Creating initial user


Once the tables are created and the templates installed, you need to prepare your RBA for use. One of the first things required is an initial user that acts as system administrator. For this, there is a special module: 'add_initial_user'.

You can run this application only when the user table is empty; otherwise you will get an error message.



Please do not add this module to your menu and remove it from your production system when not in use. That prevents any misuse of this application.

The module asks for the following fields:

  • UserId: name to log in with.
  • User Display Name: name to display in headers etc.
  • UserPsw: initial password.
  • UserEmail: email address for notifications.
  • UserRegdate: date of registration.
  • UserExpDate: date of expiration (set to the far future if not in use).
  • UserVerify: random code for the user to activate his account.


Synchronize applications


Before you can assign applications to groups, you must add all the applications to the application list. As that can be a lot of work, there is a function to synchronize. This function only adds applications to the application table; it does not (automatically) delete modules that you have removed from your project. If you delete modules from your project, the generated modules will still be in your deploy area, so after a new synchronization those modules may re-appear. In that case, go to deployment -> purge local deployed files and regenerate your project, then deploy your runtime and/or images depending on your project setting (private/shared libraries).




Activating account


All users, the system admin included, must activate their user account. If you use MFA, then you must also activate your TOTP token. While developing, it is handy to build, generate and run your application without the security getting in the way. So we advise you, as a developer, to implement the security features in the last stage of your project.


Activate without TOTP


If you do not use TOTP, entering the user id and the activation code activates the account. If you use a user registration procedure, the user can use a link sent in an email; that link carries a generated complex code. For the initial setup, you entered this code in the initial user setup, or when you added a user manually. (apply_registration.php)
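The empty-table guard of the initial user module and the activation check without TOTP, as an added example (not PHsPeed's own add_initial_user or apply_registration.php code). It assumes a 'users' table with the columns listed under "Creating initial user", uses in-memory SQLite (pdo_sqlite extension) so it runs stand-alone, and the user data is constructed:

```php
<?php
// Added example (not PHsPeed's own add_initial_user or apply_registration.php):
// the empty-table guard, a random UserVerify code and the activation check.
// Assumes a 'users' table with the columns listed above; uses in-memory SQLite
// so it runs stand-alone, and the sample user data is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (UserId TEXT PRIMARY KEY, UserDisplayName TEXT,
    UserPsw TEXT, UserEmail TEXT, UserRegdate TEXT, UserExpDate TEXT, UserVerify TEXT)');
// Create the administrator only while the user table is still empty.
function addInitialUser(PDO $pdo, string $id, string $name, string $psw, string $email): string
{
    $pdo->beginTransaction();                           // guard and insert are atomic
    if ((int)$pdo->query('SELECT COUNT(*) FROM users')->fetchColumn() > 0) {
        $pdo->rollBack();
        throw new RuntimeException('user table is not empty; refusing to add an initial user');
    }
    $verify = bin2hex(random_bytes(16));                // CSPRNG activation code
    $pdo->prepare('INSERT INTO users VALUES (?,?,?,?,?,?,?)')->execute([
        $id, $name, password_hash($psw, PASSWORD_DEFAULT), $email,
        date('Y-m-d'), '9999-12-31', $verify]);         // far-future expiry = not in use
    $pdo->commit();
    return $verify;                                     // given to the admin out of band
}
// Activation without TOTP: user id plus the code. Constant-time compare, and the
// code is cleared once used so it cannot be replayed.
function activate(PDO $pdo, string $id, string $code): bool
{
    $stmt = $pdo->prepare('SELECT UserVerify FROM users WHERE UserId = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || $stored === '' || !hash_equals($stored, $code)) {
        return false;
    }
    $pdo->prepare("UPDATE users SET UserVerify = '' WHERE UserId = ?")->execute([$id]);
    return true;
}

$code = addInitialUser($pdo, 'admin', 'System administrator', 'S3cret!pass', 'admin@example.com');
var_dump(activate($pdo, 'admin', 'not-the-code'));     // wrong code
var_dump(activate($pdo, 'admin', $code));              // right code, first use
var_dump(activate($pdo, 'admin', $code));              // same code again
try {
    addInitialUser($pdo, 'admin2', 'Second admin', 'x', 'a2@example.com');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;                     // table is no longer empty
}
```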


Activate with TOTP


The MFA method of PHsPeed is based on TOTP. While registering, the user must scan a QR code to set up the security token, or enter the unique code that is displayed on the form. After registration, every login requires a unique number generated by that token. The best-known TOTP client is Google Authenticator, but you can also use others, such as Microsoft Authenticator. (apply_mfa.php)



After entering the user id, PHsPeed will generate a QR code. Before activating, it is essential that the user scans this code in his TOTP client. After activating, the user will need to enter a code in addition to his user id and password. If the user cannot scan the QR code, he/she can enter the code that is displayed below it.
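The TOTP check behind that activation step, as an added example that is not PHsPeed's apply_mfa.php: the token is only accepted once the user proves that the scanned (or typed) secret produces the right code, with a one-step drift window and replay protection. The base32 secret and the timestamps are constructed:

```php
<?php
// Added example, not PHsPeed's apply_mfa.php: an RFC 6238 TOTP check for the
// activation step, so MFA is only switched on after the user proves that the
// scanned secret produces the right code. The secret and timestamps are constructed.
declare(strict_types=1);

function base32Decode(string $b32): string          // secret as shown beside the QR code
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException('invalid base32 secret'); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {        // drop the trailing partial byte
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', intdiv($time, $step)), $secret, true);
    $o = ord($hash[19]) & 0x0f;                     // RFC 4226 dynamic truncation
    $code = ((ord($hash[$o]) & 0x7f) << 24) | (ord($hash[$o + 1]) << 16)
          | (ord($hash[$o + 2]) << 8) | ord($hash[$o + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}
// Accept the current 30 s step and one step either side (clock drift), compare in
// constant time, and never accept a step at or before the last one used (replay).
function verifyTotp(string $secret, string $code, int $time, ?int &$lastStep): bool
{
    $now = intdiv($time, 30);
    foreach ([0, -1, 1] as $d) {
        $okCode = hash_equals(totp($secret, ($now + $d) * 30), $code);
        if ($okCode && ($lastStep === null || $now + $d > $lastStep)) {
            $lastStep = $now + $d;
            return true;
        }
    }
    return false;
}
$secret = base32Decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');   // constructed demo secret
$lastStep = null;
$fromApp = totp($secret, 1700000000);                        // what the authenticator shows
echo verifyTotp($secret, $fromApp, 1700000000, $lastStep) ? "activated\n" : "rejected\n";
echo verifyTotp($secret, $fromApp, 1700000005, $lastStep) ? "accepted\n" : "replay rejected\n";
```

Store the secret server side only after verifyTotp() has succeeded once; until then the account should stay without MFA rather than with a token the user cannot produce codes for.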


Enable and disable MFA


If you have used the wizard to import your RBA modules, you have already enabled or disabled MFA. If the MFA field is on the form but hidden, then MFA is disabled; otherwise it is enabled. It is always possible to re-enable or disable MFA afterwards.

To enable MFA in PHsPeed you need to include this module in the autoloader. The autoloader of PHsPeed automatically finds (PHP) modules and loads them (that is why there are so few include and include_once declarations), but the RBA module is not included automatically. To enable it, go to project -> autoloader; scroll down until you find _libs, _extlibphp and TwoFactorAuth. Select this folder with the mouse and click on Select dirs. and subdirs. You should end up with a configuration like:




Enabling and disabling the component of the imported module is controlled by code that overrides the property setting. So to enable or disable it, you need to open the event code and locate the following:


function form_1_onActivate($app)
{
   // 'false' hides the TOTP field (MFA disabled); 'true' shows it (MFA enabled)
   $tfa->visible='false';
}


Set to 'true' to enable or 'false' to disable.


Module settings

Per module you can decide what kind of RBA you require: either it is sufficient that the end user is logged in, or the user must have group rights to access the module and to read, update, delete or insert data. In the Root component, there are a few properties that control the RBA:



PHsPeed supports a few different encryption methods for passwords.

None        No encryption is applied; passwords are stored as plain text. That is not advised.

MD5        This method is supported for compatibility purposes. Older systems can use MD5 to store passwords, but modern hardware can crack such hashes quickly. So do not use this for new projects.

PHP        This is the most modern way of storing passwords, and is currently considered to be very safe.

SHA        Works like the MD5 method, but with a stronger hash.
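What the four settings amount to in PHP, and how a legacy MD5 or SHA record can be upgraded to the PHP method at login time, as an added example that is not PHsPeed code. The stored formats, the 'method' values and the choice of SHA-256 for the SHA option are assumptions for illustration:

```php
<?php
// Added example, not PHsPeed code: what the four settings amount to in PHP, and
// how to migrate a legacy MD5/SHA hash to password_hash() at login time. The
// stored-hash formats, the 'method' values and SHA-256 for 'SHA' are assumptions.
declare(strict_types=1);

function storePassword(string $method, string $psw): string
{
    switch ($method) {
        case 'None': return $psw;                           // plain text: readable in any DB dump
        case 'MD5':  return md5($psw);                      // unsalted and fast: lookup tables, GPUs
        case 'SHA':  return hash('sha256', $psw);           // stronger digest, still unsalted and fast
        case 'PHP':  return password_hash($psw, PASSWORD_DEFAULT); // salted, slow, versioned
    }
    throw new InvalidArgumentException("unknown method $method");
}

function checkPassword(string $method, string $psw, string $stored): bool
{
    switch ($method) {
        case 'None': return hash_equals($stored, $psw);
        case 'MD5':  return hash_equals($stored, md5($psw));
        case 'SHA':  return hash_equals($stored, hash('sha256', $psw));
        case 'PHP':  return password_verify($psw, $stored);
    }
    return false;
}

// Legacy hashes cannot be converted offline (the password is unknown), but at a
// successful login the clear text is available, so upgrade the record to 'PHP' then.
function loginAndUpgrade(string &$method, string &$stored, string $psw): bool
{
    if (!checkPassword($method, $psw, $stored)) { return false; }
    if ($method !== 'PHP' || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($psw, PASSWORD_DEFAULT);
        $method = 'PHP';
    }
    return true;
}

// Two users with the same password: unsalted methods expose that, the PHP method does not.
foreach (['MD5', 'SHA', 'PHP'] as $m) {
    $same = storePassword($m, 'correct horse') === storePassword($m, 'correct horse');
    printf("%-4s identical hashes for identical passwords: %s\n", $m, $same ? 'yes' : 'no');
}
$method = 'MD5'; $stored = md5('correct horse');            // constructed legacy record
loginAndUpgrade($method, $stored, 'correct horse');
printf("after login: method=%s hash prefix=%s\n", $method, substr($stored, 0, 4));
```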