libcast/sfHttpDigestAuthPlugin
sfHttpDigestAuthPlugin
======================

Installation
------------

    symfony plugin:install sfHttpDigestAuthPlugin --stability="beta"

Configuration
-------------

Edit your `config/filters.yml` to enable the digest authentication filter.

    # config/filters.yml
    http_digest:
      class: sfHttpDigestAuthFilter

You can also customize the plugin parameters:

    # config/filters.yml
    http_digest:
      class: sfHttpDigestAuthFilter
      param:
        # realm sent to the client
        realm:                Realm

        # authentication "session" duration
        nonce_life:           300

        # set to true when the user provider returns the hash of
        # username:realm:password instead of the clear password
        password_is_hash:     true

        # key used to generate the nonce
        private_key:          privatekey

The *user provider* is a valid callback that takes a `username` as parameter and
returns the corresponding `password`, or `null` if the username does not exist.

The *user signin* callback takes a `username` as parameter and performs the full user
signin, including the `setAuthenticated()` call.

The builtin sfGuardUser provider supports both the Propel and Doctrine implementations.
It is bundled with some configuration parameters too:

    # config/app.yml
    all:
      sfHttpDigestAuth:
        callback:
          # callback used to retrieve the password corresponding to a username
          retrieve:            [ sfGuardUserProvider, findForUser ]

          # callback used to signin the user when authentication is successful
          signin:              [ sfGuardUserProvider, signIn ]

        sfGuardUser:
          # the sfGuardUser method used to retrieve the password HTTP Digest needs
          password_method:     getPassword

          # does the password_method belong to the profile class?
          method_is_profile:   false

The `password_method` must return either the clear password (or key), or the MD5
hash of `username:realm:password` (the HA1 value of the Digest scheme) for the
Digest exchange to work.

A good practice is to use a randomly generated key dedicated to HTTP authentication,
like an API key. This way, you can store the clear key without compromising the
user's password.
In addition, it makes brute-force attacks more difficult, as they cannot rely on
current password dictionaries.
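The following custom provider is an added example, not code shipped with the plugin. It implements the two callbacks described above (`retrieve` and `signin`) for a dedicated per-user API key rather than the account password, and stores only the `username:realm:key` hash, so it is wired with `password_is_hash: true`. The class name `ApiKeyUserProvider`, the in-memory user table, and the `generateKey()` / `ha1()` helpers are assumptions made for the example; `sfContext`, `setAuthenticated()`, `setAttribute()` and `addCredential()` are the symfony 1.x user API the signin callback is expected to call.

```php
<?php
// Added example (not part of sfHttpDigestAuthPlugin): a user provider that
// authenticates HTTP Digest requests against a dedicated API key per user.
//
// Assumed wiring in config/app.yml (replacing the sfGuardUser defaults):
//   all:
//     sfHttpDigestAuth:
//       callback:
//         retrieve: [ ApiKeyUserProvider, findForUser ]
//         signin:   [ ApiKeyUserProvider, signIn ]
// and in config/filters.yml, `password_is_hash: true`, because findForUser()
// returns the HA1 hash instead of a clear key.

class ApiKeyUserProvider
{
    // Must be identical to the `realm` parameter of the filter: HA1 is bound
    // to the realm, so a hash provisioned for another realm never validates.
    const REALM = 'Realm';

    // Constructed sample data standing in for a database table. Only the
    // HA1 hash md5("username:realm:key") is stored, never the key itself.
    private static $users = null;

    private static function users()
    {
        if (self::$users === null) {
            self::$users = array(
                // hypothetical provisioned keys, hashed at load time for the demo
                'alice' => self::ha1('alice', 'constructed-api-key-for-alice'),
                'bob'   => self::ha1('bob',   'constructed-api-key-for-bob'),
            );
        }
        return self::$users;
    }

    // HA1 as defined by the Digest scheme (RFC 2617): MD5 of username:realm:key.
    public static function ha1($username, $key)
    {
        return md5($username . ':' . self::REALM . ':' . $key);
    }

    // Random 128-bit key to hand to the user once; store only ha1() of it.
    public static function generateKey()
    {
        $bytes = function_exists('random_bytes')
            ? random_bytes(16)
            : openssl_random_pseudo_bytes(16); // PHP 5 fallback
        return bin2hex($bytes);
    }

    // `retrieve` callback: returns the stored HA1 for the username, or null
    // when the account is unknown (the filter then rejects the request).
    public static function findForUser($username)
    {
        $users = self::users();
        return isset($users[$username]) ? $users[$username] : null;
    }

    // `signin` callback: called by the filter once the Digest response
    // validated; performs the full symfony 1.x signin.
    public static function signIn($username)
    {
        $user = sfContext::getInstance()->getUser();
        $user->setAuthenticated(true);
        $user->setAttribute('username', $username);
        $user->addCredential('api'); // hypothetical credential name
    }
}

// Stand-alone demo (CLI only; the callbacks above run inside symfony).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $key = ApiKeyUserProvider::generateKey();
    echo "new key for carol (show once): $key\n";
    echo "store this HA1: " . ApiKeyUserProvider::ha1('carol', $key) . "\n";
    var_dump(ApiKeyUserProvider::findForUser('alice') !== null); // bool(true)
    var_dump(ApiKeyUserProvider::findForUser('nobody'));         // NULL
}
```

Because the provider returns HA1, a leaked table exposes neither the API key nor the user's password, and the hash is useless against any other realm; if you prefer to return the clear key (for example to let users rotate it without recomputing anything), keep `password_is_hash: false` and return `$key` from `findForUser()` instead.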

About

Support of HTTP Digest authentication in symfony 1.x. Fork me, I'm famous!
