Comments (10)
So you basically would want to skip the entire credential property logic if a callable is set if I get it right?
The idea behind the credential callable is to match against encrypted data, such as hashing the provided $credentialValue
and match it against the retrieved value.
from doctrinemodule.
No, the above code does not skip the credential property logic if a callable is set. It first checks if a callable is set and returns true. If not (for instance, if it returns a hashed value), the credential property is still used as before.
from doctrinemodule.
@Pietr, as @Ocramius indicates, it's not exactly how the callable was envisaged to be used, however it's not a BC break, and seems to make sense to me. Although, it sounds like your callable is doing the actual authenticaiton, rather than jush doing a hash. If the callable is actually doing the work, do you really need the ObjectRepository at all? Would it be simpler to turn your callable into an auth adaper in it's own right?
from doctrinemodule.
@superdweebie I'm using Phpass to do the actual hashing, which uses a per-user salt encoded in the hash string. Hence I cannot have the credential callable return a correct new hashing of the plaintext, without extracting the salt first (which Phpass does not directly support). Phpass does provide a CheckPassword function, which behaves like a credential callable that returns true/false, hence my request for this change.
You indicate this is not how the callable was envisaged to be used, but the current implementation does already support callables that return true/false (it just queries the credential property as well, without actually needing its value). Indeed I could create my own AdapterInterface, but it would be structured similarly to the ObjectRepository, so it feels like reinventing (a tiny bit of) the wheel.
If it is decided not to make this change, I would suggest to remove the support for callables that return a boolean, because it is a bit confusing to provide this functionality while also requiring the credential property to be set in any case.
from doctrinemodule.
@Pietr I now understand better. I'm supportive of the change. Put in a PR :)
(Note I'm, not a commiter, so others will have to want it also)
from doctrinemodule.
I'm fine with changing this behavior so that you can use a callback to actually generate the credential value and avoid access to the object itself, but do not mix $credentialValue
assuming that boolean true
is a special case.
Let's use a different variable for that. It may sound horrible, but maybe a byRef parameter can do the trick (like with Zend\Cache
)
from doctrinemodule.
I agree that changing behavior depending on whether $credentialValue returns a boolean or a string is not very nice. I see three options:
-
Add another property such as $booleanCredentialCallable to ObjectRepository and try to call that callable in the validateIdentity function, if it is set.
-
Instead of providing a single ObjectRepository that tries to handle both types of credential callables, split the cases into different AdapterInterface implementations. The common functionality can be placed in an abstract super class. An alternative but similar design is to keep a single ObjectRepository but to add an 'IdentitityValidationStrategy' to it. There could be a BooleanIdentityValidationStrategy and a StringIdentityValidationStrategy (I know, they aren't good names but you know what I mean...)
-
Only support credential callables that return a boolean indicating correct/incorrect password. Any callable that returns a string (the hashed password) can be easily rewritten to return such a boolean, by moving the string comparison that is currently in the ObjectRepository to the callable.
Solution 1 is the only solution that doesn't really break the current interface for people using a callable that returns a string. However, this solution adds more complexity to the ObjectRepository and, in my opinion, makes that class handle too many cases.
from doctrinemodule.
@Pietr I think I like option 2a best.
from doctrinemodule.
I also agree on the second approach. Injecting some kind of strategy is
fine, by keeping the default one being something like return $credentialValue === $entity->getCredentialValue();
(or similar approach).
I am not 100% sure about all this, but it would be possible to split the
repository auth adapter into a simple find operation + a default strategy
checking the credential property. It still sounds very elaborate and
complex anyway, and it probably wouldn't make things easier for the end
user (who would be faster in implementing his own auth adapter at that
point).
Breaking the interface is not really a problem as long as we do it after
tagging (which will happen as soon as ZF 2.0.0 final is out) and
documenting the change.
Marco Pivetta
On 1 September 2012 11:27, Tim Roediger [email protected] wrote:
@Pietr https://github.com/Pietr I think I like option 2a best.
—
Reply to this email directly or view it on GitHubhttps://github.com//issues/81#issuecomment-8211425.
from doctrinemodule.
Closing this one as there's no further feedback and the current approach is portable enough (IMO).
I will re-open if there is a clear decision about an approach to take
from doctrinemodule.
Related Issues (20)
- Cannot migrate to PHP 8 due to laminas-cache 2.7 dependency. HOT 11
- DriverFactory incompatible with AttributeDriver HOT 1
- vendor/bin/doctrine-module only works if it's a symlink HOT 12
- Unit tests should be executed with PHP 8.0 HOT 1
- Pushed breaking change in 4.2 release HOT 4
- incompatible with doctrine/orm >= 2.12.0 HOT 3
- Missing Versions on Packagist HOT 2
- Deprecate doctrine/cache HOT 8
- Release 5.3.0 with PHP 8.2 Support HOT 5
- Can't install due to conflicting requirements HOT 25
- Current CLI implementation triggers api-tools-mvc-auth events HOT 2
- 6.0.2 regex change is too restrictive HOT 6
- Missing requirement in composer.json HOT 2
- Migration to v6 leads to cache issues HOT 11
- Authentication Error when no credentialCallable is given. HOT 5
- Allow cleanSearchValue method to accept an integer HOT 4
- Mapping error doctrine find, findOneBy, findBy. HOT 1
- Package incorrectly states that it does provide `laminas/laminas-cache-storage-implementation` HOT 3
- Bump to PHP 8.3 ? HOT 3
- orm3 compatibility HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from doctrinemodule.