Adjust as per review.

dereuromark · dereuromark · commit 788944a9bb49 · 2025-11-25T12:28:20.000+01:00
diff --git a/src/Authenticator/CookieAuthenticator.php b/src/Authenticator/CookieAuthenticator.php
@@ -19,6 +19,7 @@
 use ArrayAccess;
 use Authentication\Identifier\AbstractIdentifier;
 use Authentication\Identifier\IdentifierCollection;
+use Authentication\Identifier\IdentifierInterface;
 use Authentication\PasswordHasher\PasswordHasherTrait;
 use Authentication\UrlChecker\UrlCheckerTrait;
 use Cake\Http\Cookie\Cookie;
@@ -57,12 +58,14 @@ class CookieAuthenticator extends AbstractAuthenticator implements PersistenceIn
     ];
 
     /**
-     * @inheritDoc
+     * Gets the identifier, loading a default Password identifier if none configured.
+     *
+     * This is done lazily to allow loadIdentifier() to be called after loadAuthenticator().
+     *
+     * @return \Authentication\Identifier\IdentifierInterface
      */
-    public function authenticate(ServerRequestInterface $request): ResultInterface
+    public function getIdentifier(): IdentifierInterface
     {
-        // If no identifier is configured, set up a default Password identifier
-        // This is done lazily to allow loadIdentifier() to be called after loadAuthenticator()
         if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
             $identifierConfig = [];
             if ($this->getConfig('fields')) {
@@ -71,6 +74,14 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             $this->_identifier->load('Authentication.Password', $identifierConfig);
         }
 
+        return $this->_identifier;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function authenticate(ServerRequestInterface $request): ResultInterface
+    {
         $cookies = $request->getCookieParams();
         $cookieName = $this->getConfig('cookie.name');
         if (!isset($cookies[$cookieName])) {
@@ -93,10 +104,11 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
 
         [$username, $tokenHash] = $token;
 
-        $identity = $this->_identifier->identify(compact('username'));
+        $identifier = $this->getIdentifier();
+        $identity = $identifier->identify(compact('username'));
 
         if (!$identity) {
-            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
+            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $identifier->getErrors());
         }
 
         if (!$this->_checkToken($identity, $tokenHash)) {
diff --git a/src/Authenticator/FormAuthenticator.php b/src/Authenticator/FormAuthenticator.php
@@ -18,6 +18,7 @@
 
 use Authentication\Identifier\AbstractIdentifier;
 use Authentication\Identifier\IdentifierCollection;
+use Authentication\Identifier\IdentifierInterface;
 use Authentication\UrlChecker\UrlCheckerTrait;
 use Cake\Routing\Router;
 use Psr\Http\Message\ServerRequestInterface;
@@ -49,17 +50,14 @@ class FormAuthenticator extends AbstractAuthenticator
     ];
 
     /**
-     * Authenticates the identity contained in a request. Will use the `config.userModel`, and `config.fields`
-     * to find POST data that is used to find a matching record in the `config.userModel`. Will return false if
-     * there is no post data, either username or password is missing, or if the scope conditions have not been met.
+     * Gets the identifier, loading a default Password identifier if none configured.
      *
-     * @param \Psr\Http\Message\ServerRequestInterface $request The request that contains login information.
-     * @return \Authentication\Authenticator\ResultInterface
+     * This is done lazily to allow loadIdentifier() to be called after loadAuthenticator().
+     *
+     * @return \Authentication\Identifier\IdentifierInterface
      */
-    public function authenticate(ServerRequestInterface $request): ResultInterface
+    public function getIdentifier(): IdentifierInterface
     {
-        // If no identifier is configured, set up a default Password identifier
-        // This is done lazily to allow loadIdentifier() to be called after loadAuthenticator()
         if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
             $identifierConfig = [];
             if ($this->getConfig('fields')) {
@@ -68,6 +66,19 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             $this->_identifier->load('Authentication.Password', $identifierConfig);
         }
 
+        return $this->_identifier;
+    }
+
+    /**
+     * Authenticates the identity contained in a request. Will use the `config.userModel`, and `config.fields`
+     * to find POST data that is used to find a matching record in the `config.userModel`. Will return false if
+     * there is no post data, either username or password is missing, or if the scope conditions have not been met.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request The request that contains login information.
+     * @return \Authentication\Authenticator\ResultInterface
+     */
+    public function authenticate(ServerRequestInterface $request): ResultInterface
+    {
         if (!$this->_checkUrl($request)) {
             return $this->_buildLoginUrlErrorResult($request);
         }
@@ -79,10 +90,11 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             ]);
         }
 
-        $user = $this->_identifier->identify($data);
+        $identifier = $this->getIdentifier();
+        $user = $identifier->identify($data);
 
         if (!$user) {
-            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
+            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $identifier->getErrors());
         }
 
         return new Result($user, Result::SUCCESS);
diff --git a/src/Authenticator/HttpBasicAuthenticator.php b/src/Authenticator/HttpBasicAuthenticator.php
@@ -17,6 +17,7 @@
 
 use Authentication\Identifier\AbstractIdentifier;
 use Authentication\Identifier\IdentifierCollection;
+use Authentication\Identifier\IdentifierInterface;
 use Psr\Http\Message\ServerRequestInterface;
 
 /**
@@ -43,16 +44,14 @@ class HttpBasicAuthenticator extends AbstractAuthenticator implements StatelessI
     ];
 
     /**
-     * Authenticate a user using HTTP auth. Will use the configured User model and attempt a
-     * login using HTTP auth.
+     * Gets the identifier, loading a default Password identifier if none configured.
      *
-     * @param \Psr\Http\Message\ServerRequestInterface $request The request to authenticate with.
-     * @return \Authentication\Authenticator\ResultInterface
+     * This is done lazily to allow loadIdentifier() to be called after loadAuthenticator().
+     *
+     * @return \Authentication\Identifier\IdentifierInterface
      */
-    public function authenticate(ServerRequestInterface $request): ResultInterface
+    public function getIdentifier(): IdentifierInterface
     {
-        // If no identifier is configured, set up a default Password identifier
-        // This is done lazily to allow loadIdentifier() to be called after loadAuthenticator()
         if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
             $identifierConfig = [];
             if ($this->getConfig('fields')) {
@@ -61,6 +60,18 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             $this->_identifier->load('Authentication.Password', $identifierConfig);
         }
 
+        return $this->_identifier;
+    }
+
+    /**
+     * Authenticate a user using HTTP auth. Will use the configured User model and attempt a
+     * login using HTTP auth.
+     *
+     * @param \Psr\Http\Message\ServerRequestInterface $request The request to authenticate with.
+     * @return \Authentication\Authenticator\ResultInterface
+     */
+    public function authenticate(ServerRequestInterface $request): ResultInterface
+    {
         $server = $request->getServerParams();
         $username = $server['PHP_AUTH_USER'] ?? '';
         $password = $server['PHP_AUTH_PW'] ?? '';
@@ -69,7 +80,7 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
         }
 
-        $user = $this->_identifier->identify([
+        $user = $this->getIdentifier()->identify([
             AbstractIdentifier::CREDENTIAL_USERNAME => $username,
             AbstractIdentifier::CREDENTIAL_PASSWORD => $password,
         ]);
diff --git a/src/Authenticator/JwtAuthenticator.php b/src/Authenticator/JwtAuthenticator.php
@@ -67,6 +67,22 @@ public function __construct(IdentifierInterface $identifier, array $config = [])
         }
     }
 
+    /**
+     * Gets the identifier, loading a default JwtSubject identifier if none configured.
+     *
+     * This is done lazily to allow loadIdentifier() to be called after loadAuthenticator().
+     *
+     * @return \Authentication\Identifier\IdentifierInterface
+     */
+    public function getIdentifier(): IdentifierInterface
+    {
+        if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
+            $this->_identifier->load('Authentication.JwtSubject');
+        }
+
+        return $this->_identifier;
+    }
+
     /**
      * Authenticates the identity based on a JWT token contained in a request.
      *
@@ -76,12 +92,6 @@ public function __construct(IdentifierInterface $identifier, array $config = [])
      */
     public function authenticate(ServerRequestInterface $request): ResultInterface
     {
-        // If no identifier is configured, set up a default JwtSubject identifier
-        // This is done lazily to allow loadIdentifier() to be called after loadAuthenticator()
-        if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
-            $this->_identifier->load('Authentication.JwtSubject');
-        }
-
         try {
             $result = $this->getPayload($request);
         } catch (Exception $e) {
@@ -113,12 +123,13 @@ public function authenticate(ServerRequestInterface $request): ResultInterface
             return new Result($user, Result::SUCCESS);
         }
 
-        $user = $this->_identifier->identify([
+        $identifier = $this->getIdentifier();
+        $user = $identifier->identify([
             $subjectKey => $result[$subjectKey],
         ]);
 
         if (!$user) {
-            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
+            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $identifier->getErrors());
         }
 
         return new Result($user, Result::SUCCESS);
diff --git a/src/Authenticator/TokenAuthenticator.php b/src/Authenticator/TokenAuthenticator.php
@@ -17,6 +17,7 @@
 namespace Authentication\Authenticator;
 
 use Authentication\Identifier\IdentifierCollection;
+use Authentication\Identifier\IdentifierInterface;
 use Authentication\Identifier\TokenIdentifier;
 use Psr\Http\Message\ServerRequestInterface;
 
@@ -36,6 +37,22 @@ class TokenAuthenticator extends AbstractAuthenticator implements StatelessInter
         'tokenPrefix' => null,
     ];
 
+    /**
+     * Gets the identifier, loading a default Token identifier if none configured.
+     *
+     * This is done lazily to allow loadIdentifier() to be called after loadAuthenticator().
+     *
+     * @return \Authentication\Identifier\IdentifierInterface
+     */
+    public function getIdentifier(): IdentifierInterface
+    {
+        if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
+            $this->_identifier->load('Authentication.Token');
+        }
+
+        return $this->_identifier;
+    }
+
     /**
      * Checks if the token is in the headers or a request parameter
      *
@@ -120,23 +137,18 @@ protected function getTokenFromQuery(ServerRequestInterface $request, ?string $q
      */
     public function authenticate(ServerRequestInterface $request): ResultInterface
     {
-        // If no identifier is configured, set up a default Token identifier
-        // This is done lazily to allow loadIdentifier() to be called after loadAuthenticator()
-        if ($this->_identifier instanceof IdentifierCollection && $this->_identifier->isEmpty()) {
-            $this->_identifier->load('Authentication.Token');
-        }
-
         $token = $this->getToken($request);
         if ($token === null) {
             return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
         }
 
-        $user = $this->_identifier->identify([
+        $identifier = $this->getIdentifier();
+        $user = $identifier->identify([
             TokenIdentifier::CREDENTIAL_TOKEN => $token,
         ]);
 
         if (!$user) {
-            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $this->_identifier->getErrors());
+            return new Result(null, Result::FAILURE_IDENTITY_NOT_FOUND, $identifier->getErrors());
         }
 
         return new Result($user, Result::SUCCESS);
