From 826ca41fbf88beb25ef233db766c852907317b5f Mon Sep 17 00:00:00 2001
From: kenjis
Date: Tue, 19 Sep 2023 15:00:28 +0900
Subject: [PATCH 1/3] docs: improve comments

---
 src/Config/AuthToken.php | 4 ++--
 src/Filters/TokenAuth.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Config/AuthToken.php b/src/Config/AuthToken.php
index 2d8254471..f83c665fa 100644
--- a/src/Config/AuthToken.php
+++ b/src/Config/AuthToken.php
@@ -7,13 +7,13 @@
 use CodeIgniter\Config\BaseConfig;
 
 /**
- * Authenticator Configuration for Token Auth and HMAC Auth
+ * Configuration for Token Auth and HMAC Auth
 */
 class AuthToken extends BaseConfig
 {
 /**
 * --------------------------------------------------------------------
- * Record Login Attempts for Token and HMAC Authorization
+ * Record Login Attempts for Token Auth and HMAC Auth
 * --------------------------------------------------------------------
 * Specify which login attempts are recorded in the database.
 *
diff --git a/src/Filters/TokenAuth.php b/src/Filters/TokenAuth.php
index ee504cbd5..4425c14ff 100644
--- a/src/Filters/TokenAuth.php
+++ b/src/Filters/TokenAuth.php
@@ -21,7 +21,7 @@ class TokenAuth implements FilterInterface
 {
 /**
 * Do whatever processing this filter needs to do.
- * By default it should not return anything during
+ * By default, it should not return anything during
 * normal execution. However, when an abnormal state
 * is found, it should return an instance of
 * CodeIgniter\HTTP\Response. If it does, script

From 92ca399ab36e75cd0d2f8b261231e8da6f100ca0 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Tue, 19 Sep 2023 15:00:51 +0900
Subject: [PATCH 2/3] fix: AccessTokens authenticator records all accesses

Now Record only failure failures by default.
---
 .../Authenticators/AccessTokens.php | 52 +++++++++++++------
 .../AccessTokenAuthenticatorTest.php | 6 +-
 2 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/src/Authentication/Authenticators/AccessTokens.php b/src/Authentication/Authenticators/AccessTokens.php
index a09000703..bf6a7a5c4 100644
--- a/src/Authentication/Authenticators/AccessTokens.php
+++ b/src/Authentication/Authenticators/AccessTokens.php
@@ -8,6 +8,7 @@
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Shield\Authentication\AuthenticationException;
 use CodeIgniter\Shield\Authentication\AuthenticatorInterface;
+use CodeIgniter\Shield\Config\Auth;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\InvalidArgumentException;
 use CodeIgniter\Shield\Models\TokenLoginModel;
@@ -42,6 +43,8 @@ public function __construct(UserModel $provider)
 */
 public function attempt(array $credentials): Result
 {
+ $config = config('AuthToken');
+
 /** @var IncomingRequest $request */
 $request = service('request');
 
@@ -51,14 +54,16 @@ public function attempt(array $credentials): Result
 $result = $this->check($credentials);
 
 if (! $result->isOK()) {
- // Always record a login attempt, whether success or not.
- $this->loginModel->recordLoginAttempt(
- self::ID_TYPE_ACCESS_TOKEN,
- $credentials['token'] ?? '',
- false,
- $ipAddress,
- $userAgent
- );
+ if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
+ // Record all failed login attempts.
+ $this->loginModel->recordLoginAttempt(
+ self::ID_TYPE_ACCESS_TOKEN,
+ $credentials['token'] ?? '',
+ false,
+ $ipAddress,
+ $userAgent
+ );
+ }
 
 return $result;
 }
@@ -66,6 +71,18 @@ public function attempt(array $credentials): Result
 $user = $result->extraInfo();
 
 if ($user->isBanned()) {
+ if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
+ // Record a banned login attempt.
+ $this->loginModel->recordLoginAttempt(
+ self::ID_TYPE_ACCESS_TOKEN,
+ $credentials['token'] ?? '',
+ false,
+ $ipAddress,
+ $userAgent,
+ $user->id
+ );
+ }
+
 $this->user = null;
 
 return new Result([
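Review bot: `$config = config('AuthToken');` at the top of attempt() leaves `$config` untyped, so the three `$config->recordLoginAttempt` comparisons that follow (the failure branch and the banned branch in this line's hunks, and the success branch in the next hunk) are opaque to static analysis, and the `>=` form in the two failure checks silently assumes the `Auth::RECORD_LOGIN_ATTEMPT_*` constants are integers ordered so that every level at or above FAILURE logs failed attempts. Add `/** @var AuthToken $config */` above the assignment, mirroring the existing `/** @var IncomingRequest $request */`, with a `use` for the AuthToken config class (presumably `CodeIgniter\Shield\Config\AuthToken`, next to the `Auth` import this commit adds), and put a one-line comment on the first comparison such as `// Levels are ordered: anything at or above FAILURE logs failed attempts; only ALL logs successes.` so the ordering assumption is stated where it is relied on. Since the setting lives in the AuthToken config while the threshold constants live in the Auth config, it is also worth confirming that `config('AuthToken')` resolves to the module default when an application has not yet installed the file that UPGRADING.md asks for; otherwise each comparison dies on a null property read. The body of attempt() begins before the first hunk on this line and continues into the next line's hunk.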
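Review bot: The new banned-user branch writes `$credentials['token'] ?? ''` — a bearer token that check() has just matched to a real account — into token_logins together with `$user->id`, so a live secret is stored next to the identity it belongs to. The success path already stored the raw value (the test hunk asserts `'identifier' => $token->raw_token`), so this is consistent with existing behaviour rather than a regression, but if nothing reads the identifier column back as a credential, storing a hash or a short prefix of the token would keep the audit trail without keeping the secret; confirm against whatever queries token_logins for throttling before changing it. At minimum the comment `// Record a banned login attempt.` should say that the identifier stored here is the raw token, so the retention implication is visible to whoever reviews the logging policy. attempt() continues past the end of this hunk.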
@@ -80,14 +97,17 @@ public function attempt(array $credentials): Result
 
 $this->login($user);
 
- $this->loginModel->recordLoginAttempt(
- self::ID_TYPE_ACCESS_TOKEN,
- $credentials['token'] ?? '',
- true,
- $ipAddress,
- $userAgent,
- $this->user->id
- );
+ if ($config->recordLoginAttempt === Auth::RECORD_LOGIN_ATTEMPT_ALL) {
+ // Record a successful login attempt.
+ $this->loginModel->recordLoginAttempt(
+ self::ID_TYPE_ACCESS_TOKEN,
+ $credentials['token'] ?? '',
+ true,
+ $ipAddress,
+ $userAgent,
+ $this->user->id
+ );
+ }
 
 return $result;
 }
diff --git a/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php b/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php
index c5042dbb8..b87bf3930 100644
--- a/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php
+++ b/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php
@@ -174,7 +174,7 @@ public function testAttemptCannotFindUser(): void
 $this->assertFalse($result->isOK());
 $this->assertSame(lang('Auth.badToken'), $result->reason());
 
- // A login attempt should have always been recorded
+ // A failed login attempt should have been recorded by default.
 $this->seeInDatabase($this->tables['token_logins'], [
 'id_type' => AccessTokens::ID_TYPE_ACCESS_TOKEN,
 'identifier' => 'abc123',
@@ -202,8 +202,8 @@ public function testAttemptSuccess(): void
 $this->assertInstanceOf(AccessToken::class, $foundUser->currentAccessToken());
 $this->assertSame($token->token, $foundUser->currentAccessToken()->token);
 
- // A login attempt should have been recorded
- $this->seeInDatabase($this->tables['token_logins'], [
+ // A successful login attempt is not recorded by default.
+ $this->dontSeeInDatabase($this->tables['token_logins'], [
 'id_type' => AccessTokens::ID_TYPE_ACCESS_TOKEN,
 'identifier' => $token->raw_token,
 'success' => 1,

From 5e759984e29ccc2ea4fce8e77cdbb8b591cdb8e1 Mon Sep 17 00:00:00 2001
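Review bot: The updated tests only pin the default level: testAttemptCannotFindUser still sees the failure row and testAttemptSuccess now uses dontSeeInDatabase for the success row, but nothing sets the config to `Auth::RECORD_LOGIN_ATTEMPT_ALL` and asserts the `'success' => 1` row appears, nothing sets the lowest level and asserts the failure row is absent, and the new banned-user branch in AccessTokens::attempt() has no test at all. Each of those is one config assignment plus a seeInDatabase/dontSeeInDatabase check, e.g. `config('AuthToken')->recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_ALL;` before the attempt() call in a copy of testAttemptSuccess (assuming config() hands back the shared instance the authenticator reads), followed by the seeInDatabase assertion the old test had. Without them a regression in the `>=`/`===` comparisons would pass CI unnoticed. Both test methods start and end outside the hunk.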
From: kenjis
Date: Tue, 19 Sep 2023 15:18:54 +0900
Subject: [PATCH 3/3] docs: add UPGRADING.md

---
 UPGRADING.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/UPGRADING.md b/UPGRADING.md
index 1ffe19509..e8d30a4ef 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -1,5 +1,16 @@
 # Upgrade Guide
 
+## Version 1.0.0-beta.6 to 1.0.0-beta.7
+
+### Install New Config AuthToken.php
+
+A new Config file **AuthToken.php** has been introduced. Run `php spark shield:setup`
+again to install it into **app/Config/**, or install it manually.
+
+Then change the default settings as necessary. When using Token authentication,
+the default value has been changed from all accesses to be recorded in the
+``token_logins`` table to only accesses that fail authentication to be recorded.
+
 ## Version 1.0.0-beta.3 to 1.0.0-beta.4
 
 ### Important Password Changes