[geeklog-devel] Code feedback on Re: A&A AEPasswordGenerator.class.php

Tony Bibbs tony at tonybibbs.com
Tue Jun 22 14:16:47 EDT 2004

I meant to include everybody else in on this as well.


-------- Original Message --------
Subject: 	Re: A&A AEPasswordGenerator.class.php
Date: 	Tue, 22 Jun 2004 13:15:21 -0500
References: 	<8319e2d6040622083174ac3d6b at mail.gmail.com>

Vinny, a couple of notes.

1) This is more of a personal thing.  I hate appreviate IF..THEN so 
stuff like this:

$len = ($gConf['randompasswordlength'] >= 4) ? 
$gConf['randompasswordlength'] : 4;

Should be replace with the traditional IF..THEN.  This is more of a 
readability thing really.  This sort of stuff will get ironed out more 
when we get formal coding standards agreed on.  We should do that in the 
next week or so.

2) Most of your config variables have some sort of Auth_Enterprise 
equivalent in AEServerConfig.php.  Not a huge deal but we should either 
replace what I have or modify your code to use mine.

3) Your code assumes pspell and crack are in the path.  We should have 
config variables for them.  In fact we may want to include a user 
executable path:
$gConf['user_executables'] = '/usr/bin/';
$gConf['path_pspell'] = $gConf['user_executables'] . 'pspell';
$gConf['path_crack'] = $gConf['user_executables'] . 'crack';

We should also add an option for the pspell dictionary as we don't want 
to assume english.

4) Use of die() in Auth_Enterprise should not be allowed.  Instead we 
should throw an exception and let the calling application figure out 
what to do more gracefully.  You can either use one of the ones I have 
in AEExceptions.php or add a new one for that case to that file.

Finally, in general I like the concept of my code in that they can 
configure if they require lowercase, require upper case, require special 
chars.  To that end, we should have regular expressions for all those 
permutations.  Also the minimum and maximum password length should 
probably be configurable.

The regex's are nice.  It's probably a better way to go.  Good work. If 
you have questions let me know.  When we get this all ironed out, do you 
want to take a stab at adding these updates?

FWIW, this is a great example of how the OO-nature of Auth_Enterprise 
has.  SHould someone not like our implementation fo AEPasswordGenerator, 
they can write their own, drop it in their filesystem and start using it.


Vincent Furia wrote:

>I rewrote the password generator/validator using regex to give much
>more flexibility when it comes to creating rules (see attached). 
>Since the generator is creating a random password (can really only be
>broken brute force) from a decent sized set of characters I didn't
>think enforcing any rules is really necessary.  Especially since A&A
>should probably force a password change after a password reset upon
>first login...
>Also, I thought I'd suggest password reset support like Dirk has place
>into the most recent version of Geeklog.  i.e. you send a link that
>includes a big random value (hash of some kind) and make the user
>change their password when following the link.  The is easy to
>implement with a built in Auth system, not sure how you would do this
>(or force a password change) with A&A...  Catch me on IRC sometime and
>we can talk more about it...
>Anyway, hope the like the changes I made.  The rest of A&A looks
>pretty good, if a bit of overkill for most people running Geeklog. :)
>I think it'd be cool if we implemented single sign on.  I wasn't sure
>if you had any ideas how to implement that, again I'd be happy to chat
>(IRC or voice) with you about it sometime.

More information about the geeklog-devel mailing list