Merge pull request #126 from kenjis/fix-events-trigger

fix: Event triggers

Author: kenjis

docs/2 - authentication.md

@@ -97,7 +97,7 @@ if($result->isOK()) {
 }
 ```
 
-If the attempt fails a `failedLoginAttempt` event is triggered with the credentials array as 
+If the attempt fails a `failedLogin` event is triggered with the credentials array as 
 the only parameter. Whether or not they pass, a login attempt is recorded in the `auth_logins` table.
 
 If `allowRemembering` is `true` in the `Auth` config file, you can tell the Session authenticator

docs/5 - events.md

@@ -8,24 +8,24 @@ When you want to respond to an event that Shield publishes, you will need to add
 
 ## Event List
 
-#### didRegister
+#### register
 
 Triggered when a new user has registered in the system. It's only argument is the `User` entity itself.
 
 ```php
-Events::trigger('didRegister', $user);
+Events::trigger('register', $user);
 
-Events::on('didRegister', 'SomeLibrary::handleRegister');
+Events::on('register', 'SomeLibrary::handleRegister');
 ```
 
-#### didLogin
+#### login
 
 Fired immediately after a successful login. The only argument is the `User` entity.
 
 ```php
-Events::trigger('didLogin', $user);
+Events::trigger('login', $user);
 
-Events::on('didLogin', 'SomeLibrary::handleLogin');
+Events::on('login', 'SomeLibrary::handleLogin');
 ```
 
 #### failedLogin
@@ -42,6 +42,9 @@ Events::on('failedLogin', function($credentials) {
 });
 
 // Outputs:
-
 ['email' => 'foo@example.com'];
 ```
+
+#### logout
+
+Fired immediately after a successful logout. The only argument is the `User` entity.

src/Auth.php

@@ -10,19 +10,17 @@
 use CodeIgniter\Shield\Models\UserModel;
 
 /**
- * AuthenticatorInterface:
- *
+ * @method void      activateUser(User $user)                 [Session]
  * @method Result    attempt(array $credentials)
  * @method Result    check(array $credentials)
+ * @method bool      checkAction(string $token, string $type) [Session]
  * @method User|null getUser()
  * @method bool      loggedIn()
  * @method bool      login(User $user)
  * @method void      loginById($userId)
  * @method bool      logout()
  * @method void      recordActiveDate()
- *
- * Authenticators\Session:
- * @method $this remember(bool $shouldRemember = true)
+ * @method $this     remember(bool $shouldRemember = true)    [Session]
  */
 class Auth
 {

src/Authentication/Actions/Email2FA.php

@@ -4,6 +4,7 @@
 
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
+use CodeIgniter\Shield\Authentication\Authenticators\Session;
 use CodeIgniter\Shield\Exceptions\RuntimeException;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 
@@ -94,26 +95,18 @@ public function handle(IncomingRequest $request)
      */
     public function verify(IncomingRequest $request)
     {
-        $token    = $request->getPost('token');
-        $user     = auth()->user();
-        $identity = $user->getIdentity('email_2fa');
+        $token = $request->getPost('token');
+
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
 
         // Token mismatch? Let them try again...
-        if (empty($token) || $token !== $identity->secret) {
+        if (! $authenticator->checkAction('email_2fa', $token)) {
             session()->setFlashdata('error', lang('Auth.invalid2FAToken'));
 
             return view(setting('Auth.views')['action_email_2fa_verify']);
         }
 
-        /** @var UserIdentityModel $identityModel */
-        $identityModel = model(UserIdentityModel::class);
-
-        // On success - remove the identity and clean up session
-        $identityModel->deleteIdentitiesByType($user->getAuthId(), 'email_2fa');
-
-        // Clean up our session
-        session()->remove('auth_action');
-
         // Get our login redirect url
         return redirect()->to(config('Auth')->loginRedirect());
     }

src/Authentication/Actions/EmailActivator.php

@@ -5,6 +5,8 @@
 use CodeIgniter\Exceptions\PageNotFoundException;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
+use CodeIgniter\Shield\Authentication\Authenticators\Session;
+use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Exceptions\RuntimeException;
 use CodeIgniter\Shield\Models\UserIdentityModel;
@@ -81,30 +83,25 @@ public function handle(IncomingRequest $request)
      */
     public function verify(IncomingRequest $request)
     {
-        $token    = $request->getVar('token');
-        $user     = auth()->user();
-        $identity = $user->getIdentity('email_activate');
+        $token = $request->getVar('token');
+
+        $auth = auth('session');
+
+        /** @var Session $authenticator */
+        $authenticator = $auth->getAuthenticator();
 
         // No match - let them try again.
-        if ($identity->secret !== $token) {
+        if (! $authenticator->checkAction('email_activate', $token)) {
             session()->setFlashdata('error', lang('Auth.invalidActivateToken'));
 
             return view(setting('Auth.views')['action_email_activate_show']);
         }
 
-        /** @var UserIdentityModel $identityModel */
-        $identityModel = model(UserIdentityModel::class);
-
-        // Remove the identity
-        $identityModel->delete($identity->id);
+        /** @var User $user */
+        $user = $auth->user();
 
         // Set the user active now
-        $provider     = auth()->getProvider();
-        $user->active = true;
-        $provider->save($user);
-
-        // Clean up our session
-        unset($_SESSION['auth_action']);
+        $auth->activateUser($user);
 
         // Get our login redirect url
         return redirect()->to(config('Auth')->loginRedirect());

src/Authentication/AuthenticatorInterface.php

@@ -32,7 +32,7 @@ public function loggedIn(): bool;
      *
      * @see https://codeigniter4.github.io/CodeIgniter4/extending/authentication.html
      */
-    public function login(User $user): bool;
+    public function login(User $user): void;
 
     /**
      * Logs a user in based on their ID.

src/Authentication/Authenticators/AccessTokens.php

@@ -141,11 +141,9 @@ public function loggedIn(): bool
     /**
      * Logs the given user in by saving them to the class.
      */
-    public function login(User $user): bool
+    public function login(User $user): void
     {
         $this->user = $user;
-
-        return true;
     }
 
     /**

src/Authentication/Authenticators/Session.php

@@ -10,8 +10,10 @@
 use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
 use CodeIgniter\Shield\Authentication\Passwords;
 use CodeIgniter\Shield\Entities\User;
+use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Models\LoginModel;
 use CodeIgniter\Shield\Models\RememberModel;
+use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Shield\Result;
 use Exception;
@@ -25,19 +27,23 @@ class Session implements AuthenticatorInterface
      */
     protected UserModel $provider;
 
+    /**
+     * The user logged in
+     */
     protected ?User $user = null;
-    protected LoginModel $loginModel;
 
     /**
      * Should the user be remembered?
      */
     protected bool $shouldRemember = false;
 
+    protected LoginModel $loginModel;
     protected RememberModel $rememberModel;
 
     public function __construct(UserModel $provider)
     {
         helper('setting');
+
         $this->provider      = $provider;
         $this->loginModel    = model(LoginModel::class); // @phpstan-ignore-line
         $this->rememberModel = model(RememberModel::class); // @phpstan-ignore-line
@@ -58,6 +64,8 @@ public function remember(bool $shouldRemember = true): self
     /**
      * Attempts to authenticate a user with the given $credentials.
      * Logs the user in with a successful check.
+     *
+     * @phpstan-param array{email?: string, username?: string, password?: string} $credentials
      */
     public function attempt(array $credentials): Result
     {
@@ -76,7 +84,8 @@ public function attempt(array $credentials): Result
 
             // Fire an event on failure so devs have the chance to
             // let them know someone attempted to login to their account
-            Events::trigger('failedLoginAttempt', $credentials);
+            unset($credentials['password']);
+            Events::trigger('failedLogin', $credentials);
 
             return $result;
         }
@@ -88,9 +97,67 @@ public function attempt(array $credentials): Result
 
         $this->recordLoginAttempt($credentials, true, $ipAddress, $userAgent, $user->getAuthId());
 
+        // If an action has been defined for login, start it up.
+        $actionClass = setting('Auth.actions')['login'] ?? null;
+        if (! empty($actionClass)) {
+            session()->set('auth_action', $actionClass);
+        } else {
+            $this->completeLogin($user);
+        }
+
         return $result;
     }
 
+    /**
+     * Check token in Action
+     *
+     * @param string $type  Action type. 'email_2fa' or 'email_activate'
+     * @param string $token Token to check
+     */
+    public function checkAction(string $type, string $token): bool
+    {
+        $user = $this->loggedIn() ? $this->getUser() : null;
+
+        if ($user === null) {
+            throw new LogicException('Cannot get the User.');
+        }
+
+        $identity = $user->getIdentity($type);
+
+        if (empty($token) || $token !== $identity->secret) {
+            return false;
+        }
+
+        /** @var UserIdentityModel $identityModel */
+        $identityModel = model(UserIdentityModel::class);
+
+        // On success - remove the identity and clean up session
+        $identityModel->deleteIdentitiesByType($user->getAuthId(), $type);
+
+        // Clean up our session
+        session()->remove('auth_action');
+
+        $this->user = $user;
+
+        $this->completeLogin($user);
+
+        return true;
+    }
+
+    private function completeLogin(User $user): void
+    {
+        // a successful login
+        Events::trigger('login', $user);
+    }
+
+    /**
+     * Activate a User
+     */
+    public function activateUser(User $user): void
+    {
+        $this->provider->activate($user);
+    }
+
     /**
      * @param int|string|null $userId
      */
@@ -113,6 +180,8 @@ private function recordLoginAttempt(
     /**
      * Checks a user's $credentials to see if they match an
      * existing user.
+     *
+     * @phpstan-param array{email?: string, username?: string, password?: string} $credentials
      */
     public function check(array $credentials): Result
     {
@@ -126,7 +195,7 @@ public function check(array $credentials): Result
 
         // Remove the password from credentials so we can
         // check afterword.
-        $givenPassword = $credentials['password'] ?? null;
+        $givenPassword = $credentials['password'];
         unset($credentials['password']);
 
         // Find the existing user
@@ -243,30 +312,40 @@ private function checkRememberMeToken(string $remember)
         return $token;
     }
 
-    /**
-     * Logs the given user in.
-     */
-    public function login(User $user): bool
+    private function startLogin(User $user): void
     {
-        $this->user = $user;
-
         // Update the user's last used date on their password identity.
-        $this->user->touchIdentity($this->user->getEmailIdentity());
+        $user->touchIdentity($user->getEmailIdentity());
 
         // Regenerate the session ID to help protect against session fixation
         if (ENVIRONMENT !== 'testing') {
             session()->regenerate();
         }
 
         // Let the session know we're logged in
-        session()->set(setting('Auth.sessionConfig')['field'], $this->user->getAuthId());
+        session()->set(setting('Auth.sessionConfig')['field'], $user->getAuthId());
 
         /** @var Response $response */
         $response = service('response');
 
         // When logged in, ensure cache control headers are in place
         $response->noCache();
+    }
 
+    /**
+     * Logs the given user in.
+     */
+    public function login(User $user): void
+    {
+        $this->user = $user;
+
+        $this->startLogin($user);
+
+        $this->processRemember();
+    }
+
+    private function processRemember()
+    {
         if ($this->shouldRemember && setting('Auth.sessionConfig')['allowRemembering']) {
             $this->rememberUser($this->user->getAuthId());
 
@@ -285,9 +364,6 @@ public function login(User $user): bool
         if (random_int(1, 100) <= 20) {
             $this->rememberModel->purgeOldRememberTokens();
         }
-
-        // Trigger login event, in case anyone cares
-        return Events::trigger('login', $user);
     }
 
     /**

src/Authentication/Traits/HasAccessTokens.php

@@ -22,6 +22,9 @@ trait HasAccessTokens
 
     /**
      * Generates a new personal access token for this user.
+     *
+     * @param string   $name   Token name
+     * @param string[] $scopes Permissions the token grants
      */
     public function generateAccessToken(string $name, array $scopes = ['*']): AccessToken
     {