Server Requirements

In order to install Vanguard application, your server must meet following requirements:

• PHP >= 5.3.0
• PDO PHP Extension
• PDO MySQL Extension

Installation Wizard

After downloading the ZIP archive, and uploading it to your server, first thing you have to do is to create the database where system tables will be created. Let's say, you create the database called as.

Step 1 - Welcome Screen

When you have your database created and ready to use, just navigate to the AS folder on your server and installation wizard will be displayed immediately. For example, if you have uploaded AS script into auth folder on your server, then you will be able to start the installation simply by accessing yourdomain.com/auth from your browser. After accessing the described url, the installation wizard will be displayed.

Step 2 - System Requirements

By clicking the "Next" button in bottom right corner, "System Requirements" step will be displayed. On this screen you are able to see if your server meets all requirements necessary to install and use the Advanced Security application. If your system meets all the requirements, you can proceed to next step by clicking "Next" button.

Step 3 - Database Info

On this step you need to fill in the database information required for successfully connection to MySQL database. After filling in the required fields, installation wizard will try to connect to your database and, in case there are some problem while establishing the connection, appropriate error message will be displayed.

Step 4 - Installation

This step is final configuration step that is required to successfully install the application. Here you need to provide your application/website name as well as domain (without http://, https:// or www prefix). After you provide the required information, just click "Install" button and application should be installed in matter of seconds.

Step 5 - Complete

This is the last step of the installation wizard, which means that everything is installed properly and that you can start using your application. By clicking "Log In" button you will be redirected to the login page, where you can login with default administrator credentials:

• Username: admin
• Password: admin123

Note! Since your ASEngine directory is still writable, you should change the permissions to 755 to make it writable only by root user.

Timezone

By default, time zone is set to UTC after you install the application. You can modify that by replacing "UTC" with some other time zone available on following url: http://php.net/manual/en/timezones.php

For example, if you want to set up timezone to America/New_York, your configuration should look like this:

date_default_timezone_set('America/New_York');

Website Info

ASConfig file also contains some default website configuration parameters, like website name, domain and script url. You can update those parameters here if you need to, but they all should be properly generated after script is installed.

If you decide to change WEBSITE_DOMAIN parameter, make sure that you prefix it with http:// or https://.

SCRIPT_URL parameter represent absolute url to the folder where script is installed. It can look the same as WEBSITE_DOMAIN if your script is installed inside the website root folder, but if it is installed inside some subfolder, the subfolder name should be added here too. For example, if you have installed the script inside auth folder, your SCRIPT_URL constant should look like this:

define('SCRIPT_URL', 'http://as2.dev/auth');

Database Configuration

In order to install the script, you have to provide database credentials, and those credentials are stored into ASConfig.php file after installation is completed. However, if you decide to change some database credentials/ information, you don't have to reinstall the script. You can update those information here:

DB_HOST - Your database host. If your database is on the same server as your script, it usually means that you should put localhost here.

DB_TYPE - By default, AS support only mysql database, and that means that value of this constant should be set to mysql. Since AS is built on top of PDO, it means that you can use it with some other databases with only few modifications. One of them is to change the value of this constant, and other than that, you will probably have to update the constructor of ASDatabase class, so it can successfully connect to your database.

DB_USER - DB User's username.

DB_PASS - DB User's password.

DB_NAME - Name of database you are connecting to.

Session Configuration

SESSION_SECURE (default false) - This constant allow us to force secure sessions if we want to. That actually means that, if you are accessing the website over HTTPS, and you set this parameter to true session won't start if you access the website via HTTP. It's recommended to set this parameter to true in case you want to access the website ONLY via HTTPS.

SESSION_HTTP_ONLY (default true) - When this option is set to true, generated session cookie will be only accessible by your browser and not from JavaScript code. It is recommended to keep it to true for security reasons.

SESSION_USE_ONLY_COOKIES (default true) - Specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. It's recommended to keep the default value

Login Configuration

LOGIN_MAX_LOGIN_ATTEMPTS (default 20) - Maximum invalid login attempts before user's account is locked for current day. This configuration parameter is used to prevent brute-force attacks, so keep in mind that setting it to some huge number will make it useless.

LOGIN_FINGERPRINT (default true) - If this parameter is set to true, every time when user is logged in, hash function will generate string based on your IP Address and your browser name, and store it inside the session. This will prevent someone to steal your session. Note: It can cause problems if user IP address changes very often, so in that case you will have to turn it off by setting it to false.

SUCCESS_LOGIN_REDIRECT - List of redirect pages/URLs for each user role. By default, it will redirect the user to "index.php" page after successful authentication. For example, if you want to redirect users with admin role to users.php page after login, you can do it like this:

define('SUCCESS_LOGIN_REDIRECT', serialize(array(
    'default' => 'index.php', 
    'admin' => 'users.php'
)));

Password Configuration

PASSWORD_ENCRYPTION (default bcrypt if available) - Password hash algorithm. Available values are bcrypt and sha512. During the installation, installation wizard will try to set default algorithm to bcrypt if your system supports it. In case that bcrypt is not supported, sha512 will be used. It's recommended to use bcrypt algorithm if possible.

PASSWORD_BCRYPT_COST (default 13) - Bcrypt algorithm has it's cost parameter that will determine the number of rounds this algorithm will use to make the hashed version of provided string. It's recommended to keep it to default value of 13.

PASSWORD_SHA512_ITERATIONS (default 25000) - Number of iterations for sha512 hash function (if PASSWORD_ENCRYPTION is set to sha512). The default value is high enough, but it's highly recommended to use bcrypt algorithm if possible.

PASSWORD_SALT - Random, 22 characters long, string from the alphabet "./0-9A-Za-z". It generated during the installation process and you should keep it safe since it is used to hash your passwords.

PASSWORD_RESET_KEY_LIFE (default 60) - Password reset key life (in minutes). By default, when you request a password reset email, it will be valid in next 60 minutes. After it expires, you will have to request password reset email again.

Registration Configuration

MAIL_CONFIRMATION_REQUIRED (default true) - Is mail confirmation required upon successful registration. You can set it to false if you want to allow your users to login right after the registration, without forcing them to confirm their email.

REGISTER_CONFIRM (default url-to/confirm.php) - URL to the page that will be used for email configuration. It defaults to confirm.php page.

REGISTER_PASSWORD_RESET (default url-to/passwordreset.php) - URL to page that will appear after users click on password reset link inside password reset email.

Emails Configuration

MAILER (default mail) - PHP mailer that will be used for sending emails. Available values are mail and smtp. If you set it to mail (which is the default value) AS will try to use default PHP mail() function to send emails. However, keep in mind that some servers are not configured to send emails using mail() function, so you can have problems with it. Also, you probably won't be able to send emails from localhost, if you haven't configured your php installation. In that case, I recommend you to use some SMTP server for sending emails (like Mailgun) which offers 10,000 free emails per month, and it's really easy to set up.

If you want to use some external SMTP server, besides setting MAILER to smtp, you will have to configure all "SMTP_" parameters. Most services and SMTP servers will provide you the list of those parameters, and here is how you can configure it to send emails using your Gmail account:

define('MAILER', "smtp");
define('SMTP_HOST', "smtp.gmail.com");
define('SMTP_PORT', 465);
define('SMTP_USERNAME', "your_email_address@gmail.com");
define('SMTP_PASSWORD', "your_gmail_password");
define('SMTP_ENCRYPTION', "ssl");

In case that this configuration don't work as expected, try to set SMTP_PORT to 587 and SMTP_ENCRYPTION to tls. More info about Gmail SMTP settings can be found on this URL: https://support.google.com/a/answer/176600?hl=en

Note! If your server does not require encryption, just leave it blank.

MAIL_FROM_NAME - From name used in all emails that are being sent from the application.

MAIL_FROM_EMAIL - From email used in all emails that are being sent from the application.

define('SOCIAL_CALLBACK_URI', "http://yourwebsite.com/auth/socialauth_callback.php");

This is the url that you should enter everywhere you need to provide callback URL for social authentication.

Facebook Configuration

Here is an detailed explanation of how you can create an Facebook application and acquire application id and secret key, required for social authentication. During the application creation and configuration, make sure that you have entered correct application domain on application's settings page.

After you create an application, you can find your App Id and App Secret keys on your application's Dashboard. After you get the key and the secret, you should enable Facebook authentication and copy those keys into ASConfig.php configuration file as following:

define('FACEBOOK_ENABLED', true);
define('FACEBOOK_ID', "your_application_id_from_facebook");
define('FACEBOOK_SECRET', "your_application_secret_from_facebook");

Twitter

In order to create Twitter application, and get the required Application Id and Secret key, go to Twitter Application Management and click Create New App button at the top right corner. When app creation form is opened, fill all required fields and click Create your Twitter Application button at the bottom of the page.

Note! As it is mentioned above, your Callback URL is http://yourwebsite.com/socialauth_callback.php.

After application is created, go to Keys and Access Tokens tab, grab your Consumer Key and Consumer Secret and paste them into your ASConfig.php file as follows:

define('TWITTER_ENABLED', true);
define('TWITTER_KEY', "your_consumer_key");
define('TWITTER_SECRET', "your_consumer_secret");

Google+

In order to utilise Google+ Authentication, first you need to create new Google Project/Application. To do that, first you have to go to https://console.developers.google.com/projec, click Create project button at top left corner and enter your Project name.

After you have created your project, you now have to enable Google+ API and get the credentials that will be used for authentication. Go to https://console.developers.google.com/apis/library, select your project from dropdown available on top right header and click on Google+ API link inside the list of available Google APIs.

After opening the Google+ API page, click Enable API button in order to enable the API.

After enabling the API, the only remaining step is to get the credentials you need. Just click on Go to Credentials button, fill the displayed credentials form as following and click What credentials do I need? button:

After entering in the required application Name, make sure that you enter http://YOUR_DOMAIN in Authorized JavaScript origins section, and http://YOUR_DOMAIN/socialauth_callback.php in Authorized redirect URIs section (basically your SOCIAL_CALLBACK_URI from above).

After you fill those fields, click Create client ID button, provide your product name as required, and get your Client Id and Client Secret keys.

When you have those keys, the only thing left for you to do is to paste them into your ASConfig.php file as following:

define('GOOGLE_ENABLED', true);
define('GOOGLE_ID', "your_client_id");
define('GOOGLE_SECRET', "your_client_secret");

Available Locales

Out of the box, there are 7 different locales that come with AS:

• English
• Spanish
• French
• Russian
• German
• Serbian (Cyrillic) and
• Swedish

Adding New Locale

If you want to add new locale, all you need to do is to make a copy of existing language file (en.php for example) located inside Lang directory, rename it to ru.php for example, and translate it. Of course, since this translation file is organized as PHP array, you only translate those values to the right of => sign.

Next step you need to do is to add a new flag (or organize it however you want) and create a link that will point to ?lang=ru, and that's it.

Example:

<a href="?lang=ru">Russian</a>

Setting Default Locale

If you want to set up default application locale, all you need to do is to define it inside ASConfig.php file, like the following:

define('DEFAULT_LANGUAGE', 'es');

Note! You can name the language files however you want, but you must use the same name (without .php extension) when you define default language or change language by clicking the country icon. For example, if you create a file named es.php for the Spanish language, then you will use es everywhere you need to set the language to Spanish.

In this release, the whole codebase is refreshed and updated to support the latest version of PHP. A lot of files have been changed, but for some of them, there are some minor cosmetic updates, like adding return types to class functions, so you don't have to update those files if you don't want to.

The list of modified files:

 ASEngine/AS.php                                            |   25 +-
 ASEngine/ASAjax.php                                        |   46 +-
 ASEngine/ASComment.php                                     |   54 ++-
 ASEngine/ASCsrf.php                                        |   42 +-
 ASEngine/ASDatabase.php                                    |   37 +-
 ASEngine/ASEmail.php                                       |   18 +-
 ASEngine/ASHelperFunctions.php                             |   29 +-
 ASEngine/ASLang.php                                        |   65 +--
 ASEngine/ASLogin.php                                       |  236 +++++-----
 ASEngine/ASPasswordHasher.php                              |   25 +-
 ASEngine/ASRegister.php                                    |  151 ++++---
 ASEngine/ASResponse.php                                    |   36 +-
 ASEngine/ASRole.php                                        |   60 +--
 ASEngine/ASSession.php                                     |   27 +-
 ASEngine/ASUser.php                                        |  139 +++---
 ASEngine/ASValidator.php                                   |   60 +--
 assets/css/bootstrap.min.css                               |   12 +-
 assets/css/bootstrap.min.css.map                           |    2 +-
 assets/js/app/index.js                                     |   16 +-
 assets/js/vendor/bootstrap.bundle.min.js                   |    7 -
 assets/js/vendor/bootstrap.bundle.min.js.map               |    1 -
 assets/js/vendor/bootstrap.min.css.map                     |    2 +-
 assets/js/vendor/bootstrap.min.js                          |    7 +
 assets/js/vendor/bootstrap.min.js.map                      |    1 +
 assets/js/vendor/dataTables.bootstrap4.js                  |  184 ++++++++
 assets/js/vendor/dataTables.bootstrap5.js                  |   14 -
 assets/js/vendor/jquery-validate/additional-methods.js     | 2462 +-
 assets/js/vendor/jquery-validate/additional-methods.min.js |    6 +-
 assets/js/vendor/jquery-validate/jquery.validate.js        | 3230 +-
 assets/js/vendor/jquery-validate/jquery.validate.min.js    |    6 +-
 assets/js/vendor/jquery.dataTables.min.js                  |  354 +++++++--------
 assets/js/vendor/jquery.min.js                             |    4 +-
 assets/js/vendor/popper.min.js                             |    5 +
 assets/js/vendor/popper.min.js.map                         |    1 +
 composer.json                                              |   10 +-
 composer.lock                                              |  405 +++++++++--------
 confirm.php                                                |    4 +-
 index.php                                                  |   18 +-
 install/check.php                                          |    2 +-
 install/stubs/config.stub                                  |    8 +-
 login.php                                                  |   74 ++--
 passwordreset.php                                          |    4 +-
 profile.php                                                |   14 +-
 socialauth.php                                             |  148 ++++++-
 socialauth_callback.php                                    |  148 +------
 templates/footer.php                                       |    3 +-
 templates/header.php                                       |    2 +-
 templates/languages.php                                    |   16 +-
 templates/navbar.php                                       |   14 +-
 user_roles.php                                             |    4 +-
 users.php                                                  |   54 +--
 51 files changed, 4031 insertions(+), 4261 deletions(-)

To 3.0.1 from 3.0.0

This is a bug-fix release. You will need to update the modified application files given below to the latest versions and run composer update (or just overwrite the vendor folder if you are not using composer).

Modified files:

 ASEngine/AS.php     |   2 +-
 ASEngine/ASUser.php |   2 +-
 assets/css/app.css  |   8 ++++++++
 composer.json       |   2 +-
 composer.lock       | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------
 login.php           |   2 +-
 socialauth.php      |   2 +-
 7 files changed, 126 insertions(+), 21 deletions(-)

To 3.0.0 from 2.4

Version 3, as another major version, has a lot of mainly frontend breaking changes and the only way to update it is to do do it manually and to update one file at the time.

The app now uses Bootstrap 4 and all frontend files are updated to match the new bootstrap classes. All javascript files are updated as well, so you will need to manually update your old javascript files.

Here are some guidelines that might help you in the update process:

• All JavaScript files are moved from ASLibrary folder to assets/js/app folder and ASLibrary folder is removed from the app.

• All application CSS files are now in assets/css folder.

• You can overwrite the complete install folder if you haven't removed it from the app. This will make sure that all future installations of the app work properly.

• Some of the backend files from ASEngine directory have been refactored, so it is recommended to update them too.

• The app now uses jQuery Validation plugin for frontend validation, which has it's own language files. The files are located inside assets/js/vendor/jquery-validate/localization directory in case you want to customize them.

• Overwrite your vendor folder with latest one. In case you modified something inside the vendor folder, just copy new files instead of overwriting. This version is using the most recent packages (which you can update by running composer update btw) so it is important that you update them so application can work properly (especially for social authentication feature).

• Update all files from Lang directory to the latest version, since version 3 of the app have a few more translation strings added.

To 2.4 from 2.3

This version contains few bug fixes from previous release. Here is what you wound need to do:

• Overwrite your vendor folder with latest one. In case you modified something inside the vendor folder, just copy new files instead of overwriting. This version is using the most recent packages (which you can update by running composer update btw) so it is important that you update them so application can work properly (especially for social authentication feature).

• Copy new file called socialauth_callback.php to your AS root directory.

• Update socialauth.php file with the latest one.

• Update your social callback url to look like following: http://yourdomain.com/socialauth_callback.php

• Update ASEngine/ASCsrf.php file to the latest version.

• Overwrite complete install folder if you haven't removed it from the app. This will make sure that all future installations of the app work properly.

• Make sure that your ASEngine/ASDatabase.php file is up to date with latest version.

• Update ASEngine/ASLang.php file to match the latest version.

• Update ASEngine/ASEmail.php file to match the latest version.

• Make sure that you have de.php file inside your Lang folder and then update templates\languages.php file to add German language to the top list of available languages. Also, if you want to display German flag there, you can copy it from the latest version where it is located inside assets\img folder.

To 2.3 from 2.2

This update contains a lot of changes comparing to previous version, and in order to properly do the update, I recommend you to go through all files and carefully update them. In case you haven't modified any of AS files, just overwrite everything and there should not be any issues.

Here are some guidelines on how you should perform the update:

Vendor Folder

Overwrite your vendor folder with latest one. In case you modified something inside the vendor folder, just copy new files instead of overwriting.

Install Folder

Completely replace the install folder. This is not required if you have app in production, since you won't install it again.

ASConfig

Since SESSION_REGENERATE_ID constant is removed, and session is regenerated always when some critical actions occur (after successful authentication, after user update his password etc), you can remove the constant from your ASConfig.php file.

Add following constants to ASConfig.php file:

// Name used when emails are sent from your server. 
// Default is your website name.
define('MAIL_FROM_NAME', "your_mail_from_name_here");

// Email used when emails are sent from your server.
// The recepients will see this as an email from
// which they receive their emails.
define('MAIL_FROM_EMAIL', "your_from_email_here");

PHP Classes

Copy new classes into ASEngine folder Update ASEngine\AS.php file to the latest version

Go through all PHP classes, one by one, and move all dependencies to the constructor. For example, if somewhere inside ASUser class you have $validator = new ASValidator(); you will create new protected $validator; property and move the ASValidator instance to be passed through the constructor (check latest version of ASUser class). Now, everywhere inside ASUser class you will use validator instance like $this->validator

This has to be done with all dependencies in every PHP class that AS has, and the easiest way to find all dependencies is to simply search the file for "new" keyword. This is simple preparation for some future updates that will modernize the code structure and make script testable and easier to maintain.

Assets

You should update assets folder to match the latest version. This basically means that you must copy all new files and folders from latest version, but you don't have to remove old files if you don't want to. Script will just ignore them if they are not included on your pages.

Update ASLibrarly/js/users.js, ASLibrarly/js/roles.js and ASLibrarly/js/register.js to the latest version that contains few fixes. Other JavaScript files located inside ASLibrary/js folder are not modified.

Copy newly created js-bootstrap.php file into ASLibrary/js directory.

Pages

Go through all pages (login.php, index.php...) and apply all changes from latest version. If you haven't modified those files, you can just overwrite them.

In case that you are using your own design, you probably don't need to change anything that is HTML/CSS/JavaScript related. All you have to do in that case is to update the query that is responsible for fetching data and displaying it to database (usually located on top of every file).

Update templates/footer.php to include some common scripts as well as newly created js-bootstrap.php file that is now used to initialize $_lang variable and set up jQuery AJAX to send CSRF token automatically. This means that you should now remove $_lang variable initialization from any other files than js-bootstrap.php.

When you try to access any protected file (file that requires authentication) you will automatically be redirected to login page. From there, you are able to log in using your username and password. Login form:

After successful authentication user will be redirected to the default page for his role as it is described in the configuration section.

Registration

In case that user doesn't have an account, he can create it manually from the registration form (displayed below) or by using any social authentication provider (if enabled by website owner).

After successful registration, a user will receive a confirmation email, if it is enabled inside the configuration, and after he confirms his email he will be able to log into the application.

Note! Email confirmation only makes sense if a user has registered by manually filling the registration form. For social authentication, there is no need for email confirmation.

Social Authentication

If Social Authentication is enabled as it is described on social authentication page, then all users are able to create an account (or login if they already have an account) to your system via Facebook, Twitter and Google+ by clicking the desired social network button:

When a user authenticates with the system for the first time via some social network, his account is automatically created and stored in the database. If he tries to log in again via some other social network option, the system will check if his email exists in the database and, if it does, it will be associated with existing account! If it doesn't, a new account will be created.

Password Reset

If you have forgotten your password, just select "Forgot password?" tab and enter your email address. The system will send you password reset email which contains a password reset link. If you click on that link, you will be redirected to password reset page, where you can provide your new password that will replace the old one. Forgot Password and Password Reset forms are displayed below:

Posting comments is actually a demonstration of how the Advanced Security System can be used in some real-world situations. If your user role is set to user (this is the default value when a new user successfully completes the registration process), you won't be available to post comments.

However, if the administrator changes your role to Editor, or any other custom created role, you will be able to post comments.

Posting comments is just an example here, but you get the idea of what you can do by applying the same logic.

You can navigate to profile page by clicking My Profile from sidebar navigation menu or from the drop-down menu from top-right corner. The profile page is displayed below:

From the profile page, users are able to update details like First and Last name, Address and Phone. Also, on the same page, they can change their password.

Note! Users are not able to change their username and email address. If they want to change any of those details, they will have to contact the administrator.

To do this, go to Users page.

There is 3 type of users (3 different user roles) by default:

• Admin
• Editor
• User

For every user displayed in the users table, there is one blue button in "Action" column. Depending on the user's role, text on the blue button can be User, Editor or any new role added by admin. Admin users won't be displayed there since there can be only one admin. More about how you can utilize different user roles and act differently for different user roles can be found in the authorization section.

On users page, you are able to search through all users by typing words inside the search box located above the table. Users will be automatically filtered and displayed. Also, you can sort all columns the column header, and paginate through table records using pagination located below the users table.

Create New User

As an administrator, you can add new users manually. To do that, just click "Add User" button located above the users table and fill the required info.

Edit User

Edit existing users is also a breeze. Just click small caret to the right of the blue button and select "Edit".

Display User Details

In order to view user details without editing them, just click the small caret to the right of the blue button, and select Details option from the drop-down menu.

Ban User

If you want to keep the user in the database and just disable his account, you can simply ban that user by selecting Ban option from drop-down menu. All banned users have their button inside Action column painted in red.

Delete User

You can delete the specific user by clicking small caret to the right of the blue button, and select the Delete option from the drop-down menu.

Change User's Role

User role can be changed to any available user role, no matter if its a default or manually added one. You can change user's role by clicking small caret to the right of the blue button and selecting Change Role

After that, just select the desired user role from the dropdown list and click Ok.

Create New Role

To add a new role, simply enter new role name and click Add. The new role will be automatically added. It's recommended to use one-word role because it will be easier for you to check if the user has a specific role inside the source code. Every role name will be converted to lower case.

Delete Role

To delete a role, just click Delete button next to role you want to delete. If there are users that already have this user role, they will be returned back to the User role.

Debug Mode

By default, the system is configured to not display any errors. This is simply the way to protect some sensitive information that can possibly be displayed to your end users when your website is in production.

However, while developing some new features or customizing the system, it's much easier if you enable the DEBUG mode and see all the errors on the screen. To enable DEBUG mode, just edit ASEngine\AS.php and DEBUG constant to true.

Note! Always set DEBUG to false when your website is in production!

Debugging AJAX Requests

Since this script uses AJAX for communicating with the server, it's useful to know how you can debug all those ajax requests to see if something went wrong with it. The following guide is for Chrome users, but it's almost identical in any browser.

1) Open "Chrome Developer Tools" by simply clicking anywhere on the page and selecting "Inspect" from the context menu. More details and shortcuts are available here.

2) Navigate to Network tab. Here you will be able to see all HTTP request sent from your browser.

3) Perform any action inside the AS (we will add new comment for the sake of this example) and check the Request/Response info:

As you can see from that screenshot from above, you are able to see complete request and response including all headers and data. This will help you to see if the server returns everything you expect for specific HTTP Request. In case that you have debug mode enabled, and there are some PHP errors, they will be displayed here as well.

A dependency injection (DI) container can be defined as an object that knows how to instantiate and configure objects and all their dependent objects.

Lets take a look into an example to better understand how you can use DI Container to instantiate objects. We will use some pseudo Container class here, just so you can get the basic idea.

$container = new Container();

// Tell the container how he should instantiate the UserService class.
// This class depends upon UserRepository, so it has to be passed as 
// a parameter.
$container->bind('user_service', function () {
    return new UserService(new UserRepository);
});

// Getting user service out of the container
$userService = $container->get('user_service');

// We can now use $userService (which is intance of UserService class)
// and do anything we want with it without worrying about how it is 
//instantiated.

UserService class has only one dependency, so it is not a problem to instantiate it whenever we need it. However, imagine some class with 3-4 dependencies where each dependency has it's own dependencies. It will be a nightmare to instantiate such classes. That's where DI Container comes into play and make things a lot easier.

You can start learning more about Dependency Injection and DI Containers here: http://www.phptherightway.com/#containers

Pimple

Pimple is a small Dependency Injection Container for PHP, and since AS starves to simplicity and ease of use, it uses Pimple to make instantiating classes a breeze.

Here is an example how to use Pimple for our UserService from previous chapter:

$container = new Pimple\Container();

$container['user_service'] = function () {
    return new UserService(new UserRepository);
});

// Getting user service out of the container
$userService = $container['user_service'];

More about Pimple is available here.

Pimple in AS

All Advanced Security classes (starting from version 2.3) are being instantiated out of the container.

For example, if you want to instantiate ASLogin class, which has two dependencies (ASDatabase and ASPasswordHasher), can be instantianted like this:

$asLogin = $container['login'];

And it is bound to a container like this:

$container['login'] = $container->factory(function ($c) {
    return new ASLogin($c['db'], $c['hasher']);
});

AS provides one additional helper method app() that can be used to resolve some class out of the container anywhere inside the application. For example, if we want to resolve this ASLogin class, as in example above, we can do it by using app function like following:

$asLogin = app('login');

All container bindings are defined inside ASEngine/AS.php file, so you can check that file and learn more about how you can instantiate different AS classes out of the container.

<?php

include 'ASEngine/AS.php';

if (! app('login')->isLoggedIn()) {
    redirect("login.php");
}

The code above will just check if user is logged in, and redirect him to login.php if he is not logged in.

If you want to redirect users to any other page (instead of login.php), just update the redirect function and pass the page (or external URL) you want.

Note! Make sure that you place the code snippet from above at the very top of your php file. There shouldn't be any HTML (not even a empty space) before it since that will prevent PHP session to start properly.

Redirect to a custom page after login

Check login configuration section for more information.

AJAX Forms

If you are using jQuery and send form data via AJAX, then you just need to make sure that following script is included on your page (right after you include jQuery), since it will configure all AJAX requests to automatically send CSRF token to the server:

<!-- Make sure that this script file is included on the page after you include jQuery -->
<script src="app/js/app/bootstrap.php"></script>

This script is already included on all AS pages by default (check templates/footer.php for example).

Regular Forms

If you are not using AJAX to send the data to the server, and you use regular <form> elements instead, you will need to add CSRF token as a hidden input field to each form you create. The hidden input field should look like the following:

<from>
    <input type="hidden" name="<?= ASCsrf::getTokenName() ?>" value="<?= ASCsrf::getToken() ?>">
    <!-- ... -->
</from>

By including ASEngine/AS.php file into some of your own files, your session will be automatically started. However, if you want to do it by your self, you need to call startSession() method from ASSession class.

ASSession::startSession();

Note! Always start session using this function because it will start secure session!

If you want to destroy existing session, just call destroySession() method:

ASSession::destroySession();

In order to store something to the session, you can use set method

ASSession::set("something", 5);

And if you want to get something from the session, for example user ID, call get method

$userId = ASSession::get("user_id");

If you want to unset some session item, you can do it by calling destroy method

ASSession::destroy('someething_that_was_set_before');

Session Lifetime

By default, AS session cookie will use lifetime configuration from your php.ini file, which usually means that session cookie will expire right after you close the browser window. In order to modify that, just edit ASSession class and inside startSession function replace $cookieParams["lifetime"] with an integer that represent lifetime of the session cookie in seconds. For example, if you want your cookie to expire after 2 hours, your startSession method should look like following:

public static function startSession()
{
    //...
    session_set_cookie_params(
        7200,
        $cookieParams["path"],
        $cookieParams["domain"],
        SESSION_SECURE,
        SESSION_HTTP_ONLY
    );
    //...
}

Session Cookie for Multiple Subdomains

In order to allow auth cookie to be shared across multiple subdomains, just go to ASEngine/ASSession.php, and replace $cookieParams["domain"] with .domain.com inside startSession method, and you are good to go.

// Id of currently authenticated user
$userId = ASSession::get('user_id');

This ID can be used anywhere inside the application where we need to get the id for the current user. However, just to make things easier, information for the currently authenticated user is stored inside the container, so you can easily get all the info about the user without having to manually fetch his info. More about it in the following section.

User Details

As mentioned, all details about currently authenticated user are stored inside the container and can be easily accessed from anywhere inside the application like this:

$user = app('current_user');

// $user is actually a stdClass object, and it contains 
// the following data
$user->id; // user's unique id
$user->email; // user's email address
$user->first_name; // user's first name
$user->last_name; // user's last name
$user->confirmed; // boolean - TRUE if user is confirmed, FALSE otherwise
$user->role; // name of user's role
$user->role_id; // role id
$user->phone; // user's phone number
$user->address; // user's address
$user->is_banned; // boolean - TRUE if user is banned, FALSE otherwise
$user->is_admin; // boolean - TRUE if user is admin (has "admin" role), FALSE otherwise
$user->last_login; // Date and time last login

The advantage of this approach is that you can access the current user anywhere inside the application, and it is smart enough to query the database only once, no matter how many times you call app('current_user').

You can get the basic user info (data from as_users db table) like following:

$info = app('user')->getInfo($userId);

$info will be an array containing following information:

$user_id            = $info['user_id'];
$email              = $info['email'];
$username           = $info['username'];
$password           = $info['password']
$confirmation_key   = $info['confirmation_key'];
$confirmed          = $info['confirmed'];
$password_reset_key = $info['password_reset_key'];
$register_date      = $info['register_date'];
$user_role          = $info['user_role'];
$last_login         = $info['last_login'];

Note app('user') will just resolve the instance of ASUser class for you (check container section for details). If you want to get the user's info from some other class that already have instance of ASUser class injected through the constructor (like ASComment class for example), you can use it like usual: $this->users->getInfo($userId).

Update Info

You can update every user's information by passing it as an array item to updateInfo method.

So, if you want to update user's email, you will do this:

app('user')->updateInfo($userId, array(
    "email" => $newEmail
));

And if you want to update last_login, username and confirmation_key, you will just put it inside an array, and pass it to updateInfo function, like this

$user->updateInfo($userId, array(
    "last_login" => $newLastLoginValue,
    "username" => $newUsername,
    "confirmation_key" => $newConfirmationKey
));

Note Don't forget that you can get the id for currently authenticated user from the container.

Get Details

You can get user details (data from as_user_details db table) like following:

$details = app('user')->getDetails($userId);

$details will be an array with following fields:

$first_name = $details['first_name'];
$last_name  = $details['last_name'];
$address = $details['address'];
$phone = $details['phone'];

Update Details

Updating user details works the same as updating user info.

So, if you want to update address and phone, you can do it like following:

app('user')->updateDetails($userId, array(
     "address" => $newAddress,
     "phone" => $newPhone
));

User's Role

As it was already mentioned inside current user page, we are able to get the role of currently authenticated user like following:

$role = app('current_user')->role;

If we want to get the role of any other user, all we need is his id:

$userId = 123;

// $role variable will now contain the role name for 
// user with provided id
$role = app('role')->getRole($userId);

Role-specific Content

And now, let's say that currently authenticated user is able to leave the comment on our home page only if he does not have the user role. This can be accomplished as follows:

$role = app('current_user')->role;

<?php if($role != 'user'): ?>
      <div class="leave-comment">
            <div class="control-group">
                <h5>Leave comment</h5>
                <div class="controls">
                    <textarea id="comment-text"></textarea>
                    <button class="btn btn-success" id="comment">Comment</button>
                </div>
            </div>
      </div>
<?php else: ?>
      <p>You can't post comments here until admin change your role.</p>
<?php endif; ?>

Opening the Connection

You can get the instance of ASDatabase class out of the container, like following:

$db = app('db');

Since it is resolved out of the container as a singleton, every time you call app('db') you will get the same instance of ASDatabase class, which prevents simultaneous database connections during the same HTTP request.

SELECT

Just write regular SQL query and use parameters instead of variables (:id is parameter in this case). The second method parameter is bind array. This is an array where the key represents the name of SQL query parameter (id in this case, without ":") and value for that key should be the value you want to replace that parameter inside SQL query:

$result = $db->select(
    "SELECT * FROM `as_user_details` WHERE `user_id` = :id",
    array ("id" => $userId)
);

If you don't have any parameter inside SQL query, just don't pass anything as a second method parameter, as follows:

$result = $db->select("SELECT * FROM `as_users`");

The result will always be an array!

If result should be only one database row or only one database column, you can access it like this:

//result of first query
$userDetails = $result[0];

If there will be multiple rows, you can iterate through them with simple foreach:

foreach($result as $user) {    
    echo $user['email'];    
    echo $user['username'];    
}

INSERT

In order to insert something into the database, insert method need 2 parameters.

The first parameter is table name and the second one is an array where keys represent names of database columns, and values represent what should be written into that database column.

So, if you want to insert a new user into your database, you need to write this:

$db->insert('as_users', array(
    "email" => $email,
    "username"  => $username,
    "password"  => $password,
    "confirmation_key" => $key,
    "register_date" => $date
));

UPDATE

Update method needs 4 parameters.

• First one is database table that should be updated.

• Second one is array where keys are names of columns that should be updated and values are new values for those columns.

• Third parameter is SQL WHERE query part. Remember that you need to use sql parameters for every variable that you want to pass to the query to prevent SQL Injection.

• And fourth parameter is bind array with key => value pair for every sql parameter you have added into sql query.

So, if you want to update user's password, and you have $userId for that user, you can do it like this:

$db->update(
    'as_users',
    array ("password" => $newPassword),
    "user_id = :id",
    array("id" => $user_id)
);

This is actually converted to

"UPDATE `as_users` SET `password` = '$newPassword' WHERE `user_id` = '$user_id'"

but we use PDO prepared statements to prevent SQL injection!

DELETE

In order to delete something from database, you need to pass 3 parameters to delete method:

• First one is database table name from which you want to delete.

• Second is SQL WHERE query part, using parameters.

• And third is an array with key => value pair for every SQL parameter inside your WHERE query part.

So, if you want to delete all comments posted by user with specific $userId, you need to do the following

$db->delete(
    "as_comments",
    "posted_by = :id", 
    array("id" => $userId)
);

$comment = app('comment');

Adding New Comment

To insert new comment into database, you need $userId of user who is posting the comment and comment text.

Usually logged user is posting the comment (unless you want to make it different) and his user Id can be found inside the session, or you can get it from the container, as it is explained here.

To insert new comment, just call insertComment method and pass two mentioned parameters

$comment->insertComment($userId, $commentText);

User's Comments

If you want to get all comments from specific user, you need to do the following

$comment->getUserComments($userId);

Last X Comments

To get last X comments from database, just call getComments method and pass number of comments as parameter. If you call getComments without parameters, you will get last 7 comments from database.

$comment->getComments();   //returns last 7 comments
$comment->getComments(20); //returns last 20 comments

However, if you just want to redirect your customers back to the page they tried to access before they were redirected to the login.php page, you will need to modify the application like following:

1) Add the following code to the login.php file, right below the AS.php file is included:

ASSession::set('prev_page', $_SERVER['HTTP_REFERER']);

2) Modify the userLogin method in ASLogin class by updating the respond function call at the bottom of that method to look like the following:

//...

respond(array(
    'status' => 'success',
    'page' => ASSession::get('prev_page', get_redirect_page())
));