Primary Key only Session auth (#154)

* Use only id for Session storage.

* Add tests

* Simplify.

* Use key.

* Fixes.

* Docs

* Fix up name.

Author: dereuromark

docs/AuthenticationPlugin.md

@@ -10,15 +10,124 @@ $this->loadComponent('TinyAuth.Authentication', [
 ]);
 ```
 
-Make sure you load the middleware:
+Make sure you load the middleware in your `Application` class:
 ```php
 use Authentication\Middleware\AuthenticationMiddleware;
 
 // in Application::middleware()
 $middlewareQueue->add(new AuthenticationMiddleware($this));
 ```
 
-You can always get the identity from the AuthUser component and helper:
+This plugin ships with an improved session authenticator:
+
+- PrimaryKeySession authenticator (extending the Authentication.Session one):
+  stores only the ID and fetches the rest from DB (keeping it always up to date)
+
+It also ships with an enhanced redirect handler:
+
+- ForbiddenCakeRedirect: Allows an `unauthorizedMessage` to be set as error flash message.
+
+
+Now let's set up `getAuthenticationService()` and make sure to load all needed Authenticators, e.g.:
+
+```php
+    /**
+     * @param \Psr\Http\Message\ServerRequestInterface $request Request
+     *
+     * @return \Authentication\AuthenticationServiceInterface
+     */
+    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
+    {
+        $service = new AuthenticationService();
+
+        // Define where users should be redirected to when they are not authenticated
+        $service->setConfig([
+            'unauthenticatedRedirect' => Router::url([
+                'prefix' => false,
+                'plugin' => false,
+                'controller' => 'Account',
+                'action' => 'login',
+            ]),
+            'queryParam' => 'redirect',
+        ]);
+
+        $fields = [
+            AbstractIdentifier::CREDENTIAL_USERNAME => 'email',
+            AbstractIdentifier::CREDENTIAL_PASSWORD => 'password',
+        ];
+
+        // Load identifiers
+        $service->loadIdentifier('Authentication.Password', [
+            'fields' => $fields,
+            'resolver' => [
+                'className' => 'Authentication.Orm',
+                'finder' => 'active',
+            ],
+        ]);
+        $service->loadIdentifier('Authentication.Token', [
+            'tokenField' => 'id',
+            'dataField' => 'key',
+            'resolver' => [
+                'className' => 'Authentication.Orm',
+                'finder' => 'active',
+            ],
+        ]);
+
+        // Load the authenticators. Session should be first.
+        $service->loadAuthenticator('TinyAuth.PrimaryKeySession', [
+            'urlChecker' => 'Authentication.CakeRouter',
+        ]);
+        $service->loadAuthenticator('Authentication.Form', [
+            'urlChecker' => 'Authentication.CakeRouter',
+            'fields' => $fields,
+            'loginUrl' => [
+                'prefix' => false,
+                'plugin' => false,
+                'controller' => 'Account',
+                'action' => 'login',
+            ],
+        ]);
+        $service->loadAuthenticator('Authentication.Cookie', [
+            'urlChecker' => 'Authentication.CakeRouter',
+            'rememberMeField' => 'remember_me',
+            'fields' => [
+                'username' => 'email',
+                'password' => 'password',
+            ],
+            'loginUrl' => [
+                'prefix' => false,
+                'plugin' => false,
+                'controller' => 'Account',
+                'action' => 'login',
+            ],
+        ]);
+
+        // This is a one click token login as optional addition
+        $service->loadIdentifier('Tools.LoginLink', [
+            'resolver' => [
+                'className' => 'Authentication.Orm',
+                'finder' => 'active',
+            ],
+            'preCallback' => function (int $id) {
+                TableRegistry::getTableLocator()->get('Users')->confirmEmail($id);
+            },
+        ]);
+        $service->loadAuthenticator('Tools.LoginLink', [
+            'urlChecker' => 'Authentication.CakeRouter',
+            'loginUrl' => [
+                'prefix' => false,
+                'plugin' => false,
+                'controller' => 'Account',
+                'action' => 'login',
+            ],
+        ]);
+
+        return $service;
+    }
+```
+
+
+You can always get the identity result (User entity) from the AuthUser component and helper:
 ```php
 $this->AuthUser->identity();
 ```

src/Authenticator/PrimaryKeySessionAuthenticator.php

@@ -0,0 +1,111 @@
+<?php
+declare(strict_types=1);
+
+namespace TinyAuth\Authenticator;
+
+use ArrayAccess;
+use Authentication\Authenticator\Result;
+use Authentication\Authenticator\ResultInterface;
+use Authentication\Authenticator\SessionAuthenticator as AuthenticationSessionAuthenticator;
+use Authentication\Identifier\IdentifierInterface;
+use Cake\Http\Exception\UnauthorizedException;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Session Authenticator with only ID
+ */
+class PrimaryKeySessionAuthenticator extends AuthenticationSessionAuthenticator {
+
+	/**
+	 * @param \Authentication\Identifier\IdentifierInterface $identifier
+	 * @param array<string, mixed> $config
+	 */
+	public function __construct(IdentifierInterface $identifier, array $config = []) {
+		$config += [
+			'identifierKey' => 'key',
+			'idField' => 'id',
+		];
+
+		parent::__construct($identifier, $config);
+	}
+
+	/**
+	 * Authenticate a user using session data.
+	 *
+	 * @param \Psr\Http\Message\ServerRequestInterface $request The request to authenticate with.
+	 * @return \Authentication\Authenticator\ResultInterface
+	 */
+	public function authenticate(ServerRequestInterface $request): ResultInterface {
+		$sessionKey = $this->getConfig('sessionKey');
+		/** @var \Cake\Http\Session $session */
+		$session = $request->getAttribute('session');
+
+		$userId = $session->read($sessionKey);
+		if (!$userId) {
+			return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
+		}
+
+		$user = $this->_identifier->identify([$this->getConfig('identifierKey') => $userId]);
+		if (!$user) {
+			return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
+		}
+
+		return new Result($user, Result::SUCCESS);
+	}
+
+	/**
+	 * @inheritDoc
+	 */
+	public function persistIdentity(ServerRequestInterface $request, ResponseInterface $response, $identity): array {
+		$sessionKey = $this->getConfig('sessionKey');
+		/** @var \Cake\Http\Session $session */
+		$session = $request->getAttribute('session');
+
+		if (!$session->check($sessionKey)) {
+			$session->renew();
+			$session->write($sessionKey, $identity[$this->getConfig('idField')]);
+		}
+
+		return [
+			'request' => $request,
+			'response' => $response,
+		];
+	}
+
+	/**
+	 * Impersonates a user
+	 *
+	 * @param \Psr\Http\Message\ServerRequestInterface $request The request
+	 * @param \Psr\Http\Message\ResponseInterface $response The response
+	 * @param \ArrayAccess $impersonator User who impersonates
+	 * @param \ArrayAccess $impersonated User impersonated
+	 * @return array
+	 */
+	public function impersonate(
+		ServerRequestInterface $request,
+		ResponseInterface $response,
+		ArrayAccess $impersonator,
+		ArrayAccess $impersonated,
+	): array {
+		$sessionKey = $this->getConfig('sessionKey');
+		$impersonateSessionKey = $this->getConfig('impersonateSessionKey');
+		/** @var \Cake\Http\Session $session */
+		$session = $request->getAttribute('session');
+		if ($session->check($impersonateSessionKey)) {
+			throw new UnauthorizedException(
+				'You are impersonating a user already. ' .
+				'Stop the current impersonation before impersonating another user.',
+			);
+		}
+		$session->write($impersonateSessionKey, $impersonator[$this->getConfig('idField')]);
+		$session->write($sessionKey, $impersonated[$this->getConfig('idField')]);
+		$this->setConfig('identify', true);
+
+		return [
+			'request' => $request,
+			'response' => $response,
+		];
+	}
+
+}