Merge pull request #176 from kenjis/feat-add-auth-token-logins-table

feat: add `auth_token_logins` table

Author: kenjis

.github/workflows/phpcpd.yml

@@ -33,4 +33,4 @@ jobs:
           coverage: none
 
       - name: Detect duplicate code
-        run: phpcpd src/ tests/
+        run: phpcpd src/ tests/ --exclude src/Database/Migrations/2020-12-28-223112_create_auth_tables.php

src/Authentication/Authenticators/AccessTokens.php

@@ -7,7 +7,7 @@
 use CodeIgniter\Shield\Authentication\AuthenticationException;
 use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
 use CodeIgniter\Shield\Entities\User;
-use CodeIgniter\Shield\Models\LoginModel;
+use CodeIgniter\Shield\Models\TokenLoginModel;
 use CodeIgniter\Shield\Models\UserIdentityModel;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Shield\Result;
@@ -21,15 +21,15 @@ class AccessTokens implements AuthenticatorInterface
     protected UserModel $provider;
 
     protected ?User $user = null;
-    protected LoginModel $loginModel;
+    protected TokenLoginModel $loginModel;
 
     public function __construct(UserModel $provider)
     {
         helper('session');
 
         $this->provider = $provider;
 
-        $this->loginModel = model(LoginModel::class); // @phpstan-ignore-line
+        $this->loginModel = model(TokenLoginModel::class); // @phpstan-ignore-line
     }
 
     /**

src/Database/Migrations/2020-12-28-223112_create_auth_tables.php

@@ -26,8 +26,7 @@ public function up(): void
 
         /*
          * Auth Identities Table
-         * Used for storage of passwords, reset hashes
-         * social login identities, etc.
+         * Used for storage of passwords, access tokens, social login identities, etc.
          */
         $this->forge->addField([
             'id'           => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'auto_increment' => true],
@@ -49,22 +48,45 @@ public function up(): void
         $this->forge->addForeignKey('user_id', 'users', 'id', '', 'CASCADE');
         $this->forge->createTable('auth_identities', true);
 
-        // Auth Login Attempts Table
+        /**
+         * Auth Login Attempts Table
+         * Records login attempts. A login means users think it is a login.
+         * To login, users do action(s) like posting a form.
+         */
         $this->forge->addField([
             'id'         => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'auto_increment' => true],
-            'ip_address' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
+            'ip_address' => ['type' => 'varchar', 'constraint' => 255],
             'user_agent' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
-            'identifier' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
+            'identifier' => ['type' => 'varchar', 'constraint' => 255],
             'user_id'    => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'null' => true], // Only for successful logins
             'date'       => ['type' => 'datetime'],
             'success'    => ['type' => 'tinyint', 'constraint' => 1],
         ]);
         $this->forge->addPrimaryKey('id');
         $this->forge->addKey('identifier');
         $this->forge->addKey('user_id');
-        // NOTE: Do NOT delete the user_id or email when the user is deleted for security audits
+        // NOTE: Do NOT delete the user_id or identifier when the user is deleted for security audits
         $this->forge->createTable('auth_logins', true);
 
+        /*
+         * Auth Token Login Attempts Table
+         * Records Bearer Token type login attempts.
+         */
+        $this->forge->addField([
+            'id'         => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'auto_increment' => true],
+            'ip_address' => ['type' => 'varchar', 'constraint' => 255],
+            'user_agent' => ['type' => 'varchar', 'constraint' => 255, 'null' => true],
+            'identifier' => ['type' => 'varchar', 'constraint' => 255],
+            'user_id'    => ['type' => 'int', 'constraint' => 11, 'unsigned' => true, 'null' => true], // Only for successful logins
+            'date'       => ['type' => 'datetime'],
+            'success'    => ['type' => 'tinyint', 'constraint' => 1],
+        ]);
+        $this->forge->addPrimaryKey('id');
+        $this->forge->addKey('identifier');
+        $this->forge->addKey('user_id');
+        // NOTE: Do NOT delete the user_id or identifier when the user is deleted for security audits
+        $this->forge->createTable('auth_token_logins', true);
+
         /*
          * Auth Remember Tokens (remember-me) Table
          * @see https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
@@ -114,6 +136,7 @@ public function down(): void
 
         $this->forge->dropTable('users', true);
         $this->forge->dropTable('auth_logins', true);
+        $this->forge->dropTable('auth_token_logins', true);
         $this->forge->dropTable('auth_remember_tokens', true);
         $this->forge->dropTable('auth_access_tokens', true);
         $this->forge->dropTable('auth_identities', true);

src/Models/LoginModel.php

@@ -2,7 +2,6 @@
 
 namespace CodeIgniter\Shield\Models;
 
-use CodeIgniter\Database\BaseResult;
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Model;
 use CodeIgniter\Shield\Entities\Login;
@@ -11,6 +10,8 @@
 
 class LoginModel extends Model
 {
+    use CheckQueryReturnTrait;
+
     protected $table          = 'auth_logins';
     protected $primaryKey     = 'id';
     protected $returnType     = Login::class;
@@ -36,19 +37,24 @@ class LoginModel extends Model
 
     /**
      * @param int|string|null $userId
-     *
-     * @return BaseResult|false|int|object|string
      */
-    public function recordLoginAttempt(string $identifier, bool $success, ?string $ipAddress = null, ?string $userAgent = null, $userId = null)
-    {
-        return $this->insert([
+    public function recordLoginAttempt(
+        string $identifier,
+        bool $success,
+        ?string $ipAddress = null,
+        ?string $userAgent = null,
+        $userId = null
+    ): void {
+        $return = $this->insert([
             'ip_address' => $ipAddress,
             'user_agent' => $userAgent,
             'identifier' => $identifier,
             'user_id'    => $userId,
             'date'       => date('Y-m-d H:i:s'),
             'success'    => (int) $success,
         ]);
+
+        $this->checkQueryReturn($return);
     }
 
     /**

src/Models/TokenLoginModel.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace CodeIgniter\Shield\Models;
+
+use CodeIgniter\I18n\Time;
+use CodeIgniter\Shield\Entities\Login;
+use Exception;
+use Faker\Generator;
+
+class TokenLoginModel extends LoginModel
+{
+    protected $table = 'auth_token_logins';
+
+    /**
+     * Generate a fake login for testing
+     *
+     * @throws Exception
+     */
+    public function fake(Generator &$faker): Login
+    {
+        return new Login([
+            'ip_address' => $faker->ipv4,
+            'identifier' => 'token: ' . random_string('crypto', 64),
+            'user_id'    => fake(UserModel::class)->id,
+            'date'       => Time::parse('-1 day')->toDateTimeString(),
+            'success'    => true,
+        ]);
+    }
+}

tests/Authentication/AccessTokenAuthenticatorTest.php

@@ -168,7 +168,7 @@ public function testAttemptCannotFindUser()
         $this->assertSame(lang('Auth.badToken'), $result->reason());
 
         // A login attempt should have always been recorded
-        $this->seeInDatabase('auth_logins', [
+        $this->seeInDatabase('auth_token_logins', [
             'identifier' => 'token: abc123',
             'success'    => 0,
         ]);
@@ -195,7 +195,7 @@ public function testAttemptSuccess()
         $this->assertSame($token->token, $foundUser->currentAccessToken()->token);
 
         // A login attempt should have been recorded
-        $this->seeInDatabase('auth_logins', [
+        $this->seeInDatabase('auth_token_logins', [
             'identifier' => 'token: ' . $token->raw_token,
             'success'    => 1,
         ]);