Entity protected fields interferes with Digest Authentication

[SAMGARTNER]

This is a (multiple allowed):

• bug

• enhancement

• feature-discussion (RFC)

• CakePHP Version: 3.3.15

• Platform and Target: Mac OS X Yosemite With Server App MySQL.

What you did

I was trying to implement digest authentication and I have the Users table with the password field already being used for JWT so I added a second field called digest. Also inside the User Entity I added the field 'digest' to the Hidden Fields in order to hide this data from the API request.

protected $_hidden = [
        'password','mydigest'
    ];

What happened

When I try to get into the site I receive an error that points me to the line 115 of the DigestAuthenticate.php file . This happens even with the default 'password' setting.

$field = $this->_config['fields']['password'];
$password = $user[$field];

What you expected to happen

DigestAuthenticate relies on BaseAuthenticate that gets the user from the database but with the hidden fields stripped. In my case I had to replace

$user = $this->_findUser($digest['username']);

with

$users = TableRegistry::get('Users');
        $user = $users->find('all')
    	->where(['username' => $digest['username']])
    	->first();

Not sure if this is something desirable, of course I had to manually strip both 'password' and 'mydigest' from the user object but this brakes the settings pattern.

P.S. Remember, an issue is not the place to ask questions. You can use Stack Overflow
for that or join the #cakephp channel on irc.freenode.net, where we will be more
than happy to help answer your questions.

Before you open an issue, please check if a similar issue already exists or has been closed before.

[markstory]

Hidden fields are not elided from the database query results, and should be accessible to DigestAuthentication. Have you tried removing mydigest from the hidden fields? Does that resolve the problem?

[SAMGARTNER]

Yes that was the first thing that I tried, but since the password field is being hidden by default it kinda creeped me out to remove it, since it's basically a second password. Of course DigestAuthenticate unsets the field but in all other parts the user object will have it. Not trying to pretend to be an expert here.

[markstory]

@jigzat Even with the digest hash hidden, CakePHP should still be able to read the field. The hash check is done here and the array access methods on entities do not 'protect' direct property reads.

[ADmad]

@markstory I think the issue is that _findUser() uses toArray() on the entity which would strip out any hidden fields. Hence the password and mydigest field are already gone from $user by the time execution reaches the lines you linked.

[markstory]

@ADmad Yes that would make it not work. I totally missed that toArray() call before.

[burzum]

@ADmad we'll probably need to fix this in the Authentication plugin as well?

[markstory]

Pull request open now.