[WIP] [BC BREAK] Refactor of authentication layer #554
Conversation
- Renamed from `Db` to `Mapper` - Added SM aliases for easier overriding (Mapper and Session)
- Externalize the password hashing and verification (CredentialProcessor) - Generalize Mapper adapter to work with any mapper find method - Provide factories for producing MapperUsername and MapperEmail adapters - Update dist configuration with new adapter name
|
git seems to think I deleted the |
adamlundrigan
changed the title
|
Awesome that you started refactor of the authentication system, i had that on my todo list too. |
|
👍 If you want to give me the gist of how you'd like to see it implemented I can take a stab at it. |
|
👍 |
- Now just a priority list of Zend\Authentication\Adapter\AbstractAdapter instances - Eliminated Storage from collaborator list (AuthenticationService handles this) - Eliminated some obsoleted classes (AbstractAdapter, AdapterChainEvent, ChainableAdapter, OptionsNotFoundException)
|
@Danielss89 I took a stab at simplifying the AdapterChain stuff. Internally it now just stores a priority list of standard authentication adapters and iterates over them on |
…Chain::authenticate
adamlundrigan
changed the title
…torage backend is in use
(enabled for debugging, slipped through) [skip ci]
|
Travis test failure due to 5.3.x incompatibility in a test class (use |
|
We aim for PHP version 5.5 and ZF 2.3 |
|
Btw. i will go though this, i just don't have time until next week :) Probably next weekend. |
|
I've added a prototype implementation of rehashing a user's password when required. I'm not 100% convinced it's the right approach so I've stashed it in a separate branch: adamlundrigan@98fbc53 |
|
I'm going to look through code now and drop comments, haven't tested yet though. |
|
|
||
| return $result; | ||
| $this->adapters = new PriorityList(); | ||
| $this->adapters->isLIFO(false); |
There was a problem hiding this comment.
Please expand function name, LastInFirstOut?
There was a problem hiding this comment.
That would be Zend Framework's problem: https://github.com/zendframework/zf2/blob/master/library/Zend/Stdlib/PriorityList.php#L172
There was a problem hiding this comment.
Stdlib is a bit of a mess in that regard. SplPriorityQueue and SplQueue are wrappers around the SPL classes to make them serializable. PriorityQueue uses Zend\Stdlib\SplPriorityQueue internally to get around SplPriorityQueue's destructive iterator, while PriorityList is an entirely standalone implementation. PriorityList with LIFO=false is functionally equivalent to PriorityQueue, just implemented differently. PriorityList with LIFO=true is technically a priority stack, but there is no PriorityStack in Stdlib. The only difference between PriorityStack and PriorityQueue is how they break priority ties. As far as I can tell it's all necessitated by odd behaviours in the Spl classes. And all of this has absolutely nothing to do with this PR, I just got off-track but I spent the time writing it so I might as well post it.
I'm going to try to sub in \SplPriorityQueue to see if it will work for this use case. If not, I'll sub in Zend\Stdlib\PriorityQueue which is equivalent to what I have currently but will cause no future head-scratching over isLIFO(false).
|
Also, see my answer here about IDEA for chained authentication adapters: |
Why?
In a recent project I aimed to build a ZfcUser-based app to be used in both console and API (Apigility) contexts, and the authentication layer in it's current form is not well suited for either.
AuthenticationChainEventinternalizes a copy of the Request objectDbauth adapter usesgetPostto pull user input fromAuthenticationChainEvent::$request[Unable to use ZfcUder from console due to Authentication\Adapter\Db using getPost on $request #541]Dbauth adapter assumes it's working with a PHP session [Authentication adapter should not know anything about authentication storage #513 Session is started by this module even in CLI mode #518]Dbauth adapter assumes it's working with Bcrypt (not as big a deal as the others)All of the above necessitated a partial rewrite of the
Dbauth adapter for our particular use case. As a more permanent fix I'd like to suggest the PR'd modifications to the authentication layer for ZfcUser 2.x.This code is in no way finished and still needs additional work (see TODO below). Please dissect at your leisure and insult/nitpick/praise/rewrite to your heart's content ;)
Overview of changes
V2
authenticate.prewhen Session storage is being usedV1
AdapterChainfunctionality.V0
AuthenticationChainEventto store identity and credential, instead of requestDbtoMapper, a more apt description of their inner workings.Zend\Crypt\Password\PasswordInterface)MapperUsernameFactoryandMapperEmailFactoryServiceManagerAwareInterfaceTODO
Does adapter need to know about storage? I'm leaning towards moving the read from / write to storage somewhere else...but it's not really of top necessity now that storage is decoupled from session.DoneRegenerating the session ID was inbuilt toAdded as an event listener automatically when Session storage is in use.Dbauth adapter. I've removed it, but it needs to be implemented somewhere else that makes more sense (event listener attached by session storage factory?)Dbauth adapter. Is this something that's necessary~~, and if so where should we trigger it~~? We could autoregister an event listener onauthenticate.successto handle this (Prototype here).Fix the tests. The exposed behaviours of the authentication layer haven't changed, but the method of instantiation and list of collaborators has changed for a number of classes.DoneUse Zend\Authentication\Adapter\DbTable\CallbackCheckAdapter?Mapper adapter is now sufficiently simplified to negate this.