Monthly Archives: May 2009

Huge problem as OAuth begins to catch on

It’s great that OAuth is finally catching on. It was a long time coming. Signing on to other sites using your OpenId makes the web a much easier place to navigate and deal with. However, the process needs clarity.

I know that the application using OAuth for sign in cannot access my password. But does the NON-developer really get that? Because someone might simulate an OAuth login and ask for a password so they can get into your account. This has been brought up by others before.

The public needs to understand that they aren’t asked for a password when they are logged into their OpenID provider like Twitter. But they should log in from the correct URL so that spoofs/phishing attempts won’t work.

Also, what does the developer get access to? A username or more? Twitter and Facebook need to make it VERY clear what data EXACTLY sites are able to access when they hook into their Authorization systems.

People will trust an app once it gets popular. Which is not a good thing. Because someone will misuse the power granted them. Sooner or later. Just look at what was happening behind the scenes with two VERY POPULAR Firefox plugins that you would think were well scrutinized by many developers.

If a major security breach happens, the trust that took so long for OAuth to gain could be lost overnight.

In fact, OAuth is a great step for now. But wouldn’t login and authentication live better in the browser? You define some basics like a username, some profile info. Maybe a social graph. All in your browser. Perhaps with some data hooked into the cloud. Then you can register at a site using Firefox. Something along the lines of a turbo charged Weave.

How to pull your mail configuration from application.ini for Zend Framework 1.8.0+

I’m working on Zend Framework 1.8.0 on a dev box and needed to configure Zend_Mail_Transport_Smtp for testing purposes to hit a gmail account. The manual wants you to do this:

$config = array('auth' => 'login',
                'username' => 'myusername',
                'password' => 'password');

$transport = new Zend_Mail_Transport_Smtp('', $config);

but who wants to put passwords and config data in code? Naturally it belongs in the application.ini. Some users may find it tricky from the manual to figure out how to get it from application.ini in version 1.8.0 into their controller, so I thought I’d offer this tip out there.

This is how I do it, assuming you are connecting to gmail. In your application.ini, put these lines in the correct section (I put in the dev section), replacing your username and password in the appropriate fields of course:

email.server     =
email.username   =
email.password   = yrpass
email.ssl        = ssl
email.port       = 465

Then in your controller, after defining the controller class:

private $_aMailConfig;
private $_strSmtp;

then in your preDispatch function (if you don’t have one, create one and) add this:

public function preDispatch()
	$bootstrap = $this->getInvokeArg('bootstrap');
	$aConfig = $bootstrap->getOptions();
	$this->_aMailConfig = array(
	 'auth' => 'login'
	,'username' => $aConfig['email']['username']
	,'password' => $aConfig['email']['password']
	,'ssl' => $aConfig['email']['ssl']
	,'port' => $aConfig['email']['port']);
	//echo '<pre>' . print_r($this->_aMailConfig,1);exit;
	$this->_strSmtp = $aConfig['email']['server'];

then whenever you need it in your controller, type this:

$mailTransport = new Zend_Mail_Transport_Smtp($this->_strSmtp,$this->_aMailConfig);

I haven’t tested this outside my own environment, which does some funky stuff, so I can’t guarantee it will work on yours, but I believe it should.

Hope this helps someone!