Module 3

Now that users can authenticate, we want to provide a simpler way for
them to identify themselves as they use the system. Rather than solicit
for an email address and password on every request, we want to use
server-side sessions to track the user's authentication information.

Your task is to update our authentication routine to leverage
server-side storage of session information and update the authentication
handler to use Bearer tokens (i.e. session IDs) to authenticate requests
rather than email/password combinations.

Author: ericmann

.gitignore

@@ -0,0 +1 @@
+.session

composer.json

@@ -21,7 +21,8 @@
     "autoload": {
         "psr-4": {
             "Notes\\Module1\\": "module-1/server/",
-            "Notes\\Module2\\": "module-2/server/"
+            "Notes\\Module2\\": "module-2/server/",
+            "Notes\\Module3\\": "module-3/server/"
         },
         "files": [
             "util/Database.php",

module-3/client/notes.php

@@ -8,12 +8,13 @@
 use splitbrain\phpcli\Options;
 use splitbrain\phpcli\TableFormatter;
 
-class Module2 extends CLI
+class Module3 extends CLI
 {
 	/**
 	 * @var GuzzleHttp\Client
 	 */
 	private $client;
+	private $token;
 
 	private $user;
 
@@ -33,6 +34,7 @@ protected function setup(Options $options)
 
 		$options->registerCommand('register', 'Create a user account.');
 		$options->registerCommand('changePassword', 'Change your user password');
+		$options->registerCommand('login', 'Create a persistent authentication session');
 
 		$options->registerArgument('note', 'Actual note to store.', true, 'create');
 		$options->registerArgument('noteId', 'Identify the note to retrieve.', true, 'get');
@@ -47,12 +49,13 @@ protected function setup(Options $options)
 		$options->registerOption('new-password', 'New login password', 'p', true, 'changePassword');
 		$options->registerOption('repeat-password', 'New login password (again)', 'r', true, 'changePassword');
 
-		foreach (['create', 'get', 'delete', 'all'] as $command) {
+		foreach (['create', 'get', 'delete', 'all', 'login'] as $command) {
 			$options->registerOption('email', 'Email address', 'e', true, $command);
 			$options->registerOption('password', 'Login password', 'p', true, $command);
 		}
 
 		$this->client = new GuzzleHttp\Client(['base_uri' => 'http://localhost:8888']);
+		$this->token = file_get_contents('.session');
 	}
 
 	protected function createNote($contents)
@@ -66,9 +69,11 @@ protected function createNote($contents)
 			'note' => $contents
 		];
 
-		$response = $this->client->request('POST', 'notes', [
+		$response = $this->client->request(
+			'POST',
+			'notes', [
 			'body' => json_encode($jsonBody),
-			'auth' => [$this->user, $this->pass]
+			'auth' => [$this->user, $this->pass] // @TODO Replace basic auth with Bearer auth
 		]);
 
 		if ($response->getStatusCode() === 200) {
@@ -116,7 +121,11 @@ private function printNote(array $note, TableFormatter $tf)
 
 	protected function getNote($noteId)
 	{
-		$response = $this->client->request('GET', sprintf('notes/%s', $noteId), ['auth' => [$this->user, $this->pass]]);
+		$response = $this->client->request(
+			'GET',
+			sprintf('notes/%s', $noteId),
+			['auth' => [$this->user, $this->pass]] // @TODO Replace basic auth with Bearer auth
+		);
 
 		if ($response->getStatusCode() === 200) {
 			$return = json_decode($response->getBody(), true);
@@ -134,7 +143,11 @@ protected function getNote($noteId)
 	protected function deleteNote($noteId)
 	{
 		try {
-			$this->client->request('DELETE', sprintf('notes/%s', $noteId), ['auth' => [$this->user, $this->pass]]);
+			$this->client->request(
+				'DELETE',
+				sprintf('notes/%s', $noteId),
+				['auth' => [$this->user, $this->pass]] // @TODO Replace basic auth with Bearer auth
+			);
 			$this->info(sprintf('Note ID %s has been deleted.', $noteId));
 		} catch (\GuzzleHttp\Exception\BadResponseException $e) {
 			$this->error(sprintf('Unable to delete note %s. It might not exist!', $noteId));
@@ -143,7 +156,11 @@ protected function deleteNote($noteId)
 
 	protected function getAllNotes()
 	{
-		$response = $this->client->request('GET', 'notes', ['auth' => [$this->user, $this->pass]]);
+		$response = $this->client->request(
+			'GET',
+			'notes',
+			['auth' => [$this->user, $this->pass]] // @TODO Replace basic auth with Bearer auth
+		);
 
 		if ($response->getStatusCode() === 200) {
 			$notes = json_decode($response->getBody(), true);
@@ -247,6 +264,35 @@ protected function changePassword(Options $options)
 		}
 	}
 
+	protected function login(Options $options)
+	{
+		try {
+			$response = $this->client->request('GET', 'login', ['auth' => [$this->user, $this->pass]]);
+
+			if ($response->getStatusCode() === 200) {
+				$auth = json_decode($response->getBody(), true);
+
+				if (empty($auth)) {
+					$this->error('Could not establish a session!');
+				} else {
+					$token = $auth['token'];
+
+					try {
+						$fp = fopen('.session', 'w');
+						fwrite($fp, $token);
+						fclose($fp);
+
+						$this->info('Established a persistent session. Commence note taking!');
+					} catch (\Exception $e) {
+						$this->error('Could not establish a session!');
+					}
+				}
+			}
+		} catch(\GuzzleHttp\Exception\BadResponseException $e) {
+			$this->error('Could not establish a session!');
+		}
+	}
+
 	protected function main(Options $options)
 	{
 		$args = $options->getArgs();
@@ -272,6 +318,9 @@ protected function main(Options $options)
 			case 'changePassword':
 				$this->changePassword($options);
 				break;
+			case 'login':
+				$this->login($options);
+				break;
 			default:
 				$this->error('No known command was called, we show the default help instead:');
 				echo $options->help();
@@ -280,5 +329,5 @@ protected function main(Options $options)
 	}
 }
 
-$cli = new Module2();
+$cli = new Module3();
 $cli->run();

module-3/server/AuthMiddleware.php

@@ -1,35 +1,23 @@
 <?php declare(strict_types=1);
 
-namespace Notes\Module2;
+namespace Notes\Module3;
 
-use League\Route\Http\Exception\BadRequestException;
 use League\Route\Http\Exception\ForbiddenException;
-use Notes\Util\Database;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
-use Zend\Diactoros\Response\JsonResponse;
 
 class AuthMiddleware implements MiddlewareInterface
 {
 	public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
 	{
-		$authentication = $request->getHeader('authorization')[0];
-		$base64Auth = trim(substr($authentication, 5));
-		$decoded = explode(':', base64_decode($base64Auth));
+		if (Server::authenticate($request)) {
+			return $handler->handle($request);
+		}
 
-		$db = new Database();
-		try {
-			$user = $db->getUserByEmail($decoded[0]);
-
-			// @TODO Proper hash comparison
-			if (hash_equals($user->password, $decoded[1])) {
-				$_SESSION['userId'] = $user->userId;
-
-				return $handler->handle($request);
-			}
-		} catch (\Exception $e) {}
+		// @TODO Check for a Bearer token and set up the session
+		$authorization = $request->getHeader('authorization')[0];
 
 		throw new ForbiddenException();
 	}

module-3/server/Server.php

@@ -1,7 +1,8 @@
 <?php declare(strict_types=1);
 
-namespace Notes\Module2;
+namespace Notes\Module3;
 
+use GuzzleHttp\Exception\BadResponseException;
 use League\Route\Http\Exception\BadRequestException;
 use League\Route\Http\Exception\ForbiddenException;
 use Notes\Util\Database;
@@ -112,7 +113,7 @@ public function register(ServerRequestInterface $request): array
 			// Create the user when we throw a not found exception!
 			$user = new BaseUser();
 			$user->email = $parsed['email'];
-			$user->password = $parsed['password']; // @TODO This should be hashed!
+			$user->password = password_hash($parsed['password'], PASSWORD_BCRYPT, ['cost' => 11]);
 			$user->greeting = isset($parsed['greeting']) ? $parsed['greeting'] : 'Friend';
 
 			$userId = $this->db->createUser($user);
@@ -140,22 +141,55 @@ public function changePassword(ServerRequestInterface $request): ResponseInterfa
 			throw new BadRequestException('No such user!');
 		}
 
-		// @TODO Use better comparisons
-		if (!hash_equals($user->password, $parsed['old_password'])) {
+		if (!password_verify($parsed['old_password'], $user->password)) {
 			throw new BadRequestException('Invalid password!');
 		}
 
 		if (!hash_equals($parsed['new_password'], $parsed['repeat_password'])) {
 			throw new BadRequestException('Passwords must match!');
 		}
 
-		// @TODO This should be hashed!
-		$user->password = $parsed['new_password'];
+		$user->password = password_hash($parsed['new_password'], PASSWORD_BCRYPT, ['cost' => 11]);
 
 		if ($this->db->updateUserPassword($user)) {
 			return new EmptyResponse();
 		}
 
 		throw new \Exception('Server error while updating password.');
 	}
+
+	public static function authenticate(ServerRequestInterface $request): bool
+	{
+		$authentication = $request->getHeader('authorization')[0];
+		$base64Auth = trim(substr($authentication, 5));
+		$decoded = explode(':', base64_decode($base64Auth));
+
+		$db = new Database();
+		try {
+			$user = $db->getUserByEmail($decoded[0]);
+
+			if (password_verify($decoded[1], $user->password)) {
+				if (session_status() !== PHP_SESSION_ACTIVE) {
+					session_start();
+				}
+
+				$_SESSION['userId'] = $user->userId;
+				return true;
+			}
+		} catch (\Exception $e) {}
+
+		return false;
+	}
+
+	public function login(ServerRequestInterface $request): array
+	{
+		if (self::authenticate($request)) {
+			return [
+				'userId' => $_SESSION['userId'],
+				'token'  => session_id()
+			];
+		}
+
+		throw new \Exception('There was a problem in your login attempt');
+	}
 }

module-3/server/index.php

@@ -13,14 +13,15 @@
 $router->setStrategy($strategy);
 
 $router->group('/notes', function(\League\Route\RouteGroup $router) {
-	$router->get('/',        'Notes\Module2\Server::getNotes');
-	$router->get('/{id}',    'Notes\Module2\Server::getNote');
-	$router->post('/',       'Notes\Module2\Server::createNote');
-	$router->delete('/{id}', 'Notes\Module2\Server::deleteNote');
-})->middleware(new Notes\Module2\AuthMiddleware());
-
-$router->post('/account',     'Notes\Module2\Server::register');
-$router->put('/account',      'Notes\Module2\Server::changePassword');
+	$router->get('/',        'Notes\Module3\Server::getNotes');
+	$router->get('/{id}',    'Notes\Module3\Server::getNote');
+	$router->post('/',       'Notes\Module3\Server::createNote');
+	$router->delete('/{id}', 'Notes\Module3\Server::deleteNote');
+})->middleware(new Notes\Module3\AuthMiddleware());
+
+$router->post('/account', 'Notes\Module3\Server::register');
+$router->put('/account',  'Notes\Module3\Server::changePassword');
+$router->get('/login',   'Notes\Module3\Server::login');
 
 $response = $router->dispatch($request);
 

vendor/composer/autoload_psr4.php

@@ -14,6 +14,7 @@
     'Psr\\Http\\Server\\' => array($vendorDir . '/psr/http-server-handler/src', $vendorDir . '/psr/http-server-middleware/src'),
     'Psr\\Http\\Message\\' => array($vendorDir . '/psr/http-factory/src', $vendorDir . '/psr/http-message/src'),
     'Psr\\Container\\' => array($vendorDir . '/psr/container/src'),
+    'Notes\\Module3\\' => array($baseDir . '/module-3/server'),
     'Notes\\Module2\\' => array($baseDir . '/module-2/server'),
     'Notes\\Module1\\' => array($baseDir . '/module-1/server'),
     'League\\Route\\' => array($vendorDir . '/league/route/src'),

vendor/composer/autoload_static.php

@@ -55,6 +55,7 @@ class ComposerStaticInite8d69a9c610684d4ceded15f33142591
         ),
         'N' => 
         array (
+            'Notes\\Module3\\' => 14,
             'Notes\\Module2\\' => 14,
             'Notes\\Module1\\' => 14,
         ),
@@ -109,6 +110,10 @@ class ComposerStaticInite8d69a9c610684d4ceded15f33142591
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
         ),
+        'Notes\\Module3\\' => 
+        array (
+            0 => __DIR__ . '/../..' . '/module-3/server',
+        ),
         'Notes\\Module2\\' => 
         array (
             0 => __DIR__ . '/../..' . '/module-2/server',