AutoLoginMiddleware #218

[mapeveri]

Q	A
Is bugfix?	❌
New feature?	✔️
Breaks BC?	❌
Tests pass?	✔️

This PR is incomplete, I have some questions:

1. I understand that the 'remember' cookie is not defined. Where do i have to define it?
2. For exceptions, what kind of exception do I create?
3. In getIdentityAndDurationFromCookie at https://github.com/yiisoft/yii2/blob/master/framework/web/User.php#L562 is there a validateAuthKey method. In yii 3 does this method exist?. How can I trigger warnings?.
4. Is this method in yii 3 exist?.

I think I do not forget anything else, I wait for suggestions and improvements :)

[mapeveri]

@xepozz @roxblnfk Thank you very much for the feedback. I pay attention to the comments :)

[xepozz]

I think we need abstract the credentials storage.
For example, we can store the crentials into 1. cookies, 2. query string, 3. headers, 4. request body, etc.
Later this middleware can be used into yii-rest :)

[mapeveri]

I updated my code, although I have a doubt with authKey. Whether it is necessary or not.

[samdark]

As for the questions:

1. It is usually set on logging in with "remember me" checked in the form. So there should be a service that may do it.
2. None.
3. Auth key is required to secure the cookie and allow revoking login status. Warnings could be logged with PSR logger interface.
4. There's nothing for auth key yet.

[mapeveri]

@samdark

1. That is apart from this PR? If not, would you explain a little more.
2. Ok.
   3 / 4. In this PR, we are going to do something related to this?

[samdark]

1. Should be part of the pull request.
   3, 4. Yes or else the pull request won't make much sense.

[mapeveri]

@samdark ok, great. Can you guide me a little please?.

1. Where I will add the cookie. In the user login method?
2. Related to authkey, I check yii2 to see how it does it?. Any suggestion?

Thanks!

[samdark]

1. Yes.
2. Nope. Check Yii 2.

[mapeveri]

@samdark I updated my PR, but I have some questions.

1. I added the getAuthKey, validateAuthKey and sendIdentityCookie in User class, but I don't know how save the cookie. I think I need return the response, but not is clear for me. I need a littler help :)

2. The logout method, I think that need remove the cookie, right?. My doubt is, how to delete the cookie?.

The rest is OK?

Thanks!

[samdark]

1. See https://github.com/yiisoft/yii-web/blob/master/src/Cookie.php
2. Yes, we need to delete cookie. Add one with expiration equals -1.

[romkatsu]

not enough tests

[samdark]

TODO:

Create an issue about adding two tests testAddCookieAfterLogin() and testRemoveCookieAfterLogout(). No idea how to implement these in a good way :(

[samdark]

@mapeveri it's mostly finished except two tests that I have no idea on how to implement in a good way. What do you think?

[samdark]

Thanks for starting it, @mapeveri.

[mapeveri]

@samdark thanks to you. I would like make a some questions, for understand, because I have some doubts. The if of the line https://github.com/mapeveri/yii-web/blob/e89d374cf0b9d2dc838ac449f46e9dde510d963a/src/User/AutoLoginMiddleware.php#L43

and the line https://github.com/mapeveri/yii-web/blob/e89d374cf0b9d2dc838ac449f46e9dde510d963a/src/User/AutoLoginMiddleware.php#L47

I don't understands this. It is not clear to me when each condition is met to add the cookie or not. The login is done on this line: https://github.com/mapeveri/yii-web/blob/e89d374cf0b9d2dc838ac449f46e9dde510d963a/src/User/AutoLoginMiddleware.php#L97

[samdark]

These conditions are to detect if user logged in (was guest, became non-guest) or logged out (was non-guest, became guest) in the current request. On login we're setting a cookie. On logout we're removing a cookie. This is totally separated from logging user in by existing cookie that it happening regardless in the very beginning.

[mapeveri]

@samdark thanks!!