Blog

Eric Peterson

August 16, 2019

Spread the word


Share your thoughts

You know what's tedious? Authentication. Every project I start needs some sort of authentication system. And every project I start basically from scratch.

I noticed this pattern a while ago and created some libraries to help. You may have used them before.

cbauth is a library that handles creating user sessions for you app while giving enough customization to use different authentication methods and session storages.

auth.authenticate( username, password );
auth.isLoggedIn();
auth.getUser();
auth.logout();

While cbauth manages user sessions, it doesn't protect handlers or actions from being accessed by logged out or unauthorized users. cbguard was created for this purpose providing a way to restrict access to certain handlers and/or actions using annotations.

component secured {

    function index( event, rc, prc ) { /* ... */ }

    function create( event, rc, prc ) secured="create_posts" { /* ... */ }

}

Part of the reason for this customization is that there is not just one way to handle user persistance. Not only is there not just one way, there is not a default way. This can be considered a strength or a weakness of the community, but instead of debating that, I've decided to finally fill that gap using some hand picked libraries.

For data persistance I chose Quick, a ColdBox ORM engine. Unlike Hibernate, Quick is written in CFML and so can be contributed to and by any CFML developer. It also avoids the obscure Hibernate error messages that CF ORM is known for. For example, here's our User component:

component extends="quick.models.BaseEntity" {

    property name="bcrypt" inject="@BCrypt" persistent="false";

    property name="id";
    property name="email";
    property name="password";

    public User function setPassword( required string password ) {
        return assignAttribute(
            "password",
            bcrypt.hashPassword( arguments.password )
        );
    }

    public boolean function hasPermission( required string permission ) {
        return true;
    }

    public boolean function isValidCredentials(
        required string email,
        required string password
    ) {
        var user = newEntity().where( "email", arguments.email ).first();
        if ( ! user.isLoaded() ) {
            return false;
        }
        return bcrypt.checkPassword( arguments.password, user.getPassword() );
    }

    public User function retrieveUserByUsername( required string email ) {
        return newEntity()
            .where( "email", arguments.email )
            .firstOrFail();
    }

    public User function retrieveUserById( required numeric id ) {
        return newEntity().findOrFail( arguments.id );
    }

    public struct function getMemento() {
        return {
            "email": variables.getEmail()
        }
    }

}

This User entity is used both to represent a User in our system as well as handle intergrating with cbauth and cbguard. Properties are mapped to columns. The plural component name is used as the table name. A fluent syntax based off of qb is used to create, retrieve, update, and delete records. I think you'll find it a joy to work with.

There are plenty of other modules added and configured:

  • cbValidation is used to make sure all the data used is valid.
  • bCrypt is used to hash passwords in the database.
  • commandbox-dotenv and commandbox-cfconfig are installed to start up our servers with the correct settings.
  • A users table migration is provided and commandbox-migrations is installed to apply it.
  • Form submissions are automatically checked for a CSRF token with verify-csrf-interceptor.
  • Even niceties like redirectBack and a custom UniqueInDatabase validator are provided to completely show how I would start off an authentication system using ColdBox and Quick.
  • And last, but not least, code formatting is handled automatically using commandbox-cfformat.

The best part, this is just the starting point! Is this good enough for you? Get going on the rest of your app. Need some more information for your users? Add a migration, modify the form, and update the entity component. Have a different authentication system like LDAP or OAuth? Update your authenticationService with cbauth in your config/ColdBox.cfc file.

You can get started today using this new skeleton in your coldbox create app command:

coldbox create app skeleton=cbtemplate-quick-with-auth

Edit your .env file and server start!

I hope this gets you up and going faster than ever creating your awesome ColdBox applications!

Add Your Comment

Recent Entries

Into the Box - Updates as of June 27th, 2022

Into the Box - Updates as of June 27th, 2022

Into the Box Super Early Bird ticket pricing is over, but you can still get the Early Bird. Last week we had more episodes of the Modernize or Die Podcast - Conference Edition for ITB 2022 and announced the first 2 groups of Pre-Conference Track for Into the Box.

Gavin Pickin
Gavin Pickin
June 27, 2022
Ortus Content Digest for week of June 24th

Ortus Content Digest for week of June 24th

What has Ortus been publishing this week? We have the CFML News Podcast, more ITB Workshop Podcasts, some CFCasts and YouTube Videos, lots of Ortus and ITB Blog Posts. We have a lot more planned for next week as well

Gavin Pickin
Gavin Pickin
June 24, 2022
Online CF Meeting Series on Code Reuse, 3rd Party Libraries and Package Management

Online CF Meeting Series on Code Reuse, 3rd Party Libraries and Package Management

Gavin has presented several webinars on the Online ColdFusion Meetup with Charlie Arehart. This series was inspired by many questions from customers and community members, wanting to learn more about code reuse, when should they write their own modules, when should they use java or coldfusion/cfml packages, and why should people use CommandBox and ForgeBox vs manually handling your 3rd party and shared libraries. This series tries to go back to basics, and explain pros and cons of each approach, hopefully shedding light and demystifying 3rd party libraries, package management, CommandBox endpoint installations, and ForgeBox being the home of all CFML, not a tool for box only products and tools. Check out this blog post for all of these sessions, and links on how to view them on YouTube.

Gavin Pickin
Gavin Pickin
June 23, 2022