MyBB Community Forums

Full Version: Token based authentication & bcrypt
Pages: 1 2
I know the reason for keeping the old style is to help with the upgrade from 1.8 to 2.0, but can we please use bcrypt as it's what Laravel uses by default, and makes it easier to auth users in other applications written in a different language.

+ Using something like JSON Web Tokens as a means of authentication would also be nice.
Bcrypt will be used, yes.
Crypt is already implemented as the default hashing mechanism in 2.0. We will also have support for 2FA for all users out of the box. I've not looked at using JWT at all, but we might use them in some capacity should there be a valid use case.
(2016-05-24, 06:49 PM)Euan T Wrote: [ -> ]Crypt is already implemented as the default hashing mechanism in 2.0. We will also have support for 2FA for all users out of the box. I've not looked at using JWT at all, but we might use them in some capacity should there be a valid use case.

Another thing that would be nice is a scalable permission system? Something like zizaco's entrust that allows plugin creators to create their own permission values?
(2016-05-25, 02:19 PM)KieronWiltshire Wrote: [ -> ]
(2016-05-24, 06:49 PM)Euan T Wrote: [ -> ]Crypt is already implemented as the default hashing mechanism in 2.0. We will also have support for 2FA for all users out of the box. I've not looked at using JWT at all, but we might use them in some capacity should there be a valid use case.

Another thing that would be nice is a scalable permission system? Something like zizaco's entrust that allows plugin creators to create their own permission values?

This is already possible in 1.x and will be in 2.0. The system in 2.0 will be slightly enhanced too, rather than just being "yes"/"no", it'll be "yes"/"no"/"never", so that "never" permissions aren't overwritten by secondary groups.
(2016-05-25, 03:31 PM)Euan T Wrote: [ -> ]
(2016-05-25, 02:19 PM)KieronWiltshire Wrote: [ -> ]
(2016-05-24, 06:49 PM)Euan T Wrote: [ -> ]Crypt is already implemented as the default hashing mechanism in 2.0. We will also have support for 2FA for all users out of the box. I've not looked at using JWT at all, but we might use them in some capacity should there be a valid use case.

Another thing that would be nice is a scalable permission system? Something like zizaco's entrust that allows plugin creators to create their own permission values?

This is already possible in 1.x and will be in 2.0. The system in 2.0 will be slightly enhanced too, rather than just being "yes"/"no", it'll be "yes"/"no"/"never", so that "never" permissions aren't overwritten by secondary groups.

Consider looking into a permissions module I wrote in JavaScript and the concepts I've implemented for ideas
https://github.com/KieronWiltshire/ezpermissions
(2016-05-25, 05:02 PM)KieronWiltshire Wrote: [ -> ]Consider looking into a permissions module I wrote in JavaScript and the concepts I've implemented for ideas
https://github.com/KieronWiltshire/ezpermissions

Permissions need to be server side, but concepts can be used.
(2016-05-26, 07:46 PM)laie_techie Wrote: [ -> ]
(2016-05-25, 05:02 PM)KieronWiltshire Wrote: [ -> ]Consider looking into a permissions module I wrote in JavaScript and the concepts I've implemented for ideas
https://github.com/KieronWiltshire/ezpermissions

Permissions need to be server side, but concepts can be used.

JavaScript can be executed server side, heard of nodejs? 😂
That's what the module was written for haha
(2016-05-27, 01:06 AM)KieronWiltshire Wrote: [ -> ]
(2016-05-26, 07:46 PM)laie_techie Wrote: [ -> ]
(2016-05-25, 05:02 PM)KieronWiltshire Wrote: [ -> ]Consider looking into a permissions module I wrote in JavaScript and the concepts I've implemented for ideas
https://github.com/KieronWiltshire/ezpermissions

Permissions need to be server side, but concepts can be used.

JavaScript can be executed server side, heard of nodejs? 😂
That's what the module was written for haha

MyBB is written in PHP though, and will not be rewritten in Node.js due to it not being supported on the majority of shared hosts that most of our users use (and also due to the fact that most of our team are far more familiar with PHP).
(2016-05-27, 10:00 AM)Euan T Wrote: [ -> ]MyBB is written in PHP though, and will not be rewritten in Node.js due to it not being supported on the majority of shared hosts that most of our users use (and also due to the fact that most of our team are far more familiar with PHP).

I don't think that KieronWiltshire was asking the team to rewrite the whole project in JavaScript, he was rather giving you an example (that happens to be written in JavaScript) just to get what he means.
And it's actually pretty neat.
MyBB 1.0 for instance has a scalable permission system through groups and permissions, each permission is stored inside a SQL column (the usergroups table for example has as many columns as there are permissions in MyBB, and that's not very scalable, even though it's very convenient).

His suggestion was to make something like :
Imagine I am the author of MyAlerts (poke @Euan T) and I want to create a supertype of administrators that can manage MyAlerts plugin, I will declare a new Role :
// declaring new role
use MyBB\Core\Roles\Role;

$role = new Role("myalertsadmin");
$role->setName("My Alert's Admin");
$role->setDescription("This group can manage MyAlerts");

I will create a "Node", or a part of my app that I want to protect, since I'm protecting MyAlerts' admin area :

use MyBB\Core\Node;

$node = new Node("admin.dashboard.myalerts");
$node->setName("MyAlert's Dashboard");
$node->setDescription("This is the dashboard of MyAlerts");

What roles can access that node?
// my newly created role "myalertsadmin" can actually access the MyAlert's Dashboard
$node->give($role);

Of course I have to give the role to the desired users :
$role->give($user);

Lastly, protect my MyAlerts' Dashboard against those who don't have any role that gives them access to admin.dashboard.myalerts :
if ($currentUser->isPermitted("admin.dashboard.myalerts")) {
  // go on
} else {
  // stop there, you don't have the role
}

With that, you can use wildcards in permission check :

if ($user->isPermitted("admin.dashboard.*")) {
  // this $user has at least one role that gives him access to admin.dashboard.something
}

The options are endless, and it's actually easy :)

More examples in :
https://www.npmjs.com/package/ezpermissions
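
The role/node check sketched in the post above, combined with the "yes"/"no"/"never" states mentioned earlier in the thread, as an added example that is not part of the original posts and is not MyBB's or ezpermissions' code. It is written in JavaScript so it runs under Node.js; `Role`, `matches`, `resolveNode` and `isPermitted` are hypothetical names, and treating `*` as exactly one segment is an assumption.

```javascript
// Added example; Role, matches, resolveNode and isPermitted are hypothetical
// names, not the API of MyBB or of the ezpermissions package.
const YES = "yes", NO = "no", NEVER = "never";

class Role {
  constructor(id) { this.id = id; this.grants = new Map(); }
  // Grants name concrete nodes only; wildcards are allowed in checks, not here.
  set(node, state) {
    if (![YES, NO, NEVER].includes(state)) throw new Error(`bad state: ${state}`);
    if (node.includes("*")) throw new Error("wildcards are not valid in grants");
    this.grants.set(node, state);
    return this;
  }
}

// Compare dot-separated segments literally; "*" stands for exactly one segment.
// No regex is built from the pattern, so node names cannot inject metacharacters.
function matches(pattern, node) {
  const p = pattern.split("."), n = node.split(".");
  return p.length === n.length && p.every((seg, i) => seg === "*" || seg === n[i]);
}

// One concrete node across all of a user's roles: "never" beats "yes",
// and a node nobody mentions stays "no" (default deny).
function resolveNode(roles, node) {
  let result = NO;
  for (const role of roles) {
    const state = role.grants.get(node);
    if (state === NEVER) return NEVER;
    if (state === YES) result = YES;
  }
  return result;
}

// True when at least one node matching the pattern resolves to "yes".
function isPermitted(roles, pattern) {
  const nodes = new Set();
  for (const role of roles)
    for (const node of role.grants.keys())
      if (matches(pattern, node)) nodes.add(node);
  return [...nodes].some((node) => resolveNode(roles, node) === YES);
}

// Constructed sample data: a primary group plus a restricting secondary group.
const myalertsAdmin = new Role("myalertsadmin").set("admin.dashboard.myalerts", YES);
const restricted = new Role("restricted").set("admin.dashboard.myalerts", NEVER);
console.log(isPermitted([myalertsAdmin], "admin.dashboard.*"));             // true
console.log(isPermitted([myalertsAdmin, restricted], "admin.dashboard.*")); // false
```

Because `resolveNode` returns as soon as it sees "never", the result does not depend on the order in which a user's groups are listed.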