Add OneTimetokenAuthenticator as part of the magic link feature

CakeDC · Feb 14, 2025 · 889652b · 889652b
1 parent 0f8efc8
commit 889652b
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 9 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3', '8.4']
         db-type: [sqlite, mysql, pgsql]
         prefer-lowest: ['']
 
@@ -57,22 +57,22 @@ jobs:
           fi
 
       - name: Setup problem matchers for PHPUnit
-        if: matrix.php-version == '8.1' && matrix.db-type == 'mysql'
+        if: matrix.php-version == '8.2' && matrix.db-type == 'mysql'
         run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
 
       - name: Run PHPUnit
         run: |
           if [[ ${{ matrix.db-type }} == 'sqlite' ]]; then export DB_URL='sqlite:///:memory:'; fi
           if [[ ${{ matrix.db-type }} == 'mysql' ]]; then export DB_URL='mysql://root:[email protected]/cakephp'; fi
           if [[ ${{ matrix.db-type }} == 'pgsql' ]]; then export DB_URL='postgres://postgres:[email protected]/postgres'; fi
-          if [[ ${{ matrix.php-version }} == '8.1' ]]; then
+          if [[ ${{ matrix.php-version }} == '8.2' ]]; then
             export CODECOVERAGE=1 && vendor/bin/phpunit --coverage-clover=coverage.xml
           else
             vendor/bin/phpunit
           fi
 
       - name: Submit code coverage
-        if: matrix.php-version == '8.1'
+        if: matrix.php-version == '8.2'
         uses: codecov/codecov-action@v1
 
   cs-stan:
@@ -85,7 +85,7 @@ jobs:
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
-          php-version: '8.1'
+          php-version: '8.2'
           extensions: mbstring, intl, apcu, memcached, redis
           tools: cs2pr
           coverage: none

diff --git a/composer.json b/composer.json
@@ -26,7 +26,7 @@
         "source": "https://github.com/CakeDC/auth"
     },
     "require": {
-        "php": ">=8.1.0",
+        "php": ">=8.2.0",
         "cakephp/cakephp": "^5.0"
     },
     "require-dev": {
@@ -37,7 +37,7 @@
         "league/oauth2-linkedin": "@stable",
         "luchianenco/oauth2-amazon": "^1.1",
         "google/recaptcha": "@stable",
-        "robthree/twofactorauth": "^2.0",
+        "robthree/twofactorauth": "^3.0",
         "league/oauth1-client": "^1.7",
         "cakephp/authorization": "^3.0",
         "cakephp/cakephp-codesniffer": "^5.0",

diff --git a/config/auth.php b/config/auth.php
@@ -108,7 +108,7 @@
         // The algorithm used
         'algorithm' => \RobThree\Auth\Algorithm::Sha1,
         // QR-code provider (more on this later)
-        'qrcodeprovider' => null,
+        'qrcodeprovider' => new \RobThree\Auth\Providers\Qr\EndroidQrCodeProvider(),
         // Random Number Generator provider (more on this later)
         'rngprovider' => null
     ],

diff --git a/src/Authenticator/OneTimeTokenAuthenticator.php b/src/Authenticator/OneTimeTokenAuthenticator.php
@@ -0,0 +1,42 @@
+<?php
+declare(strict_types=1);
+
+namespace CakeDC\Auth\Authenticator;
+
+use Authentication\Authenticator\AbstractAuthenticator;
+use Authentication\Authenticator\AuthenticatorInterface;
+use Authentication\Authenticator\Result;
+use Authentication\Authenticator\ResultInterface;
+use Cake\Core\Configure;
+use Cake\Core\InstanceConfigTrait;
+use Cake\ORM\TableRegistry;
+use Psr\Http\Message\ServerRequestInterface;
+
+class OneTimeTokenAuthenticator extends AbstractAuthenticator implements AuthenticatorInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function authenticate(ServerRequestInterface $request): ResultInterface
+    {
+        /** @var \Cake\Http\ServerRequest $request */
+        $token = $request->getQuery('token') ?: $request->getData('token');
+        if (is_array($token)) {
+            $token = join($token);
+        }
+
+        if (!$token) {
+            return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
+        }
+
+        $usersTable = TableRegistry::getTableLocator()->get(Configure::read('Users.table'));
+
+        $user = $usersTable->loginWithToken($token);
+
+        if (!$user) {
+            return new Result(null, Result::FAILURE_CREDENTIALS_MISSING);
+        }
+
+        return new Result($user, Result::SUCCESS);
+    }
+}
diff --git a/src/Controller/Component/OneTimePasswordAuthenticatorComponent.php b/src/Controller/Component/OneTimePasswordAuthenticatorComponent.php
@@ -41,11 +41,11 @@ public function initialize(array $config): void
 
         if (Configure::read('OneTimePasswordAuthenticator.login')) {
             $this->tfa = new TwoFactorAuth(
+                Configure::read('OneTimePasswordAuthenticator.qrcodeprovider'),
                 Configure::read('OneTimePasswordAuthenticator.issuer'),
                 Configure::read('OneTimePasswordAuthenticator.digits'),
                 Configure::read('OneTimePasswordAuthenticator.period'),
                 Configure::read('OneTimePasswordAuthenticator.algorithm'),
-                Configure::read('OneTimePasswordAuthenticator.qrcodeprovider'),
                 Configure::read('OneTimePasswordAuthenticator.rngprovider')
             );
         }