Skip to content

Add PrimaryKeySessionAuthenticator #710

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 3.next
Choose a base branch
from
Open

Add PrimaryKeySessionAuthenticator #710

wants to merge 2 commits into from

Conversation

dereuromark
Copy link
Member

@dereuromark dereuromark commented Apr 18, 2025
edited
Loading

Replaces #707

Ports dereuromark/cakephp-tinyauth#153 as direct class into this plugin.

    $service->loadAuthenticator('Authentication.PrimaryKeySession');
    $service->loadIdentifier('Authentication.Token', [
        'tokenField' => 'id', // lookup for DB table
        'dataField' => 'key', // incoming data
        'resolver' => 'Authentication.Orm',
    ]);

@dereuromark dereuromark marked this pull request as ready for review April 18, 2025 18:14
markstory
markstory reviewed Apr 20, 2025
View reviewed changes
tests/TestCase/Authenticator/PrimaryKeySessionAuthenticatorTest.php
->expects($this->exactly(2))
->method('check')
->with(
...static::withConsecutive(['Auth'], ['Auth']),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why static?

Copy link
Member Author

@dereuromark dereuromark Apr 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is copy and paste from the other Session test.

src/Authenticator/PrimaryKeySessionAuthenticator.php
public function __construct(IdentifierInterface $identifier, array $config = [])
{
$config += [
'identifierKey' => 'key',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you're inheriting from SessionAuthenticator how does identifierKey interact with fields?

What is key here? I don't see that as a field in the auth_users table that your tests use. Is it primarily to be aligned with the identifier configuration?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

key here maps to the dataField of the identifier, this is how they pass in the data.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fields is unused afaik.

docs/en/authenticators.rst
Make sure to match this with a Token identifier with ``key``/``id`` keys:

$service->loadIdentifier('Authentication.Token', [
'tokenField' => 'id', // lookup for DB table
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels like it could be risky when combined with other authenticators.

Copy link
Member Author

@dereuromark dereuromark Apr 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Token field? thats the DB lookup field internally, that should be fine
It basically builds the conditions for the ORM resolver:

return $this->getResolver()->find($conditions);

The dataField is the one coming from the authenticator and possibly matching another identifier

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels like it could be risky when combined with other authenticators.

I have similar concerns. While our default configs might not have any config overlap, we should ensure there isn't a possibility of opening a vulnerability even with custom config and potentially end up with something similar to the algo config vulnerability that were found in various JWT libs.

I think we should first work of #711 to directly associate identifiers with authenticators and add this new authenticator only after that.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#712 is open
But IMO those don't collide.
The deprecation in parallel together with new docs will make sure people move over to a safer approach.
While it should still work out for everyone so far even if on the deprecated approach.

@dereuromark dereuromark mentioned this pull request Apr 20, 2025
Open
@dereuromark dereuromark added this to the 3.next milestone Apr 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markstory markstory markstory left review comments

@ADmad ADmad ADmad left review comments

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
3.next
Development

Successfully merging this pull request may close these issues.
3 participants
@dereuromark @markstory @ADmad