BjyAuthorize Deny All, Super User, User Spoofing - zend-framework

I'm building a web system with no public views (except for login, of course).
So far, I got Bjyauthorize running with zfcUser, what I would like to do is:
1) Guard all routes but the login, so I don't have to be writing guards for every single page while I'm in development, and for security reasons this would be a plus for me, because I wouldn't accidentally expose any part that is not intended to be exposed.
2) I need the admin Role to be able to retrieve any route, any controller, disregarding any guards.
3) I'd like to add the functionality for the Super user to be able to spoof any user aka make the system think I'm that specific user, so I could test my system functionality through the eyes of a specific user.
We already have a system in PHP, MVC which makes all of these and we are migrating to Zend, so this would be a necessity for us.
I don't expect a full answer for every single item; some guides, tutorials and above all a concise answer on whether this is achievable through BjyAuthorize would be much appreciated :D
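One way to get the deny-by-default behaviour asked for in item 1 together with an admin role for item 2, as an added example in BjyAuthorize's configuration format (it is not from the question or from the BjyAuthorize project; the application route names `home`, `reports` and `admin` and the role names are assumptions, only `zfcuser/login` and `zfcuser/logout` are ZfcUser's own). With the route guard enabled, BjyAuthorize denies any route that is not listed, and because `admin` is declared as a child of `user` it inherits every route granted to `user`. Impersonation (item 3) is not covered here.

```php
<?php
// Added example: module.config.php fragment for BjyAuthorize + ZfcUser.
// Route names other than ZfcUser's own are assumptions about the application.
return array(
    'bjyauthorize' => array(
        // unauthenticated visitors get this role...
        'default_role'       => 'guest',
        // ...and anyone who authenticated through ZfcUser gets this one
        'authenticated_role' => 'user',
        // the ZfcUser-backed identity provider from the BjyAuthorize README
        'identity_provider'  => 'BjyAuthorize\Provider\Identity\ZfcUserZendDb',

        'role_providers' => array(
            'BjyAuthorize\Provider\Role\Config' => array(
                'guest' => array(),
                // admin is a child of user: it inherits every rule granted to user
                'user'  => array('children' => array('admin' => array())),
            ),
        ),

        // Route guard: any route NOT listed here is denied for every role,
        // so a page you forget to add is closed rather than exposed.
        'guards' => array(
            'BjyAuthorize\Guard\Route' => array(
                // the only doors open to an anonymous visitor
                array('route' => 'zfcuser/login',  'roles' => array('guest')),
                array('route' => 'zfcuser/logout', 'roles' => array('user')),
                // ordinary application routes list 'user'; admin gets them by inheritance
                array('route' => 'home',           'roles' => array('user')),
                array('route' => 'reports',        'roles' => array('user')),
                // admin-only routes list admin alone; a plain user is refused
                array('route' => 'admin',          'roles' => array('admin')),
            ),
        ),
    ),
);
```

For anonymous visitors who hit a guarded route, BjyAuthorize's `RedirectionStrategy` (attached to the application event manager in the module's `onBootstrap`) sends them to `zfcuser/login` instead of rendering the 403 view.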

Related

Keycloak users - is a good idea to differentiate users by their country?

I'm designing a fairly complex backend and now I have a doubt. Is it a good idea in Keycloak to differentiate users into different Keycloak groups by their country when I create them during a sign-in, for example?
I was thinking that it could be useful to better manage users in the future.
What do you think?
There is no direct solution for such a question. It clearly depends on your application. If in the future your application will provide services based on the country of each user, it might be a good idea, as your application might get this information about the user directly from Keycloak.
If you are planning to do some research about your users, it also might be a good idea, as some statistics might be country related or you would like to get country related outputs (to relocate your cloud instances near to the majority of your users, etc.).
There might be faster database lookups with such additional information, but I don't know if Keycloak currently provides functionality for this. On the other hand, if I sign up to your service while I am chilling on my holidays on the other side of the world from where I usually live, your record will be useless. Therefore this action could bring more issues to the implementation of your application while you might not need it at all.
If you have no plans for such functionalities, there is simply no reason to do such a thing. Present web services tend to store more data than they actually need to. For example, in the majority of recent database leaks you can see the LAST geographical coordinates stored with each user. While these might be unnecessary for precise advertisement targeting and unnecessary user screening, there is really no reason to store the last geographical coordinates of each user. Such information might change with each user login and should be determined at "runtime". If services do not benefit from such data, users are under threat for no reason.
You should determine what is needed by your application and what is not. You should never store or expose any additional information about your users, regardless of how well your application is secured.

In general, would it be redundant to have two GET routes for users (one for ID and one for username)?

I'm building a CRUD for users in my rest API, and currently my GET route looks like this:
get("/api/users/:id")
But this just occurred to me: what if a user tries to search for other users via their username?
So I thought about implementing another route, like so:
get("api/users/username/:id")
But this just looks a bit redundant to me. Even more so if ever my app should allow searching for actual names as well. Would I then need 3 routes?
So in this wonderful community, are there any experienced web developers that could tell me how they would handle having to search for a user via their username?
Obs: if you need more details, just comment about it and I'll promptly update my question 🙃
how they would handle having to search for a user via their username?
How would you support this on a web site?
You would probably have a form; that form would have an input control that would allow the user to provide a user name. When the user submits the form, the browser would copy the form input controls into an application/x-www-form-urlencoded document (as described by the HTTP standard), then substitute that document as the query_part of the form action, and submit the query.
So the resulting request would perhaps look like
GET /api/users?username=GuiMendel HTTP/x.y
You could, of course, have as many different forms as you like, with different combinations of input controls. Some of those forms might share actions, but not necessarily.
so I could just have my controller for GET "/api/users" redirect to an action based on the inputs?
REST doesn't care about "controllers" -- that's an implementation detail; the whole point is that the client doesn't need to know how the server produces a representation of the resource, we just need to know how to ask for it (via the "uniform interface").
Your routing framework might care a great deal, but again that's just another implementation detail hiding behind the facade.
for example, there were no inputs, it would return all users (index), but with the input you suggested, it would filter out only users whose usernames matched the input? Did I get it right?
Yup, that's fine.
From the point of view of a REST client
/api/users
/api/users?username=GuiMendel
These identify different resources; the two resources don't have to have any meaningful relationship with each other at all. The machines don't care (human beings do care, so we normally design our identifiers in such a way that at least some human beings have an easy time of it -- for example, we might optimize our identifiers to make things easy when operators are reading the access logs).
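An added example (not from the thread) of the single `GET /api/users` action the answer describes: with no query string it returns every user, with `?username=GuiMendel` it filters. The `$users` table is constructed sample data; the point a practitioner should not skip is the allowlist of filterable fields, so a caller cannot filter on columns such as a password hash that the API never meant to expose.

```php
<?php
// Added example: one collection handler serving /api/users and /api/users?username=...
// Only these query parameters are honoured; anything else is rejected with 400.
function filterableFields()
{
    return array('username', 'name');
}

function findUsers(array $query, array $users)
{
    $unknown = array_diff(array_keys($query), filterableFields());
    if ($unknown) {
        return array('status' => 400,
                     'body'   => array('error' => 'unsupported filter: ' . implode(', ', $unknown)));
    }
    $matches = array_values(array_filter($users, function ($u) use ($query) {
        foreach ($query as $field => $value) {
            if ($u[$field] !== $value) {   // exact match on an allowlisted field
                return false;
            }
        }
        return true;
    }));
    // an empty result is still 200 with an empty list: the collection resource exists
    return array('status' => 200, 'body' => array_map('publicView', $matches));
}

// Strip server-side fields from every row, whatever filter produced it.
function publicView(array $u)
{
    return array('id' => $u['id'], 'username' => $u['username'], 'name' => $u['name']);
}

// constructed sample data; the hashes are placeholders
$users = array(
    array('id' => 1, 'username' => 'GuiMendel', 'name' => 'Gui',   'password_hash' => 'PLACEHOLDER'),
    array('id' => 2, 'username' => 'alice',     'name' => 'Alice', 'password_hash' => 'PLACEHOLDER'),
);

// /api/users                    -> both users
// /api/users?username=GuiMendel -> only id 1
// /api/users?password_hash=x    -> 400, the field is not filterable
parse_str(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '', $query);
$response = findUsers($query, $users);
http_response_code($response['status']);
header('Content-Type: application/json');
echo json_encode($response['body']);
```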

Zend Force Login

I have my shell application working and I now want to ensure that a user is logged in before anything else occurs. I have a working auth controller and associated database tables, etc.
I assumed that the best way to do this was to put the identity test in the bootstrap, as I don't want to check for identity in each controller. Basically, I think I want to put code in the bootstrap that says: if identity, then run the index; otherwise, run auth. Is this the best way to do it in Zend? If not, what is the preferred method?
I was thinking Bootstrap because for every request of any type, I don't want to allow it if the user is logged in and of course, it would be best to have this check only in one place.
I have more commonly seen this done via a plugin. These can be done at various stages of the Zend Application dispatch cycle. The most common setup I have encountered would be to put a check-user-login-status plugin in at preDispatch.
Search the Zend documentation for preDispatch plugins, or have a look on Youtube as there are some good video tutorials that walk you through it.
An advantage to doing this is that in the future you may want to run some kind of functionality prior to the user authentication test. In such an instance you could put new functionality in a dispatchLoopStartup plugin.
Having said this, there is nothing really wrong with checking the user login status in the bootstrap - I have seen this done many times. It is possibly just tidier to use plugins as they are more repeatable in new applications.
This is just my opinion of course, but I hope this helps.
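The preDispatch plugin the answer recommends, as an added example for Zend Framework 1 (not code from the question or the answer; the controller name `auth`, its `login`/`logout` actions, the `error` controller and the module name `default` are assumptions about the application). Everything not on the short public list requires a `Zend_Auth` identity, and the request is rewritten to the login action rather than redirected, which is the standard ZF1 plugin pattern. The `error` controller must stay on the list: the ErrorHandler plugin forwards to it after an exception, and that forward passes through preDispatch again.

```php
<?php
// Added example: ZF1 front-controller plugin that forces a login before any
// other controller runs. Controller/action names are assumptions.
class Application_Plugin_ForceLogin extends Zend_Controller_Plugin_Abstract
{
    // The only controller/action pairs reachable without an identity.
    // Everything else is denied by default, so a new controller is closed until listed.
    private $_public = array(
        'auth'  => array('login', 'logout'),
        'error' => array('error'),   // needed: error forwards re-enter preDispatch
    );

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $controller = $request->getControllerName();
        $action     = $request->getActionName();

        if (isset($this->_public[$controller])
            && in_array($action, $this->_public[$controller], true)) {
            return;   // public endpoint
        }
        if (Zend_Auth::getInstance()->hasIdentity()) {
            return;   // logged in, let the real controller run
        }

        // Not logged in: swap the requested action for the login action.
        // setDispatched(false) makes the dispatch loop start over with the new target.
        $request->setModuleName('default')
                ->setControllerName('auth')
                ->setActionName('login')
                ->setDispatched(false);
    }
}

// Registration in application/Bootstrap.php (assumed Zend_Application layout):
//
// protected function _initForceLogin()
// {
//     Zend_Controller_Front::getInstance()
//         ->registerPlugin(new Application_Plugin_ForceLogin());
// }
```

If the login action later sends the user back to the page they asked for, store only the request path (not a full URL taken from the query string) so the redirect cannot leave the site.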

Symfony design question - how can I share forms between apps?

I'm developing a site in Symfony, and I'm not sure what the best way is to handle this scenario.
I'm creating a party bookings system. Anyone can go to my frontend app and submit a new booking. Once they're finished, they'll just get a confirmation screen, they can't edit it. Easy.
Only certain users will be able to get to the admin app (it might be secured simply by being on an intranet, but that's not important, just assume it will be only accessible by admin users). They'll be able to view the list of submitted bookings. Easy.
My problem is around code re-use when allowing admin users to edit existing bookings. When you do generate-module in Symfony, the generated module (which as a newbie I'm assuming is a good example of structuring things) creates the form as a partial. I've had to customize this form a lot for my usage (lots of Javascript, etc), so of course I want to re-use this code, to be able to load an existing booking into this form. But there doesn't seem to be a way to share this partial between the apps (I've seen people mention making a plugin...but this seems complicated for this use).
I considered using an IFrame to load the form from the frontend and just passing an "id" parameter to load it in edit mode, but this would mean that the edit mode is not secure - anyone could go to the form on the frontend and pass this parameter to edit a booking.
I also considered putting all of the form display code (HTML, Javascript, etc) in a method on the form object, but this doesn't seem very MVC - all of the display code is then in the form. But this is only because I'm thinking of the form in the same way as a model - is that right?
I feel like this should be a common situation. You can share models and forms between apps, why can't you share this common form display code too?
Thanks!
You should reconsider having 2 applications in the first place. Not only do you run into the code reuse problem, but also i18n, testing and other issues. I find it much easier to have 1 application with a different bunch of modules for frontend and backend users. You can configure security per module. You can have one sign-in form for all users and redirect them to the appropriate module based on their credentials.
You can reuse partials between modules inside the same application, but you seem to be talking about two different applications (frontend and backend), so as far as I know the only way is to copy & paste the partial from one application to the other...

Where can I find some MVC User Administration Helpers for AD Users?

So I have an MVC 2 app that uses the Active Directory Membership Provider. Authentication works like a charm! Now I need to add some additional screens to allow the users to:
Change their password
Reset forgotten passwords (email a super secret link or something?)
Conditionally add additional users (of course users of a certain role, as determined by another Role Provider).
Conditionally disable existing users (ditto on roles).
I'm just looking for some very basic functionality and I'm having trouble finding either any MVC helpers to help with this or even any legitimate .NET libraries to help. We'd be happy to buy something to do this but I've not seen anything that's convinced me as being good!
Does anybody have any suggestions? Surely many others have had to tackle this by now...
I modified code found here http://www.codeproject.com/KB/system/everythingInAD.aspx for my needs. The ActiveDirectoryMembershipProvider is extremely limited in its capabilities. ( http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx )