cakephp / authentication

Authentication plugin for CakePHP. Can also be used in PSR7 based applications.
MIT License

Session Identifier forces use of 'username' array key #657

Closed utdrmac closed 1 month ago

utdrmac commented 6 months ago

I'm attempting to integrate Google Auth login to my CakePHP app. Google uses an array (access_token) with keys (token_id, created, expires_in, etc.) to store token information about your successful auth to Google's API.

        $service->loadAuthenticator('Authentication.Session', [
            'sessionKey' => "access_token",
            'identify' => true,
            'fields' => [ 'token' => 'access_token' ]
        ]);

The above code results in a warning: Undefined array key "username". For whatever reason, the $_defaultConfig:fields[] array (src/Authenticator/SessionAuthenticator.php:41) is being merged with the values I'm passing, rather than my values overriding the defaults.

Then, the secondary issue is that the SessionIdentifier is looking for fields passed above, "inside" the array passed as the username array key (src/Authenticator/SessionAuthenticator.php:70). Instead of simply passing the entire $access_token and all its keys/values, I have to fetch each key individually (as separate fields) to pass them to the Identifier class, only to have to recombine them into a single array so that the Google API can read it correctly.

There is no way to access top-level Session keys using this authenticator. You can only access the keys inside whatever array you pass as sessionKey. Thus, if your $_SESSION looks like this:

  $_SESSION = [ 'key1' => 'val1', 'key2' => [ 'key2b' => 'val2b', 'key2c' => 'val2c' ] ];

and you set the following:

        $service->loadAuthenticator('Authentication.Session', [
            'sessionKey' => "key2",
            'identify' => true,
            'fields' => [ 'username' => 'key1' ]
        ]);

key1 will be searched for inside key2 and the Identifier will not have access to key1/val1.

Please consider allowing users to properly override the fields, and allow passing a single array.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 120 days with no activity. Remove the stale label or comment or this will be closed in 15 days.

markstory commented 1 month ago

Reading this over again, this sounds like an ideal scenario for you to copy the SessionAuthenticator into your application and make the changes you need to get the desired results. The framework built-ins come with a set of opinions and I'd rather encourage divergent behavior vs continually adding scope and complexity to the core implementation. Authenticators have a stable interface and as long as you conform to that interface you can do as you please.
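
An application-level authenticator along the lines suggested above, as an added example that is not from the thread or the plugin's own code. The class name `SessionArrayAuthenticator` and its `App\Authenticator` namespace are hypothetical, and the example assumes the configured identifier accepts the whole session array as its credentials.

```php
<?php
declare(strict_types=1);

// Hypothetical application class; not part of cakephp/authentication.
namespace App\Authenticator;

use Authentication\Authenticator\AbstractAuthenticator;
use Authentication\Authenticator\Result;
use Authentication\Authenticator\ResultInterface;
use Psr\Http\Message\ServerRequestInterface;

/**
 * Reads one session key and passes its entire array value to the identifier.
 * The 'fields' option is ignored, so no 'username' mapping is ever applied.
 *
 * Assumed loading call, mirroring the one in the issue:
 *   $service->loadAuthenticator(SessionArrayAuthenticator::class, [
 *       'sessionKey' => 'access_token',
 *   ]);
 */
class SessionArrayAuthenticator extends AbstractAuthenticator
{
    public function authenticate(ServerRequestInterface $request): ResultInterface
    {
        // CakePHP attaches its session object to the request as 'session'.
        $session = $request->getAttribute('session');
        $data = $session ? $session->read($this->getConfig('sessionKey')) : null;

        // Fail closed: anything other than a non-empty array is not an identity.
        if (!is_array($data) || $data === []) {
            return new Result(null, ResultInterface::FAILURE_IDENTITY_NOT_FOUND);
        }

        // Hand the whole array over unmapped; the identifier decides whether
        // the stored token data still corresponds to a valid user.
        $identity = $this->getIdentifier()->identify($data);
        if (empty($identity)) {
            return new Result(null, ResultInterface::FAILURE_IDENTITY_NOT_FOUND);
        }

        return new Result($identity, ResultInterface::SUCCESS);
    }
}
```

Unlike the built-in SessionAuthenticator, this class does not implement PersistenceInterface, so the application is responsible for writing the session key after login and clearing it on logout.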