Merge remote-tracking branch 'origin/3.x' into 3.next

dereuromark · dereuromark · commit 6edbfe6a4b56 · 2025-04-30T01:03:06.000+02:00
diff --git a/composer.json b/composer.json
@@ -23,6 +23,7 @@
         "docs": "https://book.cakephp.org/authentication/3/en/"
     },
     "require": {
+        "php": ">=8.1",
         "cakephp/http": "^5.0",
         "laminas/laminas-diactoros": "^3.0",
         "psr/http-client": "^1.0",
diff --git a/docs/en/index.rst b/docs/en/index.rst
@@ -85,12 +85,12 @@ define the ``AuthenticationService`` it wants to use. Add the following method t
 
         // Define where users should be redirected to when they are not authenticated
         $service->setConfig([
-            'unauthenticatedRedirect' => Router::url([
+            'unauthenticatedRedirect' => [
                     'prefix' => false,
-                    'plugin' => null,
+                    'plugin' => false,
                     'controller' => 'Users',
                     'action' => 'login',
-            ]),
+            ],
             'queryParam' => 'redirect',
         ]);
 
diff --git a/readme.md b/readme.md
@@ -1,6 +1,6 @@
 # CakePHP Authentication
 
-![Build Status](https://github.com/cakephp/authentication/actions/workflows/ci.yml/badge.svg?branch=master)
+[![CI](https://github.com/cakephp/authentication/actions/workflows/ci.yml/badge.svg)](https://github.com/cakephp/authentication/actions/workflows/ci.yml)
 [![Latest Stable Version](https://img.shields.io/github/v/release/cakephp/authentication?sort=semver&style=flat-square)](https://packagist.org/packages/cakephp/authentication)
 [![Total Downloads](https://img.shields.io/packagist/dt/cakephp/authentication?style=flat-square)](https://packagist.org/packages/cakephp/authentication/stats)
 [![Code Coverage](https://img.shields.io/coveralls/cakephp/authentication/master.svg?style=flat-square)](https://coveralls.io/r/cakephp/authentication?branch=master)
@@ -23,18 +23,12 @@ You can install this plugin into your CakePHP application using
 [composer](https://getcomposer.org):
 
 ```
-php composer.phar require cakephp/authentication
+composer require cakephp/authentication
 ```
 
-Load the plugin by adding the following statement in your project's
-`src/Application.php`:
-```php
-public function bootstrap(): void
-{
-    parent::bootstrap();
-
-    $this->addPlugin('Authentication');
-}
+Then load the plugin:
+```
+bin/cake plugin load Authentication
 ```
 
 ## Documentation
@@ -43,4 +37,6 @@ Documentation for this plugin can be found in the [CakePHP Cookbook](https://boo
 
 ## IDE compatibility improvements
 
-For `AuthenticationService::loadIdentifier()` you an find an IdeHelper task in [IdeHelperExtra plugin](https://github.com/dereuromark/cakephp-ide-helper-extra/).
+There are IdeHelper tasks in [IdeHelperExtra plugin](https://github.com/dereuromark/cakephp-ide-helper-extra/) to provide auto-complete:
+- `AuthenticationService::loadAuthenticator()`
+- `IdentifierCollection::load()`
diff --git a/src/AuthenticationService.php b/src/AuthenticationService.php
@@ -26,6 +26,7 @@
 use Authentication\Identifier\IdentifierCollection;
 use Authentication\Identifier\IdentifierInterface;
 use Cake\Core\InstanceConfigTrait;
+use Cake\Routing\Router;
 use InvalidArgumentException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -372,6 +373,9 @@ public function getUnauthenticatedRedirectUrl(ServerRequestInterface $request):
         if ($target === null) {
             return null;
         }
+        if (is_array($target) && class_exists(Router::class)) {
+            $target = Router::url($target);
+        }
         if ($param === null) {
             return $target;
         }
diff --git a/src/Authenticator/CookieAuthenticator.php b/src/Authenticator/CookieAuthenticator.php
@@ -84,7 +84,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
 
         $identity = $this->_identifier->identify(compact('username'));
 
-        if (empty($identity)) {
+        if (!$identity) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
         }
 
@@ -134,9 +134,14 @@ protected function _createPlainToken(ArrayAccess|array $identity): string
         $usernameField = $this->getConfig('fields.username');
         $passwordField = $this->getConfig('fields.password');
 
-        $salt = $this->getConfig('salt', '');
+        if ($identity[$usernameField] === null || $identity[$passwordField] === null) {
+            throw new InvalidArgumentException(
+                sprintf('Fields %s cannot be found in entity', '`' . $usernameField . '`/`' . $passwordField . '`'),
+            );
+        }
 
         $value = $identity[$usernameField] . $identity[$passwordField];
+        $salt = $this->getConfig('salt', '');
 
         if ($salt === false) {
             return $value;
diff --git a/src/Authenticator/EnvironmentAuthenticator.php b/src/Authenticator/EnvironmentAuthenticator.php
@@ -137,7 +137,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             return $this->_buildLoginUrlErrorResult($request);
         }
         $data = $this->_getData($request);
-        if (empty($data)) {
+        if (!$data) {
             return new Result(null, Result::FAILURE_CREDENTIALS_MISSING, [
                 'Environment credentials not found',
             ]);
@@ -147,7 +147,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
 
         $user = $this->_identifier->identify($data);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
         }
 
diff --git a/src/Authenticator/FormAuthenticator.php b/src/Authenticator/FormAuthenticator.php
@@ -130,7 +130,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
 
         $user = $this->_identifier->identify($data);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
         }
 
diff --git a/src/Authenticator/HttpDigestAuthenticator.php b/src/Authenticator/HttpDigestAuthenticator.php
@@ -98,7 +98,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             AbstractIdentifier::CREDENTIAL_USERNAME => $digest['username'],
         ]);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
         }
 
@@ -132,13 +132,13 @@ protected function _getDigest(ServerRequestInterface $request): ?array
     {
         $server = $request->getServerParams();
         $digest = empty($server['PHP_AUTH_DIGEST']) ? null : $server['PHP_AUTH_DIGEST'];
-        if (empty($digest) && function_exists('apache_request_headers')) {
+        if (!$digest && function_exists('apache_request_headers')) {
             $headers = apache_request_headers();
             if (!empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) === 'Digest ') {
                 $digest = substr($headers['Authorization'], 7);
             }
         }
-        if (empty($digest)) {
+        if (!$digest) {
             return null;
         }
 
@@ -165,7 +165,7 @@ public function parseAuthData(string $digest): ?array
             unset($req[$i[1]]);
         }
 
-        if (empty($req)) {
+        if (!$req) {
             return $keys;
         }
 
diff --git a/src/Authenticator/JwtAuthenticator.php b/src/Authenticator/JwtAuthenticator.php
@@ -110,7 +110,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             $subjectKey => $result[$subjectKey],
         ]);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
         }
 
diff --git a/src/Authenticator/SessionAuthenticator.php b/src/Authenticator/SessionAuthenticator.php
@@ -31,7 +31,7 @@ class SessionAuthenticator extends AbstractAuthenticator implements PersistenceI
      * Default config for this object.
      * - `fields` The fields to use to verify a user by.
      * - `sessionKey` Session key.
-     * - `identify` Whether or not to identify user data stored in a session. This is
+     * - `identify` Whether to identify user data stored in a session. This is
      *   useful if you want to remotely end sessions that have a different password stored,
      *   or if your identification logic needs additional conditions before a user can login.
      *
@@ -60,7 +60,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
         $session = $request->getAttribute('session');
         $user = $session->read($sessionKey);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);
         }
 
@@ -71,7 +71,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             }
             $user = $this->_identifier->identify($credentials);
 
-            if (empty($user)) {
+            if (!$user) {
                 return new Result(null, Result::FAILURE_CREDENTIALS_INVALID);
             }
         }
diff --git a/src/Authenticator/TokenAuthenticator.php b/src/Authenticator/TokenAuthenticator.php
@@ -75,9 +75,9 @@ protected function stripTokenPrefix(string $token, string $prefix): string
      */
     protected function getTokenFromHeader(ServerRequestInterface $request, ?string $headerLine): ?string
     {
-        if (!empty($headerLine)) {
+        if ($headerLine) {
             $header = $request->getHeaderLine($headerLine);
-            if (!empty($header)) {
+            if ($header) {
                 return $header;
             }
         }
@@ -89,12 +89,12 @@ protected function getTokenFromHeader(ServerRequestInterface $request, ?string $
      * Gets the token from the request query
      *
      * @param \Psr\Http\Message\ServerRequestInterface $request The request that contains login information.
-     * @param string $queryParam Request query parameter name
+     * @param string|null $queryParam Request query parameter name
      * @return string|null
      */
     protected function getTokenFromQuery(ServerRequestInterface $request, ?string $queryParam): ?string
     {
-        if (empty($queryParam)) {
+        if (!$queryParam) {
             return null;
         }
 
@@ -123,7 +123,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             TokenIdentifier::CREDENTIAL_TOKEN => $token,
         ]);
 
-        if (empty($user)) {
+        if (!$user) {
             return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
         }
 
diff --git a/src/Controller/Component/AuthenticationComponent.php b/src/Controller/Component/AuthenticationComponent.php
@@ -388,6 +388,7 @@ public function implementedEvents(): array
      * @param \ArrayAccess $impersonated User impersonated
      * @return $this
      * @throws \Exception
+     * @see https://book.cakephp.org/authentication/3/en/impersonation.html
      */
     public function impersonate(ArrayAccess $impersonated)
     {
@@ -425,6 +426,7 @@ public function impersonate(ArrayAccess $impersonated)
      *
      * @return $this
      * @throws \Exception
+     * @see https://book.cakephp.org/authentication/3/en/impersonation.html
      */
     public function stopImpersonating()
     {
@@ -453,6 +455,7 @@ public function stopImpersonating()
      *
      * @return bool
      * @throws \Exception
+     * @see https://book.cakephp.org/authentication/3/en/impersonation.html
      */
     public function isImpersonating(): bool
     {
@@ -473,6 +476,7 @@ public function isImpersonating(): bool
      *
      * @return \Authentication\Authenticator\ImpersonationInterface
      * @throws \Exception
+     * @see https://book.cakephp.org/authentication/3/en/impersonation.html
      */
     protected function getImpersonationAuthenticationService(): ImpersonationInterface
     {
diff --git a/src/Identifier/Ldap/ExtensionAdapter.php b/src/Identifier/Ldap/ExtensionAdapter.php
@@ -89,7 +89,7 @@ public function getConnection(): Connection
      *
      * @param string $host Hostname
      * @param int $port Port
-     * @param array $options Additonal LDAP options
+     * @param array $options Additional LDAP options
      * @return void
      */
     public function connect(string $host, int $port, array $options): void
@@ -110,7 +110,7 @@ public function connect(string $host, int $port, array $options): void
         $this->_unsetErrorHandler();
 
         foreach ($options as $option => $value) {
-            $this->setOption($option, $value);
+            $this->setOption((int)$option, $value);
         }
     }
 
diff --git a/src/PasswordHasher/PasswordHasherTrait.php b/src/PasswordHasher/PasswordHasherTrait.php
@@ -13,7 +13,7 @@ trait PasswordHasherTrait
     protected ?PasswordHasherInterface $_passwordHasher = null;
 
     /**
-     * Whether or not the user authenticated by this class
+     * Whether the user authenticated by this class
      * requires their password to be rehashed with another algorithm.
      *
      * @var bool
diff --git a/src/UrlChecker/CakeRouterUrlChecker.php b/src/UrlChecker/CakeRouterUrlChecker.php
@@ -28,7 +28,7 @@ class CakeRouterUrlChecker extends DefaultUrlChecker
     /**
      * Default Options
      *
-     * - `checkFullUrl` Whether or not to check the full request URI.
+     * - `checkFullUrl` Whether to check the full request URI.
      *
      * @var array
      */
diff --git a/src/UrlChecker/DefaultUrlChecker.php b/src/UrlChecker/DefaultUrlChecker.php
@@ -26,8 +26,8 @@ class DefaultUrlChecker implements UrlCheckerInterface
     /**
      * Default Options
      *
-     * - `urlChecker` Whether or not to use `loginUrl` as regular expression(s).
-     * - `checkFullUrl` Whether or not to check the full request URI.
+     * - `urlChecker` Whether to use `loginUrl` as regular expression(s).
+     * - `checkFullUrl` Whether to check the full request URI.
      *
      * @var array
      */
@@ -44,8 +44,7 @@ public function check(ServerRequestInterface $request, $loginUrls, array $option
         $options = $this->_mergeDefaultOptions($options);
 
         $urls = (array)$loginUrls;
-
-        if (empty($urls)) {
+        if (!$urls) {
             return true;
         }
 
@@ -69,7 +68,7 @@ public function check(ServerRequestInterface $request, $loginUrls, array $option
      * method and inject additional options without the need to use the
      * MergeVarsTrait.
      *
-     * @param array $options Options to merge in
+     * @param array<string, mixed> $options Options to merge in
      * @return array
      */
     protected function _mergeDefaultOptions(array $options): array
@@ -80,7 +79,7 @@ protected function _mergeDefaultOptions(array $options): array
     /**
      * Gets the checker function name or a callback
      *
-     * @param array $options Array of options
+     * @param array<string, mixed> $options Array of options
      * @return callable
      */
     protected function _getChecker(array $options): callable
diff --git a/src/UrlChecker/UrlCheckerInterface.php b/src/UrlChecker/UrlCheckerInterface.php
@@ -28,7 +28,7 @@ interface UrlCheckerInterface
      *
      * @param \Psr\Http\Message\ServerRequestInterface $request Server Request
      * @param array|string $loginUrls Login URL string or array of URLs
-     * @param array $options Array of options
+     * @param array<string, mixed> $options Array of options
      * @return bool
      */
     public function check(ServerRequestInterface $request, array|string $loginUrls, array $options = []): bool;
diff --git a/src/View/Helper/IdentityHelper.php b/src/View/Helper/IdentityHelper.php
@@ -110,7 +110,7 @@ public function is(int|string $id, string $field = 'id'): bool
      */
     public function get(?string $key = null): mixed
     {
-        if (empty($this->_identity)) {
+        if ($this->_identity === null) {
             return null;
         }
 
diff --git a/tests/TestCase/AuthenticationServiceTest.php b/tests/TestCase/AuthenticationServiceTest.php
diff --git a/tests/TestCase/Authenticator/CookieAuthenticatorTest.php b/tests/TestCase/Authenticator/CookieAuthenticatorTest.php

Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`137`	`137`	`return $this->_buildLoginUrlErrorResult($request);`
`138`	`138`	`}`
`139`	`139`	`$data = $this->_getData($request);`
`140`		`- if (empty($data)) {`
	`140`	`+ if (!$data) {`
`141`	`141`	`return new Result(null, Result::FAILURE_CREDENTIALS_MISSING, [`
`142`	`142`	`'Environment credentials not found',`
`143`	`143`	`]);`
`@@ -147,7 +147,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`147`	`147`
`148`	`148`	`$user = $this->_identifier->identify($data);`
`149`	`149`
`150`		`- if (empty($user)) {`
	`150`	`+ if (!$user) {`
`151`	`151`	`return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());`
`152`	`152`	`}`
`153`	`153`
Original file line number	Diff line number	Diff line change
`@@ -130,7 +130,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`130`	`130`
`131`	`131`	`$user = $this->_identifier->identify($data);`
`132`	`132`
`133`		`- if (empty($user)) {`
	`133`	`+ if (!$user) {`
`134`	`134`	`return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());`
`135`	`135`	`}`
`136`	`136`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`98`	`98`	`AbstractIdentifier::CREDENTIAL_USERNAME => $digest['username'],`
`99`	`99`	`]);`
`100`	`100`
`101`		`- if (empty($user)) {`
	`101`	`+ if (!$user) {`
`102`	`102`	`return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);`
`103`	`103`	`}`
`104`	`104`
`@@ -132,13 +132,13 @@ protected function _getDigest(ServerRequestInterface $request): ?array`
`132`	`132`	`{`
`133`	`133`	`$server = $request->getServerParams();`
`134`	`134`	`$digest = empty($server['PHP_AUTH_DIGEST']) ? null : $server['PHP_AUTH_DIGEST'];`
`135`		`- if (empty($digest) && function_exists('apache_request_headers')) {`
	`135`	`+ if (!$digest && function_exists('apache_request_headers')) {`
`136`	`136`	`$headers = apache_request_headers();`
`137`	`137`	`if (!empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) === 'Digest ') {`
`138`	`138`	`$digest = substr($headers['Authorization'], 7);`
`139`	`139`	`}`
`140`	`140`	`}`
`141`		`- if (empty($digest)) {`
	`141`	`+ if (!$digest) {`
`142`	`142`	`return null;`
`143`	`143`	`}`
`144`	`144`
`@@ -165,7 +165,7 @@ public function parseAuthData(string $digest): ?array`
`165`	`165`	`unset($req[$i[1]]);`
`166`	`166`	`}`
`167`	`167`
`168`		`- if (empty($req)) {`
	`168`	`+ if (!$req) {`
`169`	`169`	`return $keys;`
`170`	`170`	`}`
`171`	`171`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`110`	`110`	`$subjectKey => $result[$subjectKey],`
`111`	`111`	`]);`
`112`	`112`
`113`		`- if (empty($user)) {`
	`113`	`+ if (!$user) {`
`114`	`114`	`return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());`
`115`	`115`	`}`
`116`	`116`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class SessionAuthenticator extends AbstractAuthenticator implements PersistenceI`
`31`	`31`	`* Default config for this object.`
`32`	`32`	* - `fields` The fields to use to verify a user by.
`33`	`33`	* - `sessionKey` Session key.
`34`		- * - `identify` Whether or not to identify user data stored in a session. This is
	`34`	+ * - `identify` Whether to identify user data stored in a session. This is
`35`	`35`	`* useful if you want to remotely end sessions that have a different password stored,`
`36`	`36`	`* or if your identification logic needs additional conditions before a user can login.`
`37`	`37`	`*`
`@@ -60,7 +60,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`60`	`60`	`$session = $request->getAttribute('session');`
`61`	`61`	`$user = $session->read($sessionKey);`
`62`	`62`
`63`		`- if (empty($user)) {`
	`63`	`+ if (!$user) {`
`64`	`64`	`return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND);`
`65`	`65`	`}`
`66`	`66`
`@@ -71,7 +71,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface`
`71`	`71`	`}`
`72`	`72`	`$user = $this->_identifier->identify($credentials);`
`73`	`73`
`74`		`- if (empty($user)) {`
	`74`	`+ if (!$user) {`
`75`	`75`	`return new Result(null, Result::FAILURE_CREDENTIALS_INVALID);`
`76`	`76`	`}`
`77`	`77`	`}`