[geeklog-devel] Code feedback on Re: A&A AEPasswordGenerator.class.php
tony at tonybibbs.com
Tue Jun 22 14:25:30 EDT 2004
Vinny, duh, I just noticed that my last item about configuring the rules
was wrong. You do do that. However, we need to figure out how to make
the configuration easier. User's shouldn't see the actual regex's in
the config file....they are scary ;-)
Tony Bibbs wrote:
> I meant to include everybody else in on this as well.
> -------- Original Message --------
> Subject: Re: A&A AEPasswordGenerator.class.php
> Date: Tue, 22 Jun 2004 13:15:21 -0500
> References: <8319e2d6040622083174ac3d6b at mail.gmail.com>
> Vinny, a couple of notes.
> 1) This is more of a personal thing. I hate appreviate IF..THEN so
> stuff like this:
> $len = ($gConf['randompasswordlength'] >= 4) ?
> $gConf['randompasswordlength'] : 4;
> Should be replace with the traditional IF..THEN. This is more of a
> readability thing really. This sort of stuff will get ironed out more
> when we get formal coding standards agreed on. We should do that in
> the next week or so.
> 2) Most of your config variables have some sort of Auth_Enterprise
> equivalent in AEServerConfig.php. Not a huge deal but we should
> either replace what I have or modify your code to use mine.
> 3) Your code assumes pspell and crack are in the path. We should have
> config variables for them. In fact we may want to include a user
> executable path:
> $gConf['user_executables'] = '/usr/bin/';
> $gConf['path_pspell'] = $gConf['user_executables'] . 'pspell';
> $gConf['path_crack'] = $gConf['user_executables'] . 'crack';
> We should also add an option for the pspell dictionary as we don't
> want to assume english.
> 4) Use of die() in Auth_Enterprise should not be allowed. Instead we
> should throw an exception and let the calling application figure out
> what to do more gracefully. You can either use one of the ones I have
> in AEExceptions.php or add a new one for that case to that file.
> Finally, in general I like the concept of my code in that they can
> configure if they require lowercase, require upper case, require
> special chars. To that end, we should have regular expressions for
> all those permutations. Also the minimum and maximum password length
> should probably be configurable.
> The regex's are nice. It's probably a better way to go. Good work.
> If you have questions let me know. When we get this all ironed out,
> do you want to take a stab at adding these updates?
> FWIW, this is a great example of how the OO-nature of Auth_Enterprise
> has. SHould someone not like our implementation fo
> AEPasswordGenerator, they can write their own, drop it in their
> filesystem and start using it.
> Vincent Furia wrote:
>> I rewrote the password generator/validator using regex to give much
>> more flexibility when it comes to creating rules (see attached).
>> Since the generator is creating a random password (can really only be
>> broken brute force) from a decent sized set of characters I didn't
>> think enforcing any rules is really necessary. Especially since A&A
>> should probably force a password change after a password reset upon
>> first login...
>> Also, I thought I'd suggest password reset support like Dirk has place
>> into the most recent version of Geeklog. i.e. you send a link that
>> includes a big random value (hash of some kind) and make the user
>> change their password when following the link. The is easy to
>> implement with a built in Auth system, not sure how you would do this
>> (or force a password change) with A&A... Catch me on IRC sometime and
>> we can talk more about it...
>> Anyway, hope the like the changes I made. The rest of A&A looks
>> pretty good, if a bit of overkill for most people running Geeklog. :)
>> I think it'd be cool if we implemented single sign on. I wasn't sure
>> if you had any ideas how to implement that, again I'd be happy to chat
>> (IRC or voice) with you about it sometime.
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
More information about the geeklog-devel