ->setModel(new \Atk4\Login\Model\User($app->db));

Displays email and 2 password fields (for confirmation). If filled successfully will create new record for \Atk4\Login\Model\User. Will cast email to lowercase before adding. Things to try:

  • Extend or use your own User class
  • Add more fields to registration form
  • Decorate registration form with message and links
  • Use multi-column form layout

Log-in form

Login

\Atk4\Login\LoginForm::addTo($app, [
    'auth' => $app->auth,
    // 'successLink' => ['dashboard'],
    // 'forgotLink' => ['forgot'],
]);

Displays log-in form and associate it with $auth. When form is filled, will attempt to authenticate using $auth's model. If password is typed correctly, will redirect to "successLink" (which will be passed to $app->url()). Things to try:

  • Redirect to login page if not authenticated
  • Add 3rd party authentication (authenticate using 3rd party lib, look up connected account, store into auth persistence)
  • Implement two factor authentication (store flag in auth persistence indicating if 2nd factor is carried out, if not display it)
  • Implement password verification delay after several unsuccessful attempts
  • Ask user to change password if it is about to expire

Dashboard

To check if user is currently logged in:

if ($app->auth->user->isLoaded()) {
    // logged-in
}

Auth model stores user model data in session, so if you delete user from database, he will not be automatically logged out. To log-out user explicitly, call $app->auth->logout().

You may also access user data like this: $app->auth->model['name']; Things to try:

  • Explicitly load user record from database instead of cache only
  • Store last login / last access time in database
  • Move auth cache to MemCache

Profile Form

This form would allow user to change user data (including password) but only if user is authenticated. To implement profile form use:

Form::addTo($app)->setModel($app->auth->user);

Demos open profile form in a pop-up window, if you wish to do it, you can use this code:

Button::addTo($app, ['Profile', 'class.primary' => true])
    ->on('click', Modal::addTo($app)->set(function (View $p) {
        Form::addTo($p)->setModel($p->getApp()->auth->user);
    })->jsShow());

Things to try:

  • Ask user to verify old password before changing settings
  • Send SMS notification / email if any user setting has bees changed
  • Store user settings in multiple tables (join)

Password

Field 'password' is using a custom field class Password. Stored value is always a hash, use Password::hashPassword() + Password::set() methods to set the value or use Password::setPassword() method to set the password directly. You can use this field in any model like this:

$model->addField('password', [\Atk4\Data\Field\PasswordField::class]);

Also the password will not be stored in session cache and will not be accessible directly.

Things to try:

  • Add complexity validation
  • Add password recovery form
  • use CAPCHA when recovering password

Custom User Model

Although a basic User model is supplied, you can either extend it or use your own user model.

User Admin

We include a slightly extended "Admin" interface which includes page to see user details and change their password. To create admin page use:

\Atk4\Login\UserAdmin::addTo($app)
    ->setModel(new \Atk4\Login\Model\User($app->db));

Login

This uses a standard CRUD interface, enhancing it with additional actions:

  • key button allows to change user password and offers random password generator. Uses "input" field for a visible password. You can also use regular "edit" button which will contain asterisk-protected field for the password.
  • eye button is designed to show user details, such as which group he belongs to. Currently this panel and groups are not implemented.

Login

Things to try:

  • Add additional information on details modal.
  • Add audit log for user actions (login, change password etc)

Migrations

Use of migration is optional, but can help by populating initial structure of your user model. Look inside file demos/wizard.php. It simply adds a console component, which will execute migration of 'User' model.

When migration is executed it simply checks to make sure that table for 'user' exists and has all required fields. It will not delete or change existing fields or tables.

Roadmap

Generally we wish to keep this add-on clean, but very extensible, with various tutorials on how to implement various scenarios (noted above under "Things to try").

For some of those features we would like to add a better support in next releases:

  • [1.0] - add "$auth->check()" - for Automated authentication checks
  • [1.1] - add Password Reminder form and tutorial on integration with Email / SMS sending
  • [1.2] - add Password strength verification (and indicator)

If you would like to propose other features, please suggest them by opening ticket here: