"Call to a member function getOriginalData() on null" Cake4 - RequestAuthorizationMiddleware

• bug

• enhancement

• feature-discussion (RFC)

• CakePHP Version: 4.1.0

I followed the implementation of the Request Authorization Middleware : https://book.cakephp.org/authorization/2/en/request-authorization-middleware.html
My objective is to setup a global security by checking the user role. So i created a RequestPolicy.php with the function canAccess.
It works well however when the session is expired, it still calls the function canAccess which uses $identity which is null because of the expired session so i get an error “Call to a member function getOriginalData() on null” ($identity->getOriginalData()) instead of redirecting me to the login with the redirect param.
I do not understand how it is supposed to handle that case.

[markstory]

Could you share the code you have? Based on what I can understand from this issue you need to guard your getOriginalData() call with an if ($identity) check as the identity is not always set.

Application.php

    /**
     * Returns a service provider instance.
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request Request
     * @return \Authentication\AuthenticationServiceInterface
     */
    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService();

        // Define where users should be redirected to when they are not authenticated
        $service->setConfig([
            'unauthenticatedRedirect' => \Cake\Routing\Router::url(['prefix' => false, 'controller' => 'Users', 'action' => 'login']),
            'queryParam' => 'redirect',
        ]);
    
        $fields = [
            'username' => 'username',
            'password' => 'password'
        ];

        // Load the authenticators. Session should be first.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Form', [
            'fields' => $fields
        ]);
    
        // Load identifiers
        $service->loadIdentifier('Authentication.Password', [
            'fields' => $fields,
            'resolver' => [
                'className' => 'Authentication.Orm',
                'finder' => 'auth'
            ]
        ]);
    
        return $service;
    }

    /**
     * Returns a service provider instance.
     *
     * @param ServerRequestInterface $request
     * @return AuthorizationServiceInterface
     */
    public function getAuthorizationService(ServerRequestInterface $request): AuthorizationServiceInterface
    {
        $ormResolver = new OrmResolver();
        $mapResolver = new MapResolver();
        $mapResolver->map(ServerRequest::class, RequestPolicy::class);

        $resolver = new ResolverCollection([$mapResolver, $ormResolver]);

        return new AuthorizationService($resolver);
    } 

RequestPolicy.php

    /**
     * Method to check if the request can be accessed
     *
     * @param \Authorization\IdentityInterface|null Identity
     * @param \Cake\Http\ServerRequest $request Server Request
     * @return bool
     */
    public function canAccess($identity, ServerRequest $request)
    {
        if (!$request->getParam('prefix')) {            
            return true;
        }

        if ($request->getParam('prefix') === 'Admin') {
            return $identity->getOriginalData()->hasAdminRole();
        }

        return false;
    }

If i'm not connected, that function is still called whereas the identity is null instead of redirecting me to the login page with the query param, for example if i go to /admin/users

[markstory]

You'll need to ensure that the identity is an object before calling methods on it. When no user is authenticated the identity will be null.

But how do i redirect to a login page when the identity is null ?
I didnt find any configuration by using RequestAuthorizationMiddleware

[markstory]

But how do i redirect to a login page when the identity is null ?

You don't do that in authorization. That should be handled by authentication. This docs page has an example.

I dont understand, that code is my function

        $service = new AuthenticationService();

        // Define where users should be redirected to when they are not authenticated
        $service->setConfig([
            'unauthenticatedRedirect' => \Cake\Routing\Router::url(['prefix' => false, 'controller' => 'Users', 'action' => 'login']),
            'queryParam' => 'redirect',
        ]);

If the method CanAccess always returns true, i am well redirected to the login page. But it causes error when i want to control a certain route by checking the identity role (which is null). So that function is called before the redirection.
And the beforeFilter method of the controller (of the route) is also called when i'm not authenticated.

I am probably not implementing the right way.
All i would like is to setup a security control based on the user role as it is mentionned in the doc .

If i go to "/admin/*" then i should have the role "admin".

If i'm not authenticated i am redirected to the login page with the query param "/admin/*"

Thank you for your reply

What about this ?
#120

[markstory]

Seems related. The previous commenter never got around to contributing a patch, and it still needs doing. Perhaps you'd like to help?

I will try and will inform you.

[othercorey]

Can't you just throw a Authorization\Exception\Exception which AuthorizationMiddleware will catch? You can re-use the unauthorizedHandler config for requests.

[matteorebeschi]

Why was this issue closed when the problem still persists?

@othercorey that wouldn't work because, when throwing an exception in a RequestPolicy class (that is, a class that implements the RequestPolicyInterface interface), that exception needs to be caught in the RequestAuthorizationMiddleware, and not in the AuthorizationMiddleware.

In fact, the process method of AuthorizationMiddleware has a try/catch block, while the process method of RequestAuthorizationMiddleware doesn't.

[markstory]

Why was this issue closed when the problem still persists?

No one got around to sending a patch. The RequestPolicy that was provided earlier was missing logic for checking for unauthenticated users.

If you're running into a similar issue @matteorebeschi could you open a new issue that includes a way to reproduce the problem you're having? Perhaps we can figure out a solution.