Nodarx/authentication_provider_password
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2025-12-21 10:00:41 -05:00
committed by Sebastian Krupinski
commit d2b2846567
17 changed files with 2757 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
lib/Controllers/PasswordController.php Normal file
View File

@@ -0,0 +1,119 @@
<?php
namespace KTXM\AuthenticationProviderPassword\Controllers;
use KTXC\Http\Response\JsonResponse;
use KTXC\SessionIdentity;
use KTXC\SessionTenant;
use KTXF\Controller\ControllerAbstract;
use KTXF\Routing\Attributes\AuthenticatedRoute;
use KTXF\Security\Crypto;
use KTXM\AuthenticationProviderPassword\Provider;
use KTXM\AuthenticationProviderPassword\Stores\CredentialStore;
class PasswordController extends ControllerAbstract
{
public function __construct(
private readonly SessionIdentity $sessionIdentity,
private readonly SessionTenant $sessionTenant,
private readonly CredentialStore $credentialStore,
private readonly Provider $provider,
private readonly Crypto $crypto
) {
}
#[AuthenticatedRoute('/password/update', name: 'password.update', methods: ['POST'])]
public function update(string $current_password, string $new_password): JsonResponse
{
$tenantId = $this->sessionTenant->identifier();
$identifier = $this->sessionIdentity->mailAddress();
if ($tenantId === null || $identifier === null) {
return new JsonResponse(['error' => 'Invalid session state'], 400);
}
$credential = $this->credentialStore->fetchByIdentifier($tenantId, $identifier);
if (!$credential) {
return new JsonResponse(['error' => 'No password set'], 400);
}
if (!$this->crypto->verifyPassword($current_password, $credential['secret'])) {
return new JsonResponse(['error' => 'Invalid current password'], 400);
}
$newHash = $this->crypto->hashPassword($new_password);
$this->credentialStore->updateSecret($tenantId, $identifier, $newHash);
return new JsonResponse(['success' => true]);
}
/**
* Admin endpoint: Get credential status for a user
*/
#[AuthenticatedRoute('/admin/status/{uid}', name: 'password.admin.status', methods: ['GET'])]
public function getStatus(string $uid): JsonResponse
{
$tenantId = $this->sessionTenant->identifier();
if ($tenantId === null) {
return new JsonResponse(['error' => 'Invalid session state'], 400);
}
// TODO: Add permission check for admin operations
$hasCredentials = $this->provider->hasCredentials($tenantId, $uid);
return new JsonResponse([
'enrolled' => $hasCredentials,
'provider' => 'password',
]);
}
/**
* Admin endpoint: Set/reset user password
*/
#[AuthenticatedRoute('/admin/reset', name: 'password.admin.reset', methods: ['POST'])]
public function adminReset(string $uid, string $password): JsonResponse
{
$tenantId = $this->sessionTenant->identifier();
if ($tenantId === null) {
return new JsonResponse(['error' => 'Invalid session state'], 400);
}
// TODO: Add permission check for admin operations
if (strlen($password) < 8) {
return new JsonResponse(['error' => 'Password must be at least 8 characters'], 400);
}
$success = $this->provider->setCredential($tenantId, $uid, $password);
if (!$success) {
return new JsonResponse(['error' => 'Failed to set password'], 500);
}
return new JsonResponse(['success' => true]);
}
/**
* Admin endpoint: Remove user password
*/
#[AuthenticatedRoute('/admin/remove/{uid}', name: 'password.admin.remove', methods: ['DELETE'])]
public function adminRemove(string $uid): JsonResponse
{
$tenantId = $this->sessionTenant->identifier();
if ($tenantId === null) {
return new JsonResponse(['error' => 'Invalid session state'], 400);
}
// TODO: Add permission check for admin operations
$this->credentialStore->delete($tenantId, $uid);
return new JsonResponse(['success' => true]);
}
}

73
lib/Module.php Normal file
View File

@@ -0,0 +1,73 @@
<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderPassword;
use KTXC\Resource\ProviderManager;
use KTXF\Module\ModuleInstanceAbstract;
/**
* Default Identity Provider Module
* Provides local database authentication
*/
class Module extends ModuleInstanceAbstract
{
public function __construct(
private readonly ProviderManager $providerManager,
) {}
public function handle(): string
{
return 'authentication_provider_password';
}
public function label(): string
{
return 'Password Authentication Provider';
}
public function author(): string
{
return 'Ktrix';
}
public function description(): string
{
return 'Ktrix Password Authentication Provider - authenticates users against credentials stored in the database';
}
public function version(): string
{
return '0.0.1';
}
public function permissions(): array
{
return [
'authentication_provider_password' => [
'label' => 'Access Password Authentication Provider',
'description' => 'View and access the password authentication provider module',
'group' => 'Authentication Providers'
],
];
}
public function boot(): void
{
$this->providerManager->register('authentication', 'password', Provider::class);
}
public function registerBI(): array
{
return [
'handle' => $this->handle(),
'namespace' => 'AuthenticationProviderPassword',
'version' => $this->version(),
'label' => $this->label(),
'author' => $this->author(),
'description' => $this->description(),
'boot' => 'static/module.mjs',
];
}
}

154
lib/Provider.php Normal file
View File

@@ -0,0 +1,154 @@
<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderPassword;
use KTXF\Security\Authentication\AuthenticationProviderAbstract;
use KTXF\Security\Authentication\ProviderContext;
use KTXF\Security\Authentication\ProviderResult;
use KTXF\Security\Crypto;
use KTXM\AuthenticationProviderPassword\Stores\CredentialStore;
/**
* Password Authentication Provider
*
* Authenticates users against local database credentials.
*/
class Provider extends AuthenticationProviderAbstract
{
public function __construct(
private readonly CredentialStore $store,
private readonly Crypto $crypto,
) { }
// =========================================================================
// Provider Implementation
// =========================================================================
public function type(): string
{
return 'authentication';
}
public function identifier(): string
{
return 'password';
}
public function method(): string
{
return self::METHOD_CREDENTIAL;
}
public function label(): string
{
return 'Password';
}
public function description(): string
{
return 'Authenticate using username and password stored in the local database.';
}
public function icon(): string
{
return 'lock';
}
public function verify(ProviderContext $context, string $secret): ProviderResult
{
if (empty($context->tenantId)) {
return ProviderResult::failed(
ProviderResult::ERROR_INTERNAL,
'Invalid tenant context'
);
}
$identity = $context->userIdentity;
if (empty($identity)) {
return ProviderResult::failed(
ProviderResult::ERROR_INVALID_CREDENTIALS,
'Identity is required'
);
}
// Fetch credentials (timing-safe: always compute hash)
$storedCredential = $this->store->fetchByIdentifier($context->tenantId, $identity);
// Always verify password to prevent timing attacks
$dummyHash = '$2y$10$' . str_repeat('0', 53);
$hashToVerify = $storedCredential['secret'] ?? $dummyHash;
$isValid = $this->crypto->verifyPassword($secret, $hashToVerify);
if (!$storedCredential || !$isValid) {
return ProviderResult::failed(
ProviderResult::ERROR_INVALID_CREDENTIALS,
'Invalid credentials'
);
}
// Check if password needs rehash
if ($this->crypto->needsRehash($hashToVerify)) {
$newHash = $this->crypto->hashPassword($secret);
$this->store->updateSecret($context->tenantId, $identity, $newHash);
}
return ProviderResult::success([
'identity' => $identity,
'provider' => $this->identifier(),
]);
}
// =========================================================================
// Credential Management
// =========================================================================
/**
* Set or update user credentials
*/
public function setCredential(string $tenantId, string $userId, string $password): bool
{
if (empty($tenantId)) {
return false;
}
$hash = $this->crypto->hashPassword($password);
// Check if credential exists, then update or create
if ($this->store->exists($tenantId, $userId)) {
return $this->store->updateSecret($tenantId, $userId, $hash);
}
return $this->store->create($tenantId, $userId, $hash);
}
/**
* Verify a password without full authentication
*/
public function verifyPassword(string $tenantId, string $userId, string $password): bool
{
if (empty($tenantId)) {
return false;
}
$storedCredential = $this->store->fetchByIdentifier($tenantId, $userId);
if (!$storedCredential) {
return false;
}
return $this->crypto->verifyPassword($password, $storedCredential['secret']);
}
/**
* Check if user has credentials set
*/
public function hasCredentials(string $tenantId, string $userId): bool
{
if (empty($tenantId)) {
return false;
}
return $this->store->exists($tenantId, $userId);
}
}

120
lib/Stores/CredentialStore.php Normal file
View File

@@ -0,0 +1,120 @@
<?php
declare(strict_types=1);
namespace KTXM\AuthenticationProviderPassword\Stores;
use KTXC\Db\DataStore;
/**
* Credential Store for Default Identity Provider
* Manages local authentication credentials
*
* Collection: provider_identity_default
* Schema: {
* tid: string, // Tenant identifier
* identifier: string, // User identity (email/username)
* secret: string, // Encrypted password
* created_at: int, // Creation timestamp
* updated_at: int // Last update timestamp
* }
*/
class CredentialStore
{
protected const COLLECTION_NAME = 'provider_identity_default';
public function __construct(private DataStore $store)
{ }
/**
* Fetch credential record by identifier (email/username)
*
* @param string $tenant Tenant identifier
* @param string $identifier User identity
* @return array|null Credential record or null if not found
*/
public function fetchByIdentifier(string $tenant, string $identifier): ?array
{
$entry = $this->store->selectCollection(self::COLLECTION_NAME)->findOne([
'tid' => $tenant,
'identifier' => $identifier
]);
if (!$entry) {
return null;
}
return (array)$entry;
}
/**
* Create a new credential record
*
* @param string $tenant Tenant identifier
* @param string $identifier User identity
* @param string $encryptedSecret Encrypted password
* @return bool Whether creation was successful
*/
public function create(string $tenant, string $identifier, string $encryptedSecret): bool
{
$result = $this->store->selectCollection(self::COLLECTION_NAME)->insertOne([
'tid' => $tenant,
'identifier' => $identifier,
'secret' => $encryptedSecret,
'created_at' => time(),
'updated_at' => time(),
]);
return $result->isAcknowledged();
}
/**
* Update credential secret
*
* @param string $tenant Tenant identifier
* @param string $identifier User identity
* @param string $encryptedSecret New encrypted password
* @return bool Whether update was successful
*/
public function updateSecret(string $tenant, string $identifier, string $encryptedSecret): bool
{
$result = $this->store->selectCollection(self::COLLECTION_NAME)->updateOne(
['tid' => $tenant, 'identifier' => $identifier],
['$set' => [
'secret' => $encryptedSecret,
'updated_at' => time(),
]]
);
return $result->isAcknowledged();
}
/**
* Delete credential record
*
* @param string $tenant Tenant identifier
* @param string $identifier User identity
* @return bool Whether deletion was successful
*/
public function delete(string $tenant, string $identifier): bool
{
$result = $this->store->selectCollection(self::COLLECTION_NAME)->deleteOne([
'tid' => $tenant,
'identifier' => $identifier
]);
return $result->isAcknowledged();
}
/**
* Check if credential exists for identifier
*
* @param string $tenant Tenant identifier
* @param string $identifier User identity
* @return bool Whether credential exists
*/
public function exists(string $tenant, string $identifier): bool
{
return $this->fetchByIdentifier($tenant, $identifier) !== null;
}
}