Class DigestAuthenticate
Digest Authentication adapter for AuthComponent.
Provides Digest HTTP authentication support for AuthComponent.
Using Digest auth
In your controller's components array, add auth + the required config
public $components = [
'Auth' => [
'authenticate' => ['Digest']
]
];
You should also set AuthComponent::$sessionKey = false;
in your AppController's
beforeFilter() to prevent CakePHP from sending a session cookie to the client.
Since HTTP Digest Authentication is stateless you don't need a login() action in your controller. The user credentials will be checked on each request. If valid credentials are not provided, required authentication headers will be sent by this authentication provider which triggers the login dialog in the browser/client.
You may also want to use $this->Auth->unauthorizedRedirect = false;
.
This causes AuthComponent to throw a ForbiddenException exception instead of
redirecting to another page.
Generating passwords compatible with Digest authentication.
DigestAuthenticate requires a special password hash that conforms to RFC2617.
You can generate this password using DigestAuthenticate::password()
$digestPass = DigestAuthenticate::password($username, $password, env('SERVER_NAME'));
If you wish to use digest authentication alongside other authentication methods,
it's recommended that you store the digest authentication separately. For
example User.digest_pass
could be used for a digest password, while
User.password
would store the password hash for use with other methods like
Basic or Form.
Property Summary
-
$_config protected
array
Runtime config
-
$_configInitialized protected
bool
Whether the config property has already been configured with defaults
-
$_defaultConfig protected
array
Default config for this object.
-
$_needsPasswordRehash protected
bool
Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.
-
$_passwordHasher protected
AbstractPasswordHasher
Password hasher instance.
-
$_registry protected
ComponentRegistry
A Component registry, used to get more components.
Method Summary
-
__construct() public
Constructor
-
_configDelete() protected
Delete a single config key
-
_configRead() protected
Read a config variable
-
_configWrite() protected
Write a config variable
-
_findUser() protected
Find a user record using the username and password provided.
-
_getDigest() protected
Gets the digest headers from the request/environment.
-
_query() protected
Get query object for fetching user from database.
-
authenticate() public
Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.
-
config() public
Usage
-
configShallow() public
Merge provided config with existing config. Unlike
config()
which does a recursive merge for nested keys, this method does a simple merge. -
generateResponseHash() public
Generate the response hash for a given digest array.
-
getUser() public
Get a user based on information in the request. Used by cookie-less auth for stateless clients.
-
implementedEvents() public
Returns a list of all events that this authenticate class will listen to.
-
loginHeaders() public
Generate the login headers
-
needsPasswordRehash() public
Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm
-
parseAuthData() public
Parse the digest authentication headers and split them up.
-
password() public static
Creates an auth digest password hash to store
-
passwordHasher() public
Return password hasher object
-
unauthenticated() public
Handles an unauthenticated access attempt by sending appropriate login headers
Method Detail
__construct() ¶ public
__construct(Cake\Controller\ComponentRegistry $registry, array $config = [])
Constructor
Besides the keys specified in BaseAuthenticate::$_defaultConfig, DigestAuthenticate uses the following extra keys:
realm
The realm authentication is for, Defaults to the servername.nonce
A nonce used for authentication. Defaults touniqid()
.qop
Defaults to 'auth', no other values are supported at this time.opaque
A string that must be returned unchanged by clients. Defaults tomd5($config['realm'])
Parameters
-
Cake\Controller\ComponentRegistry
$registry The Component registry used on this request.
-
array
$config optional Array of config to use.
_configDelete() ¶ protected
_configDelete(string $key): void
Delete a single config key
Parameters
-
string
$key Key to delete.
Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config
_configRead() ¶ protected
_configRead(string|null $key): mixed
Read a config variable
Parameters
-
string|null
$key Key to read.
Returns
mixed
_configWrite() ¶ protected
_configWrite(string|array $key, mixed $value, bool|string $merge = false): void
Write a config variable
Parameters
-
string|array
$key Key to write to.
-
mixed
$value Value to write.
-
bool|string
$merge optional True to merge recursively, 'shallow' for simple merge, false to overwrite, defaults to false.
Returns
void
Throws
Cake\Core\Exception\Exception
if attempting to clobber existing config
_findUser() ¶ protected
_findUser(string $username, string|null $password = null): bool|array
Find a user record using the username and password provided.
Input passwords will be hashed even when a user doesn't exist. This helps mitigate timing attacks that are attempting to find valid usernames.
Parameters
-
string
$username The username/identifier.
-
string|null
$password optional The password, if not provided password checking is skipped and result of find is returned.
Returns
bool|array
_getDigest() ¶ protected
_getDigest(Cake\Network\Request $request): array
Gets the digest headers from the request/environment.
Parameters
-
Cake\Network\Request
$request Request object.
Returns
array
_query() ¶ protected
_query(string $username): Cake\ORM\Query
Get query object for fetching user from database.
Parameters
-
string
$username The username/identifier.
Returns
Cake\ORM\Query
authenticate() ¶ public
authenticate(Cake\Network\Request $request, Cake\Network\Response $response): mixed
Authenticate a user using HTTP auth. Will use the configured User model and attempt a login using HTTP auth.
Parameters
-
Cake\Network\Request
$request The request to authenticate with.
-
Cake\Network\Response
$response The response to add headers to.
Returns
mixed
config() ¶ public
config(string|array|null $key = null, mixed|null $value = null, bool $merge = true): mixed
Usage
Reading the whole config:
$this->config();
Reading a specific value:
$this->config('key');
Reading a nested value:
$this->config('some.nested.key');
Setting a specific value:
$this->config('key', $value);
Setting a nested value:
$this->config('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->config(['one' => 'value', 'another' => 'value']);
Parameters
-
string|array|null
$key optional The key to get/set, or a complete array of configs.
-
mixed|null
$value optional The value to set.
-
bool
$merge optional Whether to recursively merge or overwrite existing config, defaults to true.
Returns
mixed
Throws
Cake\Core\Exception\Exception
When trying to set a key that is invalid.
configShallow() ¶ public
configShallow(string|array $key, mixed|null $value = null): $this
Merge provided config with existing config. Unlike config()
which does
a recursive merge for nested keys, this method does a simple merge.
Setting a specific value:
$this->config('key', $value);
Setting a nested value:
$this->config('some.nested.key', $value);
Updating multiple config settings at the same time:
$this->config(['one' => 'value', 'another' => 'value']);
Parameters
-
string|array
$key The key to set, or a complete array of configs.
-
mixed|null
$value optional The value to set.
Returns
$this
generateResponseHash() ¶ public
generateResponseHash(array $digest, string $password, string $method): string
Generate the response hash for a given digest array.
Parameters
-
array
$digest Digest information containing data from DigestAuthenticate::parseAuthData().
-
string
$password The digest hash password generated with DigestAuthenticate::password()
-
string
$method Request method
Returns
string
getUser() ¶ public
getUser(Cake\Network\Request $request): mixed
Get a user based on information in the request. Used by cookie-less auth for stateless clients.
Parameters
-
Cake\Network\Request
$request Request object.
Returns
mixed
implementedEvents() ¶ public
implementedEvents(): array
Returns a list of all events that this authenticate class will listen to.
An authenticate class can listen to following events fired by AuthComponent:
-
Auth.afterIdentify
- Fired after a user has been identified using one of configured authenticate class. The callback function should have signature likeafterIdentify(Event $event, array $user)
when$user
is the identified user record. -
Auth.logout
- Fired when AuthComponent::logout() is called. The callback function should have signature likelogout(Event $event, array $user)
where$user
is the user about to be logged out.
Returns
array
loginHeaders() ¶ public
loginHeaders(Cake\Network\Request $request): string
Generate the login headers
Parameters
-
Cake\Network\Request
$request Request object.
Returns
string
needsPasswordRehash() ¶ public
needsPasswordRehash(): bool
Returns whether or not the password stored in the repository for the logged in user requires to be rehashed with another algorithm
Returns
bool
parseAuthData() ¶ public
parseAuthData(string $digest): array|null
Parse the digest authentication headers and split them up.
Parameters
-
string
$digest The raw digest authentication headers.
Returns
array|null
password() ¶ public static
password(string $username, string $password, string $realm): string
Creates an auth digest password hash to store
Parameters
-
string
$username The username to use in the digest hash.
-
string
$password The unhashed password to make a digest hash for.
-
string
$realm The realm the password is for.
Returns
string
passwordHasher() ¶ public
passwordHasher(): AbstractPasswordHasher
Return password hasher object
Returns
AbstractPasswordHasher
Throws
RuntimeException
If password hasher class not found or it does not extend AbstractPasswordHasher
unauthenticated() ¶ public
unauthenticated(Cake\Network\Request $request, Cake\Network\Response $response): void
Handles an unauthenticated access attempt by sending appropriate login headers
- Null - No action taken, AuthComponent should return appropriate response.
- Cake\Network\Response - A response object, which will cause AuthComponent to simply return that response.
Parameters
-
Cake\Network\Request
$request A request object.
-
Cake\Network\Response
$response A response object.
Returns
void
Throws
Cake\Network\Exception\UnauthorizedException
Property Detail
$_configInitialized ¶ protected
Whether the config property has already been configured with defaults
Type
bool
$_defaultConfig ¶ protected
Default config for this object.
fields
The fields to use to identify a user by.userModel
The alias for users table, defaults to Users.finder
The finder method to use to fetch user record. Defaults to 'all'.passwordHasher
Password hasher class. Can be a string specifying class name or an array containingclassName
key, any other keys will be passed as config to the class. Defaults to 'Default'.- Options
scope
andcontain
have been deprecated since 3.1. Use custom finder instead to modify the query to fetch user record.
Type
array
$_needsPasswordRehash ¶ protected
Whether or not the user authenticated by this class requires their password to be rehashed with another algorithm.
Type
bool