laminas / laminas-authentication

provides an API for authentication and includes concrete authentication adapters for common use case scenarios
https://docs.laminas.dev/laminas-authentication/
BSD 3-Clause "New" or "Revised" License

[Question] Why authenticate writes identity? #6

Open weierophinney opened 4 years ago

weierophinney commented 4 years ago

Hello. I wanted to ask if there is a specific reason why the authenticate() method also writes data to storage? In ZF1, the adapter only returned a result, which I think was the best possible solution. I think AuthService should only check data and prepare subclasses for further actions. In most cases, the user won't need the default identity but custom data. And now, if data is saved, it might cause bug ZF-7546 to reappear. To prevent it, one should once again call clearIdentity() and write again after checking isValid().

As an example, a possible bug scenario: time window logins. A user can only log in during 8-16. Because of some extra blocking inside !isValid(), we treat it as valid authentication and make some extra redirects if the time didn't match. Now if we forget to clear the identity before redirecting, the MVC identity plugin will return true, which may then lead to other bugs if we expected an array and the identity is a string.


Originally posted by @xorock at https://github.com/zendframework/zend-authentication/issues/21
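
The time-window scenario from the post, as an added example that is not part of the original issue or the project's own code: it shows the identity being persisted by `AuthenticationService::authenticate()` and the `clearIdentity()` call that the extra policy check needs. It assumes PHP 8 with laminas-authentication installed via Composer; `ConstructedAdapter`, `withinWindow()`, `loginWithinWindow()`, the credentials, and reading "8-16" as 08:00 up to 16:00 are all assumptions made for illustration.

```php
<?php
// Added example, not laminas-authentication code. ConstructedAdapter,
// withinWindow() and loginWithinWindow() are hypothetical names.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Authentication\Adapter\AdapterInterface;
use Laminas\Authentication\AuthenticationService;
use Laminas\Authentication\Result;
use Laminas\Authentication\Storage\NonPersistent;

// Stand-in adapter that accepts one constructed credential pair.
final class ConstructedAdapter implements AdapterInterface
{
    public function __construct(private string $user, private string $password) {}

    public function authenticate(): Result
    {
        $ok = $this->user === 'alice' && hash_equals('constructed-secret', $this->password);
        return new Result($ok ? Result::SUCCESS : Result::FAILURE_CREDENTIAL_INVALID, $ok ? $this->user : null);
    }
}

// Policy from the post: logins allowed only inside the 8-16 window (assumed 08:00 <= t < 16:00).
function withinWindow(DateTimeImmutable $now): bool
{
    $hour = (int) $now->format('G');
    return $hour >= 8 && $hour < 16;
}

function loginWithinWindow(AuthenticationService $auth, AdapterInterface $adapter, DateTimeImmutable $now): bool
{
    $result = $auth->authenticate($adapter); // a valid result is written to storage here
    if (! $result->isValid()) {
        return false;
    }
    if (! withinWindow($now)) {
        $auth->clearIdentity(); // without this, hasIdentity() stays true after the redirect
        return false;
    }
    return true;
}

$auth    = new AuthenticationService(new NonPersistent());
$adapter = new ConstructedAdapter('alice', 'constructed-secret');

// Correct credentials outside the window: login refused, no identity left behind.
var_dump(loginWithinWindow($auth, $adapter, new DateTimeImmutable('2024-01-01 20:30')));
var_dump($auth->hasIdentity());
```

Removing the `clearIdentity()` line reproduces the situation described in the post: the login is refused, yet `hasIdentity()` reports an identity on the next request.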