- WIP on V 2.x which added a OAuth2 server

- WIP on 2.x auth. method
2025-06-13 19:10:51 +00:00 · 2025-03-28 13:38:28 +00:00
13 changed files with 168 additions and 98 deletions
--- a/src/Authorize/AuthorizeMethodInterface.php
+++ b/src/Authorize/AuthorizeMethodInterface.php
@ -7,7 +7,7 @@ use Ulmus\User\Entity\UserInterface;

 interface AuthorizeMethodInterface
 {
-    public function connect(ServerRequestInterface $request, UserInterface $user) : bool;
+    public function connect(ServerRequestInterface $request) : ServerRequestInterface;

    public function catchRequest(ServerRequestInterface $request) : bool;
 }
--- a/src/Authorize/Header/BasicMethod.php
+++ b/src/Authorize/Header/BasicMethod.php
@ -3,37 +3,31 @@
 namespace Ulmus\User\Authorize\Header;

 use Psr\Http\Message\ServerRequestInterface;
-use Ulmus\User\Entity\BasicAuthUserInterface;
-use Ulmus\User\Entity\UserInterface;
-use Ulmus\User\Lib\Authenticate;
-use Ulmus\User\Lib\Authorize;
+use Ulmus\User\Lib\AuthenticationMethodEnum;

 class BasicMethod implements MethodInterface
 {
    public function __construct(
-        protected Authenticate $authorize,
-        protected BasicAuthUserInterface $user,
        protected string|array $arguments
    ) {}

-    public function execute(ServerRequestInterface $request) : bool
+    public function execute(ServerRequestInterface $request) : ServerRequestInterface
    {
        if ( false === $decoded = base64_decode($this->arguments) ) {
            throw new \RuntimeException("Base64 decoding of given username:password failed");
        }

-        list($userName, $password) = explode(':', $decoded) + [ null, null ];
+        list($username, $password) = explode(':', $decoded) + [ null, null ];

-        if ( empty($userName) ) {
+        if ( empty($username) ) {
            throw new \RuntimeException("A username must be provided");
        }
        elseif ( empty($password) ) {
            throw new \RuntimeException("A password must be provided");
        }

-        $this->authorize->user = $this->user;
-        $this->authorize->authenticate([ $this->user->usernameField() => $userName ], $password);
-
-        return $this->user->loggedIn();
+        return $request->withAttribute('authentication_middleware:method', AuthenticationMethodEnum::UsernamePassword)
+            ->withAttribute('authentication_middleware:username', $username)
+            ->withAttribute('authentication_middleware:password', $password);
    }
 }
--- a/src/Authorize/Header/BearerMethod.php
+++ b/src/Authorize/Header/BearerMethod.php
@ -3,34 +3,30 @@
 namespace Ulmus\User\Authorize\Header;

 use Psr\Http\Message\ServerRequestInterface;
-use Ulmus\User\Authorize\Bearer\JsonWebToken;
 use Ulmus\User\Authorize\Bearer\JsonWebTokenDecoder;
 use Ulmus\User\Entity\UserInterface;
 use Ulmus\User\Lib\Authenticate;
-use Ulmus\User\Lib\Authorize;

 class BearerMethod implements MethodInterface
 {
    protected JsonWebTokenDecoder $jwt;

    public function __construct(
-        protected Authenticate $authorize,
-        protected UserInterface $user,
+        # protected Authenticate $authorize,
+        # protected UserInterface $user,
        protected string $token
    ) {}

-    public function execute(ServerRequestInterface $request) : bool
+    public function execute(ServerRequestInterface $request) : ServerRequestInterface
    {
-        $this->authorize->user = $this->user;
+        # $this->authorize->user = $this->user;

        switch($this->autodetectTokenType()) {
            case BearerTokenTypeEnum::JsonWebToken:
                $payload = $this->jwt->getPayload();

-                if ($payload['sub'] ?? false) {
-                    if ( ! $this->authorize->logUser($payload['sub']) ) {
-                        throw new \Exception("Given user id do not match with an existing/active user");
-                    }
+                if ( $payload['sub'] ?? false) {
+                    $request = $request->withAttribute('authentication_middleware:user_id', $payload['sub']);
                }
                else {
                    throw new \InvalidArgumentException("Given JsonWebToken is missing a 'sub' key (which concords to user id)");
@ -43,8 +39,7 @@ class BearerMethod implements MethodInterface
                break;
        }

-
-        return $this->user->loggedIn();
+        return $request;
    }

    public function autodetectTokenType() : BearerTokenTypeEnum
@ -57,9 +52,4 @@ class BearerMethod implements MethodInterface

        return BearerTokenTypeEnum::UniqueKey;
    }
-
-    protected function userFromJWT() : UserInterface
-    {
-
-    }
 }
--- a/src/Authorize/Header/DigestMethod.php
+++ b/src/Authorize/Header/DigestMethod.php
@ -9,12 +9,12 @@ use Ulmus\User\Lib\Authenticate;
 class DigestMethod implements MethodInterface
 {
    public function __construct(
-        protected Authenticate $authorize,
-        protected DigestAuthUserInterface $user,
+        # protected Authenticate $authorize,
+        # protected DigestAuthUserInterface $user,
        protected string|array $arguments
    ) {}

-    public function execute(ServerRequestInterface $request) : bool
+    public function execute(ServerRequestInterface $request) : ServerRequestInterface
    {
        $arguments = $this->parseDigestArguments($this->arguments);

@ -28,7 +28,7 @@ class DigestMethod implements MethodInterface

        $arguments['nc'] = str_pad($arguments['nc'] ?? "1", 8, '0', STR_PAD_LEFT);

-        $ha1 = $this->getSecretHash();
+        $ha1 = "@TODO !@"; # $this->authorize->user->getSecretHash();

        if ($isSess) {
            $ha1 = hash($hashMethod, implode(':', [
@ -62,7 +62,13 @@ class DigestMethod implements MethodInterface
            ]));
        }

-        return $response === $arguments['response'];
+        if ($response === $arguments['response']) {
+            $request = $request->withAttribute('authentication_middleware:user_id', $arguments['username']);
+
+            # @TODO ! Add Type here to match login with Username Only
+        }
+
+        return $request;
    }


--- a/src/Authorize/Header/MethodInterface.php
+++ b/src/Authorize/Header/MethodInterface.php
@ -6,5 +6,5 @@ use Psr\Http\Message\ServerRequestInterface;

 interface MethodInterface
 {
-    public function execute(ServerRequestInterface $request) : bool;
+    public function execute(ServerRequestInterface $request) : ServerRequestInterface;
 }
--- a/src/Authorize/HeaderAuthentication.php
+++ b/src/Authorize/HeaderAuthentication.php
@ -6,6 +6,7 @@ use Psr\Http\Message\ServerRequestInterface;
 use Ulmus\User\Common\AuthorizeContentTypeEnum;
 use Ulmus\User\Entity\{ DigestAuthUserInterface, UserInterface };
 use Ulmus\User\Lib\Authenticate;
+use Ulmus\User\Lib\HeaderAuthenticationTypeEnum;

 class HeaderAuthentication implements AuthorizeMethodInterface
 {
@ -13,51 +14,55 @@ class HeaderAuthentication implements AuthorizeMethodInterface
        protected Authenticate $authorize,
    ) { }

-    public function connect(ServerRequestInterface $request, UserInterface $user): bool
+    public function connect(ServerRequestInterface $request): ServerRequestInterface
    {
-        if (null !== ( $auth = $request->getHeaderLine('Authorization') )) {
-            list($method, $value) = explode(' ', $auth, 2) + [ null, null ];
+        $type = HeaderAuthenticationTypeEnum::fromRequest($request);

-            switch(strtolower($method)) {
-                case "basic":
-                    $methodObj = new Header\BasicMethod($this->authorize, $user, $value);
+        if ( null !== $type ) {
+            list(, $value) = explode(' ', $request->getHeaderLine('Authorization'), 2) + [ null, null ];
+
+            switch($type) {
+                case HeaderAuthenticationTypeEnum::Basic:
+                    $methodObj = new Header\BasicMethod($value);
                break;

-                case "digest":
-                    if (! $user instanceof DigestAuthUserInterface) {
-                        throw new \RuntimeException("Your user entity must provide a valid hash of `user:realm:password` ");
-                    }
+                case HeaderAuthenticationTypeEnum::Digest:
+                    #if (! $user instanceof DigestAuthUserInterface) {
+                    #    throw new \RuntimeException("Your user entity must provide a valid hash of `user:realm:password` ");
+                    #}

-                    $methodObj = new Header\DigestMethod($this->authorize, $user, $value);
+                    $methodObj = new Header\DigestMethod($value);
                break;

-                case "bearer":
-                    $methodObj = new Header\BearerMethod($this->authorize, $user, $value);
+                case HeaderAuthenticationTypeEnum::Bearer:
+                    $methodObj = new Header\BearerMethod($value);
                break;

-                case "token":
-
+                case HeaderAuthenticationTypeEnum::Token:
+                    // @TODO !
                break;
-
-                default:
-                    throw new \InvalidArgumentException("An authentication method must be provided");
            }
        }

-        return isset($methodObj) && $methodObj->execute($request);
+        if (isset($methodObj)) {
+            $request = $methodObj->execute($request);
        }

+        return $request;
+    }

    public function catchRequest(ServerRequestInterface $request) : bool
    {
-        foreach(array_merge($request->getHeader('Accept'), $request->getHeader('Content-Type')) as $accept) {
+        # Previously only catched from JSON content-type ; now accepts every connections
+
+        /*foreach(array_merge($request->getHeader('Accept'), $request->getHeader('Content-Type')) as $accept) {
            foreach(explode(',', $accept) as $contentType) {
                if ( AuthorizeContentTypeEnum::tryFrom(strtolower($contentType)) ) {
                    return true;
                }
            }
-        }
+        }*/

-        return false;
+        return $request->hasHeader('authorization');
    }
 }
--- a/src/Authorize/PostRequestAuthentication.php
+++ b/src/Authorize/PostRequestAuthentication.php
@ -5,21 +5,23 @@ namespace Ulmus\User\Authorize;
 use Psr\Http\Message\ServerRequestInterface;
 use Ulmus\User\Entity\UserInterface;
 use Ulmus\User\Lib\Authenticate;
+use Ulmus\User\Lib\AuthenticationMethodEnum;

 class PostRequestAuthentication implements AuthorizeMethodInterface
 {
    public function __construct(
-        public Authenticate $authenticate,
        protected string $fieldUser = "email",
        protected string $postFieldUser = "email",
        protected string $postFieldPassword = "password",
    ) {}

-    public function connect(ServerRequestInterface $request, UserInterface $user): bool
+    public function connect(ServerRequestInterface $request) : ServerRequestInterface
    {
        $post = $request->getParsedBody();

-        return $this->authenticate->authenticate([ $this->fieldUser => $post[$this->postFieldUser] ], $post[$this->postFieldPassword]);
+        return $request->withAttribute('authentication_middleware:method', AuthenticationMethodEnum::UsernamePassword)
+            ->withAttribute('authentication_middleware:username', [ $this->fieldUser => $post[$this->postFieldUser] ])
+            ->withAttribute('authentication_middleware:password', $post[$this->postFieldPassword]);
    }

    public function catchRequest(ServerRequestInterface $request): bool
--- a/src/Lib/Authenticate.php
+++ b/src/Lib/Authenticate.php
@ -42,10 +42,14 @@ class Authenticate {
        $this->session->destroy();
    }

-    public function authenticate(array $userLogin, string $password) : bool
+    public function authenticate(string|array $userLogin, string $password) : bool
    {
        $repository = $this->user::repository();

+        if (is_string($userLogin)) {
+            $userLogin = [ $this->user->usernameField() => $userLogin ];
+        }
+
        foreach($userLogin as $field => $value) {
            $repository->or($field, $value);
        }
@ -120,7 +124,7 @@ class Authenticate {
        return $this;
    }

-    public function logUser(?int $id) : ? UserInterface
+    public function loadUser(?int $id) : ? UserInterface
    {
        try {
            if ($id === null || null === ($entity = $this->user::repository()->loadFromPk($id))) {
@ -133,8 +137,17 @@ class Authenticate {

        $this->user->fromArray($entity);

+        return $this->user;
+    }
+
+    public function logUser(?int $id) : ? UserInterface
+    {
+        if ( null !== $this->loadUser($id) ) {
            $this->user->loggedIn(true);

            return $this->user;
        }
+
+        return null;
+    }
 }
--- a/src/Lib/AuthenticationMethodEnum.php
+++ b/src/Lib/AuthenticationMethodEnum.php
@ -0,0 +1,9 @@
+<?php
+
+namespace Ulmus\User\Lib;
+
+enum AuthenticationMethodEnum
+{
+    case ForceLogin;
+    case UsernamePassword;
+}
--- a/src/Lib/HeaderAuthenticationTypeEnum.php
+++ b/src/Lib/HeaderAuthenticationTypeEnum.php
@ -0,0 +1,24 @@
+<?php
+
+namespace Ulmus\User\Lib;
+
+use Psr\Http\Message\ServerRequestInterface;
+
+enum HeaderAuthenticationTypeEnum : string
+{
+    case Basic = "basic";
+    case Digest = "digest";
+    case Bearer = "bearer";
+    case Token = "token";
+
+    public static function fromRequest(ServerRequestInterface $request) : ? static
+    {
+        if ($request->hasHeader('authorization')) {
+            list($method, ) = explode(' ', $request->getHeaderLine('authorization'), 2);
+
+            return static::tryFrom(strtolower($method));
+        }
+
+        return null;
+    }
+}
--- a/src/Middleware/AuthenticationMiddleware.php
+++ b/src/Middleware/AuthenticationMiddleware.php
@ -0,0 +1,50 @@
+<?php
+
+namespace Ulmus\User\Middleware;
+
+use Psr\Http\{
+    Message\ResponseInterface,
+    Message\ServerRequestInterface,
+    Server\MiddlewareInterface,
+    Server\RequestHandlerInterface
+};
+use Ulmus\User\Entity\UserInterface;
+use Ulmus\User\Authorize\PostRequestAuthentication;
+use Ulmus\User\Lib\Authenticate;
+use Ulmus\User\Lib\AuthenticationMethodEnum;
+
+class AuthenticationMiddleware implements MiddlewareInterface
+{
+    public function __construct(
+        protected Authenticate $authenticator,
+        protected \Closure $loginFailedResponse,
+    ) {}
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        try {
+            if (null !== $id = $request->getAttribute('authentication_middleware:user_id')) {
+                $this->authenticator->loadUser($id);
+
+                if ( ! $this->authenticator->user->isLoaded() ) {
+                    throw new \Exception("Given user id do not match with an existing/active user");
+                }
+            }
+
+            switch($request->getAttribute('authentication_middleware:method')) {
+                case AuthenticationMethodEnum::ForceLogin:
+                    $this->authenticator->login();
+                    break;
+
+                case AuthenticationMethodEnum::UsernamePassword:
+                    $this->authenticator->authenticate($request->getAttribute('authentication_middleware:username'), $request->getAttribute('authentication_middleware:password'));
+                    break;
+            }
+        }
+        catch(\Exception $e) {
+            return call_user_func($this->loginFailedResponse, [ 'api.error_message' => $e->getMessage() ]);
+        }
+
+        return $handler->handle($request);
+    }
+}
--- a/src/Middleware/HeaderAuthenticationMiddleware.php
+++ b/src/Middleware/HeaderAuthenticationMiddleware.php
@ -14,28 +14,14 @@ use Ulmus\User\Lib\Authenticate;

 class HeaderAuthenticationMiddleware implements MiddlewareInterface
 {
-    protected HeaderAuthentication $authenticator;
-
    public function __construct(
-        protected Authenticate $authorize,
-        protected UserInterface $entity,
-        protected \Closure $loginFailedResponse,
-        HeaderAuthentication $authenticator = null,
-    ) {
-        $this->authenticator = $authenticator ?: new HeaderAuthentication($authorize);
-    }
+        protected HeaderAuthentication $authenticator,
+    ) { }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
-        try {
        if ( $this->authenticator->catchRequest($request) ) {
-                if ( ! $this->authenticator->connect($request, $this->entity) ) {
-                    return call_user_func($this->loginFailedResponse, [ 'api.process' => "Auth failed" ]);
-                }
-            }
-        }
-        catch(\Exception $e) {
-            return call_user_func($this->loginFailedResponse, [ 'api.error_message' => $e->getMessage() ]);
+            $request = $this->authenticator->connect($request);
        }

        return $handler->handle($request);
--- a/src/Middleware/PostRequestAuthenticationMiddleware.php
+++ b/src/Middleware/PostRequestAuthenticationMiddleware.php
@ -14,24 +14,15 @@ use Ulmus\User\Lib\Authenticate;

 class PostRequestAuthenticationMiddleware implements MiddlewareInterface
 {
-    protected PostRequestAuthentication $authenticator;
-
    public function __construct(
-        protected UserInterface     $entity,
-        protected \Closure          $loginFailedResponse,
-        PostRequestAuthentication   $authenticator = null,
+        protected PostRequestAuthentication $authenticator,
    ) {
-        $this->authenticator = $authenticator ?: new PostRequestAuthentication(new Authenticate($entity));
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
-        $this->authenticator->authenticate->rememberMe();
-
        if ( $this->authenticator->catchRequest($request) ) {
-            if ( ! $this->authenticator->connect($request, $this->entity) ) {
-                return call_user_func($this->loginFailedResponse, "Login failed");
-            }
+            $request = $this->authenticator->connect($request);
        }

        return $handler->handle($request);
Author	SHA1	Message	Date
Dave Mc Nicoll	0271aec31b	- WIP on V 2.x which added a OAuth2 server	2025-06-13 19:10:51 +00:00
Dave Mc Nicoll	6582378b6e	- WIP on 2.x auth. method	2025-03-28 13:38:28 +00:00