OneAuth is a secure and minimal boilerplate PHP User Authentication System developed to provide essential functionality to manage accounts on websites, ready to use and to build upon
Latest commit 76399b2 Oct 27, 2015 @luckyshot Create LICENSE
LICENSE
README.md 0.2.3 Oct 6, 2014
config.php 0.2.3 Oct 6, 2014
db.php 0.2.1 Sep 23, 2014
dump.sql 0.2.0 Sep 22, 2014
index.php 0.2.3 Oct 6, 2014
oneauth.php 0.2.3 Oct 6, 2014
test.php

README.md

OneAuth
PHP User Authentication Class with ACL features

OneAuth is a small PHP User Authentication System developed to provide the functionality needed to manage user authentication on websites, ready to use and to build upon in your own project.

  • Small: OneAuth is two PHP classes and one MySQL table
  • Scalable: You can add new fields, integrate with other login methods (such as social media networks) and build new functionalities very easily
  • Secure: Passwords are hashed (not encrypted) with password_hash() using the strongest algorithm PHP supports, with password_hash()'s own per-password salt plus a global salt kept in config.php; users are authenticated through a cookie token stored in the database instead of a PHP session file, and the token is tied to the client's IP address

Features

  • Activate account through email link (optional)
  • Edit account details (including old password reprompt)
  • Delete account (removes identifiable information but keeps the user for historical reasons)
  • Forgot password (user receives email with reset link)
  • ACL flags (Access Control List): great for admin levels, memberships or any other user categorization
  • Industry-standard password hashing with a per-password salt plus a global salt, and salted random tokens for sessions and password resets
  • Customizable session length, password hashing cost, salts...
  • MySQL uses PDO named parameters with a built-in debugging class
  • Clear error messages to make debugging easier
  • Custom and flexible email templates

Requirements

  • PHP 5.5+ (5.3.7+ compatibility below)
  • MySQL

Setup

  1. Modify config.php with your URL, database, salts (a salt generator is at the bottom of index.php), project name and email, session length, email templates, etc.

  2. Run dump.sql in your MySQL

  3. Copy this into your project to initialize OneAuth:

    require_once('config.php');
    require_once('oneauth.php');
    $oa = new OneAuth($oaconfig);

  4. Open index.php to see usage examples ready to copy-paste into your project

  5. Delete index.php before deploying: it is a demo page and carries the salt generator

Class methods overview

For full documentation see the code at oneauth.php, it is full of comments and very easy to understand.

Account
  • $oa->user()
  • $oa->register()
  • $oa->activate()
  • $oa->edit()
  • $oa->delete()
Password
  • $oa->forgot()
  • $oa->reset()
Session
  • $oa->login()
  • $oa->logout()
Flags
  • $oa->hasflag()

Flags

Flags are single letters stored in the flags column that can be used for User Access Control, user levels, account settings, admins… Two are used by OneAuth itself right now:

  • d: Deleted account (deleted accounts cannot log in)
  • i: Inactive account (needs to confirm email address)
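As an added example (not OneAuth's own hasflag() implementation), here is the flag handling the list above implies, written against the varchar(10) flags column. The 'a' (admin) flag is a hypothetical ACL flag used only to show a custom check; the code targets PHP 7.1+ (the README itself targets 5.5):

```php
<?php
// Added example (not OneAuth's own code): working with the single-letter
// flags stored in the `flags` varchar(10) column. Assumes the two flags the
// README documents, 'd' (deleted) and 'i' (inactive), plus a hypothetical
// 'a' (admin) flag used only to illustrate an ACL check.
declare(strict_types=1);

const FLAGS_MAX_LENGTH = 10;   // width of the `flags` column in the README's schema

function hasFlag(string $flags, string $flag): bool
{
    if (strlen($flag) !== 1) {
        throw new InvalidArgumentException('A flag is exactly one letter');
    }
    return strpos($flags, $flag) !== false;
}

function addFlag(string $flags, string $flag): string
{
    if (hasFlag($flags, $flag)) {
        return $flags;                       // idempotent: never duplicate a letter
    }
    if (strlen($flags) >= FLAGS_MAX_LENGTH) {
        // Silent truncation by MySQL would drop the flag; fail loudly instead.
        throw new LengthException('flags column is full; widen varchar(10) before adding more flags');
    }
    return $flags . $flag;
}

function removeFlag(string $flags, string $flag): string
{
    hasFlag($flags, $flag);                  // reuse the one-letter validation
    return str_replace($flag, '', $flags);
}

/**
 * Decide whether an account may log in. The blocking flags are checked
 * before any password work, so a deleted or inactive account never reaches
 * password_verify(). Returns null when login is allowed, otherwise a reason
 * suitable for the UI.
 */
function loginBlockedReason(string $flags): ?string
{
    if (hasFlag($flags, 'd')) {
        return 'This account has been deleted.';
    }
    if (hasFlag($flags, 'i')) {
        return 'Please activate your account via the link we emailed you.';
    }
    return null;
}

// Constructed sample records following an account through its lifecycle.
$fresh   = addFlag('', 'i');            // new registration awaiting activation
$active  = removeFlag($fresh, 'i');     // after $oa->activate()
$admin   = addFlag($active, 'a');       // hypothetical admin flag
$deleted = addFlag($admin, 'd');        // after $oa->delete()

foreach (['fresh' => $fresh, 'active' => $active, 'admin' => $admin, 'deleted' => $deleted] as $name => $flags) {
    printf("%-8s flags=%-4s admin=%s login=%s\n",
        $name, "'$flags'", hasFlag($flags, 'a') ? 'yes' : 'no',
        loginBlockedReason($flags) ?? 'allowed');
}
```

Keep the blocking checks in one function as above so every login path (password, social login, a future API key) shares the same rule; a 'd' flag that is checked in one path and forgotten in another is a classic way for "deleted" accounts to keep working.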

Email templates

  • forgot: Contains a link to reset the password
  • activate: Contains a link to activate the account
  • welcome: Contains welcome message

Database

  • id (bigint(20))
  • email (varchar(100))
  • password (char(40))
  • date_created (datetime)
  • date_seen (datetime)
  • ip (varchar(15))
  • flags (varchar(10))
  • token (char(40))
  • token_expiry (datetime)

Two column widths deserve a check against dump.sql before deploying: password_hash() with PASSWORD_DEFAULT returns a 60-character bcrypt string, so a char(40) password column would truncate or reject the hash and password_verify() would fail for every user (the PHP manual recommends 255 characters because the default algorithm may change); and varchar(15) fits an IPv4 address but not an IPv6 address, which needs up to 45 characters. The token column is sized correctly: sha1() returns 40 hex characters.

To debug MySQL queries replace new DB with new DBDebug in oneauth.php; this returns the formed query without executing it so you can analyze it.
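An added example, not the project's DB or DBDebug class, of the PDO named-parameter pattern the README describes, using the column names above: a session lookup by cookie token that also enforces token_expiry, plus a query renderer for debugging. It runs against an in-memory SQLite table constructed here so it works offline; with MySQL only the DSN changes. Requires PHP 7.1+:

```php
<?php
// Added example (not OneAuth's DB/DBDebug classes): looking up a session by
// cookie token with PDO named parameters, and rendering a query for
// inspection without executing it. Uses an in-memory SQLite database so it
// runs offline; in production the DSN would point at MySQL (the README's
// target), where you would also set PDO::ATTR_EMULATE_PREPARES to false so
// parameters are sent separately from the SQL text.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table following the README's column list (types simplified for SQLite).
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, password TEXT, date_created TEXT,
    date_seen TEXT, ip TEXT, flags TEXT, token TEXT, token_expiry TEXT)');

$pdo->prepare('INSERT INTO users (email, password, flags, token, token_expiry)
               VALUES (:email, :password, :flags, :token, :expiry)')
    ->execute([
        ':email'    => 'alice@example.com',
        ':password' => password_hash('correct horse', PASSWORD_DEFAULT),
        ':flags'    => '',
        ':token'    => str_repeat('a', 40),      // constructed 40-char token
        ':expiry'   => '2099-01-01 00:00:00',
    ]);

/**
 * Return the user row owning $token if the token has not expired, else null.
 * $now is passed as a parameter instead of calling the database's NOW() so the
 * comparison behaves the same on SQLite and MySQL and is easy to test.
 */
function findSession(PDO $pdo, string $token, string $now): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, email, flags FROM users
          WHERE token = :token AND token_expiry > :now
          LIMIT 1'
    );
    $stmt->execute([':token' => $token, ':now' => $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Debug helper in the spirit of the README's DBDebug: interpolate named
 * parameters into the SQL text for inspection only. Never execute the result;
 * the real query always goes through prepare()/execute().
 */
function renderQuery(string $sql, array $params): string
{
    return preg_replace_callback('/:(\w+)/', function (array $m) use ($params) {
        $value = $params[':' . $m[1]] ?? $params[$m[1]] ?? null;
        return $value === null ? 'NULL' : "'" . addslashes((string) $value) . "'";
    }, $sql);
}

$now = gmdate('Y-m-d H:i:s');
var_dump(findSession($pdo, str_repeat('a', 40), $now));                   // valid token
var_dump(findSession($pdo, str_repeat('b', 40), $now));                   // unknown token
var_dump(findSession($pdo, str_repeat('a', 40), '2100-01-01 00:00:00'));  // expired token

// The rendered query shows what a hostile token looks like as data, not as SQL.
echo renderQuery('SELECT id FROM users WHERE token = :token AND token_expiry > :now',
                 [':token' => "x' OR 1=1 --", ':now' => $now]), "\n";
```

Because the token and timestamp travel as bound parameters, the `x' OR 1=1 --` value only ever appears inside a string and never changes the query shape; renderQuery() exists purely to show you the statement you believe you are running.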

Salting and hashing

Here's how passwords and tokens are salted and hashed:

  • Passwords: password_hash( globalSalt + password, PASSWORD_DEFAULT )
  • Session token: sha1( globalSalt + IpAddress + $this->randomchars() )
  • Reset password token: sha1( globalSalt + userId + $this->randomchars() )
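As an added example (not OneAuth's own code), the scheme above implemented with PHP's native API, followed by a demonstration of the one pitfall a prepended global salt has with bcrypt and a hardened variant that goes beyond the README's scheme. The global salt values are constructed; OneAuth's randomchars() is not shown in the README, so a random_bytes() stand-in is assumed. Requires PHP 7.0+ for random_bytes() and hash_equals():

```php
<?php
// Added example (not OneAuth's own code): the password and token scheme the
// README describes, implemented with PHP's native API. GLOBAL_SALT is a
// constructed value; randomChars() stands in for OneAuth's randomchars(),
// which the README does not show.
declare(strict_types=1);

const GLOBAL_SALT = 'c0nstruct3d-gl0bal-salt';   // constructed; generate a real one for config.php

function randomChars(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // CSPRNG: all token entropy comes from here
}

// README scheme: password_hash( globalSalt + password, PASSWORD_DEFAULT ).
// password_hash() adds its own random per-password salt (the "local" salt),
// so the global salt acts as a pepper that lives in config.php, not the database.
function hashPassword(string $password, string $globalSalt = GLOBAL_SALT): string
{
    return password_hash($globalSalt . $password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $hash, string $globalSalt = GLOBAL_SALT): bool
{
    return password_verify($globalSalt . $password, $hash);
}

// README scheme for tokens. sha1() only fixes the length to 40 hex chars (the
// char(40) token column); unpredictability comes entirely from randomChars().
function sessionToken(string $ip): string  { return sha1(GLOBAL_SALT . $ip . randomChars()); }
function resetToken(int $userId): string   { return sha1(GLOBAL_SALT . $userId . randomChars()); }

// Compare a presented token with the stored one in constant time.
function tokenMatches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Pitfall: bcrypt only looks at the first 72 bytes of its input. A long global
// salt prepended to the password pushes the password past that limit, after
// which any password verifies. Hardened variant (not the README's scheme):
// pre-hash with HMAC so the bcrypt input is always 64 hex characters, whatever
// the salt or password length.
function hashPasswordHmac(string $password, string $globalSalt = GLOBAL_SALT): string
{
    return password_hash(hash_hmac('sha256', $password, $globalSalt), PASSWORD_DEFAULT);
}

function verifyPasswordHmac(string $password, string $hash, string $globalSalt = GLOBAL_SALT): bool
{
    return password_verify(hash_hmac('sha256', $password, $globalSalt), $hash);
}

$hash = hashPassword('correct horse battery staple');
printf("hash length %d: the password column must hold at least 60 chars (PHP manual: 255)\n", strlen($hash));
var_dump(verifyPassword('correct horse battery staple', $hash));   // right password
var_dump(verifyPassword('wrong', $hash));                           // wrong password

$longSalt = str_repeat('S', 72);                                     // constructed oversized global salt
$weak = hashPassword('correct horse battery staple', $longSalt);
var_dump(verifyPassword('anything at all', $weak, $longSalt));       // salt alone fills bcrypt's 72 bytes
$strong = hashPasswordHmac('correct horse battery staple', $longSalt);
var_dump(verifyPasswordHmac('anything at all', $strong, $longSalt)); // HMAC pre-hash: password still counts

// Raise the cost over time: re-hash on the next successful login if needed.
if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) {
    $hash = password_hash(GLOBAL_SALT . 'correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 12]);
}
var_dump(tokenMatches(sessionToken('203.0.113.7'), sessionToken('203.0.113.7')));  // two fresh tokens differ
```

With the README's prepend scheme, keep the global salt short (well under 72 bytes together with the longest password you accept) or use the HMAC pre-hash; and when the cost in config.php changes, password_needs_rehash() lets you upgrade stored hashes lazily as users log in rather than forcing a reset.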

PHP 5.3.7+ Compatibility

OneAuth uses password_hash(), so it needs PHP 5.5+. On PHP 5.3.7 through 5.4 either add the ircmaxell/password_compat polyfill, which provides password_hash() and password_verify() with the same signatures, or hash with crypt() directly, as in the PHP manual's crypt() example below ($globalSalt is the global salt from config.php and $input the password being checked):

    // CSPRNG-backed salt: bcrypt uses 22 chars of its own alphabet, which has '.' where base64 has '+'
    $salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
    $salt = base64_encode($salt);
    $salt = str_replace('+', '.', $salt);
    // $2y$ is the corrected bcrypt prefix (PHP 5.3.7+), 10 is the cost; prepend the global salt as OneAuth does
    $hash = crypt($globalSalt . 'rasmuslerdorf', '$2y$10$'.$salt.'$');
    // Verify by re-running crypt() with the stored hash as the salt argument
    $ok = crypt($globalSalt . $input, $hash) === $hash;

Credits

OneAuth is developed by Xavi Esteve (http://xaviesteve.com/). Feel free to submit Issues and Pull requests.

OneAuth License

You are free to use OneAuth in any project (including commercial projects) as long as the copyright header is left intact.

MIT Open Source License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.