Skip to content

Commit

Permalink
API Remove ALC renewal, tweak extension point
Browse files Browse the repository at this point in the history
The ALC token is no longer rotated during an active login. Also removed related
`replace_token_during_session_renewal` config. The extension point that was
previously provided in the `renew()` method has been renamed and is now triggered
externally in the `CookieAuthenticationHandler::authenticateRequest()` method.
  • Loading branch information
Cheddam committed Aug 30, 2024
1 parent 64a17e0 commit 561413a
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 47 deletions.
18 changes: 2 additions & 16 deletions src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
Original file line number Diff line number Diff line change
Expand Up @@ -175,22 +175,8 @@ public function authenticateRequest(HTTPRequest $request)
$this->cascadeInTo->logIn($member, false, $request);
}

// Renew the token
Deprecation::withNoReplacement(fn() => $rememberLoginHash->renew());

// Send the new token to the client if it was changed
if ($rememberLoginHash->getToken()) {
$tokenExpiryDays = RememberLoginHash::config()->uninherited('token_expiry_days');
Cookie::set(
$this->getTokenCookieName(),
$member->ID . ':' . $rememberLoginHash->getToken(),
$tokenExpiryDays,
null,
null,
false,
true
);
}
// Session renewal hook
$rememberLoginHash->extend('onAfterRenewSession');

// Audit logging hook
$member->extend('memberAutoLoggedIn');
Expand Down
31 changes: 0 additions & 31 deletions src/Security/RememberLoginHash.php
Original file line number Diff line number Diff line change
Expand Up @@ -80,15 +80,6 @@ class RememberLoginHash extends DataObject
*/
private static $force_single_token = false;

/**
* If true, the token will be replaced during session renewal. This can cause unexpected
* logouts if the new token does not reach the client (e.g. due to a network error).
*
* This can be disabled as of CMS 5.3, and renewal will be removed entirely in CMS 6.
* @deprecated 5.3.0 Will be removed without equivalent functionality
*/
private static bool $replace_token_during_session_renewal = true;

/**
* The token used for the hash. Only present during the lifetime of the request
* that generates it, as the hash representation is stored in the database and
Expand Down Expand Up @@ -199,28 +190,6 @@ public static function generate(Member $member)
return $rememberLoginHash;
}

/**
* Generates a new hash for this member but keeps the device ID intact
*
* @deprecated 5.3.0 Will be removed without equivalent functionality
* @return RememberLoginHash
*/
public function renew()
{
// Only regenerate token if configured to do so
Deprecation::notice('5.3.0', 'Will be removed without equivalent functionality');
$replaceToken = RememberLoginHash::config()->get('replace_token_during_session_renewal');
if ($replaceToken) {
$hash = $this->getNewHash($this->Member());
$this->Hash = $hash;
}

$this->extend('onAfterRenewToken', $replaceToken);
$this->write();

return $this;
}

/**
* Deletes existing tokens for this member
* if logout_across_devices is true, all tokens are deleted, otherwise
Expand Down

0 comments on commit 561413a

Please sign in to comment.