Is storing username and password in config/common.neon secure?

Cupara
Member | 90
+
0
-

Is it secure to store a username and password in the config/common.neon file without the password being hashed?

I ask as I'm following the Create Your First Application! tutorial and I'm on the last section of Authentication. I'll still follow it but I'm wondering if and how I could implement a user system so that the passwords are stored in the database and they are hashed?

Thanks

m.brecher
Generous Backer | 797
+
0
-

Yes it is absolutely secure. But what is very important from the point of security view is restrict http access to the root directory of the application !!! Http access must be allowed only to the /www subdirectory, where are static css, js, jpg and other files. Than database credetials are safe.

Cupara
Member | 90
+
0
-

@m.brecher is there a way to use .htaccess to restrict access to all folders except www folder and to use .htaccess to have it so when someone loads serenitydev.xyz it automatically loads from the www folder or do I need to edit my conf file for my domain to accomplish that?

nightfish
Member | 483
+
0
-

@Cupara The best way is always to point DocumentRoot to www folder (if using Apache web server) – see docs for reasoning.
There is a solution using .htaccess in root folder which passes requests to www/index.php, but that comes with security issues – mainly because you would then need to place .htaccess files into all non-www subdirectories to explicitly deny access (Require all denied or Deny from all).

nightfish
Member | 483
+
+1
-

@Cupara As for the original question – I wouldn't personally use security.admin.users config in production code. I would probably write my own authenticator, save hashed passwords in the config file and have authenticator check password's hash (password_verify). Or do the same thing, but with password hashes stored in a database (see https://doc.nette.org/…thentication#… for example implementation).

For the purposes of “Create your first application” it seems sufficient.

Cupara
Member | 90
+
0
-

@nightfish thanks. I intend to write my own authenticator system that will utilize the database where hash passwords are stored.

m.brecher
Generous Backer | 797
+
0
-

@Cupara

is there a way to use .htaccess to restrict access to all folders except www folder

Yes it is, but:

I personally am not the best sample how to build secure web application, because I still use .htaccess for restriction http access to /app directory. This is because I am relatively novice in Nette Framework and all my old pure php projects were secured this way. This way is not the best as @nightfish correctly notices, but on small websites you can use it as a “temporary” solution. The best way is definitely configure DocumentRoot to /www folder.

So this is my “not the best” .htaccess solution:

project directory system:

/app
	/Presenters
	/Model
	/templates
	... etc
	Bootstrap.php
/config
/log
/temp
/vendor
/www
	/css
	/js
	/photo
	index.php
	.htaccess
	robots.txt

.htaccess
.composer.json
.composer.lock

There are two .htaccess files, first in DocumentRoot, second in /www subdirectory

first .htaccess (in /)

Require all granted
RewriteEngine On
RewriteBase /

RewriteCond %{HTTP_HOST} ^localhost$
RewriteRule (.*) /project/www/$1

RewriteCond %{HTTP_HOST} !^localhost$
RewriteRule (.*) /www/$1

Because I do development not on Docker, but on Windows, I have all project on development machine on localhost server. Separate projects are in separate folders. On production server there is always project directly in DocumentRoot – that's why there is different algorithm for development ^localhost$ and production !^localhost$. This code makes internal redirection of all http requests to the /www folder.

This algorithm about himself is “100%” secure and there is no way how to http access any subdirectory in root with one exception /www. BUT there is another security risk than algorithmic. All the website security depends on one single file to be permanently existing in /. If God forbid somebody by mistake deletes this file than big accident may happen! So you may go this way – I am doing this many many years, but be very carefully when manipulate the .htaccess files.

second .htaccess (in /www)

Require all granted

<IfModule mod_autoindex.c>
	Options -Indexes
</IfModule>

<IfModule mod_rewrite.c>
	RewriteEngine On
    RewriteBase /

    RewriteCond %{HTTP_HOST} !^localhost$
    RewriteCond %{HTTPS} !on
    RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

	RewriteCond %{REQUEST_FILENAME} -f
	RewriteRule /\.|^\.(?!well-known/) - [F]

    RewriteCond %{HTTP_HOST} ^localhost$
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ /project/index.php [L]

    RewriteCond %{HTTP_HOST} !^localhost$
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ index.php [L]
</IfModule>

<IfModule mod_deflate.c>
	<IfModule mod_filter.c>
		AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json application/xml image/svg+xml
	</IfModule>
</IfModule>

There are also slight different algorithms for development x production machines. The key code is this:

RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ index.php [L]

All http requests with exception of static files are internally redirected to index.php and from here to framework. The static files are filtered by file extensions .pdf, .js etc… You may use another static files filtering if you want.

This above two .htaccess solution works perfectly, but use it on small not important projects. And only as temporary solution.

Last edited by m.brecher (2023-12-25 00:58)