JonnyReeves.co.uk » auth http://www.jonnyreeves.co.uk Actionscript, Flash, PHP and stuff Mon, 19 Jul 2010 15:36:14 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 User Registration with CakePHP 1.2 and Auth Component http://www.jonnyreeves.co.uk/2008/05/user-registration-with-cakephp-12-and-auth-component/ http://www.jonnyreeves.co.uk/2008/05/user-registration-with-cakephp-12-and-auth-component/#comments Sat, 24 May 2008 10:54:46 +0000 Jonny http://www.jonnyreeves.co.uk/?p=33 With CakePHP 1.2 nearly reaching the RC release, I have started using it as the framework for my own applications.  Once of the new features of 1.2 over 1.1 is the addition of numerous core Components for handling things such as Cookies, Email and Authentication (all of which I rolled myself in 1.1).  Today’s article is going to focus on the Auth Component and a couple of problems it threw up whilst I was trying to create a simple registration page.

Before starting with the code listings for a simple registation action, a little bit of background as to why I’m writing this post. CakePHP 1.2’s Auth Component will automatically hash the value of $this->data['User']['password'] – this is helpful in many ways and allows for a lot of Cake’s auto-magic, however it can cause problems. For example, as the passowrd is automatically being hashed into a 40 character value before any other logic is applied, any validation rules in the Model will be ignored (including NOT_EMPTY like checks). Take this as a hypothetical situation:

  • User goes to /users/register to create a new account
  • User enters their username and password correctly, they then enter an invalid email address
  • Controller fails to validate() the invalid email address supplied so takes the user back to the registration page – Cake helpfully re-populates the form with the values in $this->data array
  • This unfortunatley means the user’s password has been turned into a 40 Character SHA-1 Hash! If the user fails to notice this fact, fixes their email address and clicks submit then that 40 Character SHA-1 Hash is going to get hashed again – now the user has no idea what their password is set to – whoops!

Getting around this problem is pretty straight forward, it just requires a little bit of thought – change the fieldname from password (Which CakePHP 1.2’s Auth Component will automatically hash) to something else, ie: passwrd. Now Cake won’t hash this value, your model’s validation checks can run and everyone is happy – just don’t forget to use AuthComponent::password() to hash this value before storing it.

User Model Class

array
                (
                        ‘alphanumeric’ => array
                        (
                                ‘rule’ => ‘alphaNumeric’,
                                ‘message’ => ‘Only the letters A-z and digits 0-9 are allowed’,
                        ),
                        ‘length’ => array
                        (
                                ‘rule’ => array(‘between’, 4, 20),
                                ‘message’ => "Your username must be between 4 and 20 characters long",
                        ),
                ),
                ‘passwrd’ => array
                (
                        ‘rule’ => array(‘minLength’, 6),
                        ‘message’ => ‘Your password must be at least 6 characters long’,

                ),
                ‘email’ => ‘email’,
        );
}
?>
 

User Controller Class

Auth->allow(‘register’);
        }

        /**
         * Allows a user to sign up for a new account
        */
        function register()
        {
                // If the user submitted the form…
                if (!empty($this->data))
                {
                        // Turn the supplied password into the correct Hash.
                        // and move into the ‘password’ field so it will get saved.
                        $this->data[‘User’][‘password’] = $this->Auth->password($this->data[‘User’][‘passwrd’]);

                        // Always Sanitize any data from users!
                        $this->User->data = Sanitize::clean($this->data);
                        if ($this->User->save())
                        {
                                // Use a private method to send a confirmation
                                // email to the new user (code not shown)
                                $this->__sendConfirmationEmail();

                                // Success! Redirect to a thanks page.
                                $this->redirect(‘/users/thanks’);
                        }

                        // The plain text password supplied has been hashed into the ‘password’ field so
                        // should now be nulled so it doesn’t get render in the HTML if the save() fails
                        $this->data[‘User’][‘passwrd’] = null;
                }
        }
}
 

User/Register.ctp View

<h2>Create an Account</h2>

create(‘User’, array(‘action’ => ‘register’));
echo $form->input(‘username’, array(‘between’ => ‘Pick a username’));

// Force the FormHelper to render a password field, and change the label.
echo $form->input(‘passwrd’, array(‘type’ => ‘password’, ‘label’ => ‘Password’));
echo $form->input(‘email’, array(‘between’ => ‘We need to send you a confirmation email to check you are human’));
echo $form->submit(‘Create Account’);
echo $form->end();
?>
 

]]> http://www.jonnyreeves.co.uk/2008/05/user-registration-with-cakephp-12-and-auth-component/feed/ 6