Skip to content

Fix loadIdentifier called after loadAuthenticator losing resolver config #755

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 3.x
Choose a base branch
from
Open

Fix loadIdentifier called after loadAuthenticator losing resolver config #755

wants to merge 2 commits into from

Conversation

@dereuromark
Copy link
Member

@dereuromark dereuromark commented Nov 24, 2025
edited
Loading

Summary

Fixes #754

When loadAuthenticator() was called before loadIdentifier(), the resolver config (including userModel and finder) would be lost because:

  1. loadAuthenticator() triggers authenticators()identifiers() which creates an empty IdentifierCollection
  2. The authenticator (e.g., FormAuthenticator) would see the empty collection and create a new default PasswordIdentifier with default resolver config
  3. Later calls to loadIdentifier() would add to the service's collection, but the authenticator already had its own separate collection

@dereuromark
Copy link
Member Author

dereuromark commented Nov 24, 2025

The fix is quite heavy, as it would need to move the defaulting out of the constructor.
We have 3 options:

  • document the loading order
  • fix the bc break
  • revert defaulting and only apply to new major

@dereuromark dereuromark requested a review from ADmad November 24, 2025 22:02
markstory
markstory reviewed Nov 25, 2025
View reviewed changes
src/Authenticator/FormAuthenticator.php Outdated
Comment on lines 58 to 59
public function __construct(IdentifierInterface $identifier, array $config = [])
public function authenticate(ServerRequestInterface $request): ResultInterface
Copy link
Member

@markstory markstory Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason we can't use setIdentifier()/getIdentifier()? It seems it could be a simpler path forward.

If when we need the identifier, and the collection is empty, authenticators could create their default. We could even have a hook method on AbstractAuthenticator if you wanted to get fancy.

Copy link
Member

@ADmad ADmad Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If when we need the identifier, and the collection is empty, authenticators could create their default.

That's what's being done below isn't it? Just that the _identifier property is used directly instead of using setIdentifer()/getIdentifier().

Copy link
Member

@ADmad ADmad Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After the updates done by dereuromark I see now what you meant :)

Copy link
Member Author

@dereuromark dereuromark Nov 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want to make an alternative PR or adjust this one?
Or all good now?

@dereuromark
Copy link
Member Author

dereuromark commented Nov 25, 2025

We need to squash merge this, and then for merging to 4.x we probably want to go back to cleaner constructor way.

@dereuromark dereuromark marked this pull request as ready for review November 25, 2025 11:29
ADmad
ADmad reviewed Nov 25, 2025
View reviewed changes
@dereuromark @claude
Fix loadIdentifier called after loadAuthenticator losing resolver config
acfdcf8 
When loadAuthenticator() was called before loadIdentifier(), the
authenticator would receive an empty IdentifierCollection and create
its own default Password identifier immediately in the constructor.
Later calls to loadIdentifier() would add to the service's identifier
collection, but the authenticator already had its own separate
collection with the default identifier.

This fix changes the default identifier loading from eager (in
constructor) to lazy (in authenticate()). This ensures that if
loadIdentifier() is called after loadAuthenticator(), the identifier
will be loaded into the shared collection before the authenticator
tries to use it.

Fixes #754

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@dereuromark dereuromark force-pushed the fix/754-resolver-config-lost branch from 788944a to acfdcf8 Compare November 25, 2025 11:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markstory markstory markstory left review comments

@ADmad ADmad ADmad left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Regression 3.3.3] OrmResolver config (userModel/finder) is ignored when nested under 'resolver' in PasswordIdentifier

4 participants

@dereuromark @markstory @ADmad