# To protect a directory using user info in a MySQL database, insert this code towards the
# end of your site's .conf file.

# Apache recommends NOT putting this type of code in an .htaccess file as it would then be 
# accessed every time any page in that directory is requested - or indeed any asset (e.g. 
# images) on the page. The MySQL request would thus be processed every time. There is a 
# caching mechanism (mod_authn_socache) available, which relieves the load on the 
# database.

# Best practice is to put it in your site's .conf file and specify the applicable 
# directory there. Apache will do any preprocessing at Apache start time instead of on 
# every page access. The downside to this is that any changes require an Apache restart.

# Specify which DB you're using. This has to be in the .conf file, not within the 
# <Directory> directive (at least I couldn't make it work).
DBDriver mysql

# Specify parameters to connect to the database. This should be movable to within the 
# <Directory> section but I ran into errors. Your mileage may vary.
DBDParams "host=localhost dbname=espritg_registration user=espritg_regadmin pass=********"

# Specify number of concurrent connections to allow: minimum 4, maximum sustained 
# connections 8, maximum (during peak demand) 20, keepalive time for idle connections 300 
# seconds.
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300

# Path to protected directory. You need to repeat this entire directory segment for every
# directory you want to protect.
<Directory "/var/www/reg/private">

AuthType Basic

# This text appears in the message requesting the user's credentials
AuthName "My DB-protected directory!"

# To cache credentials, put socache ahead of dbd here. Highly recommended. Requires 
# authn_socache enabled.
AuthBasicProvider socache dbd

# Also required for caching: tell the cache to cache dbd lookups! 
AuthnCacheProvideFor dbd
# 
# This disambiguates the caches in the event that multiple authentication areas are being 
# accessed by identical usernames. Use some unique name here; perhaps a chunk of the
# protected directory path?
AuthnCacheContext my-server

# mod_authz_core configuration. Required.
Require valid-user

# mod_authn_dbd SQL query to authenticate a user. This can be any MySQL query against the 
# database specified above. The validator looks only at the first column of the first row, 
# which must be an already-hashed password. A good way to construct this is PHP's 
# password_hash('plaintext', PASSWORD_BCRYPT) function, which produces reasonably secure 
# bcrypt hashes.
# 
# Many PHP implementations will also process additional fields (e.g. SELECT password, 
# firstname, lastname FROM...) and return them in environment variables named 
# AUTHENTICATE_firstname, AUTHENTICATE_lastname etc.
#
# Apache passes the username value (email in this example) as %s to the query. Other MySQL 
# WHERE conditions can be applied as well.

AuthDBDUserPWQuery "SELECT password FROM reg WHERE email = %s" 

# End of protected directory specifications.
</Directory>
#
# Other directives not specific to this directory can go here (my site has SSL-related
# things in here).
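#
# Added example (not part of the original configuration): a Python audit of the column that
# AuthDBDUserPWQuery returns, flagging rows that are not bcrypt values of the shape PHP's
# password_hash(..., PASSWORD_BCRYPT) produces. Assumptions: the reg/email/password names
# from the query above, an in-memory SQLite table standing in for MySQL, constructed sample
# rows, and a hypothetical MIN_COST policy floor.

```python
import re
import sqlite3

# Shape of a PHP password_hash(..., PASSWORD_BCRYPT) value: "$2y$", two-digit
# cost, "$", then 53 characters of salt and digest.
BCRYPT_2Y = re.compile(r"\$2y\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 10  # assumption: local policy floor, not an Apache setting

def classify(stored):
    """Classify one value from the column AuthDBDUserPWQuery returns."""
    if not stored:
        return "empty"
    m = BCRYPT_2Y.fullmatch(stored)
    if m:
        return "ok" if int(m.group(1)) >= MIN_COST else "bcrypt-low-cost"
    if stored.startswith("$apr1$"):
        return "apr1-md5"        # Apache's MD5 variant: legacy, rehash
    if stored.startswith("{SHA}"):
        return "sha1-unsalted"   # unsalted SHA-1: legacy, rehash
    return "unrecognised"        # plaintext, padded value, or a format not checked here

def audit(conn):
    """Return {email: verdict} for every row of reg that is not 'ok'."""
    findings = {}
    for email, stored in conn.execute("SELECT email, password FROM reg"):
        verdict = classify(stored)
        if verdict != "ok":
            findings[email] = verdict
    return findings

def sample_db():
    """Constructed rows; the digests are format-only placeholders."""
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL database
    conn.execute("CREATE TABLE reg (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO reg VALUES (?, ?)", [
        ("good@example.test", "$2y$10$" + "A" * 53),
        ("lowcost@example.test", "$2y$04$" + "A" * 53),
        ("legacy@example.test", "$apr1$constructed$placeholder"),
        ("plain@example.test", "hunter2"),
        ("blank@example.test", ""),
    ])
    return conn

if __name__ == "__main__":
    for email, verdict in sorted(audit(sample_db()).items()):
        print(f"{email}: {verdict}")
```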
