Implemented stateless login for Auth #1169
@@ -97,9 +97,6 @@ class DigestAuthenticate extends BaseAuthenticate { | |||
*/ | |||
public function __construct(ComponentCollection $collection, $settings) { | |||
parent::__construct($collection, $settings); | |||
if (empty($this->settings['realm'])) { | |||
$this->settings['realm'] = env('SERVER_NAME'); | |||
} |
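Review bot: the removed `if (empty($this->settings['realm']))` block was the only place DigestAuthenticate set a realm, so after this hunk the class depends entirely on `parent::__construct($collection, $settings)` to provide one; the realm is part of the digest hash computation, so if the parent does not default it the hashes would be computed against an empty realm. Please confirm in the parent constructor that a default (such as the `env('SERVER_NAME')` fallback dropped here) is still applied.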
Are you sure we don't need the realm anymore? I thought it was required to properly generate digest hashes.
It is required but now DigestAuthenticate extends BasicAuthenticate and its constructor already sets the realm.
This looks good to me, just a bit concerned about the clarity on how unauthenticated() works.
@markstory @lorenzo Updated docblocks and added new tests. Although session start was prevented when correct credentials were passed for basic/digest auth, I had to add one more tweak to ensure session is not started when no or incorrect credentials are passed (check third commit).
public function testStatelessAuthNoRedirect() { | ||
if (CakeSession::id()) { | ||
session_destroy(); | ||
debug(session_id()); |
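Review bot: `debug(session_id());` after the `session_destroy();` call is leftover diagnostic output that will print on every run of testStatelessAuthNoRedirect; drop it before merge. The guard `if (CakeSession::id())` around `session_destroy()` is fine as a precondition reset, but the test's actual assertion should be that no session exists after the stateless request.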
Left over debug()
Does anyone have any more feedback on this, or should I get the manual updates ready and merge?
I think it looks good.
Implemented stateless login for Auth
Don't forget to document in the book! :)
I thought my previous message would be hint enough that I intend to. :)
I was not enough
I think I have finally managed to get stateless auth working in a sensible way with minimal hacking of the AuthComponent.
With this patch when using only BasicAuthenticate there is no redirection to login action nor session starting.
When using the Basic and Form authenticators together (order matters), if the required HTTP headers are passed and a valid user is found it behaves as mentioned above; otherwise it continues with regular form/basic authentication.
For now I only modified existing tests to pass. More tests need to be added after wiser men confirm what I have done is a good idea 😄
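The ordering point made above, as an added illustration that is not code from this pull request or from the CakePHP project: a CakePHP 2.x `AppController` that lists `Basic` before `Form` so that a request carrying valid HTTP Basic credentials is authenticated statelessly (no session, no redirect to `loginAction`), while a browser request without those headers falls through to the form login. The `realm` value and the `users/login` action are assumptions for the example.

```php
<?php
App::uses('Controller', 'Controller');

class AppController extends Controller {

	public $components = array(
		'Auth' => array(
			// Order matters: Basic runs first. If the Authorization header is
			// present and valid, the request is served without starting a
			// session; if it is absent or invalid, Form gets its turn.
			'authenticate' => array(
				'Basic' => array(
					// Realm the client sees in the WWW-Authenticate challenge
					// (hypothetical value for this example).
					'realm' => 'api.example.com',
				),
				'Form',
			),
			// Only reached for requests the Basic authenticator did not
			// accept, i.e. ordinary browser traffic.
			'loginAction' => array('controller' => 'users', 'action' => 'login'),
		),
	);
}
```

With `Basic` alone in the `authenticate` array, the behaviour described above applies to every request: missing or wrong credentials produce the HTTP challenge rather than a redirect, and no session is created.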