README

This is an application that provides additional control layer to the Webiny Framework Security component. The application standardizes the login process and user stateless token storage, making it ideal for RESTful and mobile applications.

Some of the built-in features:

sessions are stored in database and can be revoked at any point
authorized devices are also stored in database and can be revoked at any point
login whitelist and blacklist based on client IP
rate limit control
stateless login validation for RESTful application
only whitelisted devices can log-in (optional)

Sample config

Login:
    SecurityFirewall: Admin
    ValidateDevice: true
    BlockThreshold: 6
    BlockTimelimit: 10
    DeviceTtl: 90
    RateLimitBlacklist:
        - 123.123.123.123
    RateLimitWhitelist:
        - 127.0.0.1
        - 192.168.1.1
        - 10.0.2.2

SecurityFirewall: defines which Security.Firewall to use for user authentication
ValidateDevice: does the device need to be whitelisted before user can login
BlockThreshold: after how many bad login attempts should the client be blocked from submitting any new login requests (client is identified as username+ip combination)
BlockTimelimit: for how many minutes should the client be blocked from submitting any additional login attempts
DeviceTtl: how long should the device session be valid (used only if ValidateDevice is turned on)
RateLimitBlacklist: list of IPs that are permanently blocked from submitting login requests
RateLimitWhitelist: list of IPs that are excluded from the rate limit control

Setup

The Login app requires following Webiny Framework components:

Entity
Http
Mongo
Security
Rest (optional - only if login RESTful service is used)

Mongo Indexes

Create the following indexes on your Mongo Database:

db.getCollection('LoginMeta').createIndex({username: 1});
db.getCollection('LoginRateControl').createIndex({ip: 1});

Example setup:

\Webiny\Component\Security\Security::setConfig('./securityConfig.yaml');
\Webiny\Component\Mongo\Mongo::setConfig('./mongoConfig.yaml');
\Webiny\Component\Entity\Entity::setConfig('./entityConfig.yaml');

$security = \Webiny\Component\Security\Security::getInstance();
$loginConfig = \Webiny\Component\Config\Config::getInstance()->yaml('./loginConfig.yaml');

$login = new \Webiny\Login\Login($security, $loginConfig);

Once you have the login instance, you can access the methods inside the class directly:

// check if we have the auth cookie and device cookie
$authCookie = \Webiny\Component\Http\Cookie::getInstance()->get('auth-token');
$deviceToken = \Webiny\Component\Http\Cookie::getInstance()->get('device-token');

if ($authCookie && $deviceToken) {
    try {
        $user = $login->getUser($authCookie, $deviceToken);
    } catch (\Webiny\Login\LoginException $le) {
        
    } catch (\Exception $e) {
        
    }
}else{
    // process login
    try {
        $login->processLogin($username, $deviceToken, $authProvider);
    
        // if login is successful, return device and auth tokens
        $authToken = $login->getAuthToken();
        return [
            'authToken'   => $authToken,
            'deviceToken' => $deviceToken
        ];
    } catch (LoginException $le) {
        $errorMsg = $le->getMessage();
    } catch (\Exception $e) {
        return $e;
    }
}

Security setup

Note that the Security component needs to implement Stateless token storage:

Security:
    Tokens:
        Stateless:
            StorageDriver: \Webiny\Component\Security\Token\Storage\Stateless # storage driver needs to be set to stateless
            SecurityKey: SecretKey
    Firewall:
        Admin:
            Token: Stateless

Login services

You can use the Login app as a RESTful service by extending the \Webiny\Login\LoginServices abstract class and implementing it into Webiny Framework Rest component. (view the app/services.php folder for sample implementation)

POST `processLogin`

This method processes the login request and returns either a login error, or in case of a success, authToken and deviceToken.