Amruta-Pani - 1 month ago 58
PHP Question

HTTP Basic Authentication fails with Slim 3 using PDO Authenticator

I am using Slim v3 with JWT for writing REST APIs. I followed https://github.com/tuupola/slim-jwt-auth and it is working fine.

I am generating a token each time the user logs into the application. To authenticate the user, I followed https://github.com/tuupola/slim-basic-auth to use as auth middleware. On success, I am generating a token using https://github.com/firebase/php-jwt.

I was going through a related question on SO here, "JWT: Authentication in slim v3 and Android", and I have a query on HTTP basic auth. (I don't have sufficient rep to make a comment there.)

Now my questions:

  1. HttpBasicAuthentication through the 'users' option is working fine, but I wouldn't be able to use it against my users table, obviously. Many users would be logging into the application and listing all of them in 'users' is not an option. Am I right here?

  2. If yes, I have to use PdoAuthenticator. I configured it, but authentication is failing and I couldn't solve it. The error callback is being fired with the "Authentication failed" message. My database has a 'users' table with 'user' and 'hash' columns for username and password. Below is the piece of code I am using.


use Slim\Middleware\HttpBasicAuthentication;
use Slim\Middleware\HttpBasicAuthentication\PdoAuthenticator;

// $dbUser, $dbPassword and $app are set up elsewhere in the application
$pdo = new \PDO('mysql:host=localhost;dbname=test', $dbUser, $dbPassword);

$middlewareHttpBasicAuthConfig = [
    /*"users" => [
        "user1" => "password"
    ],*/
    "secure" => false,
    "relaxed" => ["localhost", "amruta-pani"],
    "path" => "/*",
    "passthrough" => Utils::httpAuthPassThroughRoutes, // class constant defined in the application's own Utils class
    "realm" => "Protected",

    // PdoAuthenticator defaults to table 'users' with columns 'user' and 'hash'
    "authenticator" => new PdoAuthenticator([
        "pdo" => $pdo
    ]),

    // debug output only: fired when the credentials are accepted
    "callback" => function($request, $response, $arguments) {
        echo "Through<br>\n";
        print_r($arguments);
    },

    // debug output only: fired when authentication fails
    "error" => function($request, $response, $arguments) {
        echo "Failed<br>\n";
        print_r($arguments);
    }
];

$app->add(new HttpBasicAuthentication($middlewareHttpBasicAuthConfig));


I am using Google Advanced Rest Client for testing it, and the output I am seeing is:

Failed<br>
Array
(
[message] => Authentication failed
)


I have added the below rule to my Apache webserver:

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


What am I missing here?

Answer

@Mika Tuupola helped me resolve this problem in the comments and credit goes to him; I thought it would help somebody. I was hoping that he would answer it so I could mark it.

Passwords should be hashed for the HttpBasicAuthentication middleware to work. Clear text passwords cannot be authenticated with the PDO driver; however, if the configuration array has a 'users' property with clear text passwords like below, it will work, which obviously wouldn't be the case in production.

$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "users" => [
        "root" => "t00r",
        "somebody" => "passw0rd"
    ]
]));

The GitHub documentation at https://github.com/tuupola/slim-basic-auth was good enough to use this middleware; however, when it mentioned clear text passwords, quote:

Cleartext passwords are only good for quick testing. You probably...

I went ahead testing it with clear text passwords with PDO and it didn't work until the password was hashed.
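To make the fix concrete, here is an added example (my own code, not from the answer or from the slim-basic-auth project) that seeds the 'users' table with a `password_hash()` hash instead of clear text, shows the `password_verify()` comparison that PdoAuthenticator performs against the 'hash' column, and wires the middleware with an error callback that returns a 401 response rather than echoing debug output. It assumes Slim 3 and tuupola/slim-basic-auth 2.x installed via Composer and the pdo_sqlite extension; the in-memory SQLite database, the table and column names (the same ones the question uses), and the two sample accounts are constructed for the example.

```php
<?php
// Added example: hashed credentials for PdoAuthenticator (not the original post's code).
// Assumes: composer packages slim/slim ^3 and tuupola/slim-basic-auth ^2, and pdo_sqlite.
require __DIR__ . "/vendor/autoload.php";

use Slim\Middleware\HttpBasicAuthentication;
use Slim\Middleware\HttpBasicAuthentication\PdoAuthenticator;

// 1. Constructed database: same table/column names as the question.
$pdo = new \PDO("sqlite::memory:");
$pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT PRIMARY KEY, hash TEXT NOT NULL)");

// 2. Store a hash, never the clear text. password_hash() generates a random
//    salt and embeds algorithm, cost and salt in the returned string.
$insert = $pdo->prepare("INSERT INTO users (user, hash) VALUES (:user, :hash)");
$insert->execute([
    ":user" => "somebody",
    ":hash" => password_hash("passw0rd", PASSWORD_DEFAULT),
]);
// A row holding clear text, as in the failing setup from the question.
$insert->execute([":user" => "root", ":hash" => "t00r"]);

// 3. The comparison PdoAuthenticator makes: password_verify() against the
//    stored 'hash' column. A clear text value is not a valid hash, so
//    password_verify() rejects it, which is exactly the failure the question hit.
function checkCredentials(\PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare("SELECT hash FROM users WHERE user = :user");
    $stmt->execute([":user" => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

var_dump(checkCredentials($pdo, "somebody", "passw0rd")); // hashed row
var_dump(checkCredentials($pdo, "root", "t00r"));         // clear text row

// 4. Middleware wired to the same table. Column names are passed explicitly
//    (they are also the middleware's defaults). The error callback returns a
//    401 JSON response instead of printing debug output into the page.
$app = new \Slim\App();
$app->add(new HttpBasicAuthentication([
    "path" => "/api",
    "secure" => true,             // refuse Basic credentials over plain HTTP
    "relaxed" => ["localhost"],   // except for local development
    "realm" => "Protected",
    "authenticator" => new PdoAuthenticator([
        "pdo" => $pdo,
        "table" => "users",
        "user" => "user",
        "hash" => "hash",
    ]),
    "error" => function ($request, $response, $arguments) {
        $body = json_encode([
            "status" => "error",
            "message" => $arguments["message"],
        ]);
        return $response->withStatus(401)
            ->withHeader("Content-Type", "application/json")
            ->write($body);
    },
]));
```

Run the script from the CLI to see the two `var_dump()` results; add routes and `$app->run()` to serve it. The point to take from step 3 is that PdoAuthenticator never compares the submitted password to the column directly, so anything other than a `password_hash()`-style hash in 'hash' fails, regardless of how the 'users' option behaves.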