Auth is responsible for managing session state for each configuration, and exposes a set of
methods which adapters can implement: set(), check() and clear(). You can read more about
each method below. Beyond these methods, Auth makes very few assumptions about how your
application authenticates users. Each adapter accepts a set of credentials, and returns an array
of user information on success, and false on failure. On successful authentication attempts,
the data returned from the credential check is written to the session, which is automatically
accessed on subsequent checks (though manual re-checking can be forced on a per-instance basis).
To be secure by default (and if you don't override it), a password field is never stored in
the session adapter. This prevents a possible password hash to be leaked in a cookie (for
example). You can also be very specific on what you want to store in the session:
Auth::config(array(
'default' => array(
'session' => array(
'persist' => array('username', 'email')
)
)
));
You can also pass an optional persist param to the check method to override this default.
For additional information on configuring and working with Auth, see the Form adapter.
public function testAuthPersist()
{
Auth::reset();
Auth::config(array('test' => array('adapter' => $this->_classes['mockAuthAdapter'])));
$config = Auth::config();
$this->assertTrue(isset($config['test']['session']['persist']));
$this->assertTrue(empty($config['test']['session']['persist']));
$user = array('username' => 'foo', 'password' => 'bar');
$result = Auth::check('test', $user, array('success' => true));
$this->assertTrue(isset($result['username']));
$this->assertFalse(isset($result['password']));
Auth::reset();
Auth::config(array('test' => array('adapter' => $this->_classes['mockAuthAdapter'], 'session' => array('persist' => array('username', 'email')))));
$user = array('username' => 'foobar', 'password' => 'not!important', 'email' => '*****@*****.**', 'insuranceNumer' => 1234567);
$expected = array('username' => 'foobar', 'email' => '*****@*****.**');
$result = Auth::check('test', $user, array('success' => true, 'checkSession' => false));
$this->assertEqual($expected, $result);
$this->assertEqual($expected, Session::read('test'));
Auth::reset();
Auth::config(array('test' => array('adapter' => $this->_classes['mockAuthAdapter'])));
$user = array('id' => '123', 'username' => 'foobar', 'password' => 'not!important', 'email' => '*****@*****.**', 'insuranceNumer' => 1234567);
$expected = 123;
$result = Auth::check('test', $user, array('keyOnly' => true, 'checkSession' => false));
$this->assertEqual($expected, $result);
$this->assertEqual($expected, Session::read('test'));
}
public function add()
{
$login = Auth::check('member');
if ($this->request->data) {
$software = Software::create($this->request->data);
if ($software->save()) {
$file = File::create();
foreach ($this->request->data['myfile'] as $key => $value) {
$size = $this->request->data['myfile'][$key]['size'];
if ($size >= 600000001) {
$chunksize = $size / 20;
} else {
if ($size <= 600000000 && $size >= 100000000) {
$chunksize = $size / 10;
} else {
if ($size <= 100000000 && $size >= 10000000) {
$chunksize = 10000000;
} else {
$chunksize = 1000000;
}
}
}
$save = $file->save(array('file' => $value, 'software_id' => (string) $software->_id, 'chunkSize' => 10000000));
if (!$save) {
return compact('save');
}
}
}
}
$software = Software::create();
return compact('login', 'software');
}
public function testNoConfigurations()
{
Auth::reset();
$this->assertIdentical(array(), Auth::config());
$this->expectException("Configuration `user` has not been defined.");
Auth::check('user');
}
public function index()
{
$login = Auth::check('member');
$actief = self::$actief;
$breadcrumb = self::$breadcrumb;
return compact('login', 'actief', 'breadcrumb');
}
public function testManualSessionFail()
{
$this->assertFalse(Auth::check('test'));
$user = array('id' => 13, 'user' => 'bob');
$this->assertFalse(Auth::set('test', $user, array('fail' => true)));
$this->assertFalse(Auth::check('test'));
}
public function index()
{
$login = Auth::check('member');
$actief = array('start' => 'active', 'lijsten' => '', 'beheren' => '');
$breadcrumb = array(array('naam' => 'Start'));
return compact('login', 'actief', 'breadcrumb');
}
/**
* List all users, if accessor is authed
*
* @return array
*/
public function index()
{
if (Auth::check('default', $this->request)) {
return array('users' => Users::all());
}
return array('error' => 'Not authed');
}
/**
* Clears all other adapters
*
* @param array $options Adapter-specific options. Not implemented in this adapter.
* @return void
*/
public function clear(array $options = array())
{
foreach (Auth::config() as $name => $auth) {
if ($auth['adapter'] === $this->_config['adapter']) {
continue;
}
Auth::clear($name);
}
}
public function delete()
{
$success = false;
if (Auth::clear('default')) {
$success = true;
}
//return compact('success');
return $this->redirect('Posts');
}
/**
* Clean every auth configuration.
*
* @param string $name Name of configuration, if specified
* @param array $options Clear options
*/
public static function clear($name = null, array $options = array())
{
if (!isset($name)) {
foreach (static::$_configurations as $name => $config) {
parent::clear($name, $options);
}
} else {
parent::clear($name, $options);
}
}
public function add($ajax = null)
{
$login = Auth::check('member');
$location = Locations::create($this->request->data);
$actief = self::$actief;
$breadcrumb = self::$breadcrumb;
if ($this->request->data && $location->save()) {
return compact('login', 'location', 'actief', 'breadcrumb');
}
return compact('login', 'location', 'product', 'actief', 'breadcrumb');
}
public function add()
{
if (!Auth::check('default')) {
return $this->redirect('Sessions::add');
}
$success = false;
if ($this->request->data) {
$post = Posts::create($this->request->data);
$success = $post->save();
}
return compact('success');
}
/**
* Import Auth data and fetch user group data
*/
protected function _init()
{
parent::_init();
if ($this->_user = Auth::check('default')) {
$this->_guest = false;
}
if ($this->_acl) {
$this->_prepareAcl();
if (!$this->_checkAccess()) {
throw new AccessDeniedException('You dont\'t have permissions to access here!');
}
}
}
protected static function _isAuthedBy(array $names, array $params)
{
if ($names === array('*')) {
return true;
}
$names = array_intersect(array_keys(Auth::config()), $names);
foreach ($names as $name) {
if (Auth::check($name, $params['request'], array('writeSession' => false))) {
return true;
}
}
return false;
}
public function delete()
{
// Check Author authentication Session
if (!Auth::check('default')) {
return $this->redirect('Authors::login');
}
$book = Books::find($this->request->id);
if ($book && $book->delete()) {
Session::write('message', 'Book deleted');
$this->redirect(array('Authors::dashboard'));
} else {
Session::write('message', 'Book can not be deleted');
}
}
public function login()
{
//assume there's no problem with authentication
$noauth = false;
print_r(Auth::check('default', $this->request));
//perform the authentication check and redirect on success
if (Auth::check('default', $this->request)) {
//Redirect on successful login
return $this->redirect('/');
}
//if theres still post data, and we weren't redirected above, then login failed
if ($this->request->data) {
//Login failed, trigger the error message
$noauth = true;
}
//Return noauth status
return compact('noauth');
}
protected function _init()
{
parent::_init();
# Check CSRF forgery signature
if ($this->request->data and !RequestToken::check($this->request)) {
throw new \Exception('Invalid request token.');
}
if (isset($this->request->data['security']['token'])) {
unset($this->request->data['security']);
}
# Load active user
$current_identity = Auth::check('any');
if (is_object($current_identity)) {
$u = $current_identity->getUser();
$this->CURRENT_USER = $u;
}
$this->set(array('CURRENT_USER' => $this->CURRENT_USER));
}
public function login()
{
$result = Auth::check($this->request->adapter, $this->request);
$redirectUrl = $this->request->env('HTTP_REFERER') ?: '/';
if ($result) {
# Convert array to identity object
if ($this->request->adapter === 'password') {
$result = Identities::find($result['_id']);
}
$session_data = array();
$new_session = uniqid();
if (isset($result['session']['id'])) {
$session_data['id'] = (array) $result['session']['id']->data();
} else {
$session_data['id'] = array();
}
// Remember users for two weeks
$session_data['expires'] = time() + \app\util\Config::get('session_length', 7) * 24 * 60 * 60;
array_push($session_data['id'], $new_session);
setcookie('session.id', $new_session, $session_data['expires'], '/', $_SERVER['HTTP_HOST']);
$result->save(array('session' => $session_data));
Auth::set('any', $result);
} else {
$addendum = '';
// Adapter-specific error messages
if ($this->request->adapter == 'phpbb') {
if (Session::read('non_linked_phpbb_login')) {
Session::delete('non_linked_phpbb_login');
$addendum = 'You are logged into the forums, but there is no leagues account associated with with your forum account.';
} else {
$addendum = 'Please ensure that you are logged into the <a href="http://www.afdc.com/forum/">forums</a>.';
}
} else {
Logger::debug("Failed login for " . $this->request->data['email'] . " with password " . $this->request->data["password"]);
}
$error_message = 'Your login was unsuccessful. ';
if (isset($addendum) and !empty($addendum)) {
$error_message .= "<br />{$addendum}`<br />";
}
$error_message .= 'If you\'re having trouble, checkout the <a href="/help/login">login instructions</a>.';
$this->flashMessage($error_message, array('alertType' => 'error'));
}
return $this->redirect($redirectUrl);
}
public function viewedit($id = null)
{
if (!Auth::check('default')) {
return $this->redirect('Sessions::add');
} else {
$success = false;
if (!is_null($id)) {
$post = Posts::find('first', array('conditions' => array('_id' => $id)));
}
if ($this->request->data) {
$success = $post->save($this->request->data);
Posts::remove(array('title' => ''));
}
}
// elseif($this->request->data) {
//$success = Posts::update($this->request->data);
//$success = $post->delete();
//return compact('success');
// }
return compact('post', 'success');
}
public function isUserAuth()
{
return Auth::check('default') ? true : false;
}
/**
* Change email
* @requestLogin
*/
public function changeEmail()
{
$this->_rejectNotLogged();
$user = $this->_user;
unset($user['user_group']);
$user = Users::first(array('conditions' => $user));
if ($this->request->data) {
if ($user->save(array('email' => $this->request->data['email']), array('events' => array('change_email')))) {
Auth::set('default', array('email' => $user->email) + $this->_user);
return $this->redirect('li3_usermanager.Users::index');
}
}
return compact('user');
}
public function tearDown() {
Auth::clear('user');
}
/**
* The default method here is changed. First off, the Router class now uses this view method if the URL is /page/{:args}
* It changes the URL convention from pluralized controller, but since we're talking about static pages, I felt that was ok.
* Especially since URLs are for humans first and foremost.
* "/pages/view/home" still works if needed to be used in array fashion like the Html helper's link method.
* This leaves us in need of a new method though that returns dynamic pages from a datasource. That's the "read" method below.
*
*/
public function view() {
$path = func_get_args();
// If route has the "admin" key set to true then render template from Minerva's views/pages/static folder
if((isset($this->request->params['admin'])) && ($this->request->params['admin'] === true)) {
// todo: make rule and check access class
$user = Auth::check('minerva_user');
// obviously this needs to be somewhere controllable
if(!in_array($user['role'], array('administrator', 'content_editor'))) {
$this->redirect('/users/login');
}
}
if (empty($path)) {
$path = array('home');
}
// this doesn't get any documents, it just checks access. the false "find_type" key is preventing a db query
$this->getDocument(array('action' => __METHOD__, 'request' => $this->request, 'find_type' => false));
$this->render(array('template' => join('/', $path)));
}
if ($name === 'lithium') {
continue;
}
$file = "{$config['path']}/config/routes.php";
file_exists($file) ? include $file : null;
}
return $chain->next($self, $params, $chain);
});
Dispatcher::applyFilter('_callable', function ($self, $params, $chain) {
$ctrl = $chain->next($self, $params, $chain);
$request = isset($params['request']) ? $params['request'] : null;
$action = $params['params']['action'];
if ($request->args) {
$arguments = array();
foreach ($request->args as $value) {
$param = explode(":", $value);
$arguments[$param[0]] = isset($param[1]) ? $param[1] : null;
}
$request->args = $arguments;
}
if (Auth::check('default') || preg_match('|test.*|', $request->url)) {
return $ctrl;
}
if (isset($ctrl->publicActions) && in_array($action, $ctrl->publicActions)) {
return $ctrl;
}
return function () use($request) {
Session::write('message', 'You need to login to access that page.');
return new Response(compact('request') + array('location' => 'Sessions::add'));
};
});
/**
* Destroy session - log out user
*/
public function destroy()
{
Auth::clear('default');
return $this->redirect('li3_usermanager.Session::create');
}
<?php
// Define used classes.
use lithium\util\collection\Filters;
use lithium\security\Auth;
// Get to the `Auth` instance by filtering the `Dispatcher`
Filters::apply('\\lithium\\action\\Dispatcher', '_callable', function ($self, $params, $chain) {
$controller = $chain->next($self, $params, $chain);
Auth::applyFilter('check', function ($self, $params, $chain) {
$profiler = \Profiler::start('security\\Auth::check');
$result = $chain->next($self, $params, $chain);
$profiler->end();
return $result;
});
Auth::applyFilter('set', function ($self, $params, $chain) {
$profiler = \Profiler::start('security\\Auth::set');
$result = $chain->next($self, $params, $chain);
$profiler->end();
return $result;
});
Auth::applyFilter('clear', function ($self, $params, $chain) {
$profiler = \Profiler::start('security\\Auth::clear');
$result = $chain->next($self, $params, $chain);
$profiler->end();
return $result;
});
// Return the controller object.
return $controller;
});
Auth::applyFilter('check', function ($self, $params, $chain) {
$result = $chain->next($self, $params, $chain);
/**
* `Auth::check` is called in two context
* 1. With a `Request` object to sign a user in
* 2. With no arguments to check if the current user is signed in
*
* We only need to check in the first case.
*/
if (isset($params['credentials']) && $params['credentials']) {
$request = $params['credentials'];
$signature = $request->env('HTTP_X_SIGNATURE');
$username = $request->env('HTTP_X_USERNAME');
if ($username && $signature) {
/**
* Find the username the request is attempted to be made for
* The user object is needed because it holds the secret key
* we need to be able to regenerate the signature
*/
$user = Users::first(array('conditions' => compact('username')));
if (!$user) {
throw new \Exception("Invalid user {$username}");
}
/**
* GET and POST/PUT passes payload differently, this either `query` or `data`
* Also doing rewriting can mean that the `url` GET param is added
*/
$signData = $request->is('get') ? array_diff_key($request->query, array('url' => 'sodoff')) : $request->data;
/**
* Prepend the request path so all requests with no data
* does not get the same key
*/
array_unshift($signData, $request->env('base'));
if ($signature === $user->sign($signData)) {
return true;
} else {
throw new \Exception("Signature match failed in signed request");
}
}
}
return $result;
});
public function delete()
{
Auth::clear('member');
return $this->redirect('/');
}
<?php
use lithium\security\Auth;
Auth::config(array('li3b_user' => array('adapter' => 'Form', 'model' => '\\li3b_users\\models\\User', 'fields' => array('email', 'password'), 'scope' => array('active' => true), 'session' => array('options' => array('name' => 'default')))));
* @license http://opensource.org/licenses/bsd-license.php The BSD License
*/
/**
* This configures your session storage. The Cookie storage adapter must be connected first, since
* it intercepts any writes where the `'expires'` key is set in the options array.
*/
use lithium\storage\Session;
use lithium\security\Auth;
use lithium\security\Password;
Session::config(array('default' => array('adapter' => 'Php')));
/**
* Uncomment the lines below to enable forms-based authentication. This configuration will attempt
* to authenticate users against a `Users` model. In a controller, run
* `Auth::check('default', $this->request)` to authenticate a user. This will check the POST data of
* the request (`lithium\action\Request::$data`) to see if the fields match the `'fields'` key of
* the configuration below. If successful, it will write the data returned from `Users::first()` to
* the session using the default session configuration.
*
* Once the session data is written, you can call `Auth::check('default')` to check authentication
* status or retrieve the user's data from the session. Call `Auth::clear('default')` to remove the
* user's authentication details from the session. This effectively logs a user out of the system.
* To modify the form input that the adapter accepts, or how the configured model is queried, or how
* the data is stored in the session, see the `Form` adapter API or the `Auth` API, respectively.
*
* @see lithium\security\auth\adapter\Form
* @see lithium\action\Request::$data
* @see lithium\security\Auth
*/
// use lithium\security\Auth;
Auth::config(array('default' => array('adapter' => 'Form'), 'member' => array('adapter' => 'Form', 'model' => 'Users', 'fields' => array('username', 'password'))));
